wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

Solaris 11 does not remove the group in Solaris 11.3 #3053

Open rauldpm opened 1 month ago

rauldpm commented 1 month ago

Description

The v4.9.0-alpha3 dev documentation states the following note when uninstalling the Solaris 11 package

Note

If you uninstall the Wazuh agent in Solaris 11.4 or later, the Solaris 11 package manager does not remove the group wazuh from the system. Run the groupdel wazuh command to manually remove it.

But when I removed the package in a Solaris 11.3 system, the wazuh group still exists.

root@sossp104:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240722T154943Z
  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240722T154943Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240722T154943Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240722T154943Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240722T154943Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240722T154943Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240722T154943Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240722T154943Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240722T154943Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240722T154943Z
root@sossp104:~# grep wazuh /etc/group 
wazuh::13:
root@sossp104:~# grep wazuh /etc/passwd | wc -l
       0
root@sossp104:~# groupdel wazuh
root@sossp104:~# groupdel ossec
UX: groupdel: ERROR: ossec does not exist.

We need to determine if the package is not removing the group or if we need to change the documentation.

Related

MarcelKemp commented 1 month ago

Replicated

I was able to replicate the problem on a Solaris 11:

root@solaris11:/export/home/vagrant# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240723T184935Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240723T184935Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240723T184935Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240723T184935Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240723T184935Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240723T184935Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240723T184935Z
root@solaris11:/export/home/vagrant# grep wazuh /etc/group 
wazuh::13:
root@solaris11:/export/home/vagrant# grep wazuh /etc/passwd | wc -l
       0
root@solaris11:/export/home/vagrant# groupdel wazuh
root@solaris11:/export/home/vagrant# groupdel wazuh
UX: groupdel: ERROR: wazuh does not exist.

Possible causes

The problem may be a privilege issue when deleting the wazuh group, as I show in the following outputs, if you are not using an admin user:

vagrant@solaris11:~$ sudo pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240723T190002Z
vagrant@solaris11:~$ grep wazuh /etc/group
wazuh::13:
vagrant@solaris11:~$ groupdel wazuh
UX: groupdel: ERROR: Permission denied.
vagrant@solaris11:~$ sudo groupdel wazuh

In this case, the bug seems to be found from 4.3 with the following PR:

However, this has nothing to do with the Solaris version 11.4 that they indicate. It is therefore not 100% certain that this is the problem.

On the other hand, looking for the reason they indicate a version 11.4 or higher, I have not found any reason for it, as the commit where it was introduced does not contain any relevant information:

Tasks to investigate
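As an added example (not code from the wazuh-packages repository), the check below is what a postremove script or an administrator could run before deleting a group a package uninstall left behind: it confirms the group exists, has no listed members, and is nobody's primary GID, which a plain `grep wazuh /etc/passwd` does not verify. The group/passwd file paths and their contents are constructed here so it runs against copies rather than the live /etc files.

```shell
#!/bin/sh
# Added example, not from the Wazuh project. Decide whether a group left behind
# by a package uninstall is orphaned and safe to delete. Files are passed as
# arguments so the check can be dry-run against copies of /etc/group and
# /etc/passwd. Return codes: 0 orphaned, 1 still referenced, 2 group absent.
check_orphan_group() {
  grp="$1"; group_file="$2"; passwd_file="$3"
  line=$(awk -F: -v g="$grp" '$1 == g { print; exit }' "$group_file")
  [ -n "$line" ] || return 2
  gid=$(printf '%s\n' "$line" | cut -d: -f3)
  members=$(printf '%s\n' "$line" | cut -d: -f4)
  if [ -n "$members" ]; then
    echo "group $grp still lists members: $members" >&2
    return 1
  fi
  # A user whose primary GID equals the group's GID keeps the group in use even
  # if the user name never mentions it; grepping passwd for the name misses this.
  owners=$(awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file")
  if [ -n "$owners" ]; then
    echo "group $grp (gid $gid) is the primary group of: $owners" >&2
    return 1
  fi
  return 0
}

# Only print the groupdel advice when the check reports an orphaned group.
cleanup_group() {
  if check_orphan_group "$1" "$2" "$3"; then rc=0; else rc=$?; fi
  case $rc in
    0) echo "group $1 is orphaned; safe to run: groupdel $1" ;;
    1) echo "group $1 is still in use; leaving it alone" ;;
    2) echo "group $1 is not present; nothing to do" ;;
  esac
  return $rc
}

# Constructed sample files mirroring the state seen after 'pkg uninstall':
# the wazuh group (gid 13) is left over and no user references it, while
# staff (gid 10) is the primary group of the vagrant user.
tmp=$(mktemp -d)
printf 'root::0:\nsys::3:\nwazuh::13:\nstaff::10:\n' > "$tmp/group"
printf 'root:x:0:0:Super-User:/root:/usr/bin/bash\n' > "$tmp/passwd"
printf 'vagrant:x:100:10::/export/home/vagrant:/bin/bash\n' >> "$tmp/passwd"

cleanup_group wazuh "$tmp/group" "$tmp/passwd"
cleanup_group staff "$tmp/group" "$tmp/passwd"
```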

vikman90 commented 1 month ago

Thanks, @MarcelKemp.

Let's add this issue to the backlog as a medium-impact bug, since it dates back to previous versions.