Description
This epic tracks the design and implementation of a unified inventory model for Kernel Modules within the Wazuh architecture. The goal is to define a structured, cross-platform data contract to collect and represent kernel-level components across Linux, Windows, and macOS. This includes Linux kernel modules, Windows drivers, and macOS kernel extensions.
The resulting inventory must be normalized and follow an ECS-aligned schema, enabling visibility and auditing of kernel-level components through stateful events that are consistent across platforms.
Functional Requirements
- Propose and agree on the data model (fields and structure) for:
  - Linux kernel modules
  - Windows drivers
  - macOS kernel extensions
- Ensure ECS compatibility where applicable, with wazuh.* extensions as needed.
- Prefer a single index in the Indexer (e.g. wazuh-inventory-kernel-modules) for storing all platform data.
Non-Functional Requirements
- The schema should support efficient filtering by name, load status, version, and source.
- Normalize platform-specific attributes while preserving relevant details.
- Output should be ready for integration into API queries and Dashboard views.
Plan
Indexer
- Define the document format for kernel module entries:
  - Include a platform or module_type field for Linux/Windows/macOS.
  - Store all records in a single index, enabling unified analysis.
Agent
- DBSync
  - Model the inventory with a unified table:
    - Accepts records from kernel_modules, drivers, and kernel_extensions.
  - Integrate collection logic into syscollector via extended_sources.
Related Collector Issues
Server
- Wazuh-DB
  - Use Rsync to synchronize kernel_modules_inventory data.
  - Maintain a schema that supports platform-specific fields within a unified structure.
  - Provide filtering and query capabilities through the API.
Dashboard
- Define how kernel module data will be visualized:
  - Group by load status (loaded, unloaded, failed).
  - Filter by platform, module name, or version.
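The plan above asks for one record shape that the agent fills from three different platform tools and that the API and dashboard can filter and group on. The following script, an added example and not Wazuh or syscollector code, shows what that normalization looks like end to end: it parses constructed sample output from `lsmod`, `driverquery /v /fo csv` and `kextstat`, emits one document per module with the shared fields at the top level and platform-only attributes nested under `details`, then runs the filter and group-by-load-status queries the Non-Functional Requirements and Dashboard sections call for. The field names (`module_type`, `load_status`, `source`, `details`) and the `module_type` values are assumptions standing in for whatever the agreed schema finally defines.

```python
"""Normalise raw kernel-module listings from Linux, Windows and macOS into one
record shape for a single inventory index. Added example, not Wazuh code; the
field names and module_type values are assumptions, not the agreed schema."""
import csv
import io
import re

# `lsmod` (Linux), constructed. Only loaded modules appear; no version column.
LSMOD_SAMPLE = """Module                  Size  Used by
nf_tables             258048  7 nft_compat,nft_chain_nat
xfs                  1703936  1
"""

# `driverquery /v /fo csv` (Windows), constructed, header trimmed to the columns used.
DRIVERQUERY_SAMPLE = r'''"Module Name","Display Name","Driver Type","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Running","C:\Windows\system32\drivers\ACPI.sys"
"beep","Beep","Kernel","Stopped","C:\Windows\system32\drivers\beep.sys"
'''

# `kextstat` (macOS), constructed, trailing "Linked Against" column dropped.
KEXTSTAT_SAMPLE = """Index Refs Address            Size       Wired      Name (Version) UUID
    1   93 0xffffff7f80a5f000 0x8000     0x8000     com.apple.kpi.bsd (21.6.0) 9D4A1C2E
   24    0 0xffffff7f81f04000 0x2000     0x2000     com.example.vpnkext (3.1.2) 7B11F0AA
"""

KEXT_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<refs>\d+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+"
    r"\s+(?P<name>\S+)\s+\((?P<version>[^)]+)\)"
)


def record(module_type, name, loaded, version=None, source=None, **details):
    """One document for the unified index: shared fields at the top level so the
    API can filter on them, platform-only attributes preserved under details."""
    return {
        "module_type": module_type,   # linux_module | windows_driver | macos_kext (assumed)
        "name": name,
        "version": version,           # None when the platform tool does not report it
        "load_status": "loaded" if loaded else "unloaded",
        "source": source,             # on-disk path, sysfs path or bundle identifier
        "details": details,
    }


def parse_lsmod(text):
    docs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue
        name, size, refs = parts[0], int(parts[1]), int(parts[2])
        used_by = parts[3].split(",") if len(parts) == 4 else []
        docs.append(record("linux_module", name, loaded=True,
                           source=f"/sys/module/{name}",
                           size=size, ref_count=refs, used_by=used_by))
    return docs


def parse_driverquery(text):
    docs = []
    for row in csv.DictReader(io.StringIO(text)):
        docs.append(record("windows_driver", row["Module Name"],
                           loaded=row["State"] == "Running",
                           source=row["Path"],
                           display_name=row["Display Name"],
                           driver_type=row["Driver Type"]))
    return docs


def parse_kextstat(text):
    docs = []
    for line in text.splitlines():
        m = KEXT_RE.match(line)                 # header line does not match
        if not m:
            continue
        docs.append(record("macos_kext", m["name"], loaded=True,
                           version=m["version"], source=m["name"],
                           index=int(m["index"]), ref_count=int(m["refs"])))
    return docs


def normalize_all():
    """Merge every platform into the list that would feed the single index."""
    return (parse_lsmod(LSMOD_SAMPLE)
            + parse_driverquery(DRIVERQUERY_SAMPLE)
            + parse_kextstat(KEXTSTAT_SAMPLE))


def filter_modules(docs, **criteria):
    """Exact-match filter on the shared top-level fields (name, load_status,
    version, source, module_type), the queries the API must support."""
    return [d for d in docs if all(d.get(k) == v for k, v in criteria.items())]


def group_by_load_status(docs):
    """Counts per load_status, the grouping the dashboard plan calls for."""
    counts = {}
    for d in docs:
        counts[d["load_status"]] = counts.get(d["load_status"], 0) + 1
    return counts


if __name__ == "__main__":
    inventory = normalize_all()
    print(group_by_load_status(inventory))
    for doc in filter_modules(inventory, load_status="unloaded"):
        print(doc["module_type"], doc["name"], doc["source"])
```

Two things the sample makes visible that the plan should settle explicitly: `lsmod` and `kextstat` list only loaded components, so an "unloaded" or "failed" status on Linux and macOS has to come from another source (for example the module files on disk or the kext staging logs), and neither `lsmod` nor `driverquery` reports a version, so the `version` field will be null for those platforms unless the collector also queries `modinfo` or the driver file's version resource.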
Deliverables
- kernel_modules_inventory.dbsync (1 table).
Acceptance Criteria
- A formal document or JSON schema exists defining the fields and structure for kernel modules.
- Agent generates inventory data in the agreed format, using syscollector.
- Wazuh-DB stores and synchronizes the information correctly via Rsync.
- Indexer receives structured inventory data with correct mappings and searchable fields.
- Dashboard is capable of querying and visualizing the new kernel module inventory fields.