Closed alberpilot closed 2 months ago
A fresh installation of the agent following the official documentation doesn't seem to create a login item on its own in Monterey, even after running `# /Library/Ossec/bin/wazuh-control start`, although the application is running correctly.
The installed agent has correctly been added to a manager without problem, and in more fresh install tests no login item is added on installation.
An attempt was made to add the Login Item manually, although Wazuh Agent doesn't appear in the application list for creating Login Items. Searching for `Wazuh` in that screen, you can get to a script called `Launcher.sh`, presumably the same one that gives the error in Ventura.
The launcher just starts Wazuh if it is stopped and stops it otherwise.
No warning has appeared in the Login Item screen at any moment.
With a fresh installation of the agent in Big Sur, as with Monterey, no Login Item is added. Furthermore, `launcher.sh` cannot be added manually as one.
After finally being able to upgrade it to MacOS Ventura (in AWS), the error has been replicated.
From the investigation, it has been concluded that with this new version of MacOS, the Login Items logic has changed, at least regarding which items to show: now all services are shown in `Settings`. It has been a problem even for the operating system's own services, as seen here, here and here.
From the solutions given in this forum it seems using iMazing to create a Profile to sign our scripts may be the solution.
`launchctl` information on the Wazuh Agent Login Item:
ec2-user@ip-172-31-46-132 ~ % sudo launchctl list | grep 'wazuh'
337 0 com.wazuh.agent
ec2-user@ip-172-31-46-132 ~ % launchctl print system/com.wazuh.agent
system/com.wazuh.agent = {
active count = 1
path = /Library/LaunchDaemons/com.wazuh.agent.plist
type = LaunchDaemon
state = running
program = /Library/StartupItems/WAZUH/launcher.sh
arguments = {
/Library/StartupItems/WAZUH/launcher.sh
}
default environment = {
PATH => /usr/bin:/bin:/usr/sbin:/sbin
}
environment = {
XPC_SERVICE_NAME => com.wazuh.agent
}
domain = system
minimum runtime = 10
exit timeout = 5
runs = 1
pid = 337
immediate reason = speculative
forks = 19901
execs = 2
initialized = 1
trampolined = 1
started suspended = 0
proxy started suspended = 0
last exit code = (never exited)
spawn type = daemon (3)
jetsam priority = 40
jetsam memory limit (active) = (unlimited)
jetsam memory limit (inactive) = (unlimited)
jetsamproperties category = daemon
jetsam thread limit = 32
cpumon = default
probabilistic guard malloc policy = {
activation rate = 1/1000
sample rate = 1/0
}
properties = runatload | inferred program | system service
}
We can see the LaunchDaemon runs a program in `/Library/StartupItems`, which is a mixture of different types of ways to start an Application on boot. As we can see here, the Startup Items are deprecated, which leaves us with two options:

A test was done to stop using the Startup Items, in case this could be the problem. The objective is to change the location of `launcher.sh` to inside `/Library/Ossec`, so it is considered as part of our application. First it has been done manually:
```
sh-3.2# mkdir /Library/Ossec/LoginItems
sh-3.2# cp -r /Library/StartupItems/WAZUH/* /Library/Ossec/LoginItems/
sh-3.2# nano /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# cat /Library/LaunchDaemons/com.wazuh.agent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.wazuh.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Ossec/LoginItems/launcher.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
sh-3.2#
```
This didn't seem to work, but maybe the identification of the executables is done on installation, so the next test is to try and do it as part of the installation.
After changing it in the file `preinstall.sh` and creating the package, it is not installed correctly, as we can see in this `/var/log/install.log`:
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: UID available for wazuh user is:
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: 101
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <dscl_cmd> DS Error: -14136 (eDSRecordNotFound)
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <?xml version="1.0" encoding="UTF-8"?>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <plist version="1.0">
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <dict>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>Label</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>com.wazuh.agent</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>ProgramArguments</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <array>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>/Library/Ossec/LoginItems/WAZUH/launcher.sh</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </array>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>RunAtLoad</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <true/>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </dict>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </plist>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: mkdir: /Library/Ossec: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: mkdir: /Library/Ossec/LoginItems: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chown: /Library/Ossec/LoginItems/WAZUH: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: tee: /Library/Ossec/LoginItems/WAZUH/WAZUH: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: #!/bin/sh
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: . /etc/rc.common
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: DIRECTORY="/Library/Ossec"
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: StartService ()
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: {
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: ${DIRECTORY}/bin/wazuh-control start
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: }
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: StopService ()
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: {
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: ${DIRECTORY}/bin/wazuh-control stop
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: }
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: RestartService ()
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: {
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: ${DIRECTORY}/bin/wazuh-control restart
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: }
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: RunService "$1"
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chown: /Library/Ossec/LoginItems/WAZUH/WAZUH: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chmod: /Library/Ossec/LoginItems/WAZUH/WAZUH: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: tee: /Library/Ossec/LoginItems/WAZUH/StartupParameters.plist: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <?xml version="1.0" encoding="UTF-8"?>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: www.apple.com/DTDs/PropertyList-1.0.dtd">
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <plist version="1.0">
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <dict>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>Description</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>WAZUH Security agent</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>Messages</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <dict>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>start</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>Starting Wazuh agent</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>stop</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>Stopping Wazuh agent</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </dict>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>Provides</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <array>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>WAZUH</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </array>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <key>Requires</key>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <array>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: <string>IPFilter</string>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </array>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </dict>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: </plist>
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chown: /Library/Ossec/LoginItems/WAZUH/StartupParameters.plist: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chmod: /Library/Ossec/LoginItems/WAZUH/StartupParameters.plist: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: tee: /Library/Ossec/LoginItems/WAZUH/launcher.sh: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: #!/bin/sh
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: DIRECTORY="/Library/Ossec"
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: capture_sigterm() {
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: ${DIRECTORY}/bin/wazuh-control stop
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: exit $?
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: }
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: if ! ${DIRECTORY}/bin/wazuh-control start; then
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: ${DIRECTORY}/bin/wazuh-control stop
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: fi
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: while : ; do
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: trap capture_sigterm SIGTERM
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: sleep 3
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: done
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chown: /Library/Ossec/LoginItems/WAZUH/launcher.sh: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: ./preinstall: chmod: /Library/Ossec/LoginItems/WAZUH/launcher.sh: No such file or directory
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: PackageKit: Hosted team responsible for script has been cleared.
2022-11-25 12:32:40+00 ip-172-31-46-132 package_script_service[1761]: Responsibility set back to self.
2022-11-25 12:32:40+00 ip-172-31-46-132 install_monitor[5316]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: releasing backupd
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: allow user idle system sleep
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: Install Failed: Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “wazuh-agent-4.3.10-1917-2.pkg”." UserInfo={NSFilePath=./preinstall, NSURL=file:///Users/ec2-user/wazuh-agent-4.3.10-1917-2.pkg#agent.pkg, PKInstallPackageIdentifier=com.wazuh.pkg.wazuh-agent, NSLocalizedDescription=An error occurred while running scripts from the package “wazuh-agent-4.3.10-1917-2.pkg”.} {
NSFilePath = "./preinstall";
NSLocalizedDescription = "An error occurred while running scripts from the package \U201cwazuh-agent-4.3.10-1917-2.pkg\U201d.";
NSURL = "file:///Users/ec2-user/wazuh-agent-4.3.10-1917-2.pkg#agent.pkg";
PKInstallPackageIdentifier = "com.wazuh.pkg.wazuh-agent";
}
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: Cleared responsibility for install from 5315.
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: Hosted team responsible for install has been cleared.
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: Running idle tasks
2022-11-25 12:32:41+00 ip-172-31-46-132 installer[5315]: install:didFailWithError:Error Domain=PKInstallErrorDomain Code=112 "An error occurred while running scripts from the package “wazuh-agent-4.3.10-1917-2.pkg”." UserInfo={NSFilePath=./preinstall, NSURL=file:///Users/ec2-user/wazuh-agent-4.3.10-1917-2.pkg#agent.pkg, PKInstallPackageIdentifier=com.wazuh.pkg.wazuh-agent, NSLocalizedDescription=An error occurred while running scripts from the package “wazuh-agent-4.3.10-1917-2.pkg”.}
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: Removing client PKInstallDaemonClient pid=5315, uid=0 (/usr/sbin/installer)
2022-11-25 12:32:41+00 ip-172-31-46-132 installd[1759]: PackageKit: Done with sandbox removals
2022-11-25 12:32:41+00 ip-172-31-46-132 installer[5315]: Install failed: The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.
The next test was to try and change the location of `launcher.sh`, but outside `/Library/Ossec`, into `/Library/TestFolder`, to see if the use of Startup Items was either unnecessary or problematic. This package did install without errors, but somehow it is still copying the files to `/Library/StartupItems`, even though it is not even mentioned in any part of the package building scripts. It was also copied to `Library/TestingFolder`, which makes it even weirder.
sh-3.2# /Library/Ossec/bin/wazuh-control stop
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.3.10 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
sh-3.2# installer -pkg wazuh-agent-4.3.10-1917-test -target / -verboseR
wazuh-agent-4.3.10-1917-test(1).pkg wazuh-agent-4.3.10-1917-test.pkg
sh-3.2# installer -pkg wazuh-agent-4.3.10-1917-test( -target / -verboseR
Display all 1358 possibilities? (y or n)
sh-3.2# installer -pkg wazuh-agent-4.3.10-1917-test\(1\).pkg -target / -verboseR
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer:PHASE:Preparing for installation…
installer:PHASE:Preparing the disk…
installer:PHASE:Preparing Wazuh Agent…
installer:PHASE:Waiting for other installations to complete…
installer:PHASE:Configuring the installation…
installer:STATUS:
installer:%36.051663
installer:PHASE:Running package scripts…
installer:%37.984592
installer:PHASE:Running package scripts…
installer:%86.551602
installer:PHASE:Running package scripts…
installer:PHASE:Validating packages…
installer:%97.750000
installer:STATUS:Running installer actions…
installer:STATUS:
installer:PHASE:Finishing the Installation…
installer:STATUS:
installer:%100.000000
installer:PHASE:The software was successfully installed.
installer: The install was successful.
sh-3.2# ls /Library/StartupItems/
WAZUH
sh-3.2# ls
.CFUserTextEncoding Library
.DS_Store Movies
.Trash Music
.lesshst Pictures
.ssh macos
.zsh_history wazuh-agent-4.3.10-1.pkg
.zsh_sessions wazuh-agent-4.3.10-1917-2.pkg
.zshrc wazuh-agent-4.3.10-1917-test(1).pkg
Desktop wazuh-agent-4.3.10-1917-test.pkg
Documents wazuh-agent-4.3.10-1917.pkg
Downloads
sh-3.2# rm wazuh-agent-4.3.10-1*
sh-3.2# ls /Library/TestingFolder/WAZUH/
StartupParameters.plist WAZUH launcher.sh
After a new try, the folder `StartupItems` is still being created, although it is not mentioned in the `wazuh-packages` code. New files are also created, such as `TestingFolder`.
As seen in this documentation page, apart from being deprecated, `StartupItems` needs the executable to have the same name as the folder, so a new test was done with a different executable in `StartupItems`. This managed to change it in the file, but the removed `launcher.sh` is still being created.
The new executable:
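```sh
#!/bin/sh
# Load the StartupItems helper functions (RunService is defined there)
. /etc/rc.common

# Wazuh installation directory
DIRECTORY="/Library/Ossec"

# The start subroutine
StartService() {
    ${DIRECTORY}/bin/wazuh-control start
}

# The stop subroutine
StopService() {
    ${DIRECTORY}/bin/wazuh-control stop
}

# The restart subroutine
RestartService() {
    ${DIRECTORY}/bin/wazuh-control stop
    sleep 5
    ${DIRECTORY}/bin/wazuh-control start
}

# Dispatch on the first argument (start, stop or restart)
RunService "$1"
```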
As seen in the previous image, there are more Login Items, some unidentified and one identified. After searching in `/Library`, nothing was found related to `AMZN Mobile LLC`. On the contrary, all other Login Items were called by files in `/Library/LaunchDaemons`, from where Wazuh is also called.
sh-3.2# cat /Library/LaunchDaemons/* | grep -A3 ProgramArguments
<key>ProgramArguments</key>
<array>
<string>/opt/aws/ssm/bin/amazon-ssm-agent</string>
</array>
--
<key>ProgramArguments</key>
<array>
<string>/usr/local/libexec/ec2-macos-init</string>
<string>run</string>
--
<key>ProgramArguments</key>
<array>
<string>/usr/local/libexec/send-cpu-utilization</string>
</array>
--
<key>ProgramArguments</key>
<array>
<string>/Library/StartupItems/WAZUH/launcher.sh</string>
</array>
sh-3.2#
After seeing it in a forum photo as an identified Login Item, the program `iMazing` was installed, so as to compare ways of creating a Login Item, but as with `AMZN Mobile LLC`, it couldn't be found in the same places.
sh-3.2# ls /Library/LaunchAgents/
sh-3.2# ls /Library/LaunchDaemons/
com.amazon.aws.ssm.plist com.amazon.ec2.macos-init.plist com.wazuh.agent.plist
com.amazon.ec2.ena-ethernet.plist com.amazon.ec2.monitoring.agents.cpuutilization.plist
sh-3.2# ls /Library/StartupItems/
WAZUH
sh-3.2#
On hold because of https://github.com/wazuh/wazuh/issues/15526
More investigation in the code has made me aware that the files used for the Login Item and Launch Daemon may not be correctly signed and/or notarized, as they are created in the script `preinstall.sh` and not mentioned in the spec file `wazuh-agent.pkgproj`.
[verdx@verdx-big specs]$ cat wazuh-agent.pkgproj| grep launcher.sh
[verdx@verdx-big specs]$ cat wazuh-agent.pkgproj| grep com.wazuh.agent.plist
[verdx@verdx-big specs]$ cat wazuh-agent.pkgproj| grep WAZUH
[verdx@verdx-big specs]$ cat wazuh-agent.pkgproj| grep StartupParameters.plist
[verdx@verdx-big specs]$
Creation of the startup files:
The rest of the files installed in the system are first installed in the pkgproj and then their permissions are changed in the script `postinstall.sh`. For example, for the file `/Library/Ossec/etc/internal_options.conf`:
```xml
<dict>
    <key>CHILDREN</key>
    <array/>
    <key>GID</key>
    <integer>0</integer>
    <key>PATH</key>
    <string>/Library/Ossec/etc/internal_options.conf</string>
    <key>PATH_TYPE</key>
    <integer>0</integer>
    <key>PERMISSIONS</key>
    <integer>416</integer>
    <key>TYPE</key>
    <integer>3</integer>
    <key>UID</key>
    <integer>0</integer>
</dict>
```

```sh
chmod 640 ${DIR}/etc/internal_options.conf
chown root:${GROUP} ${DIR}/etc/internal_options.conf
chmod 640 ${DIR}/etc/local_internal_options.conf
chown root:${GROUP} ${DIR}/etc/local_internal_options.conf
```
Changing the way of installing all the files for the LoginItems should let all of them be signed and the warning should no longer appear.
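
The `grep` check against `wazuh-agent.pkgproj` and the `/Library/StartupItems` observation above, combined into one audit, as an added example that is not part of the original issue or of the Wazuh packaging code. The sample pkgproj fragment is constructed in the shape shown in this comment (the `wazuh-control` entry and its mode are assumptions), and the function names are hypothetical.

```python
import plistlib

_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'

# Constructed sample: a LaunchDaemon job pointing at the launcher path
# reported by `launchctl print system/com.wazuh.agent` on this page.
LAUNCHD_PLIST = _HEAD + b"""<dict>
    <key>Label</key><string>com.wazuh.agent</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/StartupItems/WAZUH/launcher.sh</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a payload tree in the shape of the pkgproj entry shown
# above. The wazuh-control node and its mode are assumptions for illustration.
PKGPROJ_FRAGMENT = _HEAD + b"""<dict>
    <key>PATH</key><string>/Library/Ossec</string>
    <key>PERMISSIONS</key><integer>488</integer>
    <key>CHILDREN</key>
    <array>
        <dict>
            <key>CHILDREN</key><array/>
            <key>GID</key><integer>0</integer>
            <key>PATH</key><string>/Library/Ossec/etc/internal_options.conf</string>
            <key>PATH_TYPE</key><integer>0</integer>
            <key>PERMISSIONS</key><integer>416</integer>
            <key>TYPE</key><integer>3</integer>
            <key>UID</key><integer>0</integer>
        </dict>
        <dict>
            <key>CHILDREN</key><array/>
            <key>PATH</key><string>/Library/Ossec/bin/wazuh-control</string>
            <key>PERMISSIONS</key><integer>488</integer>
        </dict>
    </array>
</dict>
</plist>
"""


def _walk(node, found):
    """Collect PATH -> octal mode for a node and all of its CHILDREN."""
    path = node.get("PATH")
    if path is not None:
        # PERMISSIONS is stored in decimal: 416 is mode 0640.
        found[path] = format(node.get("PERMISSIONS", 0), "04o")
    for child in node.get("CHILDREN", []):
        _walk(child, found)
    return found


def payload_from_pkgproj(pkgproj_bytes):
    """Return every path declared in the package payload with its mode."""
    return _walk(plistlib.loads(pkgproj_bytes), {})


def launchd_program(plist_bytes):
    """Return (Label, executable) for a launchd job definition."""
    job = plistlib.loads(plist_bytes)
    # launchd runs Program if present, otherwise ProgramArguments[0].
    args = job.get("ProgramArguments") or [None]
    return job.get("Label"), job.get("Program") or args[0]


def audit(plist_bytes, pkgproj_bytes):
    """Flag a launchd job whose executable the package never declares."""
    label, program = launchd_program(plist_bytes)
    payload = payload_from_pkgproj(pkgproj_bytes)
    findings = []
    if program is None:
        findings.append("no-program")
    else:
        if program.startswith("/Library/StartupItems/"):
            findings.append("deprecated-startupitems-path")
        if program not in payload:
            # Not in the payload: written by an install script instead,
            # which is the situation this comment describes.
            findings.append("not-in-package-payload")
    return {"label": label, "program": program, "findings": findings}


if __name__ == "__main__":
    print(audit(LAUNCHD_PLIST, PKGPROJ_FRAGMENT))
```

Moving the launcher to `/Library/Ossec/LoginItems/` by hand, as tested earlier, clears only the first finding; the second clears once the file is declared in the pkgproj payload.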
The changes proposed in the last comment have been done in the branch `1917-improve-login-item-Macos-Ventura`, and an attempt was made to build a package with them, but the script `generate_wazuh_packages.sh` fails with the error:
ec2-user@ip-172-31-43-156 macos % sudo bash generate_wazuh_packages.sh -b 4.3
/usr/local/bin/packagesbuild
Cloning into '/Users/ec2-user/wazuh-packages/macos/repository/wazuh'...
remote: Enumerating objects: 3555, done.
remote: Counting objects: 100% (3555/3555), done.
remote: Compressing objects: 100% (3120/3120), done.
remote: Total 3555 (delta 711), reused 955 (delta 215), pack-reused 0
Receiving objects: 100% (3555/3555), 8.17 MiB | 6.49 MiB/s, done.
Resolving deltas: 100% (711/711), done.
Modifiying specs/wazuh-agent.pkgproj to match revision.
cp: package_files/*.sh: No such file or directory
generate_wazuh_packages.sh: line 146: /Users/ec2-user/wazuh-packages/macos/package_files/build.sh: No such file or directory
==============================================================================
ERROR:
Description:
Unable to read attributes of item at path "/Library/Ossec"
Step:
Project > Distribution > Package 'agent' > Payload > Assemble
==============================================================================
Build Failed
ERROR: something went wrong while building the package.
sudo: /Library/Ossec/bin/ossec-control: command not found
rm: /Library/Ossec*: No such file or directory
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
Building the package using Jenkins has also been tried, and it has also failed, but I haven't been able to isolate the error. In the Console View for the failed Ansible Playbook, the error is:
17:07:29 TASK [Build Wazuh agent package for macOS, sign binaries and package and notarize the package.] ***
17:07:29 task path: /home/ec2-user/workspace/Packages_builder_macos/ansible-playbooks/packages/build_macos_packages.yml:57
17:07:29 fatal: [****_host]: FAILED! => {
17:07:29 "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",
17:07:29 "changed": true
17:07:29 }
17:07:29
17:07:29 PLAY RECAP *********************************************************************
17:07:29 ****_host : ok=4 changed=3 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
17:07:29
17:07:29 Playbook run took 0 days, 0 hours, 0 minutes, 35 seconds
17:07:30 FATAL: command execution failed
17:07:30 hudson.AbortException: Ansible playbook execution failed
17:07:30 at org.****ci.plugins.ansible.AnsiblePlaybookBuilder.perform(AnsiblePlaybookBuilder.java:262)
17:07:30 at org.****ci.plugins.ansible.workflow.AnsiblePlaybookStep$AnsiblePlaybookExecution.run(AnsiblePlaybookStep.java:430)
17:07:30 at org.****ci.plugins.ansible.workflow.AnsiblePlaybookStep$AnsiblePlaybookExecution.run(AnsiblePlaybookStep.java:351)
17:07:30 at org.****ci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1$1.call(AbstractSynchronousNonBlockingStepExecution.java:47)
17:07:30 at hudson.security.ACL.impersonate2(ACL.java:449)
17:07:30 at hudson.security.ACL.impersonate(ACL.java:461)
17:07:30 at org.****ci.plugins.workflow.steps.AbstractSynchronousNonBlockingStepExecution$1.run(AbstractSynchronousNonBlockingStepExecution.java:44)
17:07:30 at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
17:07:30 at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
17:07:30 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
17:07:30 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
17:07:30 at java.base/java.lang.Thread.run(Thread.java:829)
This seems more of a problem with Ansible than with creating the package.
Still testing to create a package with a correct way to create the Login Items using MacOS Ventura, the first error has been:
cd data_provider/ && mkdir -p build && cd build && cmake -DCMAKE_SYSTEM_NAME=Darwin .. && /Library/Developer/CommandLineTools/usr/bin/make
cd shared_modules/dbsync/ && mkdir -p build && cd build && cmake .. && /Library/Developer/CommandLineTools/usr/bin/make
/bin/sh: cmake: command not found
/bin/sh: cmake: command not found
make[1]: *** [build_sysinfo] Error 127
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [build_shared_modules] Error 127
make: *** [agent] Error 2
==============================================================================
ERROR:
Description:
Incorrect type for file at path "/Users/ec2-user/wazuh-packages/macos/package_files/wazuh-agent.pkgproj"
Step:
Project
==============================================================================
Build Failed
ERROR: something went wrong while building the package.
sudo: /Library/Ossec/bin/ossec-control: command not found
rm: /Library/Ossec*: No such file or directory
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
After correctly installing Cmake, the error changes to:
ec2-user@ip-172-31-34-153 macos % sudo bash generate_wazuh_packages.sh -b 4.3
/usr/local/bin/packagesbuild
Cloning into '/Users/ec2-user/wazuh-packages/macos/repository/wazuh'...
remote: Enumerating objects: 3555, done.
remote: Counting objects: 100% (3555/3555), done.
remote: Compressing objects: 100% (3120/3120), done.
remote: Total 3555 (delta 711), reused 955 (delta 215), pack-reused 0
Receiving objects: 100% (3555/3555), 8.17 MiB | 5.91 MiB/s, done.
Resolving deltas: 100% (711/711), done.
Updating files: 100% (3139/3139), done.
Modifiying specs/wazuh-agent.pkgproj to match revision.
cp: package_files/*.sh: No such file or directory
generate_wazuh_packages.sh: line 148: /Users/ec2-user/wazuh-packages/macos/package_files/build.sh: No such file or directory
==============================================================================
ERROR:
Description:
Incorrect type for file at path "/Users/ec2-user/wazuh-packages/macos/package_files/wazuh-agent.pkgproj"
Step:
Project
==============================================================================
Build Failed
ERROR: something went wrong while building the package.
sudo: /Library/Ossec/bin/ossec-control: command not found
rm: /Library/Ossec*: No such file or directory
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
Looking for the error `Incorrect type for file at path "/Users/ec2-user/wazuh-packages/macos/package_files/wazuh-agent.pkgproj"`, this question and answer was found:

> Just want to confirm that granting full disk access to packages_builder AND packages_dispatcher makes it work.

After testing that solution, the error is exactly the same.
A test in 4.3 to see if the problem is with the OS or machine ends with an error, confirming it:
[100%] Built target rsync_test_tool
make: *** [agent] Error 2
==============================================================================
ERROR:
Description:
Unable to read attributes of item at path "/Library/Ossec"
Step:
Project > Distribution > Package 'agent' > Payload > Assemble
==============================================================================
Build Failed
ERROR: something went wrong while building the package.
sudo: /Library/Ossec/bin/ossec-control: command not found
rm: /Library/Ossec*: No such file or directory
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
ec2-user@ip-172-31-34-153 macos %
A new issue was also discovered while doing these tests: https://github.com/wazuh/wazuh-packages/issues/1965
The next tests were done in Sierra, with the same error but none of the previous ones. It seems those were OS-specific and the one stopping the build is the `Incorrect type for file at path` error:
+ cp /Users/vagrant/wazuh-packages/macos/repository/wazuh/src/REVISION /Library/Ossec/packages_files/agent_installation_scripts/src/
==============================================================================
ERROR:
Description:
Incorrect type for file at path "/Users/vagrant/wazuh-packages/macos/package_files/wazuh-agent.pkgproj"
Step:
Project
==============================================================================
Build Failed
ERROR: something went wrong while building the package.
sudo: /Library/Ossec/bin/ossec-control: command not found
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
macos-1012-cmake:macos vagrant$
Some more changes were done in `wazuh-agent.pkgproj`, but nothing changed in the error. The directories also had some problems, some identified in this issue and some yet unidentified:
macos-1012-cmake:macos vagrant$ sudo bash generate_wazuh_packages.sh -b 4.3
/usr/local/bin/packagesbuild
Cloning into '/Users/vagrant/wazuh-packages/macos/repository/wazuh'...
fatal: The remote end hung up unexpectedly
fatal: protocol error: bad pack header
generate_wazuh_packages.sh: line 199: /Users/vagrant/wazuh-packages/macos/repository/wazuh/src/VERSION: No such file or directory
Modifiying specs/wazuh-agent.pkgproj to match revision.
cat: /Users/vagrant/wazuh-packages/macos/repository/wazuh/src/VERSION: No such file or directory
cp: /Users/vagrant/wazuh-packages/macos/package_files/build.sh and package_files/build.sh are identical (not copied).
cp: /Users/vagrant/wazuh-packages/macos/package_files/postinstall.sh and package_files/postinstall.sh are identical (not copied).
cp: /Users/vagrant/wazuh-packages/macos/package_files/preinstall.sh and package_files/preinstall.sh are identical (not copied).
+ DESTINATION_PATH=/Library/Ossec
+ SOURCES_PATH=/Users/vagrant/wazuh-packages/macos/repository/wazuh
+ BUILD_JOBS=2
+ INSTALLATION_SCRIPTS_DIR=/Library/Ossec/packages_files/agent_installation_scripts
+ build
+ configure
+ echo USER_LANGUAGE=en
/Users/vagrant/wazuh-packages/macos/package_files/build.sh: line 17: /Users/vagrant/wazuh-packages/macos/repository/wazuh/etc/preloaded-vars.conf: No such file or directory
==============================================================================
ERROR:
Description:
Incorrect type for file at path "/Users/vagrant/wazuh-packages/macos/package_files/wazuh-agent.pkgproj"
Step:
Project
==============================================================================
Build Failed
ERROR: something went wrong while building the package.
sudo: /Library/Ossec/bin/ossec-control: command not found
rm: /Library/Ossec*: No such file or directory
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
delete: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
As there is no documentation on the error, an option would be that the new elements in the `wazuh-agent.pkgproj` had property `TYPE` incorrect, and it seemed that was it, but after correcting them the build gives the same error as before.
After lots of tests and solving each new error one by one, a package has finally been created with the changes in the Login Item installation, and now they are part of the package in the Package Project and supposedly in signing:
Press enter to continue
Build Successful (1 second)
The wazuh agent package for MacOS X has been successfully built.
sudo: /Library/Ossec/bin/ossec-control: command not found
No receipt for 'com.wazuh.pkg.wazuh-agent' found at '/'.
No receipt for 'com.wazuh.pkg.wazuh-agent-etc' found at '/'.
Wazuh agent correctly removed from the system.
macos-1012-cmake:macos vagrant$
With these changes and more done during the testing to fix various things throughout the generation of macOS packages a PR has been created, https://github.com/wazuh/wazuh-packages/pull/1970, which does not solve this issue but fixes other little problems and/or bad practices.
When the new package has been installed in macOS Ventura, it has not solved the issue. The login item still appears as coming from an unidentified developer and what's more, the previously used and now erased `launcher.sh` has appeared again in the file.
A new file remains to be changed for these changes to be correctly tested, `darwin-init.sh`, this time in the source directory, which is why it hadn't been found before. Next day changes will be done to that file to see if the files can be signed.
After removing the call to the file `darwin-init.sh`, only the files defined inside the package and thus signed are placed in folder `/Library/StartupItems`. Even with that, the package is still shown as from an unidentified developer.
On hold for: https://github.com/wazuh/wazuh-packages/issues/1973
Since the last commentary, it has been on hold for #1965 #1969 and #1984 but it is now back on progress
On hold by: https://developer.apple.com/forums/thread/721918
A rebase has been done to version `4.5.0` and some problems have arisen. When trying to create a package using the Jenkins pipeline, an error has appeared:
https://ci.wazuh.info/job/Packages_builder_macos/8333/consoleFull:
17:37:44 TASK [Build Wazuh agent package for macOS, sign binaries and package and notarize the package.] ***
17:37:44 task path: /home/ec2-user/workspace/Packages_builder_macos/ansible-playbooks/packages/build_macos_packages.yml:57
17:37:44 fatal: [****_host]: FAILED! => {
17:37:44 "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",
17:37:44 "changed": true
17:37:44 }
17:37:44
A branch `1917-macos-package-generation-fixes-jenkins` was created on https://github.com/wazuh/wazuh-jenkins to change the `no_log` property to see the error better. Using it to create a package gave a more verbose error:
https://ci.wazuh.info/job/Packages_builder_macos/8334/console
Of which the main error seems to be:
17:48:57 ERROR:
17:48:57
17:48:57 Description:
17:48:57
17:48:57 Incorrect type for file at path "/tmp/Packages_builder_macos/B8334/wazuh-packages/macos/package_files/wazuh-agent.pkgproj"
17:48:57 Step:
17:48:57
17:48:57 Project
Some syntax must have changed in the project file with the merges and it should be closely examined.
After fixing the macOS SPECS file (`wazuh-agent.pkgproj`) a package has been able to be generated. The problem was some lines had gone missing with the merge.
When creating the package with logs (https://ci.wazuh.info/job/Packages_builder_macos/8346/console) and with a debug output on the signing function we can see the new files added to the project are not being signed, although that may be correct. The new files are not binaries, although they are executables.
Signing /Library/Ossec/bin/wazuh-logcollector
Signing /Library/Ossec/bin/wazuh-execd
Signing /Library/Ossec/bin/wazuh-syscheckd
Signing /Library/Ossec/bin/manage_agents
Signing /Library/Ossec/bin/agent-auth
Signing /Library/Ossec/bin/wazuh-agentd
Signing /Library/Ossec/bin/wazuh-modulesd
Signing /Library/Ossec/lib/libwazuhshared.dylib
Signing /Library/Ossec/lib/libsysinfo.dylib
Signing /Library/Ossec/lib/libdbsync.dylib
Signing /Library/Ossec/lib/librsync.dylib
Signing /Library/Ossec/lib/libsyscollector.dylib
Signing /Library/Ossec/lib/libwazuhext.dylib
Signing /Library/Ossec/active-response/bin/firewall-drop
Signing /Library/Ossec/active-response/bin/host-deny
Signing /Library/Ossec/active-response/bin/firewalld-drop
Signing /Library/Ossec/active-response/bin/default-firewall-drop
Signing /Library/Ossec/active-response/bin/npf
Signing /Library/Ossec/active-response/bin/pf
Signing /Library/Ossec/active-response/bin/ip-customblock
Signing /Library/Ossec/active-response/bin/ipfw
Signing /Library/Ossec/active-response/bin/route-null
Signing /Library/Ossec/active-response/bin/restart-wazuh
Signing /Library/Ossec/active-response/bin/wazuh-slack
Signing /Library/Ossec/active-response/bin/kaspersky
Signing /Library/Ossec/active-response/bin/disable-account
Build Successful (2 seconds)
The wazuh agent package for MacOS X has been successfully built.
After adding a line to sign the executable of the Login Item, a package has been created and tested in macOS Ventura, but the same error as always has appeared.
codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements "${ENTITLEMENTS_PATH}" --timestamp --options=runtime --verbose=4 "${LOGIN_ITEM_PATH}/Wazuh"
After checking the files, it is seen the StartupItem files hadn't been correctly signed, unlike the files in `/Library/Ossec/bin`:
sh-3.2# codesign -dv --verbose=4 /Library/StartupItems/WAZUH/Wazuh
/Library/StartupItems/WAZUH/Wazuh: code object is not signed at all
sh-3.2# codesign -dv --verbose=4 /Library/Ossec/bin/wazuh-execd
Executable=/Library/Ossec/bin/wazuh-execd
Identifier=wazuh-execd
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=5431 flags=0x10000(runtime) hashes=161+5 location=embedded
VersionPlatform=1
VersionMin=658432
VersionSDK=658432
Hash type=sha256 size=32
CandidateCDHash sha256=3e2fc1aec136042a81d0aacf2ef3bc3437b9eff6
CandidateCDHashFull sha256=3e2fc1aec136042a81d0aacf2ef3bc3437b9eff6f0db48d3bb8c685db9126fea
Hash choices=sha256
CMSDigest=3e2fc1aec136042a81d0aacf2ef3bc3437b9eff6f0db48d3bb8c685db9126fea
CMSDigestType=2
Page size=4096
Launch Constraints:
None
CDHash=3e2fc1aec136042a81d0aacf2ef3bc3437b9eff6
Signature size=8968
Authority=Developer ID Application: Wazuh Inc (KLZK8P68R5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 21, 2022 at 12:00:14 PM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Runtime Version=10.12.0
Sealed Resources=none
Internal requirements count=1 size=172
The files had been added after signing, and after fixing that error and by writing to the output the file before signing it, we can see it is there, but it is still not signed:
Signing /Library/Ossec/active-response/bin/disable-account
#!/bin/sh
# The start subroutine
DIRECTORY="/Library/Ossec"
StartService() {
${DIRECTORY}/bin/wazuh-control start
}
# The stop subroutine
StopService() {
${DIRECTORY}/bin/wazuh-control stop
}
# The restart subroutine
RestartService() {
${DIRECTORY}/bin/wazuh-control stop
sleep 5
${DIRECTORY}/bin/wazuh-control start
}
RunService "$1"
Build Successful (2 seconds)
sh-3.2# codesign -dv --verbose=4 /Library/StartupItems/WAZUH/Wazuh
/Library/StartupItems/WAZUH/Wazuh: code object is not signed at all
When trying to get the result of calling on `codesign` with the Login Item, nothing is shown:
result=$(codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements "${ENTITLEMENTS_PATH}" --timestamp --options=runtime --verbose "${LOGIN_ITEM_PATH}/Wazuh")
echo "The codesign for the Login Item has ended in ${result}."
The codesign for the Login Item has ended in .
To try and get why the file wasn't being signed, various debug methods were tried:
set -x
codesign -f --sign "${CERT_APPLICATION_ID}" --entitlements "${ENTITLEMENTS_PATH}" --timestamp --options=runtime --verbose "${LOGIN_ITEM_PATH}/Wazuh" && echo "Correctly signed Login Item" || echo "Error signing Login Item"
set +x
But in several tries the only output of that part of the code was
11:36:05 Signing /Library/Ossec/active-response/bin/disable-account
11:36:05 Correctly signed Login Item
11:36:05 Build Successful (2 seconds)
After trying to run it locally or entering the machine without any luck, in a stopped pipeline the output of signing `/Library/StartupItems/WAZUH/Wazuh` was found:
12:43:21 + codesign -f --sign **** --entitlements /private/tmp/Packages_builder_macos/B8371/wazuh-packages/macos/entitlements.plist --timestamp --options=runtime --verbose /Library/StartupItems/WAZUH/Wazuh
12:43:21 /Library/StartupItems/WAZUH/Wazuh: signed generic [WAZUH]
12:43:21 + echo 'Correctly signed Login Item'
12:43:21 + set +x
Trying with the rest of files as well we can see they are signed apparently differently, all with `Mach-O`:
13:32:50 /Library/Ossec/active-response/bin/disable-account: signed Mach-O thin (x86_64) [disable-account]
13:32:50 + codesign -f --sign **** --entitlements /private/tmp/Packages_builder_macos/B8372/wazuh-packages/macos/entitlements.plist --timestamp --options=runtime --verbose /Library/StartupItems/WAZUH/Wazuh
13:32:50 /Library/StartupItems/WAZUH/Wazuh: signed generic [WAZUH]
13:32:50 + echo 'Correctly signed Login Item'
13:32:50 + set +x
As seen here, it seems scripts can be signed.
Since version 4.3.0, where this issue was first pointed at, the `.pkgproj` file has changed, and now there isn't any file there, only the ones put by this issue. I haven't been able to find anywhere why the difference in signing, although it would be understandable if it had to do with the fact that the Startup Item is not a binary, it is a script. I tried adding `--deep` again to the signing of it but it gives the same result.
As seen here and in the Technical Note for Code Signing, scripts can be signed and are signed the same, using `--sign`. All non-Mach-O executables store the signing in their extended attributes, which sometimes don't survive moving the files between places.
To see if the signing is correct I added a check of the extended attributes before and after signing the script and we can confirm it is correctly signed:
As seen in this article, some tools, such as `ditto` or `tar`, more effectively preserve the extended attributes, including the signing, in non-Mach-O scripts and files. The problem is the only program that actually does something to the file is `packagesbuild`, which bundles the package.
In a newly found tutorial there are some minor changes: permissions for the script are `0744` and not `0755`, and the optional argument to `codesign`, `--identifier`, which gives the name of the identifier if the script is signed. To make the package it uses `munkipkg` instead of `packagesbuild`, and that is probably where the signing error lies.
An issue has been created, #2006, to change the tool with which macOS packages are built, but as it will probably take a long time, some other solution must be found. It has not been tested yet, but a possible solution could be compressing the script with `tar` after signing it and decompressing it in the post-install script, as, according to this article, `tar` preserves the extended attributes of the files.
On Hold due to: https://github.com/wazuh/wazuh-packages/issues/1962
Added code to compress and decompress the Login Item using tar in branch https://github.com/wazuh/wazuh-jenkins/tree/1917-macos-package-generation-fixes-jenkins . The package builder has been left running creating a package with the new code: https://ci.wazuh.info/view/Packages/job/Packages_builder_macos/8483.
Back on hold due to: #1962
Back in progress due to closing https://github.com/wazuh/wazuh-packages/issues/1962
After some tests, it has been proved that `tar` preserves the extended attributes where the signature of the script is. The compressing and decompressing of the file still need to be done correctly.
sh-3.2# ls /Library/StartupItems/WAZUH/
StartupParameters.plist Wazuh.tar
sh-3.2# tar xvf /Library/StartupItems/WAZUH/Wazuh.tar --cd /Library/StartupItems/WAZUH/
x Library/StartupItems/WAZUH/Wazuh
sh-3.2# codesign -dv --verbose=4 /Library/StartupItems/WAZUH/Library/StartupItems/WAZUH/Wazuh
Executable=/Library/StartupItems/WAZUH/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=79e60e39763f6058b461d87ee286ab0e19ecc29c
CandidateCDHashFull sha1=79e60e39763f6058b461d87ee286ab0e19ecc29c
CandidateCDHash sha256=92bb8fd39447b9f0fea216c3616c74f9d845c8b5
CandidateCDHashFull sha256=92bb8fd39447b9f0fea216c3616c74f9d845c8b5a720e17c3766e6a6082e8235
Hash choices=sha1,sha256
CMSDigest=988680ab0b5c326478a13710c8ae48e95f3ca590e63353f27608b3c992096df9
CMSDigestType=2
Page size=none
Launch Constraints:
None
CDHash=92bb8fd39447b9f0fea216c3616c74f9d845c8b5
Signature size=9049
Authority=Developer ID Application: Wazuh Inc (KLZK8P68R5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 13, 2023 at 4:08:24 PM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=1 size=180
sh-3.2#
With the last changes, script `Wazuh` in `/Library/StartupItems/WAZUH` has managed to be signed, as can be seen in this log:
ec2-user@ip-172-31-43-176 ~ % installer -pkg wazuh-agent-4.5.0-1917.pkg -target /
installer: Must be run as root to install this package.
ec2-user@ip-172-31-43-176 ~ % sudo installer -pkg wazuh-agent-4.5.0-1917.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
ec2-user@ip-172-31-43-176 ~ % /Library/Ossec/bin/wazuh-control start
zsh: permission denied: /Library/Ossec/bin/wazuh-control
ec2-user@ip-172-31-43-176 ~ % sudo /Library/Ossec/bin/wazuh-control start
2023/01/16 16:06:38 wazuh-agentd: ERROR: (4112): Invalid server address found: 'MANAGER_IP'
2023/01/16 16:06:38 wazuh-agentd: CRITICAL: (1215): No client configured. Exiting.
wazuh-agentd: Configuration error. Exiting
ec2-user@ip-172-31-43-176 ~ % sudo defaults write /var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing -dict Disabled -bool false
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.screensharing.plist
ec2-user@ip-172-31-43-176 ~ % sudo su
sh-3.2# /usr/bin/dscl . -passwd /Users/ec2-user
New Password:
sh-3.2# ls /Library/StartupItems/WAZUH/
StartupParameters.plist Wazuh Wazuh.tar
sh-3.2# xattr -l /Library/StartupItems/WAZUH/
sh-3.2# xattr -l /Library/StartupItems/WAZUH/Wazuh
com.apple.cs.CodeDirectory: ��
com.apple.cs.CodeEntitlements: ��qq
com.apple.cs.CodeRequirements: ��
com.apple.cs.CodeRequirements-1: ��
��0�10pl`�He.CodeSignature: 0� *�H��
sh-3.2# codesign -dv -v /Library/StartupItems/WAZUH/Wazuh
Executable=/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9049
Authority=Developer ID Application: Wazuh Inc (KLZK8P68R5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 16, 2023 at 2:27:47 PM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=1 size=180
When checking the settings for the Login Item, it still appears as coming from an `Unidentified developer`, and when checking why, it can be seen the script to which the Launch Item points is some `launcher.sh`, which isn't installed, and has appeared at the installation with no mention of it:
sh-3.2# cat /Library/LaunchDaemons/com.wazuh.agent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.wazuh.agent</string>
<key>ProgramArguments</key>
<array>
<string>/Library/StartupItems/WAZUH/launcher.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
This version of `com.wazuh.agent.plist` doesn't appear either on the source code or the packages repository and is the only stopper for the fix at this moment.
On the other hand, the code for the program used to bundle the package has finally been found, it is https://github.com/packagesdev/packages, and it has an open issue on the fact that extended attributes are not preserved. A new commentary has been written there.
To try and test if the solution of signing the script will actually work, `com.wazuh.agent.plist` has been changed after installation to point to the actual script in `/Library/StartupItems/WAZUH`, but, even after a restart, the settings don't change and the name of the Startup Item shown is `launcher.sh`.
sh-3.2# cat /Library/LaunchDaemons/com.wazuh.agent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.wazuh.agent</string>
<key>ProgramArguments</key>
<array>
<string>/Library/StartupItems/WAZUH/Wazuh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
sh-3.2# codesign -dv -verbose=4 /Library/StartupItems/WAZUH/Wazuh
/Library/StartupItems/WAZUH/Wazuh: operation inapplicable or not supported for this type of code
sh-3.2# codesign -dv -v /Library/StartupItems/WAZUH/Wazuh
Executable=/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9049
Authority=Developer ID Application: Wazuh Inc (KLZK8P68R5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 16, 2023 at 2:27:47 PM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=1 size=180
sh-3.2#
The part where `com.wazuh.agent.plist` was overwritten has been found to be script `darwin-init.sh` in the source code. After removing the call to it (everything it does overlaps the new way of creating the Login Items), some errors have been appearing and more debugging has been needed. A correct build has finally finished, tomorrow the testing will be done.
The test has been done with the package created yesterday and the installation finishes correctly. The Startup Item is correctly signed, but the Launch daemon isn't, as it hasn't been compressed and decompressed. The Login Item still shows `Unidentified developer`, which may be because of the unsigned Launch Daemon.
sh-3.2# codesign -dv -v /Library/StartupItems/WAZUH/Wazuh
Executable=/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9049
Authority=Developer ID Application: Wazuh Inc (KLZK8P68R5)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 17, 2023 at 5:18:49 PM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=2 size=228
sh-3.2#
sh-3.2# codesign -dv -v /Library/LaunchDaemons/com.wazuh.agent.plist
/Library/LaunchDaemons/com.wazuh.agent.plist: code object is not signed at all
sh-3.2#
The issue is still on hold because of https://github.com/wazuh/wazuh-jenkins/issues/4652, as no tests can be done yet on the MacMini
Finally, with the latest changes, both files used for the Login Item, `/Library/StartupItems/WAZUH/Wazuh` and `/Library/LaunchDaemons/com.wazuh.agent.plist`, have been signed, but it has been tested this does not solve the issue of the Login Item appearing as coming from an Unidentified Developer.
sh-3.2# codesign -dv /Library/LaunchDaemons/com.wazuh.agent.plist
Executable=/Library/LaunchDaemons/com.wazuh.agent.plist
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9049
Timestamp=Jan 19, 2023 at 11:32:44 AM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=1 size=180
sh-3.2# codesign -dv /Library/StartupItems/WAZUH/Wazuh
Executable=/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9048
Timestamp=Jan 19, 2023 at 11:32:43 AM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=2 size=228
sh-3.2#
On hold waiting for an answer on the forums https://developer.apple.com/forums/thread/721918
The question in the forums has been answered, and a couple changes were recommended in order to make the TCC correctly identify our Login Item:
`com.wazuh.agent.plist`, as it is not code.
`com.wazuh.agent.plist`.
The code signing for the property list has been removed and property `AssociatedBundleIdentifiers` has been added to it, and changed during the creation of the package, as it depends on some variables.
None of the changes have been tested, as the MacMini, the platform that has been used to test it, has been down because of https://github.com/wazuh/wazuh-jenkins/issues/4652
This issue is now blocked because of it.
The package with the latest changes has been finally created and will be tested tomorrow on MacOS Ventura.
The last solution, adding the package identifier to the property list, has been tried, and doesn't solve our problem, as seen in the screen capture below. It may have to do with the fact that our Application isn't listed in the Finder, because it is not recognized by the TCC. The solution to this problem is very probably Issue https://github.com/wazuh/wazuh-packages/issues/2006. A new answer has been posted in the forums to see if there is any last easy way to identify the Login Item.
On hold for an answer on: https://developer.apple.com/forums/thread/721918
As no answer seems to be coming from the developer forums, a new test has been made, following to the detail the instructions explained in forum https://macblog.org/manage-custom-login-items/ to create a package with a Login Item. It uses the package creator presented in https://github.com/wazuh/wazuh-packages/issues/2006, but it is being tested if changing everything else in the tutorial except the package creation tool will do the trick.
We are removing the way it is now done and creating one `com.wazuh.agent.plist` file in `/Library/LaunchDaemons` and a script in `/Library/Ossec`, to try and get the system to recognize it as part of the package. The script has the same problem when being signed as the last one, so the `tar` solution has been tried. It has not yet been signed, but some debugging is needed.
It is now being tested in MacOS Catalina, because it hasn't been possible to virtualize MacOS Ventura, but when everything is signed and in its place after the installation, the test on Ventura will be the deciding one.
The new package has been tested on MacOS Ventura and it hasn't brought the expected results. The Login Item still shows as unidentified. The script is not signed, although the `tar` trick has been used, so that may be the problem. A new test should be done with the script correctly signed.
sh-3.2# codesign -dv /Library/Ossec/Wazuh-startup
/Library/Ossec/Wazuh-startup: code object is not signed at all
sh-3.2#
On hold for: https://github.com/wazuh/wazuh-packages/issues/2096
The script hadn't been signed in the last test because the file transmitted with the package hadn't been the compressed one but the original. After correcting it and getting an installation in which the script is correctly signed, the error is not yet solved.
sh-3.2# installer -pkg wazuh-agent-4.5.0-1917.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# codesign -dv /Library/Ossec/Wazuh-startup
Executable=/Library/Ossec/Wazuh-startup
Identifier=com.wazuh.example
Format=generic
CodeDirectory v=20200 size=273 flags=0x10000(runtime) hashes=1+5 location=embedded
Signature size=9049
Timestamp=Feb 15, 2023 at 2:23:39 PM
Info.plist=not bound
TeamIdentifier=KLZK8P68R5
Sealed Resources=none
Internal requirements count=2 size=228
sh-3.2# man
This leaves us with the last option of changing the tool to create and sign the packages to see if it does solve it.
Some of the problems seen that were thought to have been the problem are the following:
The identifier has been added by using parameter `--identifier 'com.wazuh.agent'` on command `codesign` with no effect.
It has been tested signing all launch items individually, compressing them in a tar and decompressing on `postinstall.sh` to ensure the signing is preserved (it isn't by default on scripts). The result has been the same.
As explained in commentary https://github.com/wazuh/wazuh-packages/issues/2212#issuecomment-1560790038 on the issue to remove the Login Item, when removing any one of the services that make the agent start on launch or login, the Login Item in the settings not only does not disappear but it still appears as installed from an unidentified developer.
Using a different tool to create the macOS package could be the solution to correctly signing and notarising the packages, which will probably solve the problems related to the Login Items.
(08/08/2024) Added test in https://github.com/wazuh/wazuh/pull/25091 to verify it solves the problem.
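A post-install check for the situation this thread keeps running into, as an added example that is not code from the Wazuh repositories: `codesign` writes its report to stderr, so the capture needs `2>&1`, and the parsed result tells a script signature stored in extended attributes (`Format=generic`) apart from a Mach-O one or a lost one. The function names are assumptions of this example, and the sample outputs are constructed by trimming the `codesign -dv` logs quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the Wazuh repositories.
# Classifies captured `codesign -dv` output so a build or post-install step can
# fail when a script's xattr-stored signature did not survive packaging.

# TeamIdentifier that appears in the codesign output quoted in the thread.
EXPECTED_TEAM="KLZK8P68R5"

# Print the value of the first "Key=value" line for key $1 (input on stdin).
cs_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# $1 = text captured from `codesign -dv`. Prints a verdict; returns 0 only
# when the object is signed by EXPECTED_TEAM.
classify_codesign() {
    cs_out=$1
    case $cs_out in
        *"code object is not signed at all"*)
            echo "unsigned"; return 1 ;;
    esac
    cs_team=$(printf '%s\n' "$cs_out" | cs_field TeamIdentifier)
    cs_format=$(printf '%s\n' "$cs_out" | cs_field Format)
    if [ -z "$cs_team" ]; then
        echo "unparsed"; return 1
    fi
    if [ "$cs_team" != "$EXPECTED_TEAM" ]; then
        echo "wrong-team:$cs_team"; return 1
    fi
    case $cs_format in
        Mach-O*) echo "signed:mach-o" ;;   # signature embedded in the binary
        generic) echo "signed:xattr" ;;    # script: signature in extended attributes
        *)       echo "signed:other" ;;
    esac
}

# Check a real path (macOS only). codesign writes its report to stderr, so
# without 2>&1 the command substitution captures an empty string.
check_path() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign-missing"; return 2; }
    classify_codesign "$(codesign -dv --verbose=4 "$1" 2>&1)"
}

# Constructed samples, trimmed from the codesign output shown in the thread.
sample_unsigned() {
    echo "/Library/StartupItems/WAZUH/Wazuh: code object is not signed at all"
}
sample_script() {
    cat <<'EOF'
Executable=/Library/StartupItems/WAZUH/Wazuh
Identifier=com.wazuh.example
Format=generic
TeamIdentifier=KLZK8P68R5
EOF
}
sample_macho() {
    cat <<'EOF'
Executable=/Library/Ossec/bin/wazuh-execd
Identifier=wazuh-execd
Format=Mach-O thin (x86_64)
TeamIdentifier=KLZK8P68R5
EOF
}
# Constructed: a team identifier that is not the expected one.
sample_other_team() {
    cat <<'EOF'
Executable=/Library/StartupItems/WAZUH/Wazuh
Format=generic
TeamIdentifier=EXAMPLE0000
EOF
}

# Demo over the constructed samples; on macOS, call check_path <file> instead.
for s in sample_unsigned sample_script sample_macho sample_other_team; do
    printf '%-18s %s\n' "$s" "$(classify_codesign "$($s)")"
done
```

Run after the `tar` extraction in the post-install step, a non-zero return from `check_path` flags the case where the file is in place but its signature attributes are gone.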
Wazuh agent version: 4.3.9 for macOS
@santiago-bassett reported the following issue: After upgrading macOS to the Ventura version, there is something weird in `Settings -> General -> Login Items`: a warning message with `Item from unidentified developer.` appeared. In order to avoid the Wazuh agent uninstalling by mistake (due to user mistrust), it's necessary to fix it.
Tasks
Research
Code
Test