Question regarding to wodle command

[Carlos Lopez]

Hi all,

I am using the following to keep osquery updated in all my macOS agents:

#!/bin/bash

install_version="4.8.0"
down_url="https://pkg.osquery.io/darwin/osquery-${install_version}.pkg"
pkg="/tmp/osquery.pkg"

if [ ! -x /usr/local/bin/osqueryi ]; then
curl -s --fail -o $pkg $down_url
if [ $? -eq 0 ]; then
installer -pkg $pkg -target / > /dev/null 2>&1
sleep 30
/Library/Ossec/bin/ossec-control restart > /dev/null 2>&1
exit 0
fi
elif [ "$(/usr/local/bin/osqueryi --version | awk '{print $3}')" != "$install_version" ]; then
launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
rm /Library/LaunchDaemons/com.facebook.osqueryd.plist
rm -rf /private/var/log/osquery
rm -rf /private/var/osquery
rm /usr/local/bin/osquery*
pkgutil --forget com.facebook.osquery
curl -s --fail -o $pkg $down_url
if [ $? -eq 0 ]; then
installer -pkg $pkg -target / > /dev/null 2>&1
sleep 30
/Library/Ossec/bin/ossec-control restart > /dev/null 2>&1
fi
fi

Yes, it is pretty simple :). Update process for osquery goes perfect but last command "ossec-control restart", it is never executed and a lot of errors appears:

2021/05/06 08:47:40 wazuh-modulesd:osquery: INFO: Following osquery results file '/var/log/osquery/osqueryd.snapshots.log'.
2021/05/06 08:47:40 wazuh-modulesd:command: INFO: Starting command 'install-osquery-macos'.
2021/05/06 08:47:40 sca: INFO: Module started.
2021/05/06 08:47:40 wazuh-modulesd:control: INFO: Starting control thread.
2021/05/06 08:47:40 sca: INFO: Policy '/Library/Ossec/ruleset/sca/sca_unix_audit.yml' disabled by configuration.
2021/05/06 08:47:40 sca: INFO: Loaded policy '/Library/Ossec/etc/shared/macos_cis_yml'
2021/05/06 08:47:40 sca: INFO: Starting Security Configuration Assessment scan.
2021/05/06 08:47:40 sca: INFO: Starting evaluation of policy: '/Library/Ossec/etc/shared/macos_cis_yml'
2021/05/06 08:47:40 wazuh-modulesd:osquery: WARNING: E0506 08:47:40.885989 249183744 shutdown.cpp:69] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
2021/05/06 08:47:41 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/05/06 08:47:41 wazuh-modulesd:osquery: INFO: Results file '/var/log/osquery/osqueryd.snapshots.log' was deleted.
2021/05/06 08:47:41 wazuh-modulesd:osquery: WARNING: Results file '/var/log/osquery/osqueryd.snapshots.log' not available: No such file or directory (2). Retrying in 1 sec.
2021/05/06 08:47:42 wazuh-modulesd:osquery: WARNING: Results file '/var/log/osquery/osqueryd.snapshots.log' not available: No such file or directory (2). Retrying in 2 sec.
2021/05/06 08:47:43 wazuh-modulesd:osquery: WARNING: E0506 08:47:43.707573 170332160 shutdown.cpp:69] Worker returned exit status
2021/05/06 08:47:43 wazuh-modulesd:osquery: ERROR: Osquery exited with code 78. Closing module.
2021/05/06 08:47:44 wazuh-modulesd:osquery: INFO: Closing module.

Why? Is it possible to reload wazuh agent after osquery is updated?

Many thanks.

[Alberto Rodriguez]

Hello Carlos

  The error: `Osquery exited with code 78. Closing module.` appears when `/var/osquery` is empty. It looks a timing issue, the Wazuh agent detects an empty folder and it closes the module just before to found the new version in the mentioned folder. Could you try stopping the agent just before upgrade osquery? If so, you could open an issue asking for more `/var/osquery` finding tries, instead of closing the module the first time the folder is empty. 

Regards, 

Alberto R

[Carlos Lopez]

Thanks Alberto ….

But only one question: If I stop the Wazuh agent before I start updating osquery, won't the script be killed?

Best regards,

C. L. Martinez

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8efbe711-abd9-46f5-8ed8-bb1f2378adb4n%40googlegroups.com.

[Carlos Lopez]

Hi,

 I have tried to stop wazuh agent and launch ossuary update but it doesn’t work ….

Best regards,

C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/10D6D795-FE28-4896-8410-A5787F52BE88%40outlook.com.

[Alberto Rodriguez]

Hello

 So, you stopped the agent (/Library/ossec/bin/ossec-control stop), then ./upgrade_osquery.sh, and then, started the agent (/Library/ossec/bin/ossec-control start). And you saw this message after the latest restart:

 wazuh-modulesd:osquery: ERROR: Osquery exited with code 78. Closing module.

Ok, could you please try again with the option with modulesd in debug mode? The option wazuh_modules.debug must be set to 2 in /Library/ossec/etc/internal_options.conf. Stop the agent, launch the script, start the agent again, and please share the logs: cat /Library/Ossec/logs/ossec.log | grep modules

Remember to restore the debug option to 0 after the debugging. 

