wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

Wazuh installation assistant failed #2776

Closed mingo-devsec closed 5 months ago

mingo-devsec commented 6 months ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.0-alpha2 | All in one | All in one | Wazuh installation assistant | Debian 11 |

Description

During https://github.com/wazuh/wazuh/issues/21374, the Wazuh installation assistant failed to run the Wazuh Indexer security admin script and then failed to initialize the Wazuh Dashboard when it was run from the root user instead of a local user.

Reference issue

Documentation

Information

Verbose logs

```console
root@wazuh-aio-testing:~# bash ./wazuh-install.sh -a -i -v
16/01/2024 10:36:05 DEBUG: Checking root permissions.
16/01/2024 10:36:05 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.0
16/01/2024 10:36:05 INFO: Verbose logging redirected to /var/log/wazuh-install.log
16/01/2024 10:36:05 DEBUG: APT package manager will be used.
16/01/2024 10:36:05 DEBUG: Checking system distribution.
16/01/2024 10:36:05 DEBUG: Detected distribution name: debian
16/01/2024 10:36:05 DEBUG: Detected distribution version: 11
16/01/2024 10:36:05 DEBUG: Checking Wazuh installation.
16/01/2024 10:36:05 DEBUG: Installing check dependencies.
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://deb.debian.org/debian bullseye-updates InRelease
Hit:3 http://security.debian.org/debian-security bullseye-security InRelease
Reading package lists...
16/01/2024 10:36:07 DEBUG: Checking system architecture.
16/01/2024 10:36:07 WARNING: Hardware and system checks ignored.
16/01/2024 10:36:07 INFO: Wazuh web interface port will be 443.
16/01/2024 10:36:07 DEBUG: Checking ports availability.
16/01/2024 10:36:07 DEBUG: Installing prerequisites dependencies.
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Reading package lists...
16/01/2024 10:36:08 DEBUG: Checking curl tool version.
16/01/2024 10:36:08 DEBUG: Adding the Wazuh repository.
gpg: keyring '/usr/share/keyrings/wazuh.gpg' created
gpg: key 96B3EE5F29111145: public key "Wazuh.com (Wazuh Signing Key) " imported
gpg: Total number processed: 1
gpg: imported: 1
deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages-dev.wazuh.com/pre-release/apt/ unstable main
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 https://packages-dev.wazuh.com/pre-release/apt unstable InRelease [17.3 kB]
Get:5 https://packages-dev.wazuh.com/pre-release/apt unstable/main amd64 Packages [36.6 kB]
Fetched 53.9 kB in 2s (31.3 kB/s)
Reading package lists...
16/01/2024 10:36:11 INFO: Wazuh development repository added.
16/01/2024 10:36:11 INFO: --- Configuration files ---
16/01/2024 10:36:11 INFO: Generating configuration files.
16/01/2024 10:36:11 DEBUG: Creating Wazuh certificates.
16/01/2024 10:36:11 DEBUG: Reading configuration file.
16/01/2024 10:36:11 DEBUG: Creating the root certificate.
Generating a RSA private key
..............................................................................................................................+++++
............................................................................................................................................................................................................+++++
writing new private key to '/tmp/wazuh-certificates//root-ca.key'
-----
16/01/2024 10:36:11 DEBUG: Generating Admin certificates.
Generating RSA private key, 2048 bit long modulus (2 primes)
..............................+++++
......+++++
e is 65537 (0x010001)
Signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = admin
Getting CA Private Key
16/01/2024 10:36:11 DEBUG: Generating Wazuh indexer certificates.
16/01/2024 10:36:11 DEBUG: Creating the Wazuh indexer certificates.
16/01/2024 10:36:11 DEBUG: Generating certificate configuration.
Generating a RSA private key
............................................................+++++
....+++++
writing new private key to '/tmp/wazuh-certificates//wazuh-indexer-key.pem'
-----
Signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = wazuh-indexer
Getting CA Private Key
16/01/2024 10:36:11 DEBUG: Generating Filebeat certificates.
16/01/2024 10:36:11 DEBUG: Creating the Wazuh server certificates.
16/01/2024 10:36:11 DEBUG: Generating certificate configuration.
Generating a RSA private key
...............................+++++
.....................................................................................................................................+++++
writing new private key to '/tmp/wazuh-certificates//wazuh-server-key.pem'
-----
Signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = wazuh-server
Getting CA Private Key
16/01/2024 10:36:11 DEBUG: Generating Wazuh dashboard certificates.
16/01/2024 10:36:11 DEBUG: Creating the Wazuh dashboard certificates.
16/01/2024 10:36:11 DEBUG: Generating certificate configuration.
Generating a RSA private key
...............................................................................+++++
.................................................................................................................+++++
writing new private key to '/tmp/wazuh-certificates//wazuh-dashboard-key.pem'
-----
Signature ok
subject=C = US, L = California, O = Wazuh, OU = Wazuh, CN = wazuh-dashboard
Getting CA Private Key
16/01/2024 10:36:12 DEBUG: Cleaning certificate files.
16/01/2024 10:36:12 DEBUG: Generating password file.
16/01/2024 10:36:12 DEBUG: Generating random passwords.
16/01/2024 10:36:12 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
16/01/2024 10:36:12 DEBUG: Extracting Wazuh configuration.
16/01/2024 10:36:12 DEBUG: Reading configuration file.
16/01/2024 10:36:12 INFO: --- Wazuh indexer ---
16/01/2024 10:36:12 INFO: Starting Wazuh indexer installation.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  wazuh-indexer
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/759 MB of archive Created opensearch keystore in /etc/wazuh-indexer/opensearch.keystore). Selecting previously unselected package wazuh-indexer.
16/01/2024 10:36:41 DEBUG: Checking Wazuh installation.
16/01/2024 10:36:41 DEBUG: There are Wazuh indexer remaining files.
16/01/2024 10:36:42 INFO: Wazuh indexer installation finished.
16/01/2024 10:36:42 DEBUG: Configuring Wazuh indexer.
16/01/2024 10:36:42 DEBUG: Copying Wazuh indexer certificates.
16/01/2024 10:36:42 INFO: Wazuh indexer post-install configuration finished.
16/01/2024 10:36:42 INFO: Starting service wazuh-indexer.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-indexer.service → /lib/systemd/system/wazuh-indexer.service.
16/01/2024 10:36:49 INFO: wazuh-indexer service started.
16/01/2024 10:36:49 INFO: Initializing Wazuh indexer cluster security settings.
./wazuh-install.sh: line 1648: sudo: command not found
Will create 'wazuh' index template
 SUCC: 'wazuh' template created or updated
Will create 'ism_history_indices' index template
 SUCC: 'ism_history_indices' template created or updated
Will disable replicas for 'plugins.index_state_management.history' indices
 SUCC: cluster's settings saved
Will create index templates to configure the alias
 SUCC: 'wazuh-alerts' template created or updated
 SUCC: 'wazuh-archives' template created or updated
Will create the 'rollover_policy' policy
  ERROR: could not check if the policy 'rollover_policy' exists => 503
ERROR: Indexer ISM initialization failed. Check /tmp/wazuh-indexer/ism-init.log for more information.
16/01/2024 10:36:49 INFO: The Wazuh indexer cluster ISM initialized.
16/01/2024 10:36:49 INFO: Wazuh indexer cluster initialized.
16/01/2024 10:36:49 INFO: --- Wazuh server ---
16/01/2024 10:36:49 INFO: Starting the Wazuh manager installation.
Reading package lists...
Building dependency tree...
Reading state information...
Suggested packages:
  expect
The following NEW packages will be installed:
  wazuh-manager
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need t Setting up wazuh-manager (4.8.0-1) ...4.8.0-1_amd64.deb ...installed.)l disk space will be used. (Reading database ...
16/01/2024 10:37:19 DEBUG: Checking Wazuh installation.
16/01/2024 10:37:20 DEBUG: There are Wazuh remaining files.
16/01/2024 10:37:20 DEBUG: There are Wazuh indexer remaining files.
16/01/2024 10:37:20 INFO: Wazuh manager installation finished.
16/01/2024 10:37:20 INFO: Starting service wazuh-manager.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-manager.service → /lib/systemd/system/wazuh-manager.service.
16/01/2024 10:37:35 INFO: wazuh-manager service started.
16/01/2024 10:37:35 INFO: Starting Filebeat installation.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  filebeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/22.1 MB of archives. A Setting up filebeat (7.10.2) ..._7.10.2_amd64.deb ...ently installed.)ecting previously unselected package filebeat.
16/01/2024 10:37:36 DEBUG: Checking Wazuh installation.
16/01/2024 10:37:36 DEBUG: There are Wazuh remaining files.
16/01/2024 10:37:36 DEBUG: There are Wazuh indexer remaining files.
16/01/2024 10:37:36 DEBUG: There are Filebeat remaining files.
16/01/2024 10:37:36 INFO: Filebeat installation finished.
16/01/2024 10:37:36 DEBUG: Configuring Filebeat.
16/01/2024 10:37:36 DEBUG: Filebeat template was download successfully.
wazuh/
wazuh/_meta/
wazuh/_meta/docs.asciidoc
wazuh/_meta/config.yml
wazuh/_meta/fields.yml
wazuh/archives/
wazuh/archives/manifest.yml
wazuh/archives/config/
wazuh/archives/config/archives.yml
wazuh/archives/ingest/
wazuh/archives/ingest/pipeline.json
wazuh/module.yml
wazuh/alerts/
wazuh/alerts/manifest.yml
wazuh/alerts/config/
wazuh/alerts/config/alerts.yml
wazuh/alerts/ingest/
wazuh/alerts/ingest/pipeline.json
16/01/2024 10:37:37 DEBUG: Filebeat module was downloaded successfully.
16/01/2024 10:37:37 DEBUG: Copying Filebeat certificates.
Created filebeat keystore
Successfully updated the keystore
Successfully updated the keystore
16/01/2024 10:37:37 INFO: Filebeat post-install configuration finished.
16/01/2024 10:37:37 INFO: Starting service filebeat.
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service.
16/01/2024 10:37:38 INFO: filebeat service started.
16/01/2024 10:37:38 INFO: --- Wazuh dashboard ---
16/01/2024 10:37:38 INFO: Starting Wazuh dashboard installation.
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  wazuh-dashboard
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/186 MB of archi Setting up wazuh-dashboard (4.8.0-1) ...4.8.0-1_amd64.deb ...stalled.). Selecting previously unselected package wazuh-dashboard.
16/01/2024 10:37:54 DEBUG: Checking Wazuh installation.
16/01/2024 10:37:54 DEBUG: There are Wazuh remaining files.
16/01/2024 10:37:54 DEBUG: There are Wazuh indexer remaining files.
16/01/2024 10:37:55 DEBUG: There are Filebeat remaining files.
16/01/2024 10:37:55 DEBUG: There are Wazuh dashboard remaining files.
16/01/2024 10:37:55 INFO: Wazuh dashboard installation finished.
16/01/2024 10:37:55 DEBUG: Configuring Wazuh dashboard.
16/01/2024 10:37:55 DEBUG: Copying Wazuh dashboard certificates.
16/01/2024 10:37:55 DEBUG: Wazuh dashboard certificate setup finished.
16/01/2024 10:37:55 INFO: Wazuh dashboard post-install configuration finished.
16/01/2024 10:37:55 INFO: Starting service wazuh-dashboard.
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-dashboard.service → /etc/systemd/system/wazuh-dashboard.service.
16/01/2024 10:37:55 INFO: wazuh-dashboard service started.
16/01/2024 10:37:55 DEBUG: Setting Wazuh indexer cluster passwords.
16/01/2024 10:37:55 DEBUG: Checking Wazuh installation.
16/01/2024 10:37:55 DEBUG: There are Wazuh remaining files.
16/01/2024 10:37:55 DEBUG: There are Wazuh indexer remaining files.
16/01/2024 10:37:55 DEBUG: There are Filebeat remaining files.
16/01/2024 10:37:55 DEBUG: There are Wazuh dashboard remaining files.
16/01/2024 10:37:55 INFO: Updating the internal users.
16/01/2024 10:37:55 DEBUG: Creating password backup.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
   FAIL: Configuration for 'config' failed because of empty source
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
   FAIL: Configuration for 'roles' failed because of empty source
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
   FAIL: Configuration for 'rolesmapping' failed because of empty source
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
   FAIL: Configuration for 'internalusers' failed because of empty source
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
   FAIL: Configuration for 'actiongroups' failed because of empty source
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
   FAIL: Configuration for 'tenants' failed because of empty source
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
   FAIL: Configuration for 'audit' failed because of empty source
16/01/2024 10:37:57 DEBUG: Password backup created in /etc/wazuh-indexer/backup.
16/01/2024 10:37:57 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
16/01/2024 10:37:57 DEBUG: The internal users have been updated before changing the passwords.
16/01/2024 10:37:58 DEBUG: The given user admin does not exist
16/01/2024 10:37:58 DEBUG: The given user kibanaserver does not exist
16/01/2024 10:37:58 DEBUG: The given user kibanaro does not exist
16/01/2024 10:37:58 DEBUG: The given user logstash does not exist
16/01/2024 10:37:58 DEBUG: The given user readall does not exist
16/01/2024 10:37:58 DEBUG: The given user snapshotrestore does not exist
16/01/2024 10:37:58 DEBUG: Generating password hashes.
16/01/2024 10:38:00 DEBUG: Password hashes generated.
16/01/2024 10:38:00 DEBUG: Creating password backup.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Will retrieve '/config' into /etc/wazuh-indexer/backup/config.yml
   FAIL: Configuration for 'config' failed because of empty source
Will retrieve '/roles' into /etc/wazuh-indexer/backup/roles.yml
   FAIL: Configuration for 'roles' failed because of empty source
Will retrieve '/rolesmapping' into /etc/wazuh-indexer/backup/roles_mapping.yml
   FAIL: Configuration for 'rolesmapping' failed because of empty source
Will retrieve '/internalusers' into /etc/wazuh-indexer/backup/internal_users.yml
   FAIL: Configuration for 'internalusers' failed because of empty source
Will retrieve '/actiongroups' into /etc/wazuh-indexer/backup/action_groups.yml
   FAIL: Configuration for 'actiongroups' failed because of empty source
Will retrieve '/tenants' into /etc/wazuh-indexer/backup/tenants.yml
   FAIL: Configuration for 'tenants' failed because of empty source
Will retrieve '/nodesdn' into /etc/wazuh-indexer/backup/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' stored in /etc/wazuh-indexer/backup/nodes_dn.yml
Will retrieve '/whitelist' into /etc/wazuh-indexer/backup/whitelist.yml
   SUCC: Configuration for 'whitelist' stored in /etc/wazuh-indexer/backup/whitelist.yml
Will retrieve '/allowlist' into /etc/wazuh-indexer/backup/allowlist.yml
   SUCC: Configuration for 'allowlist' stored in /etc/wazuh-indexer/backup/allowlist.yml
Will retrieve '/audit' into /etc/wazuh-indexer/backup/audit.yml
   FAIL: Configuration for 'audit' failed because of empty source
16/01/2024 10:38:01 DEBUG: Password backup created in /etc/wazuh-indexer/backup.
Successfully updated the keystore
16/01/2024 10:38:01 DEBUG: Restarting filebeat service...
16/01/2024 10:38:01 DEBUG: filebeat started.
16/01/2024 10:38:01 DEBUG: Running security admin tool.
16/01/2024 10:38:01 DEBUG: Loading new passwords changes.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755 **
**************************************************************************
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.10.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /root
Force type: internalusers
ERR: Seems /etc/wazuh-indexer/backup/internal_users.yml is not in OpenSearch Security 7 format: java.lang.NullPointerException: Cannot invoke "org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration.get_meta()" because "sdc" is null
ERR: cannot upload configuration, see errors above
16/01/2024 10:38:02 DEBUG: Passwords changed.
16/01/2024 10:38:02 DEBUG: Changing API passwords.
16/01/2024 10:39:04 INFO: Initializing Wazuh dashboard web application.
16/01/2024 10:39:04 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:39:19 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:39:34 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:39:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:40:04 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:40:19 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:40:34 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:40:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:41:04 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:41:19 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:41:34 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:41:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:42:04 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:42:19 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:42:34 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:42:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:43:04 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:43:19 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:43:34 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:43:49 INFO: Wazuh dashboard web application not yet initialized. Waiting...
16/01/2024 10:44:04 ERROR: Wazuh dashboard installation failed.
16/01/2024 10:44:04 INFO: --- Removing existing Wazuh installation ---
16/01/2024 10:44:04 INFO: Removing Wazuh manager.
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  wazuh-manager*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 888 MB disk space will be freed.
(Reading database ... 147142 files and directories currently installed.)
(Reading database ...
Removing wazuh-manager (4.8.0-1) ...
(Reading database ... 125079 files and directories currently installed.)
Purging configuration files for wazuh-manager (4.8.0-1) ...
dpkg: error processing package wazuh-manager (--purge):
 installed wazuh-manager package post-removal script subprocess returned error exit status 1
Errors were encountered while processing:
 wazuh-manager
E: Sub-process /usr/bin/dpkg returned an error code (1)
16/01/2024 10:44:09 INFO: Wazuh manager removed.
16/01/2024 10:44:09 INFO: Removing Wazuh indexer.
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  wazuh-indexer*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 1,050 MB disk space will be freed.
(Reading database ... 125078 files and directories currently installed.)
(Reading database ...
Removing wazuh-indexer (4.8.0-1) ...
Stopping wazuh-indexer service... OK
(Reading database ... 123942 files and directories currently installed.)
Purging configuration files for wazuh-indexer (4.8.0-1) ...
Deleting configuration directory... OK
dpkg: warning: while removing wazuh-indexer, directory '/var/lib/wazuh-indexer' not empty so not removed
dpkg: warning: while removing wazuh-indexer, directory '/var/log/wazuh-indexer' not empty so not removed
dpkg: warning: while removing wazuh-indexer, directory '/usr/lib/systemd/system' not empty so not removed
16/01/2024 10:44:09 INFO: Wazuh indexer removed.
16/01/2024 10:44:10 INFO: Removing Filebeat.
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  filebeat*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 73.6 MB disk space will be freed.
(Reading database ... 123902 files and directories currently installed.)
(Reading database ...
Removing filebeat (7.10.2) ...
(Reading database ... 123610 files and directories currently installed.)
Purging configuration files for filebeat (7.10.2) ...
dpkg: warning: while removing filebeat, directory '/etc/filebeat' not empty so not removed
dpkg: warning: while removing filebeat, directory '/usr/share/filebeat/module' not empty so not removed
16/01/2024 10:44:10 INFO: Filebeat removed.
16/01/2024 10:44:10 INFO: Removing Wazuh dashboard.
Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be REMOVED:
  wazuh-dashboard*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 987 MB disk space will be freed.
(Reading database ... 123583 files and directories currently installed.)
(Reading database ...
Removing wazuh-dashboard (4.8.0-1) ...
Stopping wazuh-dashboard service... OK
Deleting PID directory... OK
Deleting installation directory... OK
(Reading database ... 34797 files and directories currently installed.)
Purging configuration files for wazuh-dashboard (4.8.0-1) ... OK
16/01/2024 10:44:13 INFO: Wazuh dashboard removed.
16/01/2024 10:44:13 DEBUG: Removing GPG key from system.
16/01/2024 10:44:13 INFO: Installation cleaned. Check the /var/log/wazuh-install.log file to learn more about the issue.
```

Filebeat output

```console
root@wazuh-aio-testing:~# filebeat test output
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1, ::1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... ERROR 503 Service Unavailable: OpenSearch Security not initialized.
```

rauldpm commented 6 months ago

Research

```console
16/01/2024 10:36:49 INFO: Initializing Wazuh indexer cluster security settings.
./wazuh-install.sh: line 1648: sudo: command not found
Will create 'wazuh' index template
 SUCC: 'wazuh' template created or updated
Will create 'ism_history_indices' index template
 SUCC: 'ism_history_indices' template created or updated
Will disable replicas for 'plugins.index_state_management.history' indices
 SUCC: cluster's settings saved
Will create index templates to configure the alias
 SUCC: 'wazuh-alerts' template created or updated
 SUCC: 'wazuh-archives' template created or updated
Will create the 'rollover_policy' policy
  ERROR: could not check if the policy 'rollover_policy' exists => 503
ERROR: Indexer ISM initialization failed. Check /tmp/wazuh-indexer/ism-init.log for more information.
```

teddytpc1 commented 6 months ago

Possible solutions

To resolve this issue we have two options when sudo is not installed:

  1. Show a warning/error indicating that sudo is not installed and is a required dependency to install Wazuh.
  2. Install sudo to perform the installation and uninstall it at the end of the script execution.
davidjiglesias commented 6 months ago

After talking with @santiago-bassett and @rauldpm we decided to follow solution number 1 proposed here https://github.com/wazuh/wazuh-packages/issues/2776#issuecomment-1898811841. However, apart from that, it is important to check in the starting stage that the environment possesses the necessary dependencies to successfully complete the installation.

davidcr01 commented 5 months ago

Update Report

Development

The following code was added to the common_checkRoot function:

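```bash
common_logger -d "Checking sudo package."
# Discard the resolved path; only the exit status of command -v is needed.
if ! command -v sudo > /dev/null 2>&1; then
    common_logger -e "The sudo package is not installed and necessary for the installation."
    exit 1;
fi
```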

Instead of checking if the sudo package is installed with the YUM/APT package manager, it is done with the sudo command.

Testing

In a Debian11 system with sudo uninstalled, the WIA works as expected:

```console
root@debian11sudo:/home/vagrant# sudo
bash: /usr/bin/sudo: No such file or directory

root@debian11sudo:/home/vagrant# bash wazuh-install.sh -a -i -v
29/01/2024 16:40:00 DEBUG: Checking root permissions.
29/01/2024 16:40:00 DEBUG: Checking sudo package.
29/01/2024 16:40:00 ERROR: The sudo package is not installed and necessary for the installation.
```
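
A fuller form of the early dependency check discussed in this thread, as an added example that is not part of the issue or of wazuh-install.sh: it generalizes the single `sudo` test to a list of commands and reports every missing one in a single pass, and it adds a step wrapper that surfaces exit status 127 (command not found), the status behind the `sudo: command not found` line in the log. The function names, the `--preflight` switch and the command list are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not project code): preflight dependency check for an installer.
# The command list is illustrative; these tools appear in the log above, but
# this is not the assistant's real dependency list.
REQUIRED_COMMANDS="sudo curl gpg tar"

# Print every required command that cannot be resolved on PATH, one per line.
# Returns 0 when all are present, 1 when at least one is missing.
preflight_missing_commands() {
    local missing cmd
    missing=0
    for cmd in "$@"; do
        # command -v prints the resolved path on success; discard it so the
        # check adds nothing to the installer output.
        if ! command -v "$cmd" > /dev/null 2>&1; then
            printf '%s\n' "$cmd"
            missing=1
        fi
    done
    return "$missing"
}

# Fail before any package is installed, naming all missing tools at once.
preflight_or_die() {
    local missing
    if ! missing=$(preflight_missing_commands "$@"); then
        # Unquoted on purpose: word splitting joins the names with spaces.
        echo "ERROR: missing required commands:" $missing >&2
        return 1
    fi
}

# Run one install step and hand its exit status back to the caller.
# Status 127 is the shell's "command not found".
run_step() {
    local description status
    description=$1
    status=0
    shift
    "$@" || status=$?
    if [ "$status" -eq 127 ]; then
        echo "ERROR: $description: command not found: $1" >&2
    elif [ "$status" -ne 0 ]; then
        echo "ERROR: $description: exit status $status" >&2
    fi
    return "$status"
}

# Example wiring: only runs when the script is invoked with --preflight.
if [ "${1:-}" = "--preflight" ]; then
    preflight_or_die $REQUIRED_COMMANDS || exit 1
    run_step "print sudo version" sudo -V || exit 1
fi
```

Callers should act on the status returned by `run_step` (for example `run_step "init security" some_command || exit 1`) so that a later stage is not reported as successful after an earlier one failed.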