search

wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/
Other
10.67k stars 1.63k forks source link

Error: runuser: command not found when deploying Wazuh indexer with Puppet #19409

Closed Rolly-M closed 1 year ago

Rolly-M commented 1 year ago
Wazuh version Component Install type Install method Platform
4.6.0 Beta 1 Wazuh component Indexer Wazuh Puppet Module Ubuntu 18.04 Bionic

Test Environment

Componentl type OS Platform
Manager Multi node Ubuntu 18.04 Bionic Wazuh Puppet Module
Indexer Multi node Ubuntu 18.04 Bionic Wazuh Puppet Module
Dashboard Ubuntu 18.04 Bionic Wazuh Puppet Module
Agent Ubuntu 18.04 Bionic Wazuh Puppet Module

During the deployment in the scope of this issue, I got an error runuser: command not found for the indexer nodes preventing the security admin script from being ran.

Info: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer]
Error: /usr/share/wazuh-indexer/bin/indexer-security-init.sh: line 112: runuser: command not found

Error: /Stage[main]/Wazuh::Indexer/Exec[Initialize the Opensearch security index in Wazuh indexer]/returns: change from 'notrun' to ['0'] failed: /usr/share/wazuh-indexer/bin/indexer-security-init.sh: line 112: runuser: command not found

Info: Class[Wazuh::Indexer]: Unscheduling all events on Class[Wazuh::Indexer]
Info: Stage[main]: Unscheduling all events on Stage[main]
Notice: Applied catalog in 763.25 seconds

image

I tried to run the script manually and it works fine. 

root@indexer1:/home/rolly# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
root@indexer1:/home/rolly# /usr/share/wazuh-indexer/bin/indexer-security-init.sh
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
Will connect to 127.0.0.1:9200 ... done
Connected as "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
OpenSearch Version: 2.8.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: wazuh-cluster
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /etc/wazuh-indexer/opensearch-security/
Will update '/config' with /etc/wazuh-indexer/opensearch-security/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /etc/wazuh-indexer/opensearch-security/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /etc/wazuh-indexer/opensearch-security/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /etc/wazuh-indexer/opensearch-security/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /etc/wazuh-indexer/opensearch-security/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /etc/wazuh-indexer/opensearch-security/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /etc/wazuh-indexer/opensearch-security/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
Will update '/whitelist' with /etc/wazuh-indexer/opensearch-security/whitelist.yml
   SUCC: Configuration for 'whitelist' created or updated
Will update '/audit' with /etc/wazuh-indexer/opensearch-security/audit.yml
   SUCC: Configuration for 'audit' created or updated
Will update '/allowlist' with /etc/wazuh-indexer/opensearch-security/allowlist.yml
   SUCC: Configuration for 'allowlist' created or updated
SUCC: Expected 10 config types for node {"updated_config_types":["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"],"updated_config_size":10,"message":null} is 10 (["allowlist","tenants","rolesmapping","nodesdn","audit","roles","whitelist","internalusers","actiongroups","config"]) due to: null
Done with success

Checked on my indexer nodes if the runuser command does exist and it is actually installed already.

root@indexer1:/home/rolly# runuser
root@indexer1:/home/rolly# which runuser
/sbin/runuser

Related

davidcr01 commented 1 year ago

Update Report

Investigating the problem

I have found the code related to the error.

https://github.com/wazuh/wazuh-puppet/blob/d4469c5627f5c20c7f5de65ca0f15f50095a2de3/manifests/indexer.pp#L147-L152

exec { 'Initialize the Opensearch security index in Wazuh indexer':
    path    => ['/usr/bin', '/bin', '/usr/sbin'],
    command => "/usr/share/wazuh-indexer/bin/indexer-security-init.sh && touch ${indexer_security_init_lockfile}",
    creates => $indexer_security_init_lockfile,
    require => Service['wazuh-indexer'],
  }

It seems that, in the Ubuntu 18 system, the runuser command is not located in any path specified in the path command:

root@ubuntu18:/home/vagrant# ls /usr/sbin/ | grep runuser
root@ubuntu18:/home/vagrant# ls /bin | grep runuser
root@ubuntu18:/home/vagrant# ls /usr/bin | grep runuser

In this case, the runuser command is located in the /sbin/ path:

root@ubuntu18:/home/vagrant# ls /sbin/ | grep runuser
runuser

Reproducing the error

I followed the steps described in this comment, but only for the Wazuh indexer, and I got the same reproduced error:

