Closed rauldpm closed 4 months ago
Hi @rauldpm, I'm asking about the procedure used in the test you mention, since I haven't been able to obtain the same results. Here's a summary of what I tested using a centos7 Docker VM:
[root@05a3e797059b /]# ls -ld /var/ossec/queue/keystore/
drwxr-x--- 2 wazuh wazuh 4096 Feb 27 14:51 /var/ossec/queue/keystore/
[root@05a3e797059b /]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@05a3e797059b /]# ls -l /var/ossec/queue/keystore/
total 144
-rw-r--r-- 1 root root 1307 Feb 26 22:16 000012.sst
-rw-r--r-- 1 root root 0 Feb 27 14:51 000015.log
-rw-r--r-- 1 root root 1307 Feb 27 14:51 000023.sst
-rw-r--r-- 1 root root 16 Feb 27 14:51 CURRENT
-rw-r--r-- 1 root root 36 Feb 26 22:16 IDENTITY
-rw-r--r-- 1 root root 0 Feb 26 22:16 LOCK
-rw-r--r-- 1 root root 54733 Feb 27 14:51 LOG
-rw-r--r-- 1 root root 44832 Feb 26 22:16 LOG.old.1709045504859047
-rw-r--r-- 1 root root 420 Feb 27 14:51 MANIFEST-000016
-rw-r--r-- 1 root root 11473 Feb 27 14:51 OPTIONS-000020
-rw-r--r-- 1 root root 11474 Feb 27 14:51 OPTIONS-000022
[root@05a3e797059b /]# ls -ld /var/ossec/queue/keystore/
drwxr-x--- 2 wazuh wazuh 4096 Feb 27 19:07 /var/ossec/queue/keystore/
You can also access the generated package to perform this test. https://ci.wazuh.info/job/Packages_builder/188437/ https://packages-dev.wazuh.com/debug/yum/wazuh-manager-4.8.0-2854.1.x86_64.rpm
Is there a process that has been run after the installation? What could be modifying the permissions of the aforementioned directory?
@rauldpm, we have not been able to reproduce the behavior described in this issue. If no further steps are provided to reproduce it, we will close this issue as "not planned".
@tdrauncieal No, I just installed the 4.8.0 Beta 2 package in a CentOS 7 Vagrant box (centos/7). Is it possible for Wazuh to change the keystore directory permissions temporarily? I can't reproduce it now.
Description
Reviewing the 4.8.0 Beta 2 changelog, the following pull request has been found: https://github.com/wazuh/wazuh-packages/pull/2804/. This pull request mentions RPM and DEB system in the pull request name, but the changes only modify the RPM package.
While reviewing and comparing the Wazuh manager RPM package, it has been found that it sets different permissions than the DEB package in the /var/ossec/keystore/ directory. We should review those permissions and check if they are correct, since a read permission is being granted to user group and execution permission is being granted to others, which could lead to a security risk.
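A way to check a keystore directory for the two grants questioned in the description, and to list the files each grant would make reachable. This is an added example, not part of the issue or of the Wazuh project; the function names `has_perm` and `audit_keystore` and the `KEYSTORE_DIR` variable are assumptions, and the default path is the one shown in the terminal session earlier in the thread.

```shell
#!/bin/sh
# Added example (not Wazuh code): report the directory grants questioned in
# the issue and the files each grant makes reachable.

# True when the path in $1 has every bit of the octal mode in $2 set.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Print one finding per line for the directory in $1.
# Prints nothing when only the owner has access.
audit_keystore() {
    dir=$1
    if has_perm "$dir" 040; then
        echo "group-read $dir"            # group members can list file names
    fi
    if has_perm "$dir" 010; then
        # Group members can traverse the directory. A member who is not in
        # the file's own group falls into the file's "other" class, so a file
        # is reachable when either its group-read or other-read bit is set.
        find "$dir" -type f \( -perm -040 -o -perm -004 \) \
            -exec echo "reachable-via-group-x" {} \;
    fi
    if has_perm "$dir" 001; then
        echo "other-exec $dir"            # any local user can traverse the directory
        find "$dir" -type f -perm -004 -exec echo "reachable-via-other-x" {} \;
    fi
    return 0
}

# Default is the path from the terminal session above; override with KEYSTORE_DIR.
KEYSTORE_DIR=${KEYSTORE_DIR:-/var/ossec/queue/keystore}
if [ -d "$KEYSTORE_DIR" ]; then
    audit_keystore "$KEYSTORE_DIR"
fi
```

Run it as root so `find` can descend into the directory. On a `drwxr-x---` directory holding `-rw-r--r--` files, as in the listing above, it reports `group-read` and one `reachable-via-group-x` line per file, and no `other-exec` finding.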