[Carlos Lopez]

There is no errors enabling debug option. According to debug log, command is executed.

But I think we are not understanding each other. I am going to try to explain better. :)

I need the Wazuh agent itself to perform the action of updating osquery package to the version hard-coded in the script.

If I stop the agent, how do I launch the update? I can not launch the update script manually.

C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/fd612a13-fd61-48d6-9522-f2543e981393n%40googlegroups.com.

[Alberto Rodriguez]

Ok, I understand. So you are using remote commands / centralized configuration to perform those osquery upgrades, right? Could you please indicate exactly how? I can't reproduce the issue in my lab, having the same configuration could help. 

Regards, 

Alberto R

[Carlos Lopez]

Correct Alberto.

I am trying to perform these updates using the wodle command in interval basis:

<wodle name="command">
<disabled>no</disabled>
<tag>install-wazuh-addons-macos</tag>
<command>/bin/bash /Library/Ossec/etc/shared/install_addons_test.sh</command>
<interval>3d</interval>
<ignore_output>no</ignore_output>

<run_on_start>yes</run_on_start>
<timeout>0</timeout>
</wodle>

And install_addons_test.sh content is:

#!/bin/bash

osquery_version="4.8.0"
down_url_osquery="https://pkg.osquery.io/darwin/osquery-${osquery_version}.pkg"
pkg_osquery="/tmp/osquery.pkg"


/Library/Ossec/bin/ossec-control stop > /dev/null 2>&1

if [ ! -x /usr/local/bin/osqueryi ]; then

 curl -s --fail -o $pkg_osquery $down_url_osquery

 if [ $? -eq 0 ]; then

 installer -pkg $pkg_osquery -target / > /dev/null 2>&1
 fi
elif [ "$(/usr/local/bin/osqueryi --version | awk '{print $3}')" != "$osquery_version" ]; then

launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist
rm /Library/LaunchDaemons/com.facebook.osqueryd.plist
rm -rf /private/var/log/osquery
rm -rf /private/var/osquery
rm /usr/local/bin/osquery*
pkgutil --forget com.facebook.osquery

curl -s --fail -o $pkg_osquery $down_url_osquery

if [ $? -eq 0 ]; then

installer -pkg $pkg_osquery -target / > /dev/null 2>&1
fi
fi

/Library/Ossec/bin/ossec-control restart > /dev/null 2>&1

 If I remove first Ossec-control, sometimes the script works, but most of the time osquery module doesn’t start.

Best regards,

C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ea1a506e-9278-4586-b2cc-0fff5c9478ben%40googlegroups.com.

[Carlos Lopez]

Good morning Alberto,

 Any news regarding this issue?

Best regards,

C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/0B97A19F-8B05-4D4F-AA46-B824E9893525%40outlook.com.

[Alberto Rodriguez]

Hello Carlos

  We are looking into this, I will reply to you as soon as possible. 

Regards, 

--

Alberto Rodriguez CICD TL  The Open Source Security Platform

* This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. Any dissemination, copying or distribution to third parties without the express consent of the sender is strictly prohibited. If you have received this message in error, please delete it immediately and notify the sender. Thank you for your collaboration.

[Alberto Rodriguez]

Hello Carlos

Sorry for the late response. I tested your script and maybe it's not recommended to restart the wazuh-agent from a centralized command shared conf. I tested the attached script and looks good to me. As you can see, I left only one if, in those cases where osqueryi doesn't exist OR present a different version from the variable given, it will install the new package. I don't see the need of removing the old one, as it is an upgrade. Additionally, I added a function for configuration file restoring to lose the file in the upgrade. Could this solve your problem? What do you think? Let me know if it could fit your use case. 

Regards, 

Alberto R

[Carlos Lopez]

Good morning Alberto,

 Many thanks. The thing is that I manage osquery config through Wazuh using osquery’s wodle. That is to say, I use a unique configuration through the shared config option in all my agents (differentiating between macOS, Windows and Linux).

 In my tests,  if I do not force a restart of the wazuh agent, osquery does not run with the new version and the process crashes. This does not happen in a normal osquery update.

 Yeah, I know it … It is not recommended to restart wazuh agent from central config. But it is the only case I do so.

 I would prefer to restart wazuh’s agent automatically if it detects a version change in osquery, like it does when there is a change in centralised configuration.

Maybe making a specific rule? Although this has the problem that with each new osquery version, the rule will have to be changed/updated and restart the processes in all servers.

Best regards,

C. L. Martinez

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/31c6bc4f-c323-4c7a-8108-7cca0a5d9064n%40googlegroups.com.
<upgrade_osquery.sh.txt>

[Alberto Rodriguez]

This case is very specific and totally justified. I understand. I'm checking it with the team. 

[Alberto Rodriguez]

Hello Carlos

Please check if this change works. Use setsid /Library/Ossec/bin/ossec-control restart > /dev/null 2>&1 instead of /Library/Ossec/bin/ossec-control restart > /dev/null 2>&1. Regards,

[Carlos Lopez]

Thanks Alberto. But same result: it fails.

Best regards,

C. L. Martinez