V3ntus / nixpkgs

Nix Packages collection & NixOS
MIT License

Avoid Deleting client.keys and wazuh-agent logs on host. #3

Closed sjdwhiting closed 2 months ago

sjdwhiting commented 2 months ago

Description of changes

Implemented rsync to maintain client.keys intact.

Prior to this, client.keys was overwritten due to the use of cp -rf. This was noted on a reboot of my test machine. The agent was then unable to register with the manager server due to a name collision.

I tested this on a reboot and rebuild.

Things done



V3ntus commented 2 months ago

Couple thoughts on this:

Since we're theoretically only updating the binaries every build, what are your thoughts on just copying and overwriting /var/ossec/bin on every pre-start? That now just leaves us with overwriting /var/ossec/etc/ossec.conf as we're assuming it's being configured declaratively in the user's configuration.nix. All other stateful files remain untouched.

V3ntus commented 2 months ago

While it is possible to take a declarative approach to client.keys, I don't think that makes sense.

I agree, I'm assuming these are handled internally by Wazuh.

sjdwhiting commented 2 months ago

Good point on the other files like logs. Not super useful to have logs purged due to other system operations.

I think it makes sense to overwrite /var/ossec/bin every time as well as ossec.conf.

What do we do about the initial population of /var/ossec like on the initial build? Should we include that in the actual package definition maybe as opposed to in the service?

sjdwhiting commented 2 months ago

So after looking at the output of tree for /var/ossec for my install, I think I remain in favor of using rsync to copy everything over and just add exclusions for things like the log files. It seems like it is mostly things we want to copy over on every build and only a few volatile items that need to be preserved.

I know that with central management you can push configuration changes to agents, so I think we want to preserve that functionality somehow so we might need to call out additional files within /var/ossec/etc and also figure out which ones can be added as options in the service like you did with ossec.conf.

[root@nixos:/var/ossec]# tree
.
├── active-response
│   └── bin
│       ├── default-firewall-drop
│       ├── disable-account
│       ├── firewalld-drop
│       ├── host-deny
│       ├── ip-customblock
│       ├── ipfw
│       ├── kaspersky
│       ├── kaspersky.py
│       ├── npf
│       ├── pf
│       ├── restart.sh
│       ├── restart-wazuh
│       ├── route-null
│       └── wazuh-slack
├── agentless
│   ├── main.exp
│   ├── register_host.sh
│   ├── ssh_asa-fwsmconfig_diff
│   ├── ssh.exp
│   ├── ssh_foundry_diff
│   ├── ssh_generic_diff
│   ├── ssh_integrity_check_bsd
│   ├── ssh_integrity_check_linux
│   ├── sshlogin.exp
│   ├── ssh_nopass.exp
│   ├── ssh_pixconfig_diff
│   └── su.exp
├── backup
├── bin
│   ├── agent-auth
│   ├── manage_agents
│   ├── wazuh-agentd
│   ├── wazuh-control
│   ├── wazuh-execd
│   ├── wazuh-logcollector
│   ├── wazuh-modulesd
│   └── wazuh-syscheckd
├── etc
│   ├── client.keys
│   ├── internal_options.conf
│   ├── local_internal_options.conf
│   ├── ossec.conf
│   ├── shared
│   │   ├── agent.conf
│   │   ├── ar.conf
│   │   ├── cis_apache2224_rcl.txt
│   │   ├── cis_debian_linux_rcl.txt
│   │   ├── cis_mysql5-6_community_rcl.txt
│   │   ├── cis_mysql5-6_enterprise_rcl.txt
│   │   ├── cis_rhel5_linux_rcl.txt
│   │   ├── cis_rhel6_linux_rcl.txt
│   │   ├── cis_rhel7_linux_rcl.txt
│   │   ├── cis_rhel_linux_rcl.txt
│   │   ├── cis_sles11_linux_rcl.txt
│   │   ├── cis_sles12_linux_rcl.txt
│   │   ├── cis_win2012r2_domainL1_rcl.txt
│   │   ├── cis_win2012r2_domainL2_rcl.txt
│   │   ├── cis_win2012r2_memberL1_rcl.txt
│   │   ├── cis_win2012r2_memberL2_rcl.txt
│   │   ├── merged.mg
│   │   ├── rootkit_files.txt
│   │   ├── rootkit_trojans.txt
│   │   ├── system_audit_rcl.txt
│   │   ├── system_audit_ssh.txt
│   │   ├── win_applications_rcl.txt
│   │   ├── win_audit_rcl.txt
│   │   └── win_malware_rcl.txt
│   └── wpk_root.pem
├── lib
│   ├── libdbsync.so
│   ├── libfimdb.so
│   ├── libgcc_s.so.1
│   ├── librsync.so
│   ├── libstdc++.so.6
│   ├── libsyscollector.so
│   ├── libsysinfo.so
│   ├── libwazuhext.so
│   └── libwazuhshared.so
├── logs
│   ├── active-responses.log
│   ├── ossec.json
│   ├── ossec.log
│   └── wazuh
│       └── 2024
│           └── Apr
│               ├── ossec-26-001.log.gz
│               ├── ossec-26.json.gz
│               ├── ossec-26.log.gz
│               ├── ossec-27.log.gz
│               ├── ossec-28.log.gz
│               └── ossec-29.log.gz
├── queue
│   ├── alerts
│   │   ├── cfgaq
│   │   └── execq
│   ├── diff
│   ├── fim
│   │   └── db
│   │       ├── fim.db
│   │       └── fim.db-journal
│   ├── logcollector
│   │   └── file_status.json
│   ├── rids
│   │   ├── 002
│   │   ├── 004
│   │   └── sender_counter
│   ├── sockets
│   │   ├── com
│   │   ├── control
│   │   ├── logcollector
│   │   ├── queue
│   │   ├── syscheck
│   │   ├── upgrade
│   │   └── wmodules
│   └── syscollector
│       ├── db
│       │   ├── local.db
│       │   └── local.db-journal
│       └── norm_config.json
├── ruleset
│   └── sca
│       └── sca_unix_audit.yml
├── tmp
├── var
│   ├── incoming
│   ├── run
│   │   ├── wazuh-agentd-2193.pid
│   │   ├── wazuh-agentd.state
│   │   ├── wazuh-execd-2184.pid
│   │   ├── wazuh-logcollector-2235.pid
│   │   ├── wazuh-logcollector.state
│   │   ├── wazuh-modulesd-2250.pid
│   │   └── wazuh-syscheckd-2224.pid
│   ├── selinux
│   ├── upgrade
│   └── wodles
└── wodles
    ├── aws
    │   └── aws-s3
    ├── azure
    │   ├── azure-logs
    │   └── orm.py
    ├── docker
    │   └── DockerListener
    ├── gcloud
    │   ├── buckets
    │   │   ├── access_logs.py
    │   │   └── bucket.py
    │   ├── exceptions.py
    │   ├── gcloud
    │   ├── integration.py
    │   ├── pubsub
    │   │   └── subscriber.py
    │   └── tools.py
    ├── __init__.py
    └── utils.py

39 directories, 120 files

sjdwhiting commented 2 months ago

I'm kind of thinking out loud as I write this. I see two possible situations for Wazuh on NixOS in a more production environment.

  1. The team managing the overall Wazuh project is comfortable with NixOS and would utilize the options to make changes and keep everything declarative.
  2. The team is NOT comfortable with NixOS and would want all central management to be through the manager. That said, even in this scenario, the team could ship over the changes to whoever manages the NixOS hosts and they could update the codebase.

V3ntus commented 2 months ago

Definitely some good points raised. I'm all in for rsync and just picking out what files/directories we should exclude.

sjdwhiting commented 2 months ago

So adding /var/ossec/logs/ and /var/ossec/logs/* to the exclude statements builds but it doesn't seem to work. On reboot the log files are still wiped. I rebooted my mac, which also has an agent, and the log files stay intact so it doesn't appear to be Wazuh itself wiping them.

V3ntus commented 2 months ago

Is it a possibility that the systemd-tmpfiles implementation could be involved in any of those issues?

sjdwhiting commented 2 months ago

Appears to work with that change. I did it correctly on the first --exclude so funny that I messed it up on the second one. I tried having the entire path of /var/ossec/logs/ but you just need /logs/ for it to work since it already has the context of which directories it is working in. Logs survived a rebuild and reboot.
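
The rsync-with-exclusions approach the thread settled on, and the exclude-anchoring point made just above, as an added example that is not code from the PR: it builds a constructed scratch copy of the /var/ossec layout and syncs it with rsync, showing that an anchored /logs/ and /etc/client.keys exclude keeps the stateful files while bin and ossec.conf are overwritten, and that an unanchored /var/ossec/logs/ pattern matches nothing. The --delete flag, the file contents and the scratch paths are assumptions for the demonstration; the PR's actual rsync flags are not shown on this page.

```shell
# Added example, not code from the PR: constructed scratch copy of the
# /var/ossec layout, synced the way the thread settled on.
set -eu

# Constructed "package" tree (what a new build ships) and "host" tree
# (what already lives on the machine); prints the scratch root.
setup_trees() {
  work=$(mktemp -d)
  pkg="$work/pkg"; host="$work/host"
  mkdir -p "$pkg/bin" "$pkg/etc" "$pkg/logs" "$host/bin" "$host/etc" "$host/logs"
  echo "agentd-v2" > "$pkg/bin/wazuh-agentd"         # new binary from the build
  echo "ossec-new" > "$pkg/etc/ossec.conf"           # declarative config
  : > "$pkg/etc/client.keys"                         # package ships it empty
  echo "agentd-v1" > "$host/bin/wazuh-agentd"        # stale binary on host
  echo "ossec-old" > "$host/etc/ossec.conf"
  echo "001 nixos any KEY" > "$host/etc/client.keys" # constructed registration
  echo "old log line" > "$host/logs/ossec.log"
  echo "$work"
}

# --delete is assumed here to model a clobbering copy. Patterns starting with
# "/" are anchored at the transfer root ("$pkg/"), so "/logs/" matches the logs
# directory while "/var/ossec/logs/" never would; excluded paths are also
# protected from deletion on the receiving side.
sync_preserving_state() {
  rsync -a --delete --exclude=/logs/ --exclude=/etc/client.keys "$1/" "$2/"
}

# 0 when bin and ossec.conf were overwritten but client.keys and the log survived.
check_sync() {
  work=$(setup_trees); ok=0
  sync_preserving_state "$work/pkg" "$work/host"
  [ "$(cat "$work/host/bin/wazuh-agentd")" = "agentd-v2" ] &&
  [ "$(cat "$work/host/etc/ossec.conf")" = "ossec-new" ] &&
  [ "$(cat "$work/host/etc/client.keys")" = "001 nixos any KEY" ] &&
  [ "$(cat "$work/host/logs/ossec.log")" = "old log line" ] && ok=1
  rm -rf "$work"; [ "$ok" = 1 ]
}

# The pattern first tried in the thread: not anchored to the transfer root, it
# matches nothing, so the host log is deleted and client.keys is emptied.
# 0 when that (unwanted) outcome is observed.
check_wrong_exclude() {
  work=$(setup_trees); ok=0
  rsync -a --delete --exclude=/var/ossec/logs/ "$work/pkg/" "$work/host/"
  [ ! -e "$work/host/logs/ossec.log" ] && [ ! -s "$work/host/etc/client.keys" ] && ok=1
  rm -rf "$work"; [ "$ok" = 1 ]
}

check_sync && check_wrong_exclude && echo "anchored excludes preserve state; the unanchored path does not"
```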

V3ntus commented 2 months ago

Sweet, good to hear. I'm good with merging this if you think it's ready. We'll worry about other stateful files later on when it gets brought up.

sjdwhiting commented 2 months ago

Yea, I'm happy with it for now. I'm sure we will find more bugs and need to fix them, especially as we, and hopefully others, get this into actual use. A lot of that will come down to developing a deeper understanding of how Wazuh actually works.