Open AishVinod opened 3 months ago
I am seeing some issues with this with my integration as well. All files in the container are root:wazuh owned. If you run a ps in the container
same
and
there does not seem to be a user 101 either
closest is some dude named games lol. Now the wazuh user is 999, so wouldn't it make more sense to set that securityContext: to fsGroup: 999 instead? Anyways, I'm trying it out and will see if my cluster still works after.
@saraiva82 Any luck on the same? I am still struggling with the same.
Hey @AishVinod,
so far the permissions issues seem to have resolved themselves,
and now when I use wazuh-logtester to debug my log I do not see the permissions errors that I was getting on my integrations and rules. So I think it resolved the issue, even though I'm troubleshooting my log, but now I think it is a decoder thing and not this.
I am trying to integrate custom-urlhaus with Wazuh deployed on Kubernetes using this documentation: https://wazuh.com/blog/detecting-malicious-urls-using-wazuh-and-urlhaus/
For the Kubernetes setup I have mounted custom-urlhaus.py into /var/ossec/integrations/custom-urlhaus.py. However, in order to execute the script, the permissions and ownership below are mandatory:
chmod 750 /var/ossec/integrations/custom-urlhaus.py
chown root:wazuh /var/ossec/integrations/custom-urlhaus.py
Once I mount the files into the pod, by default I see the permissions as below:
-rw-r--r-- 1 root 101 5441 custom-urlhaus.py
I suppose group 101 is coming from the below configuration in the master-sts file:
securityContext:
  fsGroup: 101
I tried adding an initContainer to execute the required script:
initContainers:
However, I see the initContainer is failing with the below errors:
chmod: /var/ossec/integrations/custom-urlhaus.py: Read-only file system
chown: unknown user/group root:wazuh
Any help on how to update the needed permissions in cluster files would be appreciated.
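
The two init-container errors above come from changing a file in place on a read-only mount and from naming a group that the image running the command does not define. The script below is an added example, not part of the thread or of Wazuh's deployment files: it copies the script into a writable directory and sets mode 750 with numeric IDs, then verifies the result. The function names, the `/ro` and `/staged` paths and the `WAZUH_GID` variable are assumptions, as is a writable volume shared with the Wazuh container.

```shell
#!/bin/sh
# Added example (not from the thread): stage an integration script from a
# read-only mount into a writable directory as mode 750 with numeric owner/group.
# Assumes GNU or BusyBox stat (-c). All names and paths here are hypothetical.

# check_integration FILE UID GID -> 0 only if FILE is exactly 750 UID:GID
check_integration() {
    file=$1; want_uid=$2; want_gid=$3
    actual=$(stat -c '%a %u %g' "$file") || return 6
    if [ "$actual" != "750 $want_uid $want_gid" ]; then
        echo "unexpected mode/owner on $file: $actual" >&2
        return 7
    fi
}

# stage_integration SRC DST_DIR UID GID
stage_integration() {
    src=$1; dst_dir=$2; uid=$3; gid=$4
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 2; }
    if [ ! -d "$dst_dir" ] || [ ! -w "$dst_dir" ]; then
        echo "destination not writable: $dst_dir" >&2; return 3
    fi
    # Numeric IDs only: a name such as "wazuh" fails with "unknown user/group"
    # when the image running this script has no matching /etc/group entry.
    for id in "$uid" "$gid"; do
        case $id in
            ''|*[!0-9]*) echo "IDs must be numeric, got: $id" >&2; return 4 ;;
        esac
    done
    dst=$dst_dir/$(basename "$src")
    staged=$dst.staging.$$
    # Copy instead of chmod/chown in place: the source mount is read-only.
    if cp "$src" "$staged" && chmod 750 "$staged" \
        && chown "$uid:$gid" "$staged" && mv "$staged" "$dst"; then
        check_integration "$dst" "$uid" "$gid"
    else
        rm -f "$staged"
        return 5
    fi
}

# Hypothetical init-container use, with WAZUH_GID set to the wazuh group's
# number in the Wazuh image:
#   stage_integration /ro/custom-urlhaus.py /staged 0 "$WAZUH_GID"
```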