Creating a custom WPK
Prerequisites
To create a WPK file, an X509 certificate and root CA are required. They provide a secure mechanism for signing and verifying WPK packages. If you already have them, skip to the Building the WPK section. Otherwise, perform these steps on the Wazuh server:
Create a root CA:
# openssl req -x509 -new -nodes -newkey rsa:2048 -keyout wpk_root.key -out wpk_root.pem -batch
Create a certificate and key:
# openssl req -new -nodes -newkey rsa:2048 -keyout wpkcert.key -out wpkcert.csr -subj '/C=US/ST=CA/O=Wazuh'
Set the location as follows:
/C=US is the country.
/ST=CA is the state.
/O=Wazuh is the organization's name.
Sign this certificate with the root CA:
# openssl x509 -req -days 365 -in wpkcert.csr -CA wpk_root.pem -CAkey wpk_root.key -out wpkcert.pem -CAcreateserial
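The following pre-flight check is an added example, not part of the Wazuh documentation or tooling: it confirms that wpkcert.pem chains to wpk_root.pem, that wpkcert.key is its private key, and that the certificate is not about to expire. Function names are hypothetical, and the demo material is constructed with the same openssl commands shown above.

```bash
#!/usr/bin/env bash
# Pre-flight checks for WPK signing material. Function names are hypothetical;
# file names follow the prerequisites section.

# Succeeds if the certificate chains to the given root CA.
chains_to_root() {      # chains_to_root <root.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the private key and the certificate hold the same public key.
key_matches_cert() {    # key_matches_cert <cert.pem> <cert.key>
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds if the certificate is still valid <days> days from now.
valid_for_days() {      # valid_for_days <cert.pem> <days>
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks and reports the first failure.
preflight() {           # preflight <root.pem> <cert.pem> <cert.key> <min_days>
    chains_to_root "$1" "$2"   || { echo "FAIL: $2 does not chain to $1"; return 1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 is not the key for $2"; return 1; }
    valid_for_days "$2" "$4"   || { echo "FAIL: $2 expires within $4 days"; return 1; }
    echo "OK: signing material is consistent"
}

# Constructed throwaway material, made with the same commands as the prerequisites.
make_demo_material() {  # prints the temporary directory holding the files
    local d
    d=$(mktemp -d) || return 1
    ( cd "$d" &&
      openssl req -x509 -new -nodes -newkey rsa:2048 -keyout wpk_root.key -out wpk_root.pem -batch &&
      openssl req -new -nodes -newkey rsa:2048 -keyout wpkcert.key -out wpkcert.csr -subj '/C=US/ST=CA/O=Wazuh' &&
      openssl x509 -req -days 365 -in wpkcert.csr -CA wpk_root.pem -CAkey wpk_root.key -out wpkcert.pem -CAcreateserial
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

# Usage: preflight.sh <root.pem> <cert.pem> <cert.key> [min_days]
if [ "$#" -ge 3 ]; then preflight "$1" "$2" "$3" "${4:-30}"; fi
```

Run it against your real files before building, for example with a minimum of 30 days of remaining validity.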
Building the WPK
There are two different methods of creating a WPK:
Using Docker
Wazuh provides an automated way of building WPK packages using Docker, so no other dependency is needed.
To generate a WPK package, you need an X509 certificate and a CA. See Prerequisites to learn more.
Perform these steps on the Wazuh server to create a WPK package using Docker:
Requirements
Docker
Git
Download the wazuh-packages repository from GitHub and navigate to the WPK directory:
$ git clone https://github.com/wazuh/wazuh-packages && cd wazuh-packages/wpk && git checkout v4.9.0
Execute the generate_wpk_package.sh script with the different options you desire. This script will build a Docker image with all the necessary tools to create the WPK and run a container that will build it:
$ ./generate_wpk_package.sh -h

Usage: ./generate_wpk_package.sh [OPTIONS]

    -t,   --target-system <target>  [Required] Select target wpk to build [linux/windows/macos].
    -b,   --branch <branch>         [Required] Select Git branch or tag e.g.
    -d,   --destination <path>      [Required] Set the destination path of package.
    -pn,  --package-name <name>     [Required for windows and macos] Package name to pack on wpk.
    -o,   --output <name>           [Required] Name to the output package.
    -k,   --key-dir <arch>          [Required] Set the WPK key path to sign package.
    --aws-wpk-key                   [Optional] AWS Secrets manager Name/ARN to get WPK private key.
    --aws-wpk-cert                  [Optional] AWS secrets manager Name/ARN to get WPK certificate.
    --aws-wpk-key-region            [Optional] AWS Region where secrets are stored.
    -a,   --architecture <arch>     [Optional] Target architecture of the package [x86_64].
    -j,   --jobs <number>           [Optional] Number of parallel jobs when compiling.
    -p,   --path <path>             [Optional] Installation path for the package. By default: /var.
    -c,   --checksum                [Optional] Generatez checksum.
    -h,   --help                    Show this help.
To use this tool, the previously created certificate and key must be in the same directory.
Linux WPK
Run the command below to build a Linux WPK:
# ./generate_wpk_package.sh -t linux -b v4.9.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o wazuh-agent_v4.9.0_linux.wpk
This script builds a Wazuh version 4.9.0 Linux WPK file named wazuh-agent_v4.9.0_linux.wpk and stores it in /<DESTINATION_PATH> (you can use a destination path of your choice). It does this using the previously generated keys saved in /<PATH_TO_GENERATED_WPK_KEYS> (see Prerequisites).
Replace /<PATH_TO_GENERATED_WPK_KEYS> with the directory path of the previously generated keys (example: /tmp/keys).
Windows WPK
To build a WPK for Windows, you need to first download an MSI package of the desired version:
# curl -O https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi
Run the command below to build a Windows WPK:
# ./generate_wpk_package.sh -t windows -b v4.9.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o wazuh-agent_v4.9.0_windows.wpk -pn /<PATH_TO>/wazuh-agent-4.9.0-1.msi
This script builds a Wazuh 4.9.0 Windows WPK package named wazuh-agent_v4.9.0_windows.wpk and stores it in /<DESTINATION_PATH> (you can use a destination path of your choice). It does this using the previously generated keys saved in /<PATH_TO_GENERATED_WPK_KEYS> and the downloaded MSI package in /<PATH_TO>/wazuh-agent-4.9.0-1.msi.
Replace /<PATH_TO_GENERATED_WPK_KEYS> with the directory path of the previously generated keys and /<PATH_TO>/wazuh-agent-4.9.0-1.msi with the directory path to the downloaded MSI package.
If the -c or --checksum option is used, a file is created containing the SHA512 checksum in the same output path. The location of this file is configurable, and you can indicate where you want to store it.
macOS WPK
To build a WPK for macOS, you need to first download a PKG package of the desired version:
# curl -O https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.0-1.pkg
Run the command below to build a macOS WPK:
# ./generate_wpk_package.sh -t macos -b v4.9.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o wazuh-agent_v4.9.0_macOS.wpk -pn /tmp/wazuh-agent-4.9.0-1.pkg
This script builds a Wazuh 4.9.0 macOS WPK package named wazuh-agent_v4.9.0_macOS.wpk and stores it in /<DESTINATION_PATH> (you can use a destination path of your choice). It does this using the previously generated keys saved in /<PATH_TO_GENERATED_WPK_KEYS>.
Replace /<PATH_TO_GENERATED_WPK_KEYS> with the directory path of the previously generated keys.
If the -c or --checksum option is used, a file is created containing the SHA512 checksum in the same output path. The location of this file is configurable, and you can indicate where you want to store it.
Below is an example of building a WPK with a checksum:
# ./generate_wpk_package.sh -t linux -b v4.9.0 -d /<DESTINATION_PATH> -k /<PATH_TO_GENERATED_WPK_KEYS> -o LinuxAgent.wpk -c /tmp/wpk_checksum
Generating WPK packages manually
Perform these actions on the Wazuh server.
Requirements
Python 2.7 or 3.5+
The Python cryptography package. This can be obtained using the following command:
$ pip install cryptography
Linux WPK
Install the development tools and compilers. This can easily be done using your distribution package manager.
# yum install make gcc policycoreutils-python automake autoconf libtool unzip
# apt-get install make gcc libc6-dev curl policycoreutils automake autoconf libtool unzip
Download and extract the latest version:
# curl -Ls https://github.com/wazuh/wazuh/archive/v4.9.0.tar.gz | tar zx
# cd wazuh-4.9.0
Download the latest version of the Wazuh DEB or RPM package. For example, for Debian:
# curl -Ls https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb --output wazuh-agent-4.9.0-1_amd64.deb
Install the root CA if you want to overwrite the root CA with the file you created previously:
# cp <PATH_TO>/wpk_root.pem etc/wpk_root.pem
Copy the necessary script to the Wazuh sources folder to compile the WPK.
# cp src/init/pkg_installer.sh .
Compile the WPK package using the downloaded package, along with your SSL certificate and key.
# tools/agent-upgrade/wpkpack.py output/myagent.wpk path/to/wpkcert.pem path/to/wpkcert.key wazuh-agent-4.9.0-1_amd64.deb upgrade.sh pkg_installer.sh
Definitions:
output/myagent.wpk is the name of the output WPK package.
path/to/wpkcert.pem is the path to the SSL certificate.
path/to/wpkcert.key is the path to the SSL certificate's key.
wazuh-agent-4.9.0-1_amd64.deb is the package file downloaded in step 3.
upgrade.sh is the script that runs first when the WPK is deployed in the target agent. Find an example at the base directory in the Wazuh repository.
pkg_installer.sh is the script that manages the WPK upgrade procedure. Find an example in src/init in the Wazuh repository.
Windows WPK
Install the development tools and compilers. This can easily be done using your distribution package manager:
# yum install make gcc policycoreutils-python automake autoconf libtool unzip
# apt-get install make gcc libc6-dev curl policycoreutils automake autoconf libtool unzip
Download and extract the latest version of Wazuh sources:
# curl -Ls https://github.com/wazuh/wazuh/archive/v4.9.0.tar.gz | tar zx
# cd wazuh-4.9.0
Download the latest version of the Wazuh MSI package:
# curl -Ls https://packages.wazuh.com/4.x/windows/wazuh-agent-4.9.0-1.msi --output wazuh-agent-4.9.0-1.msi
Install the root CA if you want to overwrite the root CA with the file you created previously:
# cp <PATH_TO>/wpk_root.pem etc/wpk_root.pem
Compile the WPK package using the MSI package, along with your SSL certificate and key.
# tools/agent-upgrade/wpkpack.py <PATH_TO>/myagent.wpk <PATH_TO>/wpkcert.pem <PATH_TO>/wpkcert.key <PATH_TO>/wazuhagent.msi <PATH_TO>/upgrade.bat <PATH_TO>/do_upgrade.ps1
Definitions:
<PATH_TO>/myagent.wpk is the name of the output WPK package.
<PATH_TO>/wpkcert.pem is the path to the SSL certificate.
<PATH_TO>/wpkcert.key is the path to the SSL certificate's key.
<PATH_TO>/wazuhagent.msi is the path to the MSI file downloaded in step 3.
<PATH_TO>/upgrade.bat is the path to the upgrade.bat file. Find an example in src/win32 in the Wazuh repository.
<PATH_TO>/do_upgrade.ps1 is the path to the do_upgrade.ps1 file. Find an example in src/win32 in the Wazuh repository.
macOS WPK
Install development tools and compilers. This can easily be done using your distribution package manager:
# yum install make gcc policycoreutils-python automake autoconf libtool unzip
# apt-get install make gcc libc6-dev curl policycoreutils automake autoconf libtool unzip
Download and extract the latest version of Wazuh sources:
# curl -Ls https://github.com/wazuh/wazuh/archive/v4.9.0.tar.gz | tar zx
# cd wazuh-4.9.0
Download the latest version of the Wazuh PKG package:
# curl -Ls https://packages.wazuh.com/4.x/macos/wazuh-agent-4.9.0-1.pkg --output wazuh-agent-4.9.0-1.pkg
Install the root CA if you want to overwrite the root CA with the file you created previously:
# cp <PATH_TO>/wpk_root.pem etc/wpk_root.pem
Copy the necessary script to the Wazuh sources folder to compile the WPK:
# cp src/init/pkg_installer.sh .
Compile the WPK package using the PKG package and your SSL certificate and key:
# tools/agent-upgrade/wpkpack.py <PATH_TO>/myagent.wpk <PATH_TO>/wpkcert.pem <PATH_TO>/wpkcert.key wazuh-agent-4.9.0-1.pkg upgrade.sh pkg_installer.sh
Where:
<PATH_TO>/myagent.wpk is the name of the output WPK package.
<PATH_TO>/wpkcert.pem is the path to the SSL certificate.
<PATH_TO>/wpkcert.key is the path to the SSL certificate's key.
wazuh-agent-4.9.0-1.pkg is the PKG file downloaded in step 3.
upgrade.sh is the script that runs first when the WPK is deployed in the target agent. Find an example in the base directory in the Wazuh repository.
pkg_installer.sh is the script that manages the WPK upgrade procedure. Find an example in src/init in the Wazuh repository.
Note
These are only examples. If you want to distribute a WPK package using these methods, it's important to begin with an empty directory.