wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

Wazuh deb uninstall left non-config files #2195

Closed jnasselle closed 3 months ago

jnasselle commented 1 year ago
| Wazuh version | Install type | Action performed | Platform |
|---|---|---|---|
| up to master | Manager/Agent | Remove | Debian-based |

Related issue: https://github.com/wazuh/wazuh-packages/issues/182

Description

During the wazuh/wazuh#16954 testing procedure, it was found (first on ppc64le Linux and then on amd64 Linux) that, when the Wazuh agent has connectivity issues with the manager and is being removed, some non-config files are left in the installation directory, specifically:

/var/ossec/
|`-- queue
    |-- alerts
    |   |-- cfgaq
    |   `-- execq
    |-- fim
    |   `-- db
    |       |-- fim.db
    |       `-- fim.db-journal
    |-- logcollector
    |   `-- file_status.json
    |-- rids
    |   |-- 011
    |   `-- sender_counter
    |-- sockets
    |   |-- com
    |   |-- control
    |   |-- logcollector
    |   |-- queue
    |   |-- syscheck
    |   |-- upgrade
    |   `-- wmodules
    `-- syscollector
        `-- db
            `-- local.db

Our docs say that apt remove leaves only config files, and the mentioned files are not configuration ones.

Install and remove with communication issues with the Manager

root@43587536d740:/# curl -LO https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.4.2-1_amd64.deb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8708k  100 8708k    0     0  2955k      0  0:00:02  0:00:02 --:--:-- 2955k
root@43587536d740:/# WAZUH_MANAGER="44.200.77.198" apt install ./wazuh-agent_4.4.2-1_amd64.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.2-1_amd64.deb'
The following NEW packages will be installed:
  wazuh-agent
0 upgraded, 1 newly installed, 0 to remove and 25 not upgraded.
Need to get 0 B/8918 kB of archives.
After this operation, 30.2 MB of additional disk space will be used.
Get:1 /wazuh-agent_4.4.2-1_amd64.deb wazuh-agent amd64 4.4.2-1 [8918 kB]
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 5747 files and directories currently installed.)
Preparing to unpack /wazuh-agent_4.4.2-1_amd64.deb ...
Unpacking wazuh-agent (4.4.2-1) ...
Setting up wazuh-agent (4.4.2-1) ...
root@43587536d740:/# apt remove wazuh-agent^C
root@43587536d740:/# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@43587536d740:/# tree /var/ossec/
/var/ossec/
|-- active-response
|   `-- bin
|       |-- default-firewall-drop
|       |-- disable-account
|       |-- firewall-drop
|       |-- firewalld-drop
|       |-- host-deny
|       |-- ip-customblock
|       |-- ipfw
|       |-- kaspersky
|       |-- kaspersky.py
|       |-- npf
|       |-- pf
|       |-- restart-wazuh
|       |-- restart.sh
|       |-- route-null
|       `-- wazuh-slack
|-- agentless
|   |-- main.exp
|   |-- register_host.sh
|   |-- ssh.exp
|   |-- ssh_asa-fwsmconfig_diff
|   |-- ssh_foundry_diff
|   |-- ssh_generic_diff
|   |-- ssh_integrity_check_bsd
|   |-- ssh_integrity_check_linux
|   |-- ssh_nopass.exp
|   |-- ssh_pixconfig_diff
|   |-- sshlogin.exp
|   `-- su.exp
|-- backup
|-- bin
|   |-- agent-auth
|   |-- manage_agents
|   |-- wazuh-agentd
|   |-- wazuh-control
|   |-- wazuh-execd
|   |-- wazuh-logcollector
|   |-- wazuh-modulesd
|   `-- wazuh-syscheckd
|-- etc
|   |-- client.keys
|   |-- internal_options.conf
|   |-- local_internal_options.conf
|   |-- localtime
|   |-- ossec.conf
|   |-- shared
|   |   |-- agent.conf
|   |   |-- ar.conf
|   |   |-- cis_apache2224_rcl.txt
|   |   |-- cis_debian_linux_rcl.txt
|   |   |-- cis_mysql5-6_community_rcl.txt
|   |   |-- cis_mysql5-6_enterprise_rcl.txt
|   |   |-- cis_rhel5_linux_rcl.txt
|   |   |-- cis_rhel6_linux_rcl.txt
|   |   |-- cis_rhel7_linux_rcl.txt
|   |   |-- cis_rhel_linux_rcl.txt
|   |   |-- cis_sles11_linux_rcl.txt
|   |   |-- cis_sles12_linux_rcl.txt
|   |   |-- cis_win2012r2_domainL1_rcl.txt
|   |   |-- cis_win2012r2_domainL2_rcl.txt
|   |   |-- cis_win2012r2_memberL1_rcl.txt
|   |   |-- cis_win2012r2_memberL2_rcl.txt
|   |   |-- merged.mg
|   |   |-- rootkit_files.txt
|   |   |-- rootkit_trojans.txt
|   |   |-- system_audit_rcl.txt
|   |   |-- system_audit_ssh.txt
|   |   |-- win_applications_rcl.txt
|   |   |-- win_audit_rcl.txt
|   |   `-- win_malware_rcl.txt
|   `-- wpk_root.pem
|-- lib
|   |-- libdbsync.so
|   |-- libgcc_s.so.1
|   |-- librsync.so
|   |-- libstdc++.so.6
|   |-- libsyscollector.so
|   |-- libsysinfo.so
|   |-- libwazuhext.so
|   `-- libwazuhshared.so
|-- logs
|   |-- active-responses.log
|   |-- ossec.log
|   `-- wazuh
|-- queue
|   |-- alerts
|   |   |-- cfgaq
|   |   `-- execq
|   |-- diff
|   |-- fim
|   |   `-- db
|   |       |-- fim.db
|   |       `-- fim.db-journal
|   |-- logcollector
|   |   `-- file_status.json
|   |-- rids
|   |   |-- 011
|   |   `-- sender_counter
|   |-- sockets
|   |   |-- com
|   |   |-- control
|   |   |-- logcollector
|   |   |-- queue
|   |   |-- syscheck
|   |   |-- upgrade
|   |   `-- wmodules
|   `-- syscollector
|       |-- db
|       |   `-- local.db
|       `-- norm_config.json
|-- ruleset
|   `-- sca
|       `-- cis_ubuntu22-04.yml
|-- tmp
|-- var
|   |-- incoming
|   |-- run
|   |   |-- wazuh-agentd-5612.pid
|   |   |-- wazuh-agentd.state
|   |   |-- wazuh-execd-5601.pid
|   |   |-- wazuh-logcollector-5653.pid
|   |   |-- wazuh-modulesd-5669.pid
|   |   `-- wazuh-syscheckd-5626.pid
|   |-- selinux
|   |   `-- wazuh.pp
|   |-- upgrade
|   `-- wodles
`-- wodles
    |-- __init__.py
    |-- aws
    |   `-- aws-s3
    |-- azure
    |   |-- azure-logs
    |   `-- orm.py
    |-- docker
    |   `-- DockerListener
    |-- gcloud
    |   |-- buckets
    |   |   |-- access_logs.py
    |   |   `-- bucket.py
    |   |-- exceptions.py
    |   |-- gcloud
    |   |-- integration.py
    |   |-- pubsub
    |   |   `-- subscriber.py
    |   `-- tools.py
    `-- utils.py

36 directories, 112 files
root@43587536d740:/# apt remove wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  distro-info-data libexpat1 libmpdec3 libpython3-stdlib libpython3.10-minimal libpython3.10-stdlib libreadline8 libsqlite3-0 lsb-release media-types python3 python3-minimal python3.10 python3.10-minimal
  readline-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 25 not upgraded.
After this operation, 30.2 MB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 6120 files and directories currently installed.)
Removing wazuh-agent (4.4.2-1) ...
root@43587536d740:/# tree /var/ossec/
/var/ossec/
|-- etc
|   |-- client.keys.save
|   |-- local_internal_options.conf.save
|   |-- ossec.conf.save
|   `-- shared
|       |-- agent.conf.save
|       |-- ar.conf.save
|       |-- cis_apache2224_rcl.txt.save
|       |-- cis_debian_linux_rcl.txt.save
|       |-- cis_mysql5-6_community_rcl.txt.save
|       |-- cis_mysql5-6_enterprise_rcl.txt.save
|       |-- cis_rhel5_linux_rcl.txt.save
|       |-- cis_rhel6_linux_rcl.txt.save
|       |-- cis_rhel7_linux_rcl.txt.save
|       |-- cis_rhel_linux_rcl.txt.save
|       |-- cis_sles11_linux_rcl.txt.save
|       |-- cis_sles12_linux_rcl.txt.save
|       |-- cis_win2012r2_domainL1_rcl.txt.save
|       |-- cis_win2012r2_domainL2_rcl.txt.save
|       |-- cis_win2012r2_memberL1_rcl.txt.save
|       |-- cis_win2012r2_memberL2_rcl.txt.save
|       |-- merged.mg.save
|       |-- rootkit_files.txt.save
|       |-- rootkit_trojans.txt.save
|       |-- system_audit_rcl.txt.save
|       |-- system_audit_ssh.txt.save
|       |-- win_applications_rcl.txt.save
|       |-- win_audit_rcl.txt.save
|       `-- win_malware_rcl.txt.save
`-- queue
    |-- alerts
    |   |-- cfgaq
    |   `-- execq
    |-- fim
    |   `-- db
    |       |-- fim.db
    |       `-- fim.db-journal
    |-- logcollector
    |   `-- file_status.json
    |-- rids
    |   |-- 011
    |   `-- sender_counter
    |-- sockets
    |   |-- com
    |   |-- control
    |   |-- logcollector
    |   |-- queue
    |   |-- syscheck
    |   |-- upgrade
    |   `-- wmodules
    `-- syscollector
        `-- db
            `-- local.db

11 directories, 42 files

Install and remove with established communication with the Manager

root@43587536d740:/# WAZUH_MANAGER="44.200.77.198" apt install ./wazuh-agent_4.4.0-1_amd64.deb 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'wazuh-agent' instead of './wazuh-agent_4.4.0-1_amd64.deb'
The following additional packages will be installed:
  distro-info-data libexpat1 libmpdec3 libpython3-stdlib libpython3.10-minimal libpython3.10-stdlib libreadline8 libsqlite3-0 lsb-release media-types python3 python3-minimal python3.10 python3.10-minimal
  readline-common
Suggested packages:
  python3-doc python3-tk python3-venv python3.10-venv python3.10-doc binutils binfmt-support readline-doc
The following NEW packages will be installed:
  distro-info-data libexpat1 libmpdec3 libpython3-stdlib libpython3.10-minimal libpython3.10-stdlib libreadline8 libsqlite3-0 lsb-release media-types python3 python3-minimal python3.10 python3.10-minimal
  readline-common wazuh-agent
0 upgraded, 16 newly installed, 0 to remove and 25 not upgraded.
Need to get 6522 kB/15.4 MB of archives.
After this operation, 53.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 /wazuh-agent_4.4.0-1_amd64.deb wazuh-agent amd64 4.4.0-1 [8832 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpython3.10-minimal amd64 3.10.6-1~22.04.2ubuntu1 [810 kB]                                                                                      
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libexpat1 amd64 2.4.7-1ubuntu0.2 [91.0 kB]                                                                                                        
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 python3.10-minimal amd64 3.10.6-1~22.04.2ubuntu1 [2263 kB]                                                                                        
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 python3-minimal amd64 3.10.6-1~22.04 [24.3 kB]                                                                                                    
Get:6 http://archive.ubuntu.com/ubuntu jammy/main amd64 media-types all 7.0.0 [25.5 kB]                                                                                                                           
Get:7 http://archive.ubuntu.com/ubuntu jammy/main amd64 libmpdec3 amd64 2.5.1-2build2 [86.8 kB]                                                                                                                   
Get:8 http://archive.ubuntu.com/ubuntu jammy/main amd64 readline-common all 8.1.2-1 [53.5 kB]                                                                                                                     
Get:9 http://archive.ubuntu.com/ubuntu jammy/main amd64 libreadline8 amd64 8.1.2-1 [153 kB]                                                                                                                       
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsqlite3-0 amd64 3.37.2-2ubuntu0.1 [641 kB]                                                                                                    
Get:11 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpython3.10-stdlib amd64 3.10.6-1~22.04.2ubuntu1 [1831 kB]                                                                                     
Get:12 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 python3.10 amd64 3.10.6-1~22.04.2ubuntu1 [497 kB]                                                                                                
Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpython3-stdlib amd64 3.10.6-1~22.04 [6910 B]                                                                                                  
Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 python3 amd64 3.10.6-1~22.04 [22.8 kB]                                                                                                           
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 distro-info-data all 0.52ubuntu0.3 [5258 B]                                                                                                      
Get:16 http://archive.ubuntu.com/ubuntu jammy/main amd64 lsb-release all 11.1.0ubuntu4 [10.8 kB]                                                                                                                  
Fetched 6522 kB in 25s (257 kB/s)                                                                                                                                                                                 
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libpython3.10-minimal:amd64.
(Reading database ... 4968 files and directories currently installed.)
Preparing to unpack .../libpython3.10-minimal_3.10.6-1~22.04.2ubuntu1_amd64.deb ...
Unpacking libpython3.10-minimal:amd64 (3.10.6-1~22.04.2ubuntu1) ...
Selecting previously unselected package libexpat1:amd64.
Preparing to unpack .../libexpat1_2.4.7-1ubuntu0.2_amd64.deb ...
Unpacking libexpat1:amd64 (2.4.7-1ubuntu0.2) ...
Selecting previously unselected package python3.10-minimal.
Preparing to unpack .../python3.10-minimal_3.10.6-1~22.04.2ubuntu1_amd64.deb ...
Unpacking python3.10-minimal (3.10.6-1~22.04.2ubuntu1) ...
Setting up libpython3.10-minimal:amd64 (3.10.6-1~22.04.2ubuntu1) ...
Setting up libexpat1:amd64 (2.4.7-1ubuntu0.2) ...
Setting up python3.10-minimal (3.10.6-1~22.04.2ubuntu1) ...
Selecting previously unselected package python3-minimal.
(Reading database ... 5270 files and directories currently installed.)
Preparing to unpack .../0-python3-minimal_3.10.6-1~22.04_amd64.deb ...
Unpacking python3-minimal (3.10.6-1~22.04) ...
Selecting previously unselected package media-types.
Preparing to unpack .../1-media-types_7.0.0_all.deb ...
Unpacking media-types (7.0.0) ...
Selecting previously unselected package libmpdec3:amd64.
Preparing to unpack .../2-libmpdec3_2.5.1-2build2_amd64.deb ...
Unpacking libmpdec3:amd64 (2.5.1-2build2) ...
Selecting previously unselected package readline-common.
Preparing to unpack .../3-readline-common_8.1.2-1_all.deb ...
Unpacking readline-common (8.1.2-1) ...
Selecting previously unselected package libreadline8:amd64.
Preparing to unpack .../4-libreadline8_8.1.2-1_amd64.deb ...
Unpacking libreadline8:amd64 (8.1.2-1) ...
Selecting previously unselected package libsqlite3-0:amd64.
Preparing to unpack .../5-libsqlite3-0_3.37.2-2ubuntu0.1_amd64.deb ...
Unpacking libsqlite3-0:amd64 (3.37.2-2ubuntu0.1) ...
Selecting previously unselected package libpython3.10-stdlib:amd64.
Preparing to unpack .../6-libpython3.10-stdlib_3.10.6-1~22.04.2ubuntu1_amd64.deb ...
Unpacking libpython3.10-stdlib:amd64 (3.10.6-1~22.04.2ubuntu1) ...
Selecting previously unselected package python3.10.
Preparing to unpack .../7-python3.10_3.10.6-1~22.04.2ubuntu1_amd64.deb ...
Unpacking python3.10 (3.10.6-1~22.04.2ubuntu1) ...
Selecting previously unselected package libpython3-stdlib:amd64.
Preparing to unpack .../8-libpython3-stdlib_3.10.6-1~22.04_amd64.deb ...
Unpacking libpython3-stdlib:amd64 (3.10.6-1~22.04) ...
Setting up python3-minimal (3.10.6-1~22.04) ...
Selecting previously unselected package python3.
(Reading database ... 5699 files and directories currently installed.)
Preparing to unpack .../python3_3.10.6-1~22.04_amd64.deb ...
Unpacking python3 (3.10.6-1~22.04) ...
Selecting previously unselected package distro-info-data.
Preparing to unpack .../distro-info-data_0.52ubuntu0.3_all.deb ...
Unpacking distro-info-data (0.52ubuntu0.3) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../lsb-release_11.1.0ubuntu4_all.deb ...
Unpacking lsb-release (11.1.0ubuntu4) ...
Selecting previously unselected package wazuh-agent.
Preparing to unpack /wazuh-agent_4.4.0-1_amd64.deb ...
Unpacking wazuh-agent (4.4.0-1) ...
Setting up media-types (7.0.0) ...
Setting up distro-info-data (0.52ubuntu0.3) ...
Setting up libsqlite3-0:amd64 (3.37.2-2ubuntu0.1) ...
Setting up libmpdec3:amd64 (2.5.1-2build2) ...
Setting up readline-common (8.1.2-1) ...
Setting up libreadline8:amd64 (8.1.2-1) ...
Setting up libpython3.10-stdlib:amd64 (3.10.6-1~22.04.2ubuntu1) ...
Setting up libpython3-stdlib:amd64 (3.10.6-1~22.04) ...
Setting up python3.10 (3.10.6-1~22.04.2ubuntu1) ...
Setting up python3 (3.10.6-1~22.04) ...
running python rtupdate hooks for python3.10...
running python post-rtupdate hooks for python3.10...
Setting up lsb-release (11.1.0ubuntu4) ...
Setting up wazuh-agent (4.4.0-1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
root@43587536d740:/# apt install tree
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  tree
0 upgraded, 1 newly installed, 0 to remove and 25 not upgraded.
Need to get 47.9 kB of archives.
After this operation, 116 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy/universe amd64 tree amd64 2.0.2-1 [47.9 kB]
Fetched 47.9 kB in 1s (62.4 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package tree.
(Reading database ... 6103 files and directories currently installed.)
Preparing to unpack .../tree_2.0.2-1_amd64.deb ...
Unpacking tree (2.0.2-1) ...
Setting up tree (2.0.2-1) ...
root@43587536d740:/# tree /var/ossec/
/var/ossec/
|-- active-response
|   `-- bin
|       |-- default-firewall-drop
|       |-- disable-account
|       |-- firewall-drop
|       |-- firewalld-drop
|       |-- host-deny
|       |-- ip-customblock
|       |-- ipfw
|       |-- kaspersky
|       |-- kaspersky.py
|       |-- npf
|       |-- pf
|       |-- restart-wazuh
|       |-- restart.sh
|       |-- route-null
|       `-- wazuh-slack
|-- agentless
|   |-- main.exp
|   |-- register_host.sh
|   |-- ssh.exp
|   |-- ssh_asa-fwsmconfig_diff
|   |-- ssh_foundry_diff
|   |-- ssh_generic_diff
|   |-- ssh_integrity_check_bsd
|   |-- ssh_integrity_check_linux
|   |-- ssh_nopass.exp
|   |-- ssh_pixconfig_diff
|   |-- sshlogin.exp
|   `-- su.exp
|-- backup
|-- bin
|   |-- agent-auth
|   |-- manage_agents
|   |-- wazuh-agentd
|   |-- wazuh-control
|   |-- wazuh-execd
|   |-- wazuh-logcollector
|   |-- wazuh-modulesd
|   `-- wazuh-syscheckd
|-- etc
|   |-- client.keys
|   |-- internal_options.conf
|   |-- local_internal_options.conf
|   |-- localtime
|   |-- ossec.conf
|   |-- shared
|   |   |-- cis_apache2224_rcl.txt
|   |   |-- cis_debian_linux_rcl.txt
|   |   |-- cis_mysql5-6_community_rcl.txt
|   |   |-- cis_mysql5-6_enterprise_rcl.txt
|   |   |-- cis_rhel5_linux_rcl.txt
|   |   |-- cis_rhel6_linux_rcl.txt
|   |   |-- cis_rhel7_linux_rcl.txt
|   |   |-- cis_rhel_linux_rcl.txt
|   |   |-- cis_sles11_linux_rcl.txt
|   |   |-- cis_sles12_linux_rcl.txt
|   |   |-- cis_win2012r2_domainL1_rcl.txt
|   |   |-- cis_win2012r2_domainL2_rcl.txt
|   |   |-- cis_win2012r2_memberL1_rcl.txt
|   |   |-- cis_win2012r2_memberL2_rcl.txt
|   |   |-- rootkit_files.txt
|   |   |-- rootkit_trojans.txt
|   |   |-- system_audit_rcl.txt
|   |   |-- system_audit_ssh.txt
|   |   |-- win_applications_rcl.txt
|   |   |-- win_audit_rcl.txt
|   |   `-- win_malware_rcl.txt
|   `-- wpk_root.pem
|-- lib
|   |-- libdbsync.so
|   |-- libgcc_s.so.1
|   |-- librsync.so
|   |-- libstdc++.so.6
|   |-- libsyscollector.so
|   |-- libsysinfo.so
|   |-- libwazuhext.so
|   `-- libwazuhshared.so
|-- logs
|   |-- active-responses.log
|   |-- ossec.log
|   `-- wazuh
|-- queue
|   |-- alerts
|   |-- diff
|   |-- fim
|   |   `-- db
|   |-- logcollector
|   |-- rids
|   |-- sockets
|   `-- syscollector
|       |-- db
|       `-- norm_config.json
|-- ruleset
|   `-- sca
|       `-- cis_ubuntu22-04.yml
|-- tmp
|-- var
|   |-- incoming
|   |-- run
|   |-- selinux
|   |   `-- wazuh.pp
|   |-- upgrade
|   `-- wodles
`-- wodles
    |-- __init__.py
    |-- aws
    |   `-- aws-s3
    |-- azure
    |   |-- azure-logs
    |   `-- orm.py
    |-- docker
    |   `-- DockerListener
    |-- gcloud
    |   |-- buckets
    |   |   |-- access_logs.py
    |   |   `-- bucket.py
    |   |-- exceptions.py
    |   |-- gcloud
    |   |-- integration.py
    |   |-- pubsub
    |   |   `-- subscriber.py
    |   `-- tools.py
    `-- utils.py

36 directories, 88 files
root@43587536d740:/# apt remove wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  distro-info-data libexpat1 libmpdec3 libpython3-stdlib libpython3.10-minimal libpython3.10-stdlib libreadline8 libsqlite3-0 lsb-release media-types python3 python3-minimal python3.10 python3.10-minimal
  readline-common
Use 'apt autoremove' to remove them.
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 25 not upgraded.
After this operation, 29.6 MB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 6111 files and directories currently installed.)
Removing wazuh-agent (4.4.0-1) ...
root@43587536d740:/# tree /var/ossec/
/var/ossec/
`-- etc
    |-- client.keys.save
    |-- local_internal_options.conf.save
    |-- ossec.conf.save
    `-- shared
        |-- cis_apache2224_rcl.txt.save
        |-- cis_debian_linux_rcl.txt.save
        |-- cis_mysql5-6_community_rcl.txt.save
        |-- cis_mysql5-6_enterprise_rcl.txt.save
        |-- cis_rhel5_linux_rcl.txt.save
        |-- cis_rhel6_linux_rcl.txt.save
        |-- cis_rhel7_linux_rcl.txt.save
        |-- cis_rhel_linux_rcl.txt.save
        |-- cis_sles11_linux_rcl.txt.save
        |-- cis_sles12_linux_rcl.txt.save
        |-- cis_win2012r2_domainL1_rcl.txt.save
        |-- cis_win2012r2_domainL2_rcl.txt.save
        |-- cis_win2012r2_memberL1_rcl.txt.save
        |-- cis_win2012r2_memberL2_rcl.txt.save
        |-- rootkit_files.txt.save
        |-- rootkit_trojans.txt.save
        |-- system_audit_rcl.txt.save
        |-- system_audit_ssh.txt.save
        |-- win_applications_rcl.txt.save
        |-- win_audit_rcl.txt.save
        `-- win_malware_rcl.txt.save

2 directories, 24 files
root@43587536d740:/# 
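
A post-removal check for the condition reported above, as an added example that is not part of the original issue or of the Wazuh project's code: it lists every file left under the install directory that is not a `*.save` config backup under `etc/`. The function names and the sample tree (a constructed subset of the leftover paths shown in the issue) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an install directory after `apt remove` and report
# anything that is not a "*.save" configuration backup under <root>/etc.
# Function names are hypothetical; they are not part of any Wazuh tooling.

# residual_files ROOT
# Print, one per line and sorted, every non-directory entry under ROOT that is
# not a "*.save" file below ROOT/etc. Sockets, databases and counters under
# queue/ are therefore reported; empty directories are ignored.
residual_files() {
    root=${1%/}
    # A missing directory means nothing was left behind at all.
    [ -d "$root" ] || return 0
    find "$root" ! -type d ! \( -path "$root/etc/*" -name '*.save' \) -print |
        LC_ALL=C sort
}

# residual_count ROOT
# Print the number of residual (non-config) entries under ROOT.
residual_count() {
    residual_files "$1" | wc -l | tr -d ' '
}

# check_removal ROOT
# Return 0 when only config backups remain, 1 otherwise (leftovers on stderr).
check_removal() {
    leftovers=$(residual_files "$1")
    if [ -z "$leftovers" ]; then
        echo "clean: only *.save config backups remain under $1"
        return 0
    fi
    echo "residual non-config files under $1:" >&2
    printf '%s\n' "$leftovers" >&2
    return 1
}

# make_sample_tree DIR
# Build a constructed tree mirroring part of the layout shown in the issue
# after removal with a disconnected agent. Plain empty files stand in for the
# real databases and counters.
make_sample_tree() {
    mkdir -p "$1/etc/shared" "$1/queue/fim/db" "$1/queue/rids" \
             "$1/queue/logcollector" "$1/queue/syscollector/db"
    : > "$1/etc/client.keys.save"
    : > "$1/etc/ossec.conf.save"
    : > "$1/etc/shared/agent.conf.save"
    : > "$1/queue/fim/db/fim.db"
    : > "$1/queue/rids/sender_counter"
    : > "$1/queue/logcollector/file_status.json"
    : > "$1/queue/syscollector/db/local.db"
}

# When a directory is given on the command line, audit it and exit with the
# result of the check.
if [ "$#" -gt 0 ]; then
    check_removal "$1"
    exit $?
fi
```

Passing the install directory as the first argument audits it directly; exit status 1 means non-config files remain.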
mjcr99 commented 3 months ago

Update comment

- (03/06/2024) Deploying environment to replicate the issue.
- (04/06/2024) Opened PR with proposed solution, tested and pending review.
- (05/06/2024) Performing some other tests to keep consistency between rpm and deb package removal and between agent and manager packages.

Environment installation

Hosts information

Server:

```console
root@server-ubu22:/home/vagrant# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@server-ubu22:/home/vagrant# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:1d:44:0e brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 78631sec preferred_lft 78631sec
    inet6 fe80::a00:27ff:fe1d:440e/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:95:62:1d brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.100/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe95:621d/64 scope link
       valid_lft forever preferred_lft forever
```

The agent info:

```console
root@agent1-ubu22:/home/vagrant# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@agent1-ubu22:/home/vagrant# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:1d:44:0e brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 metric 100 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 78603sec preferred_lft 78603sec
    inet6 fe80::a00:27ff:fe1d:440e/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:58:85:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.104/24 brd 192.168.56.255 scope global enp0s8
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe58:85f1/64 scope link
       valid_lft forever preferred_lft forever
```
Reproducing scenario Manager installation: ```console root@server-ubu22:/home/vagrant# dpkg -i /vagrant/wazuh-manager_4.9.0-0_amd64_e2ef72d.deb Selecting previously unselected package wazuh-manager. (Reading database ... 71376 files and directories currently installed.) Preparing to unpack .../wazuh-manager_4.9.0-0_amd64_e2ef72d.deb ... Unpacking wazuh-manager (4.9.0-0) ... Setting up wazuh-manager (4.9.0-0) ... root@server-ubu22:/home/vagrant# /var/ossec/bin/wazuh-control start 2024/06/04 07:44:59 wazuh-modulesd:router: INFO: Loaded router module. 2024/06/04 07:44:59 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Starting Wazuh v4.9.0... Started wazuh-apid... Started wazuh-csyslogd... Started wazuh-dbd... 2024/06/04 07:45:03 wazuh-integratord: INFO: Remote integrations not configured. Clean exit. Started wazuh-integratord... Started wazuh-agentlessd... Started wazuh-authd... Started wazuh-db... Started wazuh-execd... Started wazuh-analysisd... Started wazuh-syscheckd... Started wazuh-remoted... Started wazuh-logcollector... Started wazuh-monitord... 2024/06/04 07:45:07 wazuh-modulesd:router: INFO: Loaded router module. 2024/06/04 07:45:07 wazuh-modulesd:content_manager: INFO: Loaded content_manager module. Started wazuh-modulesd... Completed. ``` Agent installation: ```console root@agent1-ubu22:/home/vagrant# apt install /vagrant/wazuh-agent_4.9.0-0_amd64_e2ef72d.deb Reading package lists... Done Building dependency tree... Done Reading state information... Done Note, selecting 'wazuh-agent' instead of '/vagrant/wazuh-agent_4.9.0-0_amd64_e2ef72d.deb' The following NEW packages will be installed: wazuh-agent 0 upgraded, 1 newly installed, 0 to remove and 234 not upgraded. Need to get 0 B/10.7 MB of archives. After this operation, 37.2 MB of additional disk space will be used. 
Get:1 /vagrant/wazuh-agent_4.9.0-0_amd64_e2ef72d.deb wazuh-agent amd64 4.9.0-0 [10.7 MB]
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package wazuh-agent.
(Reading database ... 71376 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.9.0-0_amd64_e2ef72d.deb ...
Unpacking wazuh-agent (4.9.0-0) ...
Setting up wazuh-agent (4.9.0-0) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@agent1-ubu22:/home/vagrant# tree /var/ossec/
/var/ossec/
├── active-response
│   └── bin
│       ├── default-firewall-drop
│       ├── disable-account
│       ├── firewall-drop
│       ├── firewalld-drop
│       ├── host-deny
│       ├── ip-customblock
│       ├── ipfw
│       ├── kaspersky
│       ├── kaspersky.py
│       ├── npf
│       ├── pf
│       ├── restart-wazuh
│       ├── restart.sh
│       ├── route-null
│       └── wazuh-slack
├── agentless
│   ├── main.exp
│   ├── register_host.sh
│   ├── ssh.exp
│   ├── ssh_asa-fwsmconfig_diff
│   ├── ssh_foundry_diff
│   ├── ssh_generic_diff
│   ├── ssh_integrity_check_bsd
│   ├── ssh_integrity_check_linux
│   ├── ssh_nopass.exp
│   ├── ssh_pixconfig_diff
│   ├── sshlogin.exp
│   └── su.exp
├── backup
├── bin
│   ├── agent-auth
│   ├── manage_agents
│   ├── wazuh-agentd
│   ├── wazuh-control
│   ├── wazuh-execd
│   ├── wazuh-logcollector
│   ├── wazuh-modulesd
│   └── wazuh-syscheckd
├── etc
│   ├── client.keys
│   ├── internal_options.conf
│   ├── local_internal_options.conf
│   ├── localtime
│   ├── ossec.conf
│   ├── shared
│   │   ├── cis_apache2224_rcl.txt
│   │   ├── cis_debian_linux_rcl.txt
│   │   ├── cis_mysql5-6_community_rcl.txt
│   │   ├── cis_mysql5-6_enterprise_rcl.txt
│   │   ├── cis_rhel5_linux_rcl.txt
│   │   ├── cis_rhel6_linux_rcl.txt
│   │   ├── cis_rhel7_linux_rcl.txt
│   │   ├── cis_rhel_linux_rcl.txt
│   │   ├── cis_sles11_linux_rcl.txt
│   │   ├── cis_sles12_linux_rcl.txt
│   │   ├── cis_win2012r2_domainL1_rcl.txt
│   │   ├── cis_win2012r2_domainL2_rcl.txt
│   │   ├── cis_win2012r2_memberL1_rcl.txt
│   │   ├── cis_win2012r2_memberL2_rcl.txt
│   │   ├── rootkit_files.txt
│   │   ├── rootkit_trojans.txt
│   │   ├── system_audit_rcl.txt
│   │   ├── system_audit_ssh.txt
│   │   ├── win_applications_rcl.txt
│   │   ├── win_audit_rcl.txt
│   │   └── win_malware_rcl.txt
│   └── wpk_root.pem
├── lib
│   ├── libdbsync.so
│   ├── libfimdb.so
│   ├── libgcc_s.so.1
│   ├── librsync.so
│   ├── libstdc++.so.6
│   ├── libsyscollector.so
│   ├── libsysinfo.so
│   ├── libwazuhext.so
│   └── libwazuhshared.so
├── logs
│   ├── active-responses.log
│   └── wazuh
├── queue
│   ├── alerts
│   ├── diff
│   ├── fim
│   │   └── db
│   ├── logcollector
│   ├── rids
│   ├── sockets
│   └── syscollector
│       ├── db
│       └── norm_config.json
├── ruleset
│   └── sca
│       └── cis_ubuntu22-04.yml
├── tmp
├── var
│   ├── incoming
│   ├── run
│   ├── selinux
│   │   └── wazuh.pp
│   ├── upgrade
│   └── wodles
└── wodles
    ├── __init__.py
    ├── aws
    │   ├── __init__.py
    │   ├── aws-s3
    │   ├── aws_tools.py
    │   ├── buckets_s3
    │   │   ├── __init__.py
    │   │   ├── aws_bucket.py
    │   │   ├── cloudtrail.py
    │   │   ├── config.py
    │   │   ├── guardduty.py
    │   │   ├── load_balancers.py
    │   │   ├── server_access.py
    │   │   ├── umbrella.py
    │   │   ├── vpcflow.py
    │   │   └── waf.py
    │   ├── services
    │   │   ├── __init__.py
    │   │   ├── aws_service.py
    │   │   ├── cloudwatchlogs.py
    │   │   └── inspector.py
    │   ├── subscribers
    │   │   ├── __init__.py
    │   │   ├── s3_log_handler.py
    │   │   ├── sqs_message_processor.py
    │   │   └── sqs_queue.py
    │   └── wazuh_integration.py
    ├── azure
    │   ├── azure-logs
    │   ├── azure_services
    │   │   ├── __init__.py
    │   │   ├── analytics.py
    │   │   ├── graph.py
    │   │   └── storage.py
    │   ├── azure_utils.py
    │   └── db
    │       ├── __init__.py
    │       ├── orm.py
    │       └── utils.py
    ├── docker
    │   └── DockerListener
    ├── gcloud
    │   ├── buckets
    │   │   ├── access_logs.py
    │   │   └── bucket.py
    │   ├── exceptions.py
    │   ├── gcloud
    │   ├── integration.py
    │   ├── pubsub
    │   │   └── subscriber.py
    │   └── tools.py
    └── utils.py

41 directories, 116 files
```

Setting incorrect IP in the manager to emulate connection problems:

```xml
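<client>
  <server>
    <address>11.11.11.11</address>
    <port>1514</port>
    <protocol>tcp</protocol>
  </server>
  <config-profile>ubuntu, ubuntu22, ubuntu22.04</config-profile>
  <notify_time>10</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <crypto_method>aes</crypto_method>
</client>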
```

Agent start and logs check:

```console
root@agent1-ubu22:/home/vagrant# /var/ossec/bin/wazuh-control start
Starting Wazuh v4.9.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
root@agent1-ubu22:/home/vagrant# cat /var/ossec/logs/ossec.log | grep "agentd"
2024/06/04 07:48:15 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2024/06/04 07:48:15 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2024/06/04 07:48:15 wazuh-agentd: INFO: Version detected -> Linux |agent1-ubu22 |5.15.0-25-generic |#25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 |x86_64 [Ubuntu|ubuntu: 22.04 (Jammy Jellyfish)] - Wazuh v4.9.0
2024/06/04 07:48:15 wazuh-agentd: INFO: Started (pid: 2640).
2024/06/04 07:48:15 wazuh-agentd: INFO: Requesting a key from server: 11.11.11.11
2024/06/04 07:50:24 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[11.11.11.11]:1515'
2024/06/04 07:50:29 wazuh-agentd: INFO: Requesting a key from server: 11.11.11.11
2024/06/04 07:52:40 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[11.11.11.11]:1515'
2024/06/04 07:52:50 wazuh-agentd: INFO: Requesting a key from server: 11.11.11.11
```

Agent uninstall and residual files check:

```console
root@agent1-ubu22:/home/vagrant# apt remove wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  wazuh-agent
0 upgraded, 0 newly installed, 1 to remove and 234 not upgraded.
After this operation, 37.2 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 71800 files and directories currently installed.)
Removing wazuh-agent (4.9.0-0) ...
root@agent1-ubu22:/home/vagrant# tree /var/ossec/
/var/ossec/
├── etc
│   ├── client.keys.save
│   ├── local_internal_options.conf.save
│   ├── ossec.conf.save
│   └── shared
│       ├── cis_apache2224_rcl.txt.save
│       ├── cis_debian_linux_rcl.txt.save
│       ├── cis_mysql5-6_community_rcl.txt.save
│       ├── cis_mysql5-6_enterprise_rcl.txt.save
│       ├── cis_rhel5_linux_rcl.txt.save
│       ├── cis_rhel6_linux_rcl.txt.save
│       ├── cis_rhel7_linux_rcl.txt.save
│       ├── cis_rhel_linux_rcl.txt.save
│       ├── cis_sles11_linux_rcl.txt.save
│       ├── cis_sles12_linux_rcl.txt.save
│       ├── cis_win2012r2_domainL1_rcl.txt.save
│       ├── cis_win2012r2_domainL2_rcl.txt.save
│       ├── cis_win2012r2_memberL1_rcl.txt.save
│       ├── cis_win2012r2_memberL2_rcl.txt.save
│       ├── rootkit_files.txt.save
│       ├── rootkit_trojans.txt.save
│       ├── system_audit_rcl.txt.save
│       ├── system_audit_ssh.txt.save
│       ├── win_applications_rcl.txt.save
│       ├── win_audit_rcl.txt.save
│       └── win_malware_rcl.txt.save
└── queue
    ├── alerts
    │   ├── cfgaq
    │   └── execq
    ├── fim
    │   └── db
    │       ├── fim.db
    │       └── fim.db-journal
    ├── logcollector
    │   └── file_status.json
    ├── sockets
    │   ├── com
    │   ├── control
    │   ├── logcollector
    │   ├── queue
    │   ├── syscheck
    │   ├── upgrade
    │   └── wmodules
    └── syscollector
        └── db
            ├── local.db
            └── local.db-journal

10 directories, 38 files
```
Conclusion

The problem is replicated in `4.9.0` version. To fix it we have to ensure the `queue` folder and subdirectories are deleted when the `apt remove` operation is performed. This is done with the SPECS, specifically the postrm script which removes files and folders created by the package.
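The residual-file check done above by eye with `tree` can be scripted. The following is an added example, not part of the issue or of Wazuh's packaging code; it assumes kept config backups end in `.save` (deb) or `.rpmsave` (rpm), or sit inside a directory renamed to `*.save`, and the key-file name patterns are likewise assumptions.

```shell
#!/bin/sh
# Added example: audit what a package removal left under an install root.
# Assumption: kept config backups end in .save (deb) or .rpmsave (rpm), or sit
# inside a directory renamed to *.save (as in the RPM manager listing).

# Print residual files and sockets that are NOT config backups.
list_residue() {
    [ -d "$1" ] || return 0               # root already gone (e.g. after purge)
    find "$1" \( -type f -o -type s \) \
        ! -name '*.save' ! -name '*.rpmsave' ! -path '*.save/*' -print | sort
}

# Print kept backups whose names suggest key material (assumed name patterns).
list_key_backups() {
    [ -d "$1" ] || return 0
    find "$1" -type f \( -name 'client.keys.*' -o -name '*.key.*' \) -print | sort
}

# Return 0 when only config backups remain, 1 when other residue is present.
audit_removal() {
    residue=$(list_residue "$1")
    if [ -n "$residue" ]; then
        printf 'non-config residue under %s:\n%s\n' "$1" "$residue" >&2
        return 1
    fi
    keys=$(list_key_backups "$1")
    [ -z "$keys" ] || printf 'key backups kept under %s:\n%s\n' "$1" "$keys" >&2
    return 0
}

# Usage: sh audit_removal.sh /var/ossec
if [ "$#" -gt 0 ]; then
    audit_removal "$1"
fi
```

Run after `apt remove`, `rpm -e` or `yum remove`, a non-zero exit status means files such as `queue/fim/db/fim.db` survived the removal.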
mjcr99 commented 3 months ago

I have also found some inconsistencies between deb and rpm package removal referencing residual files:

DEB vs RPM Wazuh Agent residual files

DEB Agent residual files:

```console
root@agent1-ubu22:/home/vagrant# tree /var/ossec/
/var/ossec/
└── etc
    ├── client.keys.save
    ├── local_internal_options.conf.save
    ├── ossec.conf.save
    └── shared
        ├── agent.conf.save
        ├── ar.conf.save
        ├── cis_apache2224_rcl.txt.save
        ├── cis_debian_linux_rcl.txt.save
        ├── cis_mysql5-6_community_rcl.txt.save
        ├── cis_mysql5-6_enterprise_rcl.txt.save
        ├── cis_rhel5_linux_rcl.txt.save
        ├── cis_rhel6_linux_rcl.txt.save
        ├── cis_rhel7_linux_rcl.txt.save
        ├── cis_rhel_linux_rcl.txt.save
        ├── cis_sles11_linux_rcl.txt.save
        ├── cis_sles12_linux_rcl.txt.save
        ├── cis_win2012r2_domainL1_rcl.txt.save
        ├── cis_win2012r2_domainL2_rcl.txt.save
        ├── cis_win2012r2_memberL1_rcl.txt.save
        ├── cis_win2012r2_memberL2_rcl.txt.save
        ├── merged.mg.save
        ├── rootkit_files.txt.save
        ├── rootkit_trojans.txt.save
        ├── system_audit_rcl.txt.save
        ├── system_audit_ssh.txt.save
        ├── win_applications_rcl.txt.save
        ├── win_audit_rcl.txt.save
        └── win_malware_rcl.txt.save
```

RPM Agent residual files:

```console
[root@linux-rocky vagrant]# tree /var/ossec/
/var/ossec/
└── etc
    ├── client.keys.rpmsave
    └── ossec.conf.rpmsave
```
DEB vs RPM Wazuh Manager residual files

DEB Manager residual files:

```console
root@agent1-ubu22:/home/vagrant# tree /var/ossec/
/var/ossec/
├── api
│   └── configuration
│       ├── api.yaml.save
│       ├── security
│       │   └── rbac.db.save
│       └── ssl
│           ├── server.crt.save
│           └── server.key.save
├── backup
│   └── db
│       └── global.db-backup-2024-06-06-10:22:30.gz
└── etc
    ├── client.keys.save
    ├── decoders
    │   └── local_decoder.xml.save
    ├── lists
    │   ├── amazon
    │   │   ├── aws-eventnames.cdb.save
    │   │   ├── aws-eventnames.save
    │   │   └── aws-sources.save
    │   ├── audit-keys.cdb.save
    │   ├── audit-keys.save
    │   ├── security-eventchannel.cdb.save
    │   └── security-eventchannel.save
    ├── local_internal_options.conf.save
    ├── ossec.conf.save
    ├── rootcheck
    │   ├── cis_apache2224_rcl.txt.save
    │   ├── cis_debian_linux_rcl.txt.save
    │   ├── cis_mysql5-6_community_rcl.txt.save
    │   ├── cis_mysql5-6_enterprise_rcl.txt.save
    │   ├── cis_rhel5_linux_rcl.txt.save
    │   ├── cis_rhel6_linux_rcl.txt.save
    │   ├── cis_rhel7_linux_rcl.txt.save
    │   ├── cis_rhel_linux_rcl.txt.save
    │   ├── cis_sles11_linux_rcl.txt.save
    │   ├── cis_sles12_linux_rcl.txt.save
    │   ├── cis_win2012r2_domainL1_rcl.txt.save
    │   ├── cis_win2012r2_domainL2_rcl.txt.save
    │   ├── cis_win2012r2_memberL1_rcl.txt.save
    │   ├── cis_win2012r2_memberL2_rcl.txt.save
    │   ├── rootkit_files.txt.save
    │   ├── rootkit_trojans.txt.save
    │   ├── system_audit_rcl.txt.save
    │   ├── system_audit_ssh.txt.save
    │   ├── win_applications_rcl.txt.save
    │   ├── win_audit_rcl.txt.save
    │   └── win_malware_rcl.txt.save
    ├── rules
    │   └── local_rules.xml.save
    ├── shared
    │   ├── ar.conf.save
    │   └── default
    │       └── merged.mg.save
    ├── sslmanager.cert.save
    └── sslmanager.key.save

14 directories, 42 files
```

RPM Manager residual files:

```console
[root@linux-rocky vagrant]# tree /var/ossec/
/var/ossec/
├── backup
│   └── db
│       └── global.db-backup-2024-06-06-07:22:22.gz
└── etc
    ├── lists
    │   ├── amazon
    │   │   └── aws-eventnames.cdb
    │   ├── audit-keys.cdb
    │   └── security-eventchannel.cdb
    ├── ossec.conf.rpmsave
    ├── shared.save
    │   ├── ar.conf
    │   └── default
    │       └── merged.mg
    ├── sslmanager.cert.save
    └── sslmanager.key.save

7 directories, 9 files
```

Update

As has been clarified by management, the removal of a package must not leave residual packages, so the situation is as follows for each system:

(10/06/2024) Updating removed files. Pending testing.

DEB

The apt man page states the following:

Removing a package removes all packaged data, but leaves usually small (modified) user configuration files behind, in case the remove was an accident. Just issuing an installation request for the accidentally removed package will restore its function as before in that case. On the other hand you can get rid of these leftovers by calling purge even on already removed packages. Note that this does not affect any data or configuration stored in your home directory.

So the apt remove option, as it's currently implemented, covers this situation; apt purge also complies with the requirement, as it really erases the /var/ossec folder:

root@agent1-ubu22:/home/vagrant# dpkg -i wazuh-agent_4.7.5-1_amd64.deb 
Selecting previously unselected package wazuh-agent.
(Reading database ... 71284 files and directories currently installed.)
Preparing to unpack wazuh-agent_4.7.5-1_amd64.deb ...
Unpacking wazuh-agent (4.7.5-1) ...
Setting up wazuh-agent (4.7.5-1) ...

root@agent1-ubu22:/home/vagrant# ls /var/ossec/
active-response  agentless  backup  bin  etc  lib  logs  queue  ruleset  tmp  var  wodles

root@agent1-ubu22:/home/vagrant# apt purge wazuh-agent
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  wazuh-agent*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 31.5 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 71672 files and directories currently installed.)
Removing wazuh-agent (4.7.5-1) ...
(Reading database ... 71300 files and directories currently installed.)
Purging configuration files for wazuh-agent (4.7.5-1) ...
dpkg: warning: while removing wazuh-agent, directory '/usr/lib/systemd/system' not empty so not removed

root@agent1-ubu22:/home/vagrant# ls /var/ossec/
ls: cannot access '/var/ossec/': No such file or directory

root@agent1-ubu22:/home/vagrant# apt info wazuh-agent
N: Unable to locate package wazuh-agent
N: Unable to locate package wazuh-agent
E: No packages found

This behavior is consistent for agent and manager cases.

RPM

In the case of rpm and yum there is no partial option like apt remove. If we run rpm -e or yum remove, it takes into account the names with .rpmsave, not removing them.

[root@linux-rocky vagrant]# rpm -iv wazuh-agent-4.7.5-1.x86_64.rpm 
warning: wazuh-agent-4.7.5-1.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 29111145: NOKEY
Verifying packages...
Preparing packages...
wazuh-agent-4.7.5-1.x86_64

[root@linux-rocky vagrant]# yum info wazuh-agent
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:35:24 ago on Fri Jun  7 08:36:38 2024.
Installed Packages
Name         : wazuh-agent
Version      : 4.7.5
Release      : 1
Architecture : x86_64
Size         : 26 M
Source       : wazuh-agent-4.7.5-1.src.rpm
Repository   : @System
From repo    : @System
Summary      : Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and
             : application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection
             : and policy and compliance monitoring
URL          : https://www.wazuh.com/
License      : GPL
Description  : Wazuh helps you to gain security visibility into your infrastructure by monitoring
             : hosts at an operating system and application level. It provides the following capabilities:
             : log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring

[root@linux-rocky vagrant]# rpm -e wazuh-agent
warning: /var/ossec/etc/ossec.conf saved as /var/ossec/etc/ossec.conf.rpmsave

It should be decided if we create .rpmsave files or if the package is completely removed when rpm -e or yum remove commands are run.