:red_circle: Indexer error ```console root@indexer:/home/vagrant# puppet agent -t Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Info: Retrieving locales Info: Loading facts Info: Caching catalog for indexer Info: Applying configuration version '1696494578' Notice: /Stage[main]/Wazuh::Certificates/File[Configure Wazuh Certificates config.yml]/ensure: defined content as '{md5}80e7f98468c8befcfe9971ae3f1d6609' Notice: /Stage[main]/Wazuh::Certificates/File[/tmp/wazuh-certs-tool.sh]/ensure: defined content as '{mtime}2023-09-23 06:21:37 UTC' Notice: /Stage[main]/Wazuh::Certificates/Exec[Create Wazuh Certificates]/returns: executed successfully Notice: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits nofile for wazuh-indexer]/ensure: created Info: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits nofile for wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits memlock for wazuh-indexer]/ensure: created Info: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits memlock for wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Apt_key[wazuh]/ensure: created Notice: /Stage[main]/Apt/File[preferences]/ensure: created Info: /Stage[main]/Apt/File[preferences]: Scheduling refresh of Class[Apt::Update] Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content: --- /etc/apt/apt.conf.d/15update-stamp 2021-05-14 18:43:17.000000000 +0000 +++ /tmp/puppet-file20231005-16963-1paehsb 2023-10-05 08:29:43.960812000 +0000 @@ -1 +1,2 @@ +// This file is managed by Puppet. DO NOT EDIT. APT::Update::Post-Invoke-Success {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";}; Info: Computing checksum on file /etc/apt/apt.conf.d/15update-stamp Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Filebucketed /etc/apt/apt.conf.d/15update-stamp to puppet with sum b9de0ac9e2c9854b1bb213e362dc4e41 Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content: content changed '{md5}b9de0ac9e2c9854b1bb213e362dc4e41' to '{md5}0962d70c4ec78bbfa6f3544ae0c41974' Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Scheduling refresh of Class[Apt::Update] Notice: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{md5}b50d1939fbda19eba3f4910243e3ac3d' Info: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update] Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update] Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event Notice: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: created Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /etc/wazuh-indexer] Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /usr/share/wazuh-indexer] Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /var/lib/wazuh-indexer] Notice: /Stage[main]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]/returns: executed successfully Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/owner: owner changed 'root' to 'wazuh-indexer' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/group: group changed 'root' to 'wazuh-indexer' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/mode: mode changed '0755' to '0500' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer.pem]/ensure: defined content as '{md5}7679074a9a711a281402dfaf1a36f8c7' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-key.pem]/ensure: defined content as '{md5}e7be322380b4eb669ed20a62558784d6' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/root-ca.pem]/ensure: defined content as '{md5}b0c3c6ea182dde361ea2fc235dc01af4' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin.pem]/ensure: defined content as '{md5}8568f4328bf5d62e3e878f6c4482e0b0' Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin-key.pem]/ensure: defined content as '{md5}ef8cfa0b842cc77f9c4fd4ea57ad1097' Notice: /Stage[main]/Wazuh::Indexer/File[configuration file]/content: --- /etc/wazuh-indexer/opensearch.yml 2023-09-22 21:18:30.000000000 +0000 +++ /tmp/puppet-file20231005-16963-bsxf9x 2023-10-05 08:33:27.361056000 +0000 @@ -2,16 +2,10 @@ node.name: "node-1" cluster.initial_master_nodes: - "node-1" -#- "node-2" -#- "node-3" cluster.name: "wazuh-cluster" -#discovery.seed_hosts: -# - "node-1-ip" -# - "node-2-ip" -# - "node-3-ip" -node.max_local_storage_nodes: "3" -path.data: /var/lib/wazuh-indexer -path.logs: /var/log/wazuh-indexer +node.max_local_storage_nodes: "1" +path.data: "/var/lib/wazuh-indexer" +path.logs: "/var/log/wazuh-indexer" plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem @@ -29,14 +23,12 @@ plugins.security.enable_snapshot_restore_privilege: true plugins.security.nodes_dn: - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US" -#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US" -#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US" plugins.security.restapi.roles_enabled: - "all_access" - "security_rest_api_access" plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] +plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] ### Option to allow Filebeat-oss 7.10.2 to work ### -compatibility.override_main_response_version: true \ No newline at end of file +compatibility.override_main_response_version: true Info: Computing checksum on file /etc/wazuh-indexer/opensearch.yml Info: /Stage[main]/Wazuh::Indexer/File[configuration file]: Filebucketed /etc/wazuh-indexer/opensearch.yml to puppet with sum 9ee953958f2ca5d4b7753673aec33d42 Notice: /Stage[main]/Wazuh::Indexer/File[configuration file]/content: content changed '{md5}9ee953958f2ca5d4b7753673aec33d42' to '{md5}e7ccb3255cc6687a06c277be3fc7c239' Info: /Stage[main]/Wazuh::Indexer/File[configuration file]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Triggered 'refresh' from 1 event Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer] Notice: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]/ensure: ensure changed 'stopped' to 'running' Info: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer] Error: /usr/share/wazuh-indexer/bin/indexer-security-init.sh: line 112: runuser: command not found Error: /Stage[main]/Wazuh::Indexer/Exec[Initialize the Opensearch security index in Wazuh indexer]/returns: change from 'notrun' to ['0'] failed: /usr/share/wazuh-indexer/bin/indexer-security-init.sh: line 112: runuser: command not found Info: Class[Wazuh::Indexer]: Unscheduling all events on Class[Wazuh::Indexer] Info: Stage[main]: Unscheduling all events on Stage[main] Notice: Applied catalog in 234.06 seconds ```

