ossec-hids-agent 2.8.3 Ubuntu package question

Terence Kent

Apr 3, 2017, 9:35:37 PM
to Wazuh mailing list
Hello!

I'm trying to track down where I should file reports for two issues with the ossec-hids-agent package hosted on ossec.wazuh.com and I'm hoping you can help.

First, I should ask if these packages are going to be maintained since I know there is significant effort being put into the wazuh ossec fork. If you don't intend to continue to maintain the ossec-hids-agent package (I noticed atomicorp is now referenced on the official ossec.github.io site), then I probably shouldn't file anything :-).

Assuming you are maintaining these packages, I could not figure out which repository to file the issues against. The specific files that are causing an issue are the dpkg postinstall and preremove scripts. After looking through the git repositories of both the official ossec-hids project and the wazuh fork, I couldn't find the offending files anywhere. Even going through the git history didn't yield any results in my searches. This leads me to believe the files that are affected are in some other fork or repository that I haven't found yet, and that's where I should probably file my issue.

Thanks!
Terence

Jose Luis Ruiz

Apr 3, 2017, 9:58:41 PM
to Terence Kent, Wazuh mailing list
Hi Terence

Answering the first question, yes, the packages will continue to be maintained; in fact we are working now on the latest OSSEC version in order to release the packages as soon as possible.

About your second question, you can find all the scripts to create the packages at the following link: https://github.com/santiago-bassett/ossec-debian

But can you give me some more details about your problem in order to try to help you?

thanks!


Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/2081dffc-e26b-4f55-97f9-1939af8c5587%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Terence Kent

Apr 3, 2017, 10:18:23 PM
to Wazuh mailing list
Hey Jose,

Thanks for the quick reply, and I'm happy to hear that wazuh will be maintaining the ossec-hids-agent package for debian/ubuntu systems!

The issue I'm running into is with the prerm and postinst scripts with ossec-hids-agent 2.8.3-4trusty. However, even in the repository you sent me there is no prerm script and the postinst script doesn't have the offending section.

Since the problems are easy to explain, I'll just list them here. They are minor and we only ran into this when we were doing some salt state upgrades.

1. In the prerm script, "set -e" is used and there is an attempt to stop the ossec service. This is a problem because prerm is called both on apt-get remove and apt-get purge. If a remove happens before a purge, you can't remove the package because the attempt to stop the service returns a non 0 exit value.

2. In the postinst script, again "set -e" is used and there is a reference to a logrotate configuration file that is not available/present.

Again, neither of these issues are in the GitHub repo you referenced, so maybe you fixed them *prior* to the GitHub repo's history? Or, I'm blind and the code is somewhere I haven't found yet.

Thanks!
Terence




Jose Luis Ruiz

Apr 4, 2017, 8:10:33 AM
to Terence Kent, Wazuh mailing list

Hi Terence,

You are right, this repository doesn't have this file. I thought it was there, my bad, sorry:

#!/bin/sh
# prerm script for ossec-hids-agent

set -e

case "$1" in
    remove|upgrade|deconfigure)
    service ossec stop > /dev/null 2>&1
    ;;

    failed-upgrade)
    service ossec stop > /dev/null 2>&1
    ;;

    *)
        echo "prerm called with unknown argument \`$1'" >&2
        exit 1
    ;;

esac

exit 0

The content below has been copied from https://wiki.debian.org/MaintainerScripts. As I can see there, the "prerm" is only run once, in the removal section. I'm doing some tests in our lab with remove, purge, purge+remove, etc. and I cannot reproduce the error, but anyway this file has been deleted for the next version, the 2.9.x; we process everything in the postrm.

Tell me your thoughts about that :)


When removing a package that was previously installed, if everything goes well, the package will be left in the Config Files state, this means that it needs to be purged before it is in the Not installed state. 

If something goes wrong at the postrm stage, and the postinst abort-remove script is called, then the package might be left in a strange state: it is still Installed, but the files are not there anymore. If any of the processes fails, when the package removal is tried again, it will resume from where it left (i.e. if the prerm worked and the postrm didn't, it'll resume from the postrm). 

Purging


If a package that is in state Config Files has to be purged, the cycle is really simple: the conffiles are deleted and then postrm purge is called. 

Removing and Purging


If the package is to be removed and purged at the same time, both diagrams combine, forming a diagram in which the package passes to be Not installed if everything goes ok.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.

Terence Kent

Apr 4, 2017, 9:23:54 PM
to Wazuh mailing list, teren...@gmail.com
Hey! Thanks again for the quick reply.

Regarding the prerm script, since you've removed it - that'll work just fine. IMO, I would keep the script, just have it test for the existence of the ossec service before attempting to stop it.

In case you were interested in reproducing the issue, you have to first do an apt-get remove (or equivalent) *then* an apt-get purge (or equivalent). When you're in the removed-but-not-purged state, you can't purge the package without modifying the prerm script.


Separately, the logrotate file reference is also not in the repository you linked to. I assume that means that's another "this area of code has already been changed and won't be relevant anymore" thing?

If that's all true, looks like there was nothing to report after all!

Best,
Terence
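
The suggestion in the message above (keep the prerm script but test for the ossec service before stopping it), written out as an added example; it is not code from the package or from either poster. The init script path /etc/init.d/ossec and the OSSEC_INIT and SERVICE_CMD override variables are assumptions, introduced so the logic can be exercised outside a real install.

```shell
#!/bin/sh
# prerm sketch for ossec-hids-agent (added example, not the packaged script).
# Keeps "set -e" but never lets a missing or failing service abort removal.
set -e

# Assumptions: default init script location and the two override variables.
OSSEC_INIT="${OSSEC_INIT:-/etc/init.d/ossec}"
SERVICE_CMD="${SERVICE_CMD:-service}"

stop_ossec_if_present() {
    # Init script already gone (files removed earlier): nothing to stop.
    if [ ! -x "$OSSEC_INIT" ]; then
        return 0
    fi
    # A command tested by "if" does not trigger "set -e", so a non-zero
    # status from the stop attempt is reported instead of aborting.
    if ! "$SERVICE_CMD" ossec stop > /dev/null 2>&1; then
        echo "prerm: could not stop ossec, continuing" >&2
    fi
    return 0
}

prerm_main() {
    case "$1" in
        remove|upgrade|deconfigure|failed-upgrade)
            stop_ossec_if_present
            ;;
        *)
            echo "prerm called with unknown argument \`$1'" >&2
            return 1
            ;;
    esac
}

# dpkg always passes an action; with no arguments the file only defines functions.
[ "$#" -eq 0 ] || prerm_main "$@"
```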

Jose Luis Ruiz

Apr 6, 2017, 10:31:17 AM
to Terence Kent, Wazuh mailing list, teren...@gmail.com
Hi Terence,

You are right, I will check that and update the packages, thanks for your feedback as always!

We will release a repository with the deb and rpm files soon.

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc.
jo...@wazuh.com
