wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

Solaris 11 does not remove the group in Solaris 11.3 #3053

Closed rauldpm closed 3 weeks ago

rauldpm commented 3 months ago

Description

The v4.9.0-alpha3 dev documentation states the following note when uninstalling the Solaris 11 package

Note

If you uninstall the Wazuh agent in Solaris 11.4 or later, the Solaris 11 package manager does not remove the group wazuh from the system. Run the groupdel wazuh command to manually remove it.

But when I removed the package on a Solaris 11.3 system, the wazuh group still existed:

root@sossp104:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240722T154943Z
  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240722T154943Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240722T154943Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240722T154943Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240722T154943Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240722T154943Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240722T154943Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240722T154943Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240722T154943Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240722T154943Z
root@sossp104:~# grep wazuh /etc/group 
wazuh::13:
root@sossp104:~# grep wazuh /etc/passwd | wc -l
       0
root@sossp104:~# groupdel wazuh
root@sossp104:~# groupdel ossec
UX: groupdel: ERROR: ossec does not exist.

We need to determine whether the package is not removing the group or whether we need to change the documentation.

Related

MarcelKemp commented 3 months ago

Replicated

I was able to replicate the problem on Solaris 11:

root@solaris11:/export/home/vagrant# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240723T184935Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240723T184935Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240723T184935Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240723T184935Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240723T184935Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240723T184935Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240723T184935Z
root@solaris11:/export/home/vagrant# grep wazuh /etc/group 
wazuh::13:
root@solaris11:/export/home/vagrant# grep wazuh /etc/passwd | wc -l
       0
root@solaris11:/export/home/vagrant# groupdel wazuh
root@solaris11:/export/home/vagrant# groupdel wazuh
UX: groupdel: ERROR: wazuh does not exist.

Possible causes

The problem may be a privilege issue when deleting the wazuh group, as I show in the following output when not using an admin user:

vagrant@solaris11:~$ sudo pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240723T190002Z
vagrant@solaris11:~$ grep wazuh /etc/group
wazuh::13:
vagrant@solaris11:~$ groupdel wazuh
UX: groupdel: ERROR: Permission denied.
vagrant@solaris11:~$ sudo groupdel wazuh

In this case, the bug seems to exist since 4.3, with the following PR:

However, this has nothing to do with the Solaris version 11.4 that they indicate. It is therefore not 100% certain that this is the problem.

On the other hand, looking for the reason they indicate version 11.4 or higher, I have not found one, as the commit where it was introduced does not contain any relevant information:

Tasks to investigate

vikman90 commented 3 months ago

Thanks, @MarcelKemp.

Let's add this issue to the backlog as a medium-impact bug, since it dates back to previous versions.

jotacarma90 commented 1 month ago

Analysis

I'm still trying to get the wazuh-postremove.sh script to work; so far I have not found a way. Right now I have modified the manifest like this:

        <exec_method timeout_seconds='60' type='method' name='stop'
                     exec='/var/svc/manifest/site/wazuh-postremove.sh'/>

And created the wazuh-postremove.sh script:

#!/bin/sh
# postremove script for wazuh-agent
# Wazuh, Inc 2015

if getent passwd wazuh > /dev/null 2>&1; then
  userdel wazuh
fi

if getent group wazuh > /dev/null 2>&1; then
  groupdel wazuh
fi

if getent passwd ossec > /dev/null 2>&1; then
  userdel ossec
fi

if getent group ossec > /dev/null 2>&1; then
  groupdel ossec
fi

I have added in the generation script:

    echo "file wazuh-postremove.sh path=var/ossec/installation_scripts/wazuh-postremove.sh owner=root group=bin mode=0755" >> wazuh-agent.p5m.1

But it still doesn't run during package uninstall. After many attempts, I have managed to get this method to work; however, the script is triggered when the Wazuh service is stopped. This is problematic, since any reboot or manual service stop would delete the group and the user.

I have tried to investigate the creation and deletion of the group and user, but I have not been able to conclude how IPS handles it; here you can see the Group actions and User actions: https://docs.oracle.com/cd/E37838_01/html/E61051/pkgterms.html#PKDEVgludu

At this point, it would only remain to investigate the possibility of running the script with the package uninstallation itself as the trigger, but that does not seem simple. For now, we conclude that it is preferable to warn in the documentation about the need to remove the group manually.
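Since the thread ends with "remove the group manually", the following is a post-uninstall check added here as an example; it is not part of the wazuh-packages project and is not the wazuh-postremove.sh script above. The thread shows a bare `groupdel wazuh` after `pkg uninstall`; this version first confirms that the leftover group is actually orphaned (no account has its GID as primary group and no account is listed as a member) before removing it, because deleting a group that is still referenced leaves dangling GIDs that a later `groupadd` can silently reuse. The function names, the `DRY_RUN` variable and the sample passwd/group contents in `demo` are all my own constructions; the passwd and group file paths are parameters (defaulting to /etc/passwd and /etc/group) so the logic can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not wazuh-packages code): decide whether a group left behind
# by `pkg uninstall wazuh-agent` can be safely removed before running groupdel.
# A group is treated as removable only when no passwd entry uses its GID as
# primary group and the group entry lists no members.

# group_gid NAME GROUPFILE: print the GID of NAME (empty output if absent).
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"
}

# group_status NAME [PASSWDFILE] [GROUPFILE]
# Prints exactly one of:
#   absent | orphaned | in-use:primary:<users> | in-use:members:<users>
group_status() {
    name=$1
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}

    gid=$(group_gid "$name" "$group")
    if [ -z "$gid" ]; then
        echo "absent"
        return 0
    fi
    # Accounts whose primary GID (passwd field 4) is this group, comma-joined.
    primary=$(awk -F: -v gid="$gid" \
        '$4 == gid { printf "%s%s", sep, $1; sep="," }' "$passwd")
    if [ -n "$primary" ]; then
        echo "in-use:primary:$primary"
        return 0
    fi
    # Accounts listed as supplementary members (group field 4).
    members=$(awk -F: -v g="$name" '$1 == g { print $4; exit }' "$group")
    if [ -n "$members" ]; then
        echo "in-use:members:$members"
        return 0
    fi
    echo "orphaned"
}

# cleanup_group NAME [PASSWDFILE] [GROUPFILE]
# Runs `groupdel NAME` only when the group is orphaned. With DRY_RUN=1 the
# command is printed instead of executed (hypothetical switch, used by demo).
cleanup_group() {
    name=$1
    status=$(group_status "$@")
    case $status in
        orphaned)
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "would run: groupdel $name"
            elif groupdel "$name"; then
                echo "removed: $name"
            else
                echo "failed: groupdel $name"
            fi
            ;;
        *)
            echo "skipped $name ($status)"
            ;;
    esac
}

# Demo on constructed files mirroring the thread: the wazuh user is already
# gone and the wazuh group (GID 13) remains with no members, so it is
# removable. A constructed leftover 'ossec' account still uses group 'ossec'
# as primary group, so that group is reported as in use rather than deleted.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:Super-User:/root:/usr/bin/bash\nossec:x:101:14::/var/ossec:/bin/false\n' > "$tmp/passwd"
    printf 'root::0:\nwazuh::13:\nossec::14:\n' > "$tmp/group"
    for g in wazuh ossec nosuch; do
        DRY_RUN=1 cleanup_group "$g" "$tmp/passwd" "$tmp/group"
    done
    rm -rf "$tmp"
}

demo
```

Run it as root without DRY_RUN against the real files, e.g. `cleanup_group wazuh`, to get the behaviour the thread performs by hand; the `in-use` branches are the cases where a plain `groupdel` would have been the wrong answer.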