Closed sjdwhiting closed 2 months ago
Couple thoughts on this:

- /var/ossec will be empty, so we'll need to copy everything over.
- On nixos-rebuild/pre-start, /var/ossec will already be populated with a state that the user doesn't want to lose every rebuild. rsync solves this by excluding client.keys, but how can we ensure other stateful files are intact? What about logs or configurations?

Since we're theoretically only updating the binaries every build, what are your thoughts on just copying and overwriting /var/ossec/bin on every pre-start? That now just leaves us with overwriting /var/ossec/etc/ossec.conf, as we're assuming it's being configured declaratively in the user's configuration.nix. All other stateful files remain untouched.

While it is possible to take a declarative approach to client.keys, I don't think that makes sense.
I agree, I'm assuming these are handled internally by Wazuh.
Good point on the other files like logs. Not super useful to have logs purged due to other system operations.

I think it makes sense to overwrite /var/ossec/bin every time, as well as ossec.conf.

What do we do about the initial population of /var/ossec, like on the initial build? Should we include that in the actual package definition maybe, as opposed to in the service?
So after looking at the output of tree for /var/ossec for my install, I think I remain in favor of using rsync to copy everything over and just add exclusions for things like the log files. It seems like it is mostly things we want to copy over on every build and only a few volatile items that need to be preserved.

I know that with central management you can push configuration changes to agents, so I think we want to preserve that functionality somehow. We might need to call out additional files within /var/ossec/etc and also figure out which ones can be added as options in the service like you did with ossec.conf.
```
[root@nixos:/var/ossec]# tree
.
├── active-response
│   └── bin
│       ├── default-firewall-drop
│       ├── disable-account
│       ├── firewalld-drop
│       ├── host-deny
│       ├── ip-customblock
│       ├── ipfw
│       ├── kaspersky
│       ├── kaspersky.py
│       ├── npf
│       ├── pf
│       ├── restart.sh
│       ├── restart-wazuh
│       ├── route-null
│       └── wazuh-slack
├── agentless
│   ├── main.exp
│   ├── register_host.sh
│   ├── ssh_asa-fwsmconfig_diff
│   ├── ssh.exp
│   ├── ssh_foundry_diff
│   ├── ssh_generic_diff
│   ├── ssh_integrity_check_bsd
│   ├── ssh_integrity_check_linux
│   ├── sshlogin.exp
│   ├── ssh_nopass.exp
│   ├── ssh_pixconfig_diff
│   └── su.exp
├── backup
├── bin
│   ├── agent-auth
│   ├── manage_agents
│   ├── wazuh-agentd
│   ├── wazuh-control
│   ├── wazuh-execd
│   ├── wazuh-logcollector
│   ├── wazuh-modulesd
│   └── wazuh-syscheckd
├── etc
│   ├── client.keys
│   ├── internal_options.conf
│   ├── local_internal_options.conf
│   ├── ossec.conf
│   ├── shared
│   │   ├── agent.conf
│   │   ├── ar.conf
│   │   ├── cis_apache2224_rcl.txt
│   │   ├── cis_debian_linux_rcl.txt
│   │   ├── cis_mysql5-6_community_rcl.txt
│   │   ├── cis_mysql5-6_enterprise_rcl.txt
│   │   ├── cis_rhel5_linux_rcl.txt
│   │   ├── cis_rhel6_linux_rcl.txt
│   │   ├── cis_rhel7_linux_rcl.txt
│   │   ├── cis_rhel_linux_rcl.txt
│   │   ├── cis_sles11_linux_rcl.txt
│   │   ├── cis_sles12_linux_rcl.txt
│   │   ├── cis_win2012r2_domainL1_rcl.txt
│   │   ├── cis_win2012r2_domainL2_rcl.txt
│   │   ├── cis_win2012r2_memberL1_rcl.txt
│   │   ├── cis_win2012r2_memberL2_rcl.txt
│   │   ├── merged.mg
│   │   ├── rootkit_files.txt
│   │   ├── rootkit_trojans.txt
│   │   ├── system_audit_rcl.txt
│   │   ├── system_audit_ssh.txt
│   │   ├── win_applications_rcl.txt
│   │   ├── win_audit_rcl.txt
│   │   └── win_malware_rcl.txt
│   └── wpk_root.pem
├── lib
│   ├── libdbsync.so
│   ├── libfimdb.so
│   ├── libgcc_s.so.1
│   ├── librsync.so
│   ├── libstdc++.so.6
│   ├── libsyscollector.so
│   ├── libsysinfo.so
│   ├── libwazuhext.so
│   └── libwazuhshared.so
├── logs
│   ├── active-responses.log
│   ├── ossec.json
│   ├── ossec.log
│   └── wazuh
│       └── 2024
│           └── Apr
│               ├── ossec-26-001.log.gz
│               ├── ossec-26.json.gz
│               ├── ossec-26.log.gz
│               ├── ossec-27.log.gz
│               ├── ossec-28.log.gz
│               └── ossec-29.log.gz
├── queue
│   ├── alerts
│   │   ├── cfgaq
│   │   └── execq
│   ├── diff
│   ├── fim
│   │   └── db
│   │       ├── fim.db
│   │       └── fim.db-journal
│   ├── logcollector
│   │   └── file_status.json
│   ├── rids
│   │   ├── 002
│   │   ├── 004
│   │   └── sender_counter
│   ├── sockets
│   │   ├── com
│   │   ├── control
│   │   ├── logcollector
│   │   ├── queue
│   │   ├── syscheck
│   │   ├── upgrade
│   │   └── wmodules
│   └── syscollector
│       ├── db
│       │   ├── local.db
│       │   └── local.db-journal
│       └── norm_config.json
├── ruleset
│   └── sca
│       └── sca_unix_audit.yml
├── tmp
├── var
│   ├── incoming
│   ├── run
│   │   ├── wazuh-agentd-2193.pid
│   │   ├── wazuh-agentd.state
│   │   ├── wazuh-execd-2184.pid
│   │   ├── wazuh-logcollector-2235.pid
│   │   ├── wazuh-logcollector.state
│   │   ├── wazuh-modulesd-2250.pid
│   │   └── wazuh-syscheckd-2224.pid
│   ├── selinux
│   ├── upgrade
│   └── wodles
└── wodles
    ├── aws
    │   └── aws-s3
    ├── azure
    │   ├── azure-logs
    │   └── orm.py
    ├── docker
    │   └── DockerListener
    ├── gcloud
    │   ├── buckets
    │   │   ├── access_logs.py
    │   │   └── bucket.py
    │   ├── exceptions.py
    │   ├── gcloud
    │   ├── integration.py
    │   ├── pubsub
    │   │   └── subscriber.py
    │   └── tools.py
    ├── __init__.py
    └── utils.py

39 directories, 120 files
```
I'm kind of thinking out loud as I write this. I see two possible situations for Wazuh on NixOS in a more production environment.
Definitely some good points raised. I'm all in for rsync and just picking out what files/directories we should exclude.
So adding /var/ossec/logs/ and /var/ossec/logs/* to the exclude statements builds, but it doesn't seem to work. On reboot the log files are still wiped. I rebooted my Mac, which also has an agent, and the log files stay intact, so it doesn't appear to be Wazuh itself wiping them.
Is it possible that the systemd-tmpfiles implementation is involved in any of those issues?
Appears to work with that change. I did it correctly on the first --exclude, so funny that I messed it up on the second one. I tried having the entire path of /var/ossec/logs/, but you just need /logs/ for it to work, since it already has the context of which directories it is working in. Logs survived a rebuild and reboot.
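The pre-start sync the thread converges on (copy the package-shipped tree over /var/ossec, keep client.keys and the logs) and the earlier point about only bin and ossec.conf needing replacement, written out as an added example. This is not the module's or Wazuh's own code: the function names are mine, the "package" and "live" trees, the file contents and the key line are constructed fixtures, and the paths are taken as arguments rather than hard-coded to /var/ossec. It also keeps the first, non-working spelling of the log exclusion so the difference can be checked.

```sh
#!/bin/sh
# Added example (not the NixOS module's code): a pre-start sync of a Wazuh agent
# tree into its state directory, preserving the files a rebuild must not clobber.
# Assumptions (mine): $1 is the unpacked package tree that would be copied into
# /var/ossec, $2 is the live state directory.

# rsync matches --exclude patterns against paths relative to the transfer root
# (the trailing slash on "$src/"), so a leading "/" anchors at <src>/, not at the
# filesystem root. That is why "/logs/" works while "/var/ossec/logs/" matches nothing.
sync_ossec() {
  src=$1; dst=$2
  mkdir -p "$dst"
  rsync -a \
    --exclude='/etc/client.keys' \
    --exclude='/logs/' \
    "$src/" "$dst/"
}

# The spelling tried first in the thread: the log exclusion as an absolute path.
# Kept only to show the failure mode; do not use it.
sync_ossec_fullpath_exclude() {
  src=$1; dst=$2
  mkdir -p "$dst"
  rsync -a \
    --exclude='/etc/client.keys' \
    --exclude='/var/ossec/logs/' \
    "$src/" "$dst/"
}

# Constructed fixture: a "package" tree with a new binary, a default ossec.conf,
# an empty client.keys placeholder and an empty log file, next to a "live" tree
# holding registration state and log content that must survive the sync.
make_fixture() {
  root=$1
  pkg=$root/pkg; live=$root/live
  mkdir -p "$pkg/bin" "$pkg/etc" "$pkg/logs" "$live/bin" "$live/etc" "$live/logs"
  printf 'wazuh-agentd v2\n' > "$pkg/bin/wazuh-agentd"
  printf '<ossec_config/>\n' > "$pkg/etc/ossec.conf"
  : > "$pkg/etc/client.keys"   # empty placeholder shipped with the package (assumed)
  : > "$pkg/logs/ossec.log"    # empty log file shipped with the package (assumed)
  printf 'wazuh-agentd v1\n' > "$live/bin/wazuh-agentd"
  printf '<ossec_config><client/></ossec_config>\n' > "$live/etc/ossec.conf"
  printf '001 nixos any 0123456789abcdef\n' > "$live/etc/client.keys"  # constructed key line
  printf '2024/04/29 12:00:00 wazuh-agentd: INFO: Started\n' > "$live/logs/ossec.log"
}

# Returns 0 when the live tree looks the way the thread wants it after a rebuild:
# binary and ossec.conf replaced, client.keys and the log left untouched.
check_state() {
  live=$1
  grep -q 'v2' "$live/bin/wazuh-agentd" || return 1
  grep -q '^<ossec_config/>$' "$live/etc/ossec.conf" || return 1
  grep -q '^001 nixos' "$live/etc/client.keys" || return 1
  grep -q 'Started' "$live/logs/ossec.log" || return 1
  return 0
}

# Returns 0 when the log file was emptied, which is what the full-path exclusion produces.
log_was_wiped() {
  [ ! -s "$1/logs/ossec.log" ]
}
```

Two caveats worth keeping in mind when this is wired into the service's preStart: the exclusions only need the path below the transfer root, so `/etc/client.keys` and `/logs/` are complete as written; and because `--delete` is not passed, rsync never removes destination-only files, which is why queue/ and var/run currently survive without being listed. If `--delete` is ever added to drop stale package files, those state directories would need exclusions of their own.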
Sweet, good to hear. I'm good with merging this if you think it's ready. We'll worry about other stateful files later on when it gets brought up.
Yea, I'm happy with it for now. I'm sure we will find more bugs and need to fix them, especially as we, and hopefully others, get this into actual use. A lot of that will come down to developing a deeper understanding of how Wazuh actually works.
Description of changes

Implemented rsync to keep client.keys intact.

Prior to this, client.keys was overwritten due to the use of cp -rf. This was noted on a reboot of my test machine. The agent was then unable to register with the manager server due to a name collision. I tested this on a reboot and rebuild.