Failed to install wazuh manager (using wazuh assistant)

[Haziq Mt Roslan]

Hi all, 

I have a problem where I cannot install wazuh manager. Even though I have update the system it still unable to install wazuh manager. I'm using oracle linux server and I have no problem on installing and running the wazuh indexer.

Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: wazuh-manager-4.4.3-1.x86_64                           1/1
  Installing       : wazuh-manager-4.4.3-1.x86_64                           1/1Error unpacking rpm package wazuh-manager-4.4.3-1.x86_64

  Verifying        : wazuh-manager-4.4.3-1.x86_64                           1/1Error: Transaction failed


Failed:
  wazuh-manager-4.4.3-1.x86_64

When I run systemctl status wazuh-manager, it shows:

26/05/2023 09:56:05 ERROR: wazuh-manager could not be started.
-- Logs begin at Tue 2023-05-16 18:48:28 +08, end at Fri 2023-05-26 09:56:05 +08. --
May 26 09:46:49 hqvmtsdwzs01 systemd[1]: Starting Wazuh manager...
May 26 09:46:49 hqvmtsdwzs01 env[22322]: /usr/bin/env: ‘/var/ossec/bin/wazuh-control’: Permission denied
May 26 09:46:49 hqvmtsdwzs01 systemd[1]: wazuh-manager.service: Control process exited, code=exited status=126

[Victor M. Fernandez-Castro]

Hi Haziq,

I'm trying to reproduce this problem, but I'm not sure what steps you're following.

On Oracle Linux 8 and 9, the assistant tells that the platform is not supported:

$ curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh && sudo bash ./wazuh-install.sh -a 

 

26/05/2023 08:44:24 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.

If I install the package manually, it works on Oracle Linux 8:

$ sudo rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH
$ wget https://packages.wazuh.com/4.x/yum/wazuh-manager-4.4.3-1.x86_64.rpm
$ sudo rpm -i wazuh-manager-4.4.3-1.x86_64.rpm

However, it won't work on Oracle Linux 9:

error: Failed dependencies:
        /sbin/service is needed by wazuh-manager-4.4.3-1.x86_64

I've raised the issue wazuh-packages/#2223 to check and fix that.

The error you posted makes me think that maybe the signature verification is failing. Please ensure the package's key is installed (the "rpm --import" command above).

If you could describe your environment (platform version) and which steps you're following more accurately, I think I could help you out better

Best regards,

Victor M. Fernandez-Castro Director of engineering vic...@wazuh.com vikman90 wazuh.com

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/668e55b7-ac21-4d52-9a90-b7361dc1bc1en%40googlegroups.com.

[Haziq Mt Roslan]

Hi, 

For the the system which is not in the recommended list we can add "-i" at the end of the bash command line to ignore the requirement. 

# bash wazuh-install.sh --wazuh-indexer node-1 -i

I already install it before in VM which completely fine and no error. I use oracle linux also as the OS of my VM and I just need to configure few things by myself such as firewall and ports and also the file configuration. Everything works but when I try to install it in the server it cause that problem where permission denied for ‘/var/ossec/bin/wazuh-control’ when installing the wazuh manager.

# bash wazuh-install.sh --wazuh-server wazuh-1 -i

After the wazuh manager fail to start during the installation, the bash script will automatically remove and clean the failed file which will removed the ossec file directory. For that reason, I would like to know what cause the problem. Any suggestion and recommendation are welcome. thanks again.

[Victor M. Fernandez-Castro]

Hi Haziq,

I'm sorry but I have not been able to reproduce your problem.

Please confirm which version of Oracle Linux you are using. I've tested a clean Oracle Linux 8 system:

vagrant init oraclelinux/8 https://oracle.github.io/vagrant-projects/boxes/oraclelinux/8.json
vagrant up
vagrant ssh

Setup:

curl -sO https://packages.wazuh.com/4.4/wazuh-install.sh
curl -sO https://packages.wazuh.com/4.4/config.yml
nano config.yml
sudo bash wazuh-install.sh --generate-config-files -i

Manager installation:

sudo bash wazuh-install.sh -i --wazuh-server wazuh-1

That command works in that environment. I would suggest doing these tests:

• Uninstall the manager with:

sudo bash wazuh-install.sh -i -u

• Enable verbose mode (-v), maybe it throws any clue of the cause of the issue.

The manager's RPM package is compatible with Oracle Linux 6-8, but per the error —that we ignore with option -i— I wonder if this OS is fully supported. Please confirm your OS version and which steps you're following for us to reproduce the issue.

Best,

Victor M. Fernandez-Castro Director of engineering vic...@wazuh.com vikman90 wazuh.com

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/16d99b49-e0f9-4405-8c10-e90f2de665edn%40googlegroups.com.

[Haziq Mt Roslan]

Hi Victor,

Sorry for the late reply. I'm currently using oracle linux 8.5 for VM but for the server I'm using oracle linux 8.7. I run the -v as you told me and the ossec file still remain unlike previous time that I try to install. But my problem still remain. My permission is denied to run the wazuh-control even though I'm on root privilege. As for the version of the OS that we use. I cannot simply change the OS that we use so I'm really grateful if I could fine a way to work around this problem. 

