umask 077 impacts ability for wazuh-api to execute bundled python libraries

Hi there,

I was pulling my hair out last night following an upgrade to 3.10 on two managers - which i eventually solved but thought i should share what happened/how i fixed it to save anyone else from balding. My scenario as follows:

Environment:

Ubuntu 18.04 LTS*
Upgraded from Wazuh 3.9.4 to 3.10.0
building from source (root user)
umask 077
nginx reverse proxy for the Wazuh-API - for SSL purposes

Following upgrade:

wazuh-manager - service was running with no issues
wazuh-api - service itself was running with no issues, HOWEVER, accessing the API through nodejs was not working.

Error log

WazuhAPI 2019-09-19 02:33:22 cog-waz-API: 127.0.0.1 GET /agents
WazuhAPI 2019-09-19 02:33:22 cog-waz-API: CMD - Command: /var/ossec/framework/python/bin/python3 args:/var/ossec/api/models/wazuh-api.py stdin:{"function":"/agents","arguments":{"offset":0,"limit":30,"sort":{"fields":["id"],"order":"asc"},"wait_for_complete":false}}
WazuhAPI 2019-09-19 02:33:22 cog-waz-API: CMD - Exit code: 1
WazuhAPI 2019-09-19 02:33:22 cog-waz-API: [127.0.0.1] GET /agents/?offset=0&limit=30&sort=id - 500 - error: '1'.
WazuhAPI 2019-09-19 02:33:22 cog-waz-API: Response: {"error":1,"message":"Error executing internal command. Exit code: 1"} HTTP Status: 500

Note that i was to do the following without errors:

curl -u <user>:<pass> @ -XGET "http://localhost:55001/version?pretty"
curl -u <user>:<pass> @ -XGET "http://localhost:55001?pretty"

All other queries failed with Exit code: 1.

As the root user i was able to get API responses without failure manually by utilizing:

echo '{"function":"/agents","arguments":{"filters":{}},"ossec_path":"/var/ossec"}' | /var/ossec/framework/python/bin/python3 /var/ossec/api/models/wazuh-api.py --debug

Solution After hours of digging around i discovered from another bug report that exit code: 1 was typically a Python issue - i was scratching my head about this because i was getting valid responses when manually executing the wazuh-api.py script -> led me to thinking that it must be related to the user running the wazuh-api service wasn't able to access libraries.... and viola:

The fix:

chmod -R 755 /var/ossec/framework/python/lib/python3.7/

For reference purposes:

config.js

var config = {};

// Basic configuration

// Path
config.ossec_path = "/var/ossec";
// The host to bind the API to.
config.host = "localhost";
// TCP Port used by the API.
config.port = "55001";
// Use HTTP protocol over TLS/SSL. Values: yes, no.
config.https = "no";
// Use HTTP authentication. Values: yes, no.
config.basic_auth = "yes";
//In case the API run behind a proxy server, turn to "yes" this feature. Values: yes, no.
config.BehindProxyServer = "yes";

// HTTPS Certificates
//config.https_key = "configuration/ssl/server.key"
//config.https_cert = "configuration/ssl/server.crt"
//config.https_use_ca = "no"
//config.https_ca = "configuration/ssl/ca.crt"

// Advanced configuration

// Values for API log: disabled, info, warning, error, debug (each level includes the previous level).
config.logs = "info";
// Cross-origin resource sharing. Values: yes, no.
config.cors = "yes";
// Cache (time in milliseconds)
config.cache_enabled = "yes";
config.cache_debug = "no";
config.cache_time = "750";
// Log path
config.log_path = config.ossec_path + "/logs/api.log";

// Option to force the use of authd to remove and add agents
config.use_only_authd = false;

// Option to drop privileges (run as ossec)
config.drop_privileges = true;

// Activate features still under development
config.experimental_features  = false;

/************************* SSL OPTIONS ****************************************/
// SSL protocol

// SSL protocol to use. All available secure protocols available at:
// https://www.openssl.org/docs/man1.0.2/ssl/ssl.html#DEALING-WITH-PROTOCOL-METHODS
config.secureProtocol = "TLSv1_2_method";
try {
    // Disable the use of SSLv3, TLSv1.1 and TLSv1.0. All available secureOptions at:
    // https://nodejs.org/api/crypto.html#crypto_openssl_options
    const crypto = require('crypto');
    config.secureOptions = crypto.constants.SSL_OP_NO_SSLv3 |
                           crypto.constants.SSL_OP_NO_TLSv1 |
                           crypto.constants.SSL_OP_NO_TLSv1_1;
} catch (err) {
    console.log("Could not configure NodeJS to avoid unsecure SSL/TLS protocols: " + err)
}

// SSL ciphersuit

// When choosing a cipher, use the server's preferences instead of the client
// preferences. When not set, the SSL server will always follow the clients
// preferences. More info at:
// https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html
config.honorCipherOrder = true;
// Modify default ciphersuit. More info:
// https://nodejs.org/api/tls.html#tls_modifying_the_default_tls_cipher_suite
config.ciphers =  "";

module.exports = config;

nginx config

server {
    listen 55000;
    ssl on;
    ssl_certificate <path to cert>.cer;
    ssl_certificate_key <path to key>.key;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security max-age=15768000;

    access_log            /var/log/nginx/nginx.access.log;
    error_log            /var/log/nginx/nginx.error.log;

    location / {
        proxy_pass http://localhost:55001/;
    }
}

* Note that originally i had compiled/built Wazuh on Ubuntu 16.04 -- not sure if this is relevant to the issue but providing more information than less.

wazuh / wazuh-api

umask 077 impacts ability for wazuh-api to execute bundled python libraries #451