I edited the /etc/puppetlabs/code/environments/production/modules/wazuh/manifests/indexer.pp file with the following code:

exec { 'Initialize the Opensearch security index in Wazuh indexer':
    path    => ['/usr/bin', '/bin', '/usr/sbin', '/sbin'],

:green_circle: The issue is solved and the error is not generated again:

root@indexer:/home/vagrant# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Notice: /File[/opt/puppetlabs/puppet/cache/locales/ja]/ensure: created
Notice: /File[/opt/puppetlabs/puppet/cache/locales/ja/puppetlabs-apt.po]/ensure: defined content as '{md5}129cd352e440bd317a8c5493d4fbf5f3'
Notice: /File[/opt/puppetlabs/puppet/cache/locales/ja/puppetlabs-concat.po]/ensure: defined content as '{md5}c9dad056a76901974ded7b150267573a'
Notice: /File[/opt/puppetlabs/puppet/cache/locales/ja/puppetlabs-stdlib.po]/ensure: defined content as '{md5}805e5d893d2025ad57da8ec0614a6753'
Info: Loading facts
Info: Caching catalog for indexer
Info: Applying configuration version '1696496118'
Notice: /Stage[main]/Wazuh::Certificates/File[Configure Wazuh Certificates config.yml]/ensure: defined content as '{md5}80e7f98468c8befcfe9971ae3f1d6609'
Notice: /Stage[main]/Wazuh::Certificates/File[/tmp/wazuh-certs-tool.sh]/ensure: defined content as '{mtime}2023-09-23 06:21:37 UTC'
Notice: /Stage[main]/Wazuh::Certificates/Exec[Create Wazuh Certificates]/returns: executed successfully
Notice: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits nofile for wazuh-indexer]/ensure: created
Info: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits nofile for wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits memlock for wazuh-indexer]/ensure: created
Info: /Stage[main]/Wazuh::Indexer/File_line[Insert line limits memlock for wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Repo/Apt::Key[wazuh]/Apt_key[wazuh]/ensure: created
Notice: /Stage[main]/Apt/File[preferences]/ensure: created
Info: /Stage[main]/Apt/File[preferences]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content: 
--- /etc/apt/apt.conf.d/15update-stamp  2021-05-14 18:43:17.000000000 +0000
+++ /tmp/puppet-file20231005-5202-96fhf1    2023-10-05 08:55:09.284564783 +0000
@@ -1 +1,2 @@
+// This file is managed by Puppet. DO NOT EDIT.
 APT::Update::Post-Invoke-Success {"touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";};

