wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Error when editing configuration through the UI #23330

Closed Selutario closed 1 week ago

Selutario commented 1 week ago

Description

We have received reports that, in 4.8.0-rc1, an error like the following sometimes appears when trying to edit the ossec.conf through the UI:

[image]

Checks

The following elements have been updated or reviewed (should also be checked if no modification is required):

GGP1 commented 1 week ago

Update

I tried to reproduce the error using a multi-node wazuh-docker environment with the tag 4.8.0-rc1, but the configuration was updated successfully the 10 times I tried. I tested saving both changed and unchanged configuration files.

The issue was likely caused by the file ossec.conf not having proper permissions and ownership set.

https://github.com/wazuh/wazuh/blob/1e51c2d9ad140ba3dcdf60fdb9c5a79c43c8ffb3/framework/wazuh/core/configuration.py#L1319-L1323

We would need further information about the environment or steps to reproduce to continue with the investigation.

Tests

Wazuh version

![cluster](https://github.com/wazuh/wazuh/assets/51374959/240cc7bf-742f-473c-95e8-830c1c3fb528)

```console
bash-5.2# /var/ossec/bin/wazuh-control info
WAZUH_VERSION="v4.8.0"
WAZUH_REVISION="40809"
WAZUH_TYPE="server"
```

Configuration update UI

![config_change](https://github.com/wazuh/wazuh/assets/51374959/857cdad9-3557-4516-b1d2-4f2d60dcee6e)

Configuration update API logs

```console
bash-5.2# cat /var/ossec/logs/api.log | grep PUT
2024/05/07 18:45:32 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 1.073s: 200
2024/05/07 18:46:04 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.634s: 200
2024/05/07 18:46:21 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.723s: 200
2024/05/07 18:46:54 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 2.403s: 200
2024/05/07 18:52:44 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.977s: 200
2024/05/07 18:52:55 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.675s: 200
2024/05/07 18:53:00 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.677s: 200
2024/05/07 18:53:05 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.667s: 200
2024/05/07 18:53:20 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.639s: 200
2024/05/07 18:53:27 INFO: wazuh-wui 172.19.0.7 "PUT /cluster/manager/configuration" with parameters {} and body {} done in 0.645s: 200
```

Initial ossec.conf file information

```console
bash-5.2# stat /var/ossec/etc/ossec.conf
File: /var/ossec/etc/ossec.conf
Size: 8665 Blocks: 24 IO Block: 4096 regular file
Device: fe00h/65024d Inode: 3803290 Links: 1
Access: (0660/-rw-rw----) Uid: ( 0/ root) Gid: ( 999/ wazuh)
Access: 2024-05-07 18:42:21.162256276 +0000
Modify: 2024-05-07 18:42:21.150256176 +0000
Change: 2024-05-07 18:42:21.150256176 +0000
Birth: 2024-05-07 18:42:21.150256176 +0000
```

ossec.conf file information after an update

```console
bash-5.2# stat /var/ossec/etc/ossec.conf
File: /var/ossec/etc/ossec.conf
Size: 7879 Blocks: 16 IO Block: 4096 regular file
Device: fe00h/65024d Inode: 3803290 Links: 1
Access: (0660/-rw-rw----) Uid: ( 0/ root) Gid: ( 999/ wazuh)
Access: 2024-05-07 18:46:53.294937600 +0000
Modify: 2024-05-07 18:46:53.290937572 +0000
Change: 2024-05-07 18:46:53.290937572 +0000
Birth: 2024-05-07 18:19:16.441548103 +0000
```

GGP1 commented 1 week ago

Update

Made the same tests in the Demo environment but couldn't reproduce the failure. I also analyzed the API logs from previous days but no internal errors were found.

A pull request has been opened to include the exception message in the error thrown by the API to aid the debugging in the future.

Configuration change

![demo_config_update](https://github.com/wazuh/wazuh/assets/51374959/4636a356-79de-40e2-8295-ac5087dfab1a)

ossec.conf stat before change

```console
[root@wazuh-manager-master-0 ~]# stat /var/ossec/etc/ossec.conf
File: ‘/var/ossec/etc/ossec.conf’
Size: 12982 Blocks: 32 IO Block: 4096 regular file
Device: 10301h/66305d Inode: 16914061 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 995/ wazuh) Gid: ( 993/ wazuh)
Access: 2024-05-03 16:19:44.603601284 +0000
Modify: 2024-05-08 14:59:19.378609358 +0000
Change: 2024-05-08 14:59:19.378609358 +0000
Birth: -
```

ossec.conf stat after change

```console
[root@wazuh-manager-master-0 ~]# stat /var/ossec/etc/ossec.conf
File: ‘/var/ossec/etc/ossec.conf’
Size: 12170 Blocks: 24 IO Block: 4096 regular file
Device: 10301h/66305d Inode: 16914061 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 995/ wazuh) Gid: ( 993/ wazuh)
Access: 2024-05-03 16:19:44.603601284 +0000
Modify: 2024-05-08 15:02:33.747001924 +0000
Change: 2024-05-08 15:02:33.747001924 +0000
Birth: -
```

Current day configuration updates

```console
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api.log | grep "PUT /cluster/master/configuration"
2024/05/08 13:56:28 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.327s: 200
2024/05/08 14:12:47 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.119s: 200
2024/05/08 14:42:19 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.045s: 200
2024/05/08 14:42:39 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.569s: 200
2024/05/08 14:43:01 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.415s: 200
2024/05/08 14:46:08 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.108s: 200
2024/05/08 14:48:38 INFO: unknown_user 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 0.003s: 401
2024/05/08 14:48:43 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.064s: 200
2024/05/08 14:48:55 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.204s: 200
2024/05/08 14:50:44 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.288s: 200
2024/05/08 14:53:32 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.151s: 200
2024/05/08 14:56:18 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.054s: 200
2024/05/08 14:59:21 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.053s: 200
2024/05/08 15:02:35 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 1.894s: 200
2024/05/08 15:03:01 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.331s: 200
```

Previous days configuration updates

```console
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-03 | grep "PUT /cluster/master/configuration"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-04 | grep "PUT /cluster/master/configuration"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-05 | grep "PUT /cluster/master/configuration"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-06 | grep "PUT /cluster/master/configuration"
2024/05/06 17:15:58 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 0.034s: 200
2024/05/06 17:16:48 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.159s: 200
2024/05/06 17:16:58 INFO: unknown_user 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 0.003s: 401
2024/05/06 17:17:02 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.162s: 200
2024/05/06 17:17:12 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.074s: 200
2024/05/06 17:17:52 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.024s: 200
2024/05/06 17:21:30 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.154s: 200
2024/05/06 17:36:46 INFO: wazuh (3ad997ac943fc4f9eaa3d5b4f1332ad3) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.509s: 200
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-07 | grep "PUT /cluster/master/configuration"
2024/05/07 14:10:47 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.138s: 200
2024/05/07 14:10:59 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.136s: 200
2024/05/07 14:11:23 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.004s: 200
2024/05/07 16:08:23 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.716s: 200
2024/05/07 16:14:11 INFO: wazuh (2bec21896ad97dc43603f7fffcf2ceb6) 10.0.0.182 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.128s: 200
```

api.log internal errors

```console
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api.log | grep "s: 500"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-03 | grep "s: 500"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-04 | grep "s: 500"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-05 | grep "s: 500"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-06 | grep "s: 500"
[root@wazuh-manager-master-0 ~]# cat /var/ossec/logs/api/2024/May/api.log-07 | grep "s: 500"
```

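
Added example, not part of the original thread or of the Wazuh code base: a Python parser for the api.log request-line layout quoted in the comment above, tallying `PUT .../configuration` calls by status and by caller instead of grepping each file by hand. The sample lines, IP address and hash are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout follows the api.log lines quoted in this issue; the "(hash)" after
# the user name is optional because only some of those lines carry it.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+): '
    r'(?P<user>\S+)(?: \((?P<hash>[0-9a-f]+)\))? (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" with parameters .* '
    r'done in (?P<secs>\d+\.\d+)s: (?P<status>\d{3})$'
)
# Constructed sample (documentation IP range, made-up hash), not real log data.
SAMPLE = """\
2024/05/08 14:46:08 INFO: wazuh (0123456789abcdef0123456789abcdef) 192.0.2.10 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.108s: 200
2024/05/08 14:48:38 INFO: unknown_user 192.0.2.10 "PUT /cluster/master/configuration" with parameters {} and body {} done in 0.003s: 401
2024/05/08 14:48:43 INFO: wazuh-wui 192.0.2.10 "PUT /cluster/master/configuration" with parameters {} and body {} done in 2.064s: 200
2024/05/08 14:50:01 INFO: wazuh-wui 192.0.2.10 "GET /cluster/master/configuration" with parameters {} and body {} done in 0.120s: 200
2024/05/08 14:51:12 INFO: wazuh-wui 192.0.2.10 "PUT /cluster/master/configuration" with parameters {} and body {} done in 0.412s: 500
truncated line
"""

def parse_line(line):
    """Return the fields of one api.log request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {**m.groupdict(), "secs": float(m["secs"]), "status": int(m["status"])}

def audit_config_writes(lines):
    """Summarise PUT .../configuration calls: status counts, writers, failures."""
    statuses, writers, failures, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # count lines the regex missed instead of hiding them
            continue
        if rec["method"] != "PUT" or not rec["path"].endswith("/configuration"):
            continue
        statuses[rec["status"]] += 1
        if rec["status"] == 200:
            writers[(rec["user"], rec["ip"])] += 1
        else:
            failures.append(rec)
    return statuses, writers, failures, unparsed

if __name__ == "__main__":
    print(audit_config_writes(SAMPLE.splitlines()))
```

The `unparsed` count matters when the check is used as evidence that no errors occurred: a non-zero value means some lines were never evaluated.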
javiersanchz commented 1 week ago

Review

Selutario commented 1 week ago

GJ. Although it could not be reproduced, we will obtain more information in the future in case it happens again after this issue's PR.