Inventory Category - Firmware #809

@cborla

Description

This epic tracks the design and implementation of a unified inventory model for Firmware within the Wazuh architecture. The objective is to define a platform-agnostic data contract that enables the collection, normalization, and indexing of firmware-related information from Windows, Linux, and macOS systems. The collected data includes BIOS/UEFI details, Secure Boot configuration, and TPM (Trusted Platform Module) presence and attributes.

The resulting inventory events must follow ECS-compatible conventions where applicable and provide normalized, stateful data suitable for use in security auditing and visibility into system-level integrity features.

Functional Requirements

  • Propose and agree on the data model (fields and structure) for:
    • BIOS/UEFI attributes (e.g., vendor, version, release date)
    • Secure Boot status and enforcement
    • TPM (version, manufacturer, enabled/active status)
  • Ensure ECS compatibility where possible, using custom wazuh.* fields when needed.
  • Store firmware data under a single inventory index (e.g., wazuh-inventory-firmware).

Non-Functional Requirements

  • Normalize differences across operating systems while preserving key platform-specific attributes.
  • Support efficient filtering, querying, and dashboard representation.
  • Ensure minimal overhead during data collection and processing.

Plan

Indexer

  • Define a flat document structure with key firmware attributes:
    • firmware.vendor, firmware.version, firmware.release_date, secure_boot.enabled, tpm.present, tpm.version, etc.
  • Tag documents with platform identifiers and firmware type if needed.
  • Store all records in a single index, enabling unified visibility.

Agent

  • DBSync
    • Consolidate data from multiple sources (platform_info, secureboot, tpm_info) into a single table.
    • Normalize data to match the unified inventory contract.
    • Integrate data collection into syscollector via extended_sources.

Server

  • Wazuh-DB
    • Use Rsync to synchronize firmware_inventory records.
    • Design schema to support key firmware attributes across platforms.
    • Expose data via API with consistent field structure and filtering support.

Dashboard

  • Define the visualization strategy for firmware data:
    • Filter by platform, Secure Boot status, or TPM presence.
    • Group hosts by firmware vendor or outdated firmware versions.
    • Highlight systems missing critical security components (e.g., Secure Boot disabled, no TPM).
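The flat Indexer document sketched under Plan / Indexer and the dashboard highlights listed above, carried through as an added example (this is not Wazuh code and not the contract this epic will agree on): three constructed per-OS readings, in the shape of the interfaces named in the comments (Linux sysfs DMI files and the SecureBoot EFI variable, Windows Win32_BIOS / Confirm-SecureBootUEFI / Win32_Tpm, macOS system_profiler), are normalized into one flat document, checked against a minimal contract, and scanned for missing controls. The field names, the mapping of the Linux tpm_version_major value to a spec version, the treatment of a present TPM device node as enabled, and the macOS secure_boot_policy input are all assumptions made here for illustration.

```python
"""Added example, not Wazuh code: normalize constructed per-OS firmware readings
into one flat inventory document (keys as sketched in the issue), validate it, and
flag missing security controls the way a dashboard rule would."""
from datetime import datetime

# Unified flat contract: key -> expected Python type. None means "unknown".
CONTRACT = {
    "host.os.platform": str,
    "firmware.vendor": str,
    "firmware.version": str,
    "firmware.release_date": str,   # ISO 8601 date, YYYY-MM-DD
    "secure_boot.enabled": bool,
    "tpm.present": bool,
    "tpm.version": str,             # spec version, e.g. "1.2" or "2.0"
    "tpm.manufacturer": str,
    "tpm.enabled": bool,
}

def _base(platform):
    doc = {key: None for key in CONTRACT}
    doc["host.os.platform"] = platform
    return doc

def normalize_linux(raw):
    # raw mirrors /sys/class/dmi/id/{bios_vendor,bios_version,bios_date}, the
    # SecureBoot EFI variable (4 attribute bytes followed by 1 data byte; absent on
    # legacy BIOS boots) and /sys/class/tpm/tpm0/tpm_version_major (absent with no TPM).
    doc = _base("linux")
    doc["firmware.vendor"] = raw["bios_vendor"].strip()
    doc["firmware.version"] = raw["bios_version"].strip()
    doc["firmware.release_date"] = datetime.strptime(raw["bios_date"].strip(), "%m/%d/%Y").date().isoformat()
    sb = raw.get("efivar_secureboot")
    doc["secure_boot.enabled"] = bool(sb and len(sb) >= 5 and sb[4] == 1)
    major = raw.get("tpm_version_major")
    doc["tpm.present"] = major is not None
    if major is not None:
        # Assumption: major version 1 -> TPM 1.2, major version 2 -> TPM 2.0.
        doc["tpm.version"] = {"1": "1.2", "2": "2.0"}.get(major.strip(), major.strip())
        # Assumption: a disabled TPM is not exposed as a device node, so present implies enabled.
        doc["tpm.enabled"] = True
    return doc

def normalize_windows(raw):
    # raw mirrors Win32_BIOS (Manufacturer, SMBIOSBIOSVersion, ReleaseDate as CIM_DATETIME),
    # Confirm-SecureBootUEFI (bool; None when the cmdlet fails on legacy BIOS) and
    # Win32_Tpm (SpecVersion, ManufacturerIdTxt, IsEnabled_InitialValue; None with no TPM).
    doc = _base("windows")
    doc["firmware.vendor"] = raw["Manufacturer"].strip()
    doc["firmware.version"] = raw["SMBIOSBIOSVersion"].strip()
    doc["firmware.release_date"] = datetime.strptime(raw["ReleaseDate"][:8], "%Y%m%d").date().isoformat()
    doc["secure_boot.enabled"] = bool(raw.get("SecureBootUEFI"))
    tpm = raw.get("Win32_Tpm")
    doc["tpm.present"] = tpm is not None
    if tpm is not None:
        doc["tpm.version"] = tpm["SpecVersion"].split(",")[0].strip()   # "2.0, 0, 1.59" -> "2.0"
        doc["tpm.manufacturer"] = tpm["ManufacturerIdTxt"].strip()
        doc["tpm.enabled"] = bool(tpm["IsEnabled_InitialValue"])
    return doc

def normalize_macos(raw):
    # raw mirrors system_profiler SPHardwareDataType ("System Firmware Version") plus an
    # assumed secure_boot_policy string. Macs have no TPM (the Secure Enclave takes that
    # role), so tpm.present is always False and no release date is available here.
    doc = _base("macos")
    doc["firmware.vendor"] = "Apple"          # assumption for the example
    doc["firmware.version"] = raw["system_firmware_version"].strip()
    doc["secure_boot.enabled"] = raw.get("secure_boot_policy", "off").lower() in ("full", "medium")
    doc["tpm.present"] = False
    return doc

def validate(doc):
    """Return contract violations (empty list when the document conforms)."""
    errors = [f"unknown field {key}" for key in doc if key not in CONTRACT]
    for key, typ in CONTRACT.items():
        if key not in doc:
            errors.append(f"missing field {key}")
        elif doc[key] is not None and not isinstance(doc[key], typ):
            errors.append(f"{key}: expected {typ.__name__}, got {type(doc[key]).__name__}")
    if doc.get("firmware.release_date"):
        datetime.strptime(doc["firmware.release_date"], "%Y-%m-%d")   # raises on a malformed date
    return errors

def missing_controls(doc):
    """Findings a dashboard would highlight: Secure Boot off, TPM absent, legacy or disabled TPM."""
    findings = []
    if doc["secure_boot.enabled"] is False:
        findings.append("secure_boot_disabled")
    # macOS never reports a TPM, so its absence there is expected, not a gap.
    if doc["tpm.present"] is False and doc["host.os.platform"] != "macos":
        findings.append("tpm_missing")
    elif doc["tpm.present"] and doc["tpm.version"] == "1.2":
        findings.append("tpm_legacy_1.2")
    elif doc["tpm.present"] and doc["tpm.enabled"] is False:
        findings.append("tpm_disabled")
    return findings

SAMPLES = {   # constructed inputs, not captured from real hosts
    "linux": {"bios_vendor": "Dell Inc.\n", "bios_version": "1.21.0\n", "bios_date": "08/15/2023\n",
              "efivar_secureboot": b"\x06\x00\x00\x00\x01", "tpm_version_major": "2\n"},
    "windows": {"Manufacturer": "LENOVO", "SMBIOSBIOSVersion": "N3MET40W (1.22 )",
                "ReleaseDate": "20240110000000.000000+000", "SecureBootUEFI": False,
                "Win32_Tpm": {"SpecVersion": "2.0, 0, 1.59", "ManufacturerIdTxt": "IFX ",
                              "IsEnabled_InitialValue": True}},
    "macos": {"system_firmware_version": "10151.101.3", "secure_boot_policy": "full"},
}
NORMALIZERS = {"linux": normalize_linux, "windows": normalize_windows, "macos": normalize_macos}

def inventory(samples=SAMPLES):
    """Normalize every sample into a contract-conforming document, keyed by platform."""
    docs = {}
    for platform, raw in samples.items():
        doc = NORMALIZERS[platform](raw)
        problems = validate(doc)
        if problems:
            raise ValueError(f"{platform}: {problems}")
        docs[platform] = doc
    return docs

if __name__ == "__main__":
    import json
    for platform, doc in inventory().items():
        print(platform, json.dumps(doc, sort_keys=True), missing_controls(doc))
```

The contract check runs before anything is emitted, so a collector that drifts from the agreed field set (a renamed key, a boolean serialized as "true") fails at the agent rather than producing unsearchable fields in the index. The platform guard in missing_controls is the kind of platform-specific attribute the non-functional requirements ask to preserve: the same dashboard rule must not flag every Mac as lacking a TPM.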

Deliverables

  • Define and document the ECS/WCS field set for firmware_inventory.
  • Propose table schema for dbsync (1 table).
  • Define the Wazuh-DB schema and Rsync format for synchronization.
  • Align syscollector outputs with the agreed model.
  • Validate and test the schema on all Tier 1 platforms (Linux, Windows, macOS).

Acceptance Criteria

  • A formal document or JSON schema exists defining the fields and structure for firmware inventory.
  • Agent generates inventory data in the agreed format, using syscollector.
  • Wazuh-DB stores and synchronizes the information correctly via Rsync.
  • Indexer receives structured inventory data with correct mappings and searchable fields.
  • Dashboard is capable of querying and visualizing the new firmware inventory fields.