Info: Computing checksum on file /etc/apt/apt.conf.d/15update-stamp
Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Filebucketed /etc/apt/apt.conf.d/15update-stamp to puppet with sum b9de0ac9e2c9854b1bb213e362dc4e41
Notice: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/content: content changed '{md5}b9de0ac9e2c9854b1bb213e362dc4e41' to '{md5}0962d70c4ec78bbfa6f3544ae0c41974'
Info: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]: Scheduling refresh of Class[Apt::Update]
Notice: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/ensure: defined content as '{md5}b50d1939fbda19eba3f4910243e3ac3d'
Info: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]: Scheduling refresh of Class[Apt::Update]
Info: Class[Apt::Update]: Scheduling refresh of Exec[apt_update]
Notice: /Stage[main]/Apt::Update/Exec[apt_update]: Triggered 'refresh' from 1 event
Notice: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]/ensure: created
Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /etc/wazuh-indexer]
Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /usr/share/wazuh-indexer]
Info: /Stage[main]/Wazuh::Indexer/Package[wazuh-indexer]: Scheduling refresh of Exec[set recusive ownership of /var/lib/wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[ensure full path of /etc/wazuh-indexer/certs]/returns: executed successfully
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/owner: owner changed 'root' to 'wazuh-indexer'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/group: group changed 'root' to 'wazuh-indexer'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs]/mode: mode changed '0755' to '0500'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer.pem]/ensure: defined content as '{md5}bc69122dada73e8539a7491d47bc527f'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/indexer-key.pem]/ensure: defined content as '{md5}c10c9381549580d5196f9cb2ef6d4826'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/root-ca.pem]/ensure: defined content as '{md5}da51b59d264f7c1837c77f8f8a42b470'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin.pem]/ensure: defined content as '{md5}fd4555f83b83a591686dfbae45e36cda'
Notice: /Stage[main]/Wazuh::Indexer/File[/etc/wazuh-indexer/certs/admin-key.pem]/ensure: defined content as '{md5}9891657f2760eac3958a0f9e87b61f3f'
Notice: /Stage[main]/Wazuh::Indexer/File[configuration file]/content: 
--- /etc/wazuh-indexer/opensearch.yml   2023-09-22 21:18:30.000000000 +0000
+++ /tmp/puppet-file20231005-5202-7i59qh    2023-10-05 08:58:51.583658785 +0000
@@ -2,16 +2,10 @@
 node.name: "node-1"
 cluster.initial_master_nodes:
 - "node-1"
-#- "node-2"
-#- "node-3"
 cluster.name: "wazuh-cluster"
-#discovery.seed_hosts:
-#  - "node-1-ip"
-#  - "node-2-ip"
-#  - "node-3-ip"
-node.max_local_storage_nodes: "3"
-path.data: /var/lib/wazuh-indexer
-path.logs: /var/log/wazuh-indexer
+node.max_local_storage_nodes: "1"
+path.data: "/var/lib/wazuh-indexer"
+path.logs: "/var/log/wazuh-indexer"

 plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
 plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
@@ -29,14 +23,12 @@
 plugins.security.enable_snapshot_restore_privilege: true
 plugins.security.nodes_dn:
 - "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
-#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
-#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
 plugins.security.restapi.roles_enabled:
 - "all_access"
 - "security_rest_api_access"

 plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
+plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

 ### Option to allow Filebeat-oss 7.10.2 to work ###
-compatibility.override_main_response_version: true
\ No newline at end of file
+compatibility.override_main_response_version: true

Info: Computing checksum on file /etc/wazuh-indexer/opensearch.yml
Info: /Stage[main]/Wazuh::Indexer/File[configuration file]: Filebucketed /etc/wazuh-indexer/opensearch.yml to puppet with sum 9ee953958f2ca5d4b7753673aec33d42
Notice: /Stage[main]/Wazuh::Indexer/File[configuration file]/content: content changed '{md5}9ee953958f2ca5d4b7753673aec33d42' to '{md5}e7ccb3255cc6687a06c277be3fc7c239'
Info: /Stage[main]/Wazuh::Indexer/File[configuration file]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /etc/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /usr/share/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Triggered 'refresh' from 1 event
Info: /Stage[main]/Wazuh::Indexer/Exec[set recusive ownership of /var/lib/wazuh-indexer]: Scheduling refresh of Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]/ensure: ensure changed 'stopped' to 'running'
Info: /Stage[main]/Wazuh::Indexer/Service[wazuh-indexer]: Unscheduling refresh on Service[wazuh-indexer]
Notice: /Stage[main]/Wazuh::Indexer/Exec[Initialize the Opensearch security index in Wazuh indexer]/returns: executed successfully
Notice: Applied catalog in 243.05 seconds

Including /sbin in the path parameter ensures that Puppet can locate system commands, including runuser, when it's needed for execution. In many cases, /sbin is already included in the default system PATH, but explicitly specifying it in the Puppet code provides assurance that the command will be found even if the default PATH configuration differs from system to system.

Adding /sbin to the path parameter in the Puppet code should not have a negative impact on Puppet deployments in other systems. /sbin is a standard system directory that typically contains system administration binaries, and it is present on most Unix-like systems.