Closed jnasselle closed 3 months ago
(03/06/2024) Deploying environment to replicate issue.
(04/06/2024) Opened PR with proposed solution, tested and pending review.
(05/06/2024) Performing some other tests to keep consistency between rpm and deb packages removal and between agent and manager packages.
I have also found some inconsistencies between deb and rpm package removal referencing residual files:
As has been clarified by management, the removal of a package must not leave residual packages, so the situation is as follows for each system:
(10/06/2024) Updating removed files. Pending testing.
The apt man page states the following:
Removing a package removes all packaged data, but leaves usually small (modified) user configuration files behind, in case the remove was an accident. Just issuing an installation request for the accidentally removed package will restore its function as before in that case. On the other hand you can get rid of these leftovers by calling purge even on already removed packages. Note that this does not affect any data or configuration stored in your home directory.
So the `apt remove` option as it's currently implemented covers this situation; for `apt purge`, it also complies with the requirement, as it really erases the `/var/ossec` folder.
```console
root@agent1-ubu22:/home/vagrant# dpkg -i wazuh-agent_4.7.5-1_amd64.deb
Selecting previously unselected package wazuh-agent.
(Reading database ... 71284 files and directories currently installed.)
Preparing to unpack wazuh-agent_4.7.5-1_amd64.deb ...
Unpacking wazuh-agent (4.7.5-1) ...
Setting up wazuh-agent (4.7.5-1) ...
root@agent1-ubu22:/home/vagrant# ls /var/ossec/
active-response agentless backup bin etc lib logs queue ruleset tmp var wodles
root@agent1-ubu22:/home/vagrant# apt purge wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 31.5 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 71672 files and directories currently installed.)
Removing wazuh-agent (4.7.5-1) ...
(Reading database ... 71300 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.7.5-1) ...
dpkg: warning: while removing wazuh-agent, directory '/usr/lib/systemd/system' not empty so not removed
root@agent1-ubu22:/home/vagrant# ls /var/ossec/
ls: cannot access '/var/ossec/': No such file or directory
root@agent1-ubu22:/home/vagrant# apt info wazuh-agent
N: Unable to locate package wazuh-agent
N: Unable to locate package wazuh-agent
E: No packages found
```
This behavior is consistent for agent and manager cases.
In the case of `rpm` and `yum` there is no partial option like `apt remove`. If we run `rpm -e` or `yum remove`, it takes into account the names with the `.rpmsave`, not removing them.
```console
[root@linux-rocky vagrant]# rpm -iv wazuh-agent-4.7.5-1.x86_64.rpm
warning: wazuh-agent-4.7.5-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
Verifying packages...
Preparing packages...
wazuh-agent-4.7.5-1.x86_64
[root@linux-rocky vagrant]# yum info wazuh-agent
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:35:24 ago on Fri Jun 7 08:36:38 2024.
Installed Packages
Name : wazuh-agent
Version : 4.7.5
Release : 1
Architecture : x86_64
Size : 26 M
Source : wazuh-agent-4.7.5-1.src.rpm
Repository : @System
From repo : @System
Summary : Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and
: application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection
: and policy and compliance monitoring
URL : https://www.wazuh.com/
License : GPL
Description : Wazuh helps you to gain security visibility into your infrastructure by monitoring
: hosts at an operating system and application level. It provides the following capabilities:
: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
[root@linux-rocky vagrant]# rpm -e wazuh-agent
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave
```
It should be decided if we create `.rpmsave` files or if the package is completely removed when `rpm -e` or `yum remove` commands are run.
Related issue: https://github.com/wazuh/wazuh-packages/issues/182
Description
During wazuh/wazuh#16954 testing procedure, it was found (first in ppc64le linux and then in amd64 linux) that, in case the Wazuh agent has connectivity issues with the manager and is being removed, some non-config files were left on the installation directory, specifically
Our docs say that `apt remove` leaves only config files, and the mentioned files are not configuration ones.
Install and remove with communication issues with the Manager
Install and remove with established communication with the Manager
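
An added example, not part of the original issue or the Wazuh project's code: a shell check that classifies what is left under an install prefix after a package removal, separating `.rpmsave` backups and config files from other residue. The function names and the assumption that configuration lives under `etc/` are illustrative.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes config files live under
# DIR/etc, as /var/ossec/etc/ossec.conf does in the rpm output on this page.

# classify_residuals DIR: print "<class> <path>" for every leftover file.
#   rpmsave = config backup kept by rpm, conf = file under DIR/etc,
#   other   = non-config residue. Empty directories are not counted.
classify_residuals() {
    dir=${1%/}
    [ -d "$dir" ] || return 0          # prefix gone: nothing left to report
    find "$dir" -type f | sort | while IFS= read -r f; do
        case $f in
            *.rpmsave)    echo "rpmsave $f" ;;
            "$dir"/etc/*) echo "conf $f" ;;
            *)            echo "other $f" ;;
        esac
    done
}

# removal_verdict DIR: echo clean, config-only or residual.
removal_verdict() {
    report=$(classify_residuals "$1")
    if [ -z "$report" ]; then
        echo clean
    elif printf '%s\n' "$report" | grep -q '^other '; then
        echo residual
    else
        echo config-only
    fi
}

# check_removal DIR MODE: MODE is "remove" (config leftovers tolerated, as
# apt remove / rpm -e behave) or "purge" (nothing may remain).
check_removal() {
    verdict=$(removal_verdict "$1")
    case "$2:$verdict" in
        remove:clean|remove:config-only|purge:clean) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh check.sh /var/ossec purge
if [ $# -eq 2 ]; then
    classify_residuals "$1"
    check_removal "$1" "$2"
fi
```

Run it after each removal path (`apt remove`, `apt purge`, `rpm -e`, `yum remove`) with the mode that path is expected to satisfy; a non-zero exit marks a run that left more than the mode allows.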