Wazuh manager with dynamic link installation path issue after upgrading to 4.3.x #1695

Closed
dariommr opened this issue Jun 15, 2022 · 4 comments · Fixed by #1713

dariommr commented Jun 15, 2022

Wazuh version   Component   Install type   Install method   Platform
4.3.4-40316     Analysisd   Manager        Packages         CentOS7

Description

Hello Team,
I am having this issue after upgrading the Wazuh Manager from any 4.2.x version:

[root@wzh-upg ~]# yum install wazuh-manager-4.2.7-1.x86_64.rpm                                                                 <--- INSTALLING 4.2.x
Loaded plugins: fastestmirror
Examining wazuh-manager-4.2.7-1.x86_64.rpm: wazuh-manager-4.2.7-1.x86_64
Marking wazuh-manager-4.2.7-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.2.7-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================================================================================
 Package                                                Arch                                            Version                                            Repository                                                              Size
========================================================================================================================================================================================================================================
Installing:
 wazuh-manager                                          x86_64                                          4.2.7-1                                            /wazuh-manager-4.2.7-1.x86_64                                          427 M

Transaction Summary
========================================================================================================================================================================================================================================
Install  1 Package

Total size: 427 M
Installed size: 427 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-manager-4.2.7-1.x86_64                                                                                                                                                                                         1/1 
  Verifying  : wazuh-manager-4.2.7-1.x86_64                                                                                                                                                                                         1/1 

Installed:
  wazuh-manager.x86_64 0:4.2.7-1                                                                                                                                                                                                        

Complete!
[root@wzh-upg ~]# systemctl daemon-reload
[root@wzh-upg ~]# systemctl enable wazuh-manager
[root@wzh-upg ~]# systemctl start wazuh-manager
[root@wzh-upg ~]# systemctl stop wazuh-manager                                                                     <--- STOPPING THE WAZUH MANAGER
[root@wzh-upg ~]# mv /var/ossec/ /data/staging/                                                                         <--- MOVING THE OSSEC FOLDER
[root@wzh-upg ~]# ln -s /data/staging/ossec/ /var/ossec                                                              <--- CREATING SYMLINK
[root@wzh-upg ~]# ls -l /var | grep ossec
lrwxrwxrwx.  1 root root   20 Jun 16 08:04 ossec -> /data/staging/ossec/
[root@wzh-upg ~]# systemctl start wazuh-manager                                                                      <--- STARTING WAZUH MANAGER
[root@wzh-upg ~]# rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
[root@wzh-upg ~]# echo -e '[wazuh]\ngpgcheck=1\ngpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH\nenabled=1\nname=EL-$releasever - Wazuh\nbaseurl=https://packages.wazuh.com/4.x/yum/\nprotect=1' | tee /etc/yum.repos.d/wazuh.repo
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
[root@wzh-upg ~]# yum upgrade wazuh-manager                                                                      <--- UPGRADING FROM REPO
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.zero.com.ar
 * extras: mirrors.eze.sysarmy.com
 * updates: mirror.ufro.cl
wazuh                                                                                                                                                                                                            | 3.4 kB  00:00:00     
wazuh/primary_db                                                                                                                                                                                                 | 208 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.2.7-1 will be updated
---> Package wazuh-manager.x86_64 0:4.3.4-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================================================================================================================================
 Package                                                      Arch                                                  Version                                                  Repository                                            Size
========================================================================================================================================================================================================================================
Updating:
 wazuh-manager                                                x86_64                                                4.3.4-1                                                  wazuh                                                114 M

Transaction Summary
========================================================================================================================================================================================================================================
Upgrade  1 Package

Total download size: 114 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
wazuh-manager-4.3.4-1.x86_64.rpm                                                                                                                                                                                 | 114 MB  00:00:09     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-manager-4.3.4-1.x86_64                                                                                                                                                                                         1/2 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Cleanup    : wazuh-manager-4.2.7-1.x86_64                                                                                                                                                                                         2/2 
  Verifying  : wazuh-manager-4.3.4-1.x86_64                                                                                                                                                                                         1/2 
  Verifying  : wazuh-manager-4.2.7-1.x86_64                                                                                                                                                                                         2/2 

Updated:
  wazuh-manager.x86_64 0:4.3.4-1                                                                                                                                                                                                        

Complete!
[root@wzh-upg ~]# systemctl status wazuh-manager                                                     <--- WAZUH MANAGER DID NOT START
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2022-06-16 08:06:52 -03; 10s ago
  Process: 20228 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)

Jun 16 08:06:39 wzh-upg systemd[1]: Starting Wazuh manager...
Jun 16 08:06:40 wzh-upg env[20228]: 2022/06/16 08:06:40 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
Jun 16 08:06:40 wzh-upg env[20228]: Starting Wazuh v4.3.4...
Jun 16 08:06:52 wzh-upg env[20228]: wazuh-apid did not start correctly.
Jun 16 08:06:52 wzh-upg systemd[1]: wazuh-manager.service: control process exited, code=exited status=1
Jun 16 08:06:52 wzh-upg systemd[1]: Failed to start Wazuh manager.
Jun 16 08:06:52 wzh-upg systemd[1]: Unit wazuh-manager.service entered failed state.
Jun 16 08:06:52 wzh-upg systemd[1]: wazuh-manager.service failed.
[root@wzh-upg ~]# find /var/ossec/ -group ossec | wc -l                                                 <--- FILES STILL WITH PERMISSIONS OVER THE OSSEC GROUP
74
[root@wzh-upg ~]# find /var/ossec/ -user 998 | wc -l                                                       <--- FILES STILL WITH PERMISSIONS OVER THE OSSEC USER
47
[root@wzh-upg ~]# find /var/ossec/ -user 997 | wc -l
7

Steps to reproduce

  1. Install any CentOS7 system.
  2. Mount a secondary disk in any mount point
  3. Install Wazuh Manager 4.2.x
  4. Stop the Wazuh Manager service
  5. Move /var/ossec folder to the mount point
  6. Create a symlink for the new location
  7. Start the Wazuh Manager service
  8. Create some custom rules and decoders files and modify some configurations
  9. Upgrade the Wazuh Manager to the v4.3.4 from a package already downloaded.

Evidences

Configuration:

# ls -l /var/ | grep ossec
lrwxrwxrwx.  1 root root   20 Jun 15 16:42 ossec -> /data/staging/ossec/

# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.4"
WAZUH_REVISION="40316"
WAZUH_TYPE="server"

Misconfigurations

[root@wzh-upg ~]# find /var/ossec/ -group ossec | wc -l
74
[root@wzh-upg ~]# find /var/ossec/ -user 998 | wc -l
47
[root@wzh-upg ~]# find /var/ossec/ -user 997 | wc -l
7

Conclusion

It seems that the use of a symbolic link for the Wazuh Manager folder breaks the ownership of the files when upgrading.

dariommr commented Jun 15, 2022

Workaround

Find the ID of the ossec users before performing the upgrade:

# cat /etc/passwd | grep ossec
ossec:x:997:118::/var/ossec:/sbin/nologin
ossecm:x:998:118::/var/ossec:/sbin/nologin
ossecr:x:999:118::/var/ossec:/sbin/nologin

Find all users 999, 998 and 997 and replace them with the user wazuh; apply the same for the group ossec:

[root@wzh-upg ~]# find /var/ossec/ -user 997 -exec chown wazuh {} \;
[root@wzh-upg ~]# find /var/ossec/ -user 998 -exec chown wazuh {} \;
[root@wzh-upg ~]# find /var/ossec/ -user 999 -exec chown wazuh {} \;
[root@wzh-upg ~]# find /var/ossec/ -group ossec -exec chown :wazuh {} \;
[root@wzh-upg ~]# systemctl restart wazuh-manager
[root@wzh-upg ~]# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-06-16 08:16:49 -03; 8s ago
  Process: 20461 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/wazuh-manager.service
           ├─20517 /data/staging/ossec/framework/python/bin/python3 /data/staging/ossec/api/scripts/wazuh-apid.py
           ├─20557 /var/ossec/bin/wazuh-authd
           ├─20574 /var/ossec/bin/wazuh-db
           ├─20588 /data/staging/ossec/framework/python/bin/python3 /data/staging/ossec/api/scripts/wazuh-apid.py
           ├─20591 /data/staging/ossec/framework/python/bin/python3 /data/staging/ossec/api/scripts/wazuh-apid.py
           ├─20604 /var/ossec/bin/wazuh-execd
           ├─20619 /var/ossec/bin/wazuh-analysisd
           ├─20633 /var/ossec/bin/wazuh-syscheckd
           ├─20698 /var/ossec/bin/wazuh-remoted
           ├─20731 /var/ossec/bin/wazuh-logcollector
           ├─20777 /var/ossec/bin/wazuh-monitord
           └─20824 /var/ossec/bin/wazuh-modulesd

Jun 16 08:16:40 wzh-upg env[20461]: Started wazuh-execd...
Jun 16 08:16:41 wzh-upg env[20461]: Started wazuh-analysisd...
Jun 16 08:16:43 wzh-upg env[20461]: Started wazuh-syscheckd...
Jun 16 08:16:44 wzh-upg env[20461]: Started wazuh-remoted...
Jun 16 08:16:45 wzh-upg env[20461]: Started wazuh-logcollector...
Jun 16 08:16:46 wzh-upg env[20461]: Started wazuh-monitord...
Jun 16 08:16:46 wzh-upg env[20461]: 2022/06/16 08:16:46 wazuh-modulesd: WARNING: The <ignore_time> tag at module 'vulnerability-detector' is deprecated for version newer than 4.3.
Jun 16 08:16:47 wzh-upg env[20461]: Started wazuh-modulesd...
Jun 16 08:16:49 wzh-upg env[20461]: Completed.
Jun 16 08:16:49 wzh-upg systemd[1]: Started Wazuh manager

I hope this could be helpful.

@havidarou havidarou changed the title Issue starting manager service after upgrading from package Wazuh manager with dynamic link installation path issue after upgrading to 4.3.x Jun 22, 2022
@Dwordcito Dwordcito assigned pereyra-m and unassigned Dwordcito Jun 23, 2022
@pereyra-m

Reproducing the issue

This issue was reproduced following the steps described above.

First, we have a fresh CentOS 7 box where Wazuh has been uninstalled and all the groups and users were removed.
This is the content of the /etc/passwd and /etc/group files before installing anything; there is no trace of Wazuh or OSSEC.

passwd_content_pre_install
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash
group_content_pre_install
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
rpc:x:32:
printadmin:x:997:
ssh_keys:x:996:
tss:x:59:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
chrony:x:995:
vagrant:x:1000:vagrant

Then Wazuh v4.2.7 was installed using the debug mode for yum. The content of the /etc/passwd and /etc/group files was read again.

passwd_content_pre_upgrade
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash
ossec:x:997:994::/var/ossec:/sbin/nologin
ossecr:x:996:994::/var/ossec:/sbin/nologin
ossecm:x:995:994::/var/ossec:/sbin/nologin
group_content_pre_upgrade
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
rpc:x:32:
printadmin:x:997:
ssh_keys:x:996:
tss:x:59:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
chrony:x:995:
vagrant:x:1000:vagrant
ossec:x:994:ossec,ossecr,ossecm

yum_output_pre_upgrade.log

Finally, the Wazuh manager was upgraded to v4.3.5 using the debug mode for yum. The content of the /etc/passwd and /etc/group files was read again.

passwd_content_post_upgrade
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:995::/var/lib/chrony:/sbin/nologin
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash
wazuh:x:994:993::/var/ossec:/sbin/nologin
group_content_post_upgrade
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
rpc:x:32:
printadmin:x:997:
ssh_keys:x:996:
tss:x:59:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
chrony:x:995:
vagrant:x:1000:vagrant
ossec:x:994:
wazuh:x:993:wazuh

yum_output_post_upgrade.log

We can see in /etc/group that the ossec:x:994: group wasn't deleted.
Also, the find commands that should update the ownership of the files left some files belonging to the ossec group or user.

files_with_ossec_group_post_upgrade
[root@localhost ossec]# find /var/ossec/ -group ossec -exec ls -l {} \;
-rw-r-----. 1 997 ossec 98304 Jun 23 21:06 /var/ossec/api/configuration/security/rbac.db
-rw-rw----. 1 997 ossec 19888 Jun 23 21:06 /var/ossec/etc/lists/amazon/aws-eventnames.cdb
-rw-rw----. 1 997 ossec 2265 Jun 23 21:06 /var/ossec/etc/lists/audit-keys.cdb
-rw-rw----. 1 997 ossec 6461 Jun 23 21:06 /var/ossec/etc/lists/security-eventchannel.cdb
-rw-rw----. 1 root ossec 9959 Jun 23 21:05 /var/ossec/etc/ossec.conf
-rw-rw----. 1 996 ossec 899420 Jun 23 21:15 /var/ossec/etc/shared/default/merged.mg
-rw-r-----. 2 997 ossec 327402 Jun 23 21:15 ossec-alerts-23.json
-rw-r-----. 2 997 ossec 544197 Jun 23 21:15 ossec-alerts-23.log
-rw-r-----. 2 997 ossec 544197 Jun 23 21:15 /var/ossec/logs/alerts/2022/Jun/ossec-alerts-23.log
-rw-r-----. 2 997 ossec 327402 Jun 23 21:15 /var/ossec/logs/alerts/2022/Jun/ossec-alerts-23.json
-rw-r-----. 2 997 ossec 544197 Jun 23 21:15 /var/ossec/logs/alerts/alerts.log
-rw-r-----. 2 997 ossec 327402 Jun 23 21:15 /var/ossec/logs/alerts/alerts.json
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 ossec-archive-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/archives/2022/Jun/ossec-archive-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/archives/archives.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 ossec-firewall-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/firewall/2022/Jun/ossec-firewall-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/firewall/firewall.log
-rw-rw----. 1 997 ossec 0 Jun 23 21:05 /var/ossec/logs/active-responses.log
-rw-r-----. 1 995 ossec 0 Jun 23 21:05 /var/ossec/logs/integrations.log
-rw-rw----. 1 root ossec 15367 Jun 23 21:16 /var/ossec/logs/ossec.log
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/alerts/execq
srw-rw----. 1 996 ossec 0 Jun 23 21:07 /var/ossec/queue/alerts/cfgarq
srw-rw----. 1 996 ossec 0 Jun 23 21:07 /var/ossec/queue/alerts/ar
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/alerts/cfgaq
-rw-r-----. 1 997 ossec 2351104 Jun 23 21:13 /var/ossec/queue/db/000.db
-rw-r-----. 1 997 ossec 913 Jun 23 21:13 last-entry
-rw-r-----. 1 997 ossec 913 Jun 23 21:13 /var/ossec/queue/diff/localhost/535/last-entry
-rw-rw----. 1 root ossec 1482752 Jun 23 21:10 /var/ossec/queue/fim/db/fim.db
-rw-rw----. 1 root ossec 0 Jun 23 21:10 /var/ossec/queue/fim/db/fim.db-journal
-rw-r-----. 1 997 ossec 0 Jun 23 21:06 /var/ossec/queue/fts/hostinfo
-rw-r-----. 1 997 ossec 0 Jun 23 21:06 /var/ossec/queue/fts/fts-queue
-rw-r-----. 1 997 ossec 0 Jun 23 21:06 /var/ossec/queue/fts/ig-queue
-rw-r--r--. 1 root ossec 507 Jun 23 21:15 /var/ossec/queue/logcollector/file_status.json
-rw-r--r--. 1 996 ossec 0 Jun 23 21:06 /var/ossec/queue/rids/sender_counter
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/auth
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/com
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/queue
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/syscheck
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/analysis
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/logtest
srw-rw----. 1 996 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/request
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/logcollector
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/download
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/wmodules
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/control
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/monitor
-rw-r--r--. 1 root ossec 151552 Jun 23 21:07 /var/ossec/queue/syscollector/db/local.db
-rw-r-----. 1 997 ossec 57344 Jun 23 21:06 /var/ossec/queue/tasks/tasks.db
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/tasks/upgrade
srw-rw----. 1 root ossec 0 Jun 23 21:07 /var/ossec/queue/tasks/task
-rw-------. 1 root ossec 0 Jun 23 21:15 /var/ossec/queue/agents-timestamp
files_with_ossec_user_post_upgrade
[root@localhost ossec]# find /var/ossec/ -user 997 -exec ls -l {} \;
-rw-r-----. 1 997 ossec 98304 Jun 23 21:06 /var/ossec/api/configuration/security/rbac.db
-rw-rw----. 1 997 ossec 19888 Jun 23 21:06 /var/ossec/etc/lists/amazon/aws-eventnames.cdb
-rw-rw----. 1 997 ossec 2265 Jun 23 21:06 /var/ossec/etc/lists/audit-keys.cdb
-rw-rw----. 1 997 ossec 6461 Jun 23 21:06 /var/ossec/etc/lists/security-eventchannel.cdb
-rw-r-----. 2 997 ossec 327402 Jun 23 21:15 ossec-alerts-23.json
-rw-r-----. 2 997 ossec 544197 Jun 23 21:15 ossec-alerts-23.log
-rw-r-----. 2 997 ossec 544197 Jun 23 21:15 /var/ossec/logs/alerts/2022/Jun/ossec-alerts-23.log
-rw-r-----. 2 997 ossec 327402 Jun 23 21:15 /var/ossec/logs/alerts/2022/Jun/ossec-alerts-23.json
-rw-r-----. 2 997 ossec 544197 Jun 23 21:15 /var/ossec/logs/alerts/alerts.log
-rw-r-----. 2 997 ossec 327402 Jun 23 21:15 /var/ossec/logs/alerts/alerts.json
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 ossec-archive-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/archives/2022/Jun/ossec-archive-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/archives/archives.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 ossec-firewall-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/firewall/2022/Jun/ossec-firewall-23.log
-rw-r-----. 2 997 ossec 0 Jun 23 21:06 /var/ossec/logs/firewall/firewall.log
-rw-rw----. 1 997 ossec 0 Jun 23 21:05 /var/ossec/logs/active-responses.log
-rw-r-----. 1 997 ossec 2351104 Jun 23 21:13 /var/ossec/queue/db/000.db
-rw-r-----. 1 997 ossec 913 Jun 23 21:13 last-entry
-rw-r-----. 1 997 ossec 913 Jun 23 21:13 /var/ossec/queue/diff/localhost/535/last-entry
-rw-r-----. 1 997 ossec 0 Jun 23 21:06 /var/ossec/queue/fts/hostinfo
-rw-r-----. 1 997 ossec 0 Jun 23 21:06 /var/ossec/queue/fts/fts-queue
-rw-r-----. 1 997 ossec 0 Jun 23 21:06 /var/ossec/queue/fts/ig-queue
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/queue
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/analysis
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/logtest
srw-rw----. 1 997 ossec 0 Jun 23 21:07 /var/ossec/queue/sockets/monitor
-rw-r-----. 1 997 ossec 57344 Jun 23 21:06 /var/ossec/queue/tasks/tasks.db

Root cause analysis

These changes were introduced in #716: Change default user and group.

Upgrade fails when using symbolic links

This happens because the upgrade script runs the find commands in the following way: the line

find %{_localstatedir} -group ossec -user root -exec chown root:wazuh {} \; > /dev/null 2>&1 || true

is translated to

+ find /var/ossec -group ossec -user root -exec chown root:wazuh '{}' ';'

But /var/ossec is a symbolic link and we need to add a / character at the end. If we don't, it won't be resolved properly and the find command won't run in the real folder.

This is described here https://pubs.opengroup.org/onlinepubs/9699919799/xrat/V4_xbd_chap03.html#tag_21_03_00_59
When the final component of a pathname is a symbolic link, the standard requires that a trailing <slash> causes the link to be followed. This is the behavior of historical implementations. For example, for /a/b and /a/b/, if /a/b is a symbolic link to a directory, then /a/b refers to the symbolic link, and /a/b/ refers to the directory to which the symbolic link points.

ossec group isn't removed after the upgrade

This happens because there is a bug in the SPECS file for rpm (all distributions should be checked).
Here the script is trying to verify if the ossec group exists using id -g ossec:

if id -g ossec > /dev/null 2>&1; then
groupdel ossec > /dev/null 2>&1
fi

But the correct expression to verify the existence of the group should be getent group ossec. This prevents the ossec group from being removed after the upgrade. We should also verify it here:

if id -g ossec > /dev/null 2>&1; then
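
The two root causes in pereyra-m's analysis above, reproduced without root in a temporary directory. This is an added example, not code from the Wazuh SPEC files; the directory layout and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed layout and hypothetical helper names,
# not the scriptlets from the Wazuh packages.

# Build a real directory holding three files plus a symlink that points at it,
# mirroring /var/ossec -> /data/staging/ossec from the issue.
make_layout() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/data/staging/ossec/etc" "$base/data/staging/ossec/logs" "$base/var"
    : > "$base/data/staging/ossec/etc/ossec.conf"
    : > "$base/data/staging/ossec/logs/ossec.log"
    : > "$base/data/staging/ossec/logs/alerts.log"
    ln -s "$base/data/staging/ossec" "$base/var/ossec"
    printf '%s\n' "$base"
}

# Number of regular files find reaches from a given starting point.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Scriptlet form: the starting point is the symlink itself. find does not
# follow it by default, so it visits only the link and an -exec chown would
# never touch a file. With '> /dev/null 2>&1 || true' nothing is reported.
count_without_slash() { count_files "$1/var/ossec"; }

# Trailing slash: the path resolves to the directory the link points to.
count_with_slash() { count_files "$1/var/ossec/"; }

# 'id -g NAME' looks NAME up as a user and prints that user's primary GID.
exists_as_user() { id -g "$1" > /dev/null 2>&1; }

# 'getent group NAME' looks NAME up in the group database.
exists_as_group() { getent group "$1" > /dev/null 2>&1; }

# First group on this host with no same-named user: the state the 'ossec'
# group is in once the ossec users are gone. Prints nothing if none is found.
group_without_user() {
    getent group 2>/dev/null | cut -d: -f1 | while IFS= read -r g; do
        if ! getent passwd "$g" > /dev/null 2>&1; then
            printf '%s\n' "$g"
            break
        fi
    done
}

demo() {
    base=$(make_layout) || return 1
    echo "find <symlink>   reaches $(count_without_slash "$base") files"
    echo "find <symlink>/  reaches $(count_with_slash "$base") files"
    rm -rf "$base"

    g=$(group_without_user)
    if [ -n "$g" ]; then
        if exists_as_user "$g"; then by_id=found; else by_id=missing; fi
        if exists_as_group "$g"; then by_getent=found; else by_getent=missing; fi
        echo "group '$g': id -g says $by_id, getent group says $by_getent"
    else
        echo "no group without a same-named user on this host"
    fi
}

demo
```
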

@DFolchA DFolchA self-assigned this Jun 28, 2022
@DFolchA DFolchA transferred this issue from wazuh/wazuh Jun 28, 2022

DFolchA commented Jun 29, 2022

Update

  • Apply suggested changes.

Tests

  • Build packages
    • RPM
    • DEB
  • Test installation
    • RPM
    • DEB
  • Test upgrade
    • RPM
    • DEB

@DFolchA DFolchA linked a pull request Jul 1, 2022 that will close this issue

DFolchA commented Jul 1, 2022

Testing

Build packages

https://ci.wazuh.info/job/Packages_builder_tier/2238/
https://ci.wazuh.info/job/Packages_builder_special/538/

Test Install

https://ci.wazuh.info/job/Test_install_tier/

Solaris11
root@solaris11:/export/home/vagrant# pkg install -g wazuh-agent_v4.3.6-sol11-i386.p5p wazuh-agent
                        Paquetes que instalar:  1
                        Servicios que cambiar:  1
                      Crear entorno de inicio: No
Crear copia de seguridad de entorno de inicio: No

DESCARGAR                           PAQUETES      ARCHIVOS    XFER (MB) VELOCIDAD
Finalizado                               1/1         92/92      5.7/5.7 79.1M/s

FASE                                       ELEMENTOS
Instalando acciones nuevas                   144/144
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   0/0 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 

AIX
bash-4.4# rpm -ihv wazuh-agent-4.3.6-1.aix.ppc.rpm 
wazuh-agent                 ##################################################
bash-4.4# ls -lah /var/ossec/
ls: illegal option -- h
usage: ls [-1ACFHLNRSabcdefgiklmnopqrstuxEUX] [File...]
bash-4.4# ls -la /var/ossec/
total 24
drwxr-x---   15 root     wazuh          4096 Jul  1 07:20 .
drwxr-xr-x   41 bin      bin            4096 Jul  1 07:20 ..
drwxrwx---    2 root     wazuh           256 Jul  1 06:27 .ssh
drwxr-x---    3 root     wazuh           256 Jul  1 07:20 active-response
drwxr-x---    2 root     wazuh          4096 Jul  1 07:20 agentless
drwxr-x---    2 root     wazuh           256 Jul  1 06:27 backup
drwxr-x---    2 root     system          256 Jul  1 07:20 bin
drwxrwx---    3 wazuh    wazuh           256 Jul  1 07:20 etc
drwxr-x---    2 root     system          256 Jul  1 07:20 lib
drwxrwx---    3 wazuh    wazuh           256 Jul  1 07:20 logs
drwxr-x---    9 root     wazuh           256 Jul  1 07:20 queue
drwxr-xr-x    3 root     system          256 Jul  1 07:20 ruleset
drwxr-x--T    2 root     wazuh           256 Jul  1 07:20 tmp
drwxr-x---    6 root     wazuh           256 Jul  1 07:20 var
drwxr-x---    5 root     wazuh           256 Jul  1 07:20 wodles

Test upgrade

https://ci.wazuh.info/job/Test_upgrade_tier/1984/

Solaris11
root@solaris11:/export/home/vagrant# pkg install -g wazuh-agent_v4.0.0-sol11-i386.p5p  wazuh-agent
                        Paquetes que instalar:  1
                      Crear entorno de inicio: No
Crear copia de seguridad de entorno de inicio: No

DESCARGAR                           PAQUETES      ARCHIVOS    XFER (MB) VELOCIDAD
Finalizado                               1/1         79/79    14.0/14.0  166M/s

FASE                                       ELEMENTOS
Instalando acciones nuevas                   119/119
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   0/0 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 
root@solaris11:/export/home/vagrant# pkg install -g wazuh-agent_v4.3.6-sol11-i386.p5p wazuh-agent
                      Paquetes que actualizar:   1
                        Servicios que cambiar:   1
                      Crear entorno de inicio:  No
Crear copia de seguridad de entorno de inicio: Sí

DESCARGAR                           PAQUETES      ARCHIVOS    XFER (MB) VELOCIDAD
Finalizado                               1/1         84/84      5.7/5.7 89.1M/s

FASE                                       ELEMENTOS
Eliminando acciones antiguas                   28/28
Instalando acciones nuevas                     51/51
Actualizando acciones modificadas              87/87
Actualizando base de datos de estado de paquete   Terminado 
Actualizando caché de paquete                   1/1 
Actualizando estado de imagen              Terminado 
Creando base de datos de búsqueda rápida   Terminado 
Actualizando caché de paquete                   2/2 

AIX
bash-4.4# rpm -ihv wazuh-agent-4.0.0-1.aix.ppc.rpm 
wazuh-agent                 ##################################################
bash-4.4# rpm -Uhv wazuh-agent-4.3.6-1.aix.ppc.rpm 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
wazuh-agent                 ##################################################
var/opt/freeware/tmp/rpm-tmp.4017[14]: %posttrans:  not found
bash-4.4# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.3.6"
WAZUH_REVISION="40318"
WAZUH_TYPE="agent"

Upgrade with symlinks

RPM manager
Examining /var/tmp/yum-root-ZB8kaD/wazuh-manager-4.0.4-1.x86_64.rpm: wazuh-manager-4.0.4-1.x86_64
Marking /var/tmp/yum-root-ZB8kaD/wazuh-manager-4.0.4-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.0.4-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                         Arch                     Version                     Repository                                       Size
============================================================================================================================================
Installing:
 wazuh-manager                   x86_64                   4.0.4-1                     /wazuh-manager-4.0.4-1.x86_64                   371 M

Transaction Summary
============================================================================================================================================
Install  1 Package

Total size: 371 M
Installed size: 371 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-manager-4.0.4-1.x86_64                                                                                             1/1 
  Verifying  : wazuh-manager-4.0.4-1.x86_64                                                                                             1/1 

Installed:
  wazuh-manager.x86_64 0:4.0.4-1                                                                                                            

Complete!
[root@centos7 vagrant]# mv /var/ossec/ /home/ossec
[root@centos7 vagrant]# ln -l /home/ossec /var/ossec
ln: invalid option -- 'l'
Try 'ln --help' for more information.
[root@centos7 vagrant]# ln -s /home/ossec/ /var/ossec
[root@centos7 vagrant]# ls -lah /var/ossec
lrwxrwxrwx. 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
[root@centos7 vagrant]# ls -lah /var/ossec/
total 4.0K
drwxr-x---. 19 root  ossec  242 Jul  1 11:48 .
drwxr-xr-x.  4 root  root    34 Jul  1 11:50 ..
drwxrwx---.  2 root  ossec    6 Jan 13  2021 .ssh
drwxr-x---.  3 root  ossec   17 Jul  1 11:48 active-response
drwxr-x---.  2 root  ossec  286 Jul  1 11:48 agentless
drwxr-x---.  4 root  ossec   42 Jul  1 11:48 api
drwxr-x---.  5 root  ossec   48 Jul  1 11:48 backup
drwxr-x---.  2 root  ossec 4.0K Jul  1 11:48 bin
drwxrwx---.  7 ossec ossec  265 Jul  1 11:48 etc
drwxr-x---.  5 root  ossec   48 Jul  1 11:48 framework
drwxr-x---.  2 root  ossec   91 Jul  1 11:48 integrations
drwxr-x---.  2 root  ossec   55 Jul  1 11:48 lib
drwxrwx---.  8 ossec ossec  143 Jul  1 11:48 logs
drwxr-x---. 14 root  ossec  181 Jul  1 11:48 queue
drwxr-x---.  5 root  ossec   61 Jul  1 11:48 ruleset
drwxr-x---.  2 ossec ossec    6 Jan 13  2021 stats
drwxrwx--T.  2 root  ossec    6 Jul  1 11:48 tmp
drwxr-x---.  9 root  ossec  106 Jul  1 11:48 var
drwxr-x---.  6 root  ossec   58 Jul  1 11:48 wodles

[root@centos7 vagrant]# yum install https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/test/4.3/rpm/var/wazuh-manager-4.3.6-1.x86_64.rpm -y
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
wazuh-manager-4.3.6-1.x86_64.rpm                                                                                     | 114 MB  00:00:23     
Examining /var/tmp/yum-root-ZB8kaD/wazuh-manager-4.3.6-1.x86_64.rpm: wazuh-manager-4.3.6-1.x86_64
Marking /var/tmp/yum-root-ZB8kaD/wazuh-manager-4.3.6-1.x86_64.rpm as an update to wazuh-manager-4.0.4-1.x86_64
Resolving Dependencies
--> Running transaction check
---> Package wazuh-manager.x86_64 0:4.0.4-1 will be updated
---> Package wazuh-manager.x86_64 0:4.3.6-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                         Arch                     Version                     Repository                                       Size
============================================================================================================================================
Updating:
 wazuh-manager                   x86_64                   4.3.6-1                     /wazuh-manager-4.3.6-1.x86_64                   436 M

Transaction Summary
============================================================================================================================================
Upgrade  1 Package

Total size: 436 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-manager-4.3.6-1.x86_64                                                                                             1/2 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Cleanup    : wazuh-manager-4.0.4-1.x86_64                                                                                             2/2 
  Verifying  : wazuh-manager-4.3.6-1.x86_64                                                                                             1/2 
  Verifying  : wazuh-manager-4.0.4-1.x86_64                                                                                             2/2 

Updated:
  wazuh-manager.x86_64 0:4.3.6-1                                                                                                            

Complete!
[root@centos7 vagrant]# ls -lah /var/ossec
lrwxrwxrwx. 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
[root@centos7 vagrant]# ls -lah /var/ossec/
total 4.0K
drwxr-x---. 19 root  wazuh  242 Jul  1 11:57 .
drwxr-xr-x.  4 root  root    34 Jul  1 11:50 ..
drwxrwx---.  2 root  wazuh    6 Jul  1 11:21 .ssh
drwxr-x---.  3 root  wazuh   17 Jul  1 11:21 active-response
drwxr-x---.  2 root  wazuh  286 Jul  1 11:57 agentless
drwxr-x---.  4 root  wazuh   42 Jul  1 11:21 api
drwxr-x---.  5 root  wazuh   48 Jul  1 11:21 backup
drwxr-x---.  2 root  wazuh 4.0K Jul  1 11:57 bin
drwxrwx---.  7 wazuh wazuh  267 Jul  1 11:57 etc
drwxr-x---.  5 root  wazuh   48 Jul  1 11:21 framework
drwxr-x---.  2 root  wazuh   91 Jul  1 11:57 integrations
drwxr-x---.  2 root  wazuh  166 Jul  1 11:57 lib
drwxrwx---.  8 wazuh wazuh  143 Jul  1 11:57 logs
drwxr-x---. 16 root  wazuh  219 Jul  1 11:57 queue
drwxr-x---.  5 root  wazuh   46 Jul  1 11:57 ruleset
drwxr-x---.  2 wazuh wazuh    6 Jul  1 11:21 stats
drwxrwx--T.  2 root  wazuh    6 Jul  1 11:57 tmp
drwxr-x---.  9 root  wazuh  106 Jul  1 11:21 var
drwxr-x---.  6 root  wazuh   93 Jul  1 11:57 wodles
[root@centos7 vagrant]#

RPM agent
[root@centos7-2 vagrant]# yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.0.4-1.x86_64.rpm
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
wazuh-agent-4.0.4-1.x86_64.rpm                                                                                       | 4.7 MB  00:00:01     
Examining /var/tmp/yum-root-PpWDLd/wazuh-agent-4.0.4-1.x86_64.rpm: wazuh-agent-4.0.4-1.x86_64
Marking /var/tmp/yum-root-PpWDLd/wazuh-agent-4.0.4-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.x86_64 0:4.0.4-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                        Arch                      Version                      Repository                                      Size
============================================================================================================================================
Installing:
 wazuh-agent                    x86_64                    4.0.4-1                      /wazuh-agent-4.0.4-1.x86_64                     13 M

Transaction Summary
============================================================================================================================================
Install  1 Package

Total size: 13 M
Installed size: 13 M
Is this ok [y/d/N]: ^CExiting on user command
Your transaction was saved, rerun it with:
 yum load-transaction /tmp/yum_save_tx.2022-07-01.11-47.9rXuo3.yumtx
[root@centos7-2 vagrant]# 
[root@centos7-2 vagrant]# yum install https://packages.wazuh.com/4.x/yum/wazuh-agent-4.0.4-1.x86_64.rpm -y
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
wazuh-agent-4.0.4-1.x86_64.rpm                                                                                       | 4.7 MB  00:00:00     
Examining /var/tmp/yum-root-PpWDLd/wazuh-agent-4.0.4-1.x86_64.rpm: wazuh-agent-4.0.4-1.x86_64
Marking /var/tmp/yum-root-PpWDLd/wazuh-agent-4.0.4-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.x86_64 0:4.0.4-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                        Arch                      Version                      Repository                                      Size
============================================================================================================================================
Installing:
 wazuh-agent                    x86_64                    4.0.4-1                      /wazuh-agent-4.0.4-1.x86_64                     13 M

Transaction Summary
============================================================================================================================================
Install  1 Package

Total size: 13 M
Installed size: 13 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : wazuh-agent-4.0.4-1.x86_64                                                                                               1/1 
  Verifying  : wazuh-agent-4.0.4-1.x86_64                                                                                               1/1 

Installed:
  wazuh-agent.x86_64 0:4.0.4-1                                                                                                              

Complete!
[root@centos7-2 vagrant]# mv /var/ossec/ /home/ossec
[root@centos7-2 vagrant]# ln -l /home/ossec /var/ossec
ln: invalid option -- 'l'
Try 'ln --help' for more information.
[root@centos7-2 vagrant]# ln -s /home/ossec/ /var/ossec
[root@centos7-2 vagrant]# ls -lah /var/ossec
lrwxrwxrwx. 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
[root@centos7-2 vagrant]# ls -lah /var/ossec/
total 0
drwxr-x---. 15 root  ossec 181 Jul  1 11:47 .
drwxr-xr-x.  4 root  root   34 Jul  1 11:50 ..
drwxrwx---.  2 root  ossec   6 Jan 13  2021 .ssh
drwxr-x---.  3 root  ossec  17 Jul  1 11:47 active-response
drwxr-x---.  2 root  ossec 286 Jul  1 11:47 agentless
drwxr-x---.  2 root  ossec   6 Jan 13  2021 backup
drwxr-x---.  2 root  root  191 Jul  1 11:47 bin
drwxrwx---.  3 ossec ossec 181 Jul  1 11:47 etc
drwxr-x---.  2 root  ossec  28 Jul  1 11:47 lib
drwxrwx---.  3 ossec ossec  47 Jul  1 11:47 logs
drwxr-x---.  7 root  ossec  68 Jul  1 11:47 queue
drwxr-x---.  3 root  ossec  17 Jul  1 11:47 ruleset
drwxrwx--T.  3 root  ossec  29 Jan 13  2021 tmp
drwxr-x---.  7 root  ossec  77 Jul  1 11:47 var
drwxr-x---.  5 root  ossec  45 Jul  1 11:47 wodles

[root@centos7-2 vagrant]# yum install https://s3.us-west-1.amazonaws.com/packages-dev.wazuh.com/warehouse/test/4.3/rpm/var/wazuh-agent-4.3.6-1.x86_64.rpm -y
Failed to set locale, defaulting to C
Loaded plugins: fastestmirror
wazuh-agent-4.3.6-1.x86_64.rpm                                                                                       | 8.5 MB  00:00:04     
Examining /var/tmp/yum-root-PpWDLd/wazuh-agent-4.3.6-1.x86_64.rpm: wazuh-agent-4.3.6-1.x86_64
Marking /var/tmp/yum-root-PpWDLd/wazuh-agent-4.3.6-1.x86_64.rpm as an update to wazuh-agent-4.0.4-1.x86_64
Resolving Dependencies
--> Running transaction check
---> Package wazuh-agent.x86_64 0:4.0.4-1 will be updated
---> Package wazuh-agent.x86_64 0:4.3.6-1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================================
 Package                        Arch                      Version                      Repository                                      Size
============================================================================================================================================
Updating:
 wazuh-agent                    x86_64                    4.3.6-1                      /wazuh-agent-4.3.6-1.x86_64                     24 M

Transaction Summary
============================================================================================================================================
Upgrade  1 Package

Total size: 24 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : wazuh-agent-4.3.6-1.x86_64                                                                                               1/2 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
  Cleanup    : wazuh-agent-4.0.4-1.x86_64                                                                                               2/2 
  Verifying  : wazuh-agent-4.3.6-1.x86_64                                                                                               1/2 
  Verifying  : wazuh-agent-4.0.4-1.x86_64                                                                                               2/2 

Updated:
  wazuh-agent.x86_64 0:4.3.6-1                                                                                                              

Complete!
[root@centos7-2 vagrant]# ls -lah /var/ossec
lrwxrwxrwx. 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
[root@centos7-2 vagrant]# ls -lah /var/ossec/
total 0
drwxr-x---. 15 root  wazuh 181 Jul  1 11:56 .
drwxr-xr-x.  4 root  root   34 Jul  1 11:50 ..
drwxrwx---.  2 root  wazuh   6 Jul  1 11:19 .ssh
drwxr-x---.  3 root  wazuh  17 Jul  1 11:19 active-response
drwxr-x---.  2 root  wazuh 286 Jul  1 11:56 agentless
drwxr-x---.  2 root  wazuh   6 Jul  1 11:19 backup
drwxr-x---.  2 root  root  176 Jul  1 11:57 bin
drwxrwx---.  3 wazuh wazuh 183 Jul  1 11:57 etc
drwxr-x---.  2 root  wazuh 139 Jul  1 11:56 lib
drwxrwx---.  3 wazuh wazuh  47 Jul  1 11:57 logs
drwxr-x---.  9 root  wazuh 110 Jul  1 11:57 queue
drwxr-x---.  3 root  wazuh  17 Jul  1 11:19 ruleset
drwxrwx--T.  4 root  wazuh  52 Jul  1 11:19 tmp
drwxr-x---.  7 root  wazuh  77 Jul  1 11:19 var
drwxr-x---.  5 root  wazuh  80 Jul  1 11:56 wodles

DEB manager
root@ubuntu18LTS:/home/vagrant# apt install ./wazuh-manager_4.0.4-1_amd64.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-manager' instead of './wazuh-manager_4.0.4-1_amd64.deb'
Suggested packages:
  expect
The following NEW packages will be installed:
  wazuh-manager
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/105 MB of archives.
After this operation, 390 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-manager_4.0.4-1_amd64.deb wazuh-manager amd64 4.0.4-1 [105 MB]
Selecting previously unselected package wazuh-manager.
(Reading database ... 60148 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.0.4-1_amd64.deb ...
Unpacking wazuh-manager (4.0.4-1) ...
Setting up wazuh-manager (4.0.4-1) ...
Processing triggers for systemd (237-3ubuntu10.53) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18LTS:/home/vagrant# mv /var/ossec/ /home/ossec
root@ubuntu18LTS:/home/vagrant# ln -l /home/ossec /var/ossec
ln: invalid option -- 'l'
Try 'ln --help' for more information.
root@ubuntu18LTS:/home/vagrant# ln -s /home/ossec/ /var/ossec
root@ubuntu18LTS:/home/vagrant# ls -lah /var/ossec
lrwxrwxrwx 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
root@ubuntu18LTS:/home/vagrant# ls -lah /var/ossec/
total 76K
drwxr-x--- 19 root  ossec 4.0K Jul  1 11:49 .
drwxr-xr-x  5 root  root  4.0K Jul  1 11:50 ..
drwxrwx---  2 root  ossec 4.0K Jan 13  2021 .ssh
drwxr-x---  3 root  ossec 4.0K Jul  1 11:48 active-response
drwxr-x---  2 root  ossec 4.0K Jul  1 11:48 agentless
drwxr-x---  4 root  ossec 4.0K Jul  1 11:48 api
drwxr-x---  5 root  ossec 4.0K Jul  1 11:48 backup
drwxr-x---  2 root  ossec 4.0K Jul  1 11:48 bin
drwxrwx---  7 ossec ossec 4.0K Jul  1 11:48 etc
drwxr-x---  5 root  ossec 4.0K Jul  1 11:48 framework
drwxr-x---  2 root  ossec 4.0K Jul  1 11:48 integrations
drwxr-x---  2 root  ossec 4.0K Jul  1 11:48 lib
drwxrwx---  8 ossec ossec 4.0K Jul  1 11:48 logs
drwxr-x--- 14 root  ossec 4.0K Jul  1 11:48 queue
drwxr-x---  5 root  ossec 4.0K Jul  1 11:48 ruleset
drwxr-x---  2 ossec ossec 4.0K Jan 13  2021 stats
drwxrwx--T  2 root  ossec 4.0K Jan 13  2021 tmp
drwxr-x---  9 root  ossec 4.0K Jul  1 11:48 var
drwxr-x---  6 root  ossec 4.0K Jul  1 11:48 wodles

root@ubuntu18LTS:/home/vagrant# apt install ./wazuh-manager_4.3.6-1_amd64.deb -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-manager' instead of './wazuh-manager_4.3.6-1_amd64.deb'
Suggested packages:
  expect
The following packages will be upgraded:
  wazuh-manager
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/119 MB of archives.
After this operation, 65.6 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-manager_4.3.6-1_amd64.deb wazuh-manager amd64 4.3.6-1 [119 MB]
(Reading database ... 76856 files and directories currently installed.)
Preparing to unpack .../wazuh-manager_4.3.6-1_amd64.deb ...
Unpacking wazuh-manager (4.3.6-1) over (4.0.4-1) ...
Setting up wazuh-manager (4.3.6-1) ...
Installing new version of config file /etc/init.d/wazuh-manager ...
Processing triggers for systemd (237-3ubuntu10.53) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18LTS:/home/vagrant# ls -lah /var/ossec
lrwxrwxrwx 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
root@ubuntu18LTS:/home/vagrant# ls -lah /var/ossec/
total 76K
drwxr-x--- 19 root  wazuh 4.0K Jul  1 11:58 .
drwxr-xr-x  5 root  root  4.0K Jul  1 11:50 ..
drwxrwx---  2 root  wazuh 4.0K Jan 13  2021 .ssh
drwxr-x---  3 root  wazuh 4.0K Jul  1 11:48 active-response
drwxr-x---  2 root  wazuh 4.0K Jul  1 11:57 agentless
drwxr-x---  4 root  wazuh 4.0K Jul  1 11:48 api
drwxr-x---  5 root  wazuh 4.0K Jul  1 11:48 backup
drwxr-x---  2 root  wazuh 4.0K Jul  1 11:57 bin
drwxrwx---  7 wazuh wazuh 4.0K Jul  1 11:57 etc
drwxr-x---  5 root  wazuh 4.0K Jul  1 11:48 framework
drwxr-x---  2 root  wazuh 4.0K Jul  1 11:57 integrations
drwxr-x---  2 root  wazuh 4.0K Jul  1 11:57 lib
drwxrwx---  8 wazuh wazuh 4.0K Jul  1 11:57 logs
drwxr-x--- 16 root  wazuh 4.0K Jul  1 11:57 queue
drwxr-x---  5 root  wazuh 4.0K Jul  1 11:57 ruleset
drwxr-x---  2 wazuh wazuh 4.0K Jan 13  2021 stats
drwxrwx--T  2 root  wazuh 4.0K Jan 13  2021 tmp
drwxr-x---  9 root  wazuh 4.0K Jul  1 11:57 var
drwxr-x---  6 root  wazuh 4.0K Jul  1 11:57 wodles

DEB agent
root@ubuntu18LTS-2:/home/vagrant# apt install ./wazuh-agent_4.0.4-1_amd64.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.0.4-1_amd64.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/4653 kB of archives.
After this operation, 13.4 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-agent_4.0.4-1_amd64.deb wazuh-agent amd64 4.0.4-1 [4653 kB]
Preconfiguring packages ...
Selecting previously unselected package wazuh-agent.
(Reading database ... 60148 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.0.4-1_amd64.deb ...
Unpacking wazuh-agent (4.0.4-1) ...
Setting up wazuh-agent (4.0.4-1) ...
Processing triggers for systemd (237-3ubuntu10.53) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18LTS-2:/home/vagrant# mv /var/ossec/ /home/ossec
root@ubuntu18LTS-2:/home/vagrant# ln -l /home/ossec /var/ossec
ln: invalid option -- 'l'
Try 'ln --help' for more information.
root@ubuntu18LTS-2:/home/vagrant# ln -s /home/ossec/ /var/ossec
root@ubuntu18LTS-2:/home/vagrant# ls -lah /var/ossec
lrwxrwxrwx 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
root@ubuntu18LTS-2:/home/vagrant# ls -lah /var/ossec/
total 60K
drwxr-x--- 15 root  ossec 4.0K Jul  1 11:48 .
drwxr-xr-x  5 root  root  4.0K Jul  1 11:50 ..
drwxrwx---  2 root  ossec 4.0K Jan 13  2021 .ssh
drwxr-x---  3 root  ossec 4.0K Jul  1 11:48 active-response
drwxr-x---  2 root  ossec 4.0K Jul  1 11:48 agentless
drwxr-x---  2 root  ossec 4.0K Jan 13  2021 backup
drwxr-x---  2 root  root  4.0K Jul  1 11:48 bin
drwxrwx---  3 ossec ossec 4.0K Jul  1 11:48 etc
drwxr-x---  2 root  ossec 4.0K Jul  1 11:48 lib
drwxrwx---  3 ossec ossec 4.0K Jul  1 11:48 logs
drwxr-x---  7 root  ossec 4.0K Jul  1 11:48 queue
drwxr-x---  3 root  ossec 4.0K Jul  1 11:48 ruleset
drwxrwx--T  2 root  ossec 4.0K Jan 13  2021 tmp
drwxr-x---  7 root  ossec 4.0K Jul  1 11:48 var
drwxr-x---  5 root  ossec 4.0K Jul  1 11:48 wodles

root@ubuntu18LTS-2:/home/vagrant# apt install ./wazuh-agent_4.3.6-1_amd64.deb -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.3.6-1_amd64.deb'
The following packages will be upgraded:
  wazuh-agent
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/8542 kB of archives.
After this operation, 14.0 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-agent_4.3.6-1_amd64.deb wazuh-agent amd64 4.3.6-1 [8542 kB]
Preconfiguring packages ...
(Reading database ... 60447 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.3.6-1_amd64.deb ...
Unpacking wazuh-agent (4.3.6-1) over (4.0.4-1) ...
Setting up wazuh-agent (4.3.6-1) ...
Installing new version of config file /etc/systemd/system/wazuh-agent.service ...
Installing new version of config file /etc/init.d/wazuh-agent ...
Processing triggers for systemd (237-3ubuntu10.53) ...
Processing triggers for ureadahead (0.100.0-21) ...
root@ubuntu18LTS-2:/home/vagrant# ls -lah /var/ossec
lrwxrwxrwx 1 root root 12 Jul  1 11:51 /var/ossec -> /home/ossec/
root@ubuntu18LTS-2:/home/vagrant# ls -lah /var/ossec/
total 60K
drwxr-x--- 15 root  wazuh 4.0K Jul  1 11:56 .
drwxr-xr-x  5 root  root  4.0K Jul  1 11:50 ..
drwxrwx---  2 root  wazuh 4.0K Jan 13  2021 .ssh
drwxr-x---  3 root  wazuh 4.0K Jul  1 11:48 active-response
drwxr-x---  2 root  wazuh 4.0K Jul  1 11:56 agentless
drwxr-x---  2 root  wazuh 4.0K Jan 13  2021 backup
drwxr-x---  2 root  root  4.0K Jul  1 11:56 bin
drwxrwx---  3 wazuh wazuh 4.0K Jul  1 11:56 etc
drwxr-x---  2 root  wazuh 4.0K Jul  1 11:56 lib
drwxrwx---  3 wazuh wazuh 4.0K Jul  1 11:56 logs
drwxr-x---  9 root  wazuh 4.0K Jul  1 11:56 queue
drwxr-x---  3 root  wazuh 4.0K Jul  1 11:48 ruleset
drwxrwx--T  2 root  wazuh 4.0K Jan 13  2021 tmp
drwxr-x---  7 root  wazuh 4.0K Jul  1 11:56 var
drwxr-x---  5 root  wazuh 4.0K Jul  1 11:56 wodles

AIX
bash-4.4# rpm -ihv wazuh-agent-4.0.0-1.aix.ppc.rpm 
wazuh-agent                 ##################################################
bash-4.4# mv /var/ossec/ /home/ossec^C
bash-4.4# ls /home
agdpy       guest       isso        lost+found  sa          siteox      so          srvproxy
bash-4.4# mv /var/ossec/ /home/ossec
bash-4.4# ln -s /home/ossec/ /var/ossec                       
bash-4.4# ls -la /var/ossec
lrwxrwxrwx    1 root     system           12 Jul  1 07:24 /var/ossec -> /home/ossec/
bash-4.4# ls -la /var/ossec/
total 40
drwxr-x---   15 root     ossec          4096 Jul  1 07:23 .
drwxr-xr-x   11 bin      bin            4096 Jul  1 07:24 ..
drwxrwx---    2 root     ossec           256 Oct 22 2020  .ssh
drwxr-x---    3 root     ossec           256 Jul  1 07:23 active-response
drwxr-x---    2 root     ossec          4096 Jul  1 07:23 agentless
drwxr-x---    2 root     ossec           256 Oct 22 2020  backup
drwxr-x---    2 root     system         4096 Jul  1 07:23 bin
drwxrwx---    3 ossec    ossec          4096 Jul  1 07:23 etc
drwxr-x---    2 root     system          256 Oct 22 2020  lib
drwxrwx---    3 ossec    ossec           256 Jul  1 07:23 logs
drwxr-x---    7 root     ossec           256 Jul  1 07:23 queue
drwxr-xr-x    3 root     system          256 Jul  1 07:23 ruleset
drwxr-x--T    2 root     ossec           256 Jul  1 07:23 tmp
drwxr-x---    6 root     ossec           256 Jul  1 07:23 var
drwxr-x---    4 root     ossec           256 Jul  1 07:23 wodles
bash-4.4# rpm -Uhv wazuh-agent-4.3.6-1.aix.ppc.rpm 
warning: /var/ossec/etc/ossec.conf created as /var/ossec/etc/ossec.conf.rpmnew
wazuh-agent                 ##################################################
var/opt/freeware/tmp/rpm-tmp.14805[14]: %posttrans:  not found
bash-4.4# ls -la /var/ossec/
total 40
drwxr-x---   15 root     wazuh          4096 Jul  1 06:27 .
drwxr-xr-x   11 bin      bin            4096 Jul  1 07:25 ..
drwxrwx---    2 root     wazuh           256 Jul  1 06:27 .ssh
drwxr-x---    3 root     wazuh           256 Jul  1 06:27 active-response
drwxr-x---    2 root     wazuh          4096 Jul  1 07:25 agentless
drwxr-x---    2 root     wazuh           256 Jul  1 06:27 backup
drwxr-x---    2 root     system         4096 Jul  1 07:25 bin
drwxrwx---    3 wazuh    wazuh          4096 Jul  1 07:25 etc
drwxr-x---    2 root     system          256 Jul  1 07:25 lib
drwxrwx---    3 wazuh    wazuh           256 Jul  1 07:25 logs
drwxr-x---    9 root     wazuh           256 Jul  1 07:25 queue
drwxr-xr-x    3 root     system          256 Jul  1 07:23 ruleset
drwxr-x--T    2 root     wazuh           256 Jul  1 07:25 tmp
drwxr-x---    6 root     wazuh           256 Jul  1 06:27 var
drwxr-x---    5 root     wazuh           256 Jul  1 07:25 wodles
bash-4.4# ls -la /var/ossec 
lrwxrwxrwx    1 root     system           12 Jul  1 07:24 /var/ossec -> /home/ossec/

Solaris11
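
The symlink upgrade runs logged above are each verified by eye with `ls`; the same check can be scripted. The following is an added example, not part of the original comment and not Wazuh project code. The function names are hypothetical, and it inspects only the first directory level, as the listings above do.

```shell
#!/bin/sh
# Added example (not Wazuh project code): post-upgrade check for an install
# directory that was moved and symlinked back, as in the logs above.

# Group owner of a path, read from `ls -ld` (works on Linux and AIX alike).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# First ten characters of the mode string, e.g. drwxr-x---.
mode_of() {
    ls -ld "$1" | awk '{print substr($1, 1, 10)}'
}

# check_install_path LINK TARGET NEW_GROUP LEGACY_GROUP
# Returns 0 when the link survived the upgrade and the group migration is
# complete; prints one FAIL line per finding otherwise.
check_install_path() {
    cip_link=$1; cip_target=$2; cip_new=$3; cip_old=$4
    cip_rc=0

    # 1. The upgrade must not have replaced the symlink with a real directory.
    if [ ! -L "$cip_link" ]; then
        echo "FAIL: $cip_link is not a symlink"
        return 1
    fi
    cip_actual=$(readlink "$cip_link")
    if [ "${cip_actual%/}" != "${cip_target%/}" ]; then
        echo "FAIL: $cip_link -> $cip_actual, expected $cip_target"
        cip_rc=1
    fi

    # 2. The directory behind the link must carry the new group.
    cip_top=$(group_of "$cip_link/")
    if [ "$cip_top" != "$cip_new" ]; then
        echo "FAIL: $cip_link/ has group $cip_top, expected $cip_new"
        cip_rc=1
    fi

    # 3. No first-level entry may keep the legacy group or be world-writable.
    for cip_entry in "$cip_link"/* "$cip_link"/.[!.]*; do
        [ -e "$cip_entry" ] || continue
        if [ "$(group_of "$cip_entry")" = "$cip_old" ]; then
            echo "FAIL: $cip_entry still owned by group $cip_old"
            cip_rc=1
        fi
        case $(mode_of "$cip_entry") in
            ????????w?) echo "FAIL: $cip_entry is world-writable"; cip_rc=1 ;;
        esac
    done

    [ "$cip_rc" -eq 0 ] && echo "OK: $cip_link -> $cip_actual"
    return "$cip_rc"
}

# Call matching the layout in the logs above:
#   check_install_path /var/ossec /home/ossec wazuh ossec
```

Entries such as `bin`, which the listings show with group `root` or `system`, pass the check because only the legacy group and the world-writable bit are flagged.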