The file is located in the directory and I think that it is completely install in the server but the permission denied error really confused me. 

[root@abc /home/def]# ls /var/ossec/bin
agent_control    verify-agent-conf  wazuh-control      wazuh-logcollector    wazuh-regex
agent_groups     wazuh-agentlessd   wazuh-csyslogd     wazuh-logtest         wazuh-remoted
agent_upgrade    wazuh-analysisd    wazuh-db           wazuh-logtest-legacy  wazuh-reportd
clear_stats      wazuh-apid         wazuh-dbd          wazuh-maild           wazuh-syscheckd
cluster_control  wazuh-authd        wazuh-execd        wazuh-modulesd
manage_agents    wazuh-clusterd     wazuh-integratord  wazuh-monitord

[root@abc /home/def]# /var/ossec/bin/wazuh-control start
sudo: unable to execute /var/ossec/bin/wazuh-control: Permission denied

My last resort is to install everything back manually including the indexer that I successfully install perviously. 

[Daniel Folch]

Hello,

I see that you are installing the packages in a custom mount point (/usr/bin/env) could it be that the permissions of this mount point do not allow root to execute Wazuh?

Please check the permissions of the mount point, the wazuh directory and wazuh-control.

ls -la /usr/bin/env ls -la /usr/bin/env/var/ossec ls -la /usr/bin/env/var/ossec/bin/wazuh-control

Regards.
Daniel F

​

[Haziq Mt Roslan]

Hi Daniel, 

Sorry for the late reply. This is the permission of the mount point:

[root@example /home/example1]# ls -la /usr/bin/env
-rwxr-xr-x 1 root root 42432 Apr  3 20:54 /usr/bin/env

[ root@example /home/example1]# ls -la /usr/bin/env/varossec
ls: cannot access '/usr/bin/env/varossec': Not a directory

[ root@example /home/example1]# ls -la /usr/bin/env/var/ossec
ls: cannot access '/usr/bin/env/var/ossec': Not a directory

[ root@example /home/example1]# ls -la /usr/bin/env/var/ossec/bin/wazuh-control
ls: cannot access '/usr/bin/env/var/ossec/bin/wazuh-control': Not a directory

I will also include the permission to /var/ossec/bin/wazuh-control:

[root@example /home/example1]# ls -la /var/ossec
total 28
drwxr-x---  19 root  wazuh 4096 May 29 16:20 .
drwxr-xr-x. 22 root  root  4096 May 29 16:19 ..
drwxr-x---   3 root  wazuh   17 May 29 16:19 active-response
drwxr-x---   2 root  wazuh 4096 May 29 16:19 agentless
drwxr-x---   4 root  wazuh   42 May 29 16:19 api
drwxr-x---   5 root  wazuh   44 May 29 16:19 backup
drwxr-x---   2 root  wazuh 4096 May 29 16:19 bin
drwxrwx---   7 wazuh wazuh 4096 May 29 16:20 etc
drwxr-x---   5 root  wazuh   48 May 29 16:20 framework
drwxr-x---   2 root  wazuh  124 May 29 16:20 integrations
drwxr-x---   2 root  wazuh 4096 May 29 16:20 lib
drwxrwx---   8 wazuh wazuh  143 May 29 16:20 logs
drwxr-x---  15 root  wazuh 4096 May 29 16:20 queue
drwxr-x---   5 root  wazuh   46 May 29 16:20 ruleset
drwxrwx---   2 root  wazuh    6 May 25 04:05 .ssh
drwxr-x---   2 wazuh wazuh    6 May 25 04:05 stats
drwxrwx--T   2 root  wazuh    6 May 29 16:20 tmp
drwxr-x---   9 root  wazuh  106 May 29 16:20 var
drwxr-x---   6 root  wazuh   93 May 29 16:20 wodles

[root@example /home/example1  ]# ls -la /var/ossec/bin/
total 22960
drwxr-x---  2 root wazuh    4096 May 29 16:19 .
drwxr-x--- 19 root wazuh    4096 May 29 16:20 ..
-rwxr-x---  1 root root   464493 May 25 04:05 agent_control
-rwxr-x---  1 root wazuh    1045 May 25 04:05 agent_groups
-rwxr-x---  1 root wazuh    1045 May 25 04:05 agent_upgrade
-rwxr-x---  1 root root   111450 May 25 04:05 clear_stats
-rwxr-x---  1 root wazuh    1045 May 25 04:05 cluster_control
-rwxr-x---  1 root root   479245 May 25 04:05 manage_agents
-rwxr-x---  1 root wazuh 1274450 May 25 04:05 verify-agent-conf
-rwxr-x---  1 root root  1287054 May 25 04:05 wazuh-agentlessd
-rwxr-x---  1 root root  1695001 May 25 04:05 wazuh-analysisd
-rwxr-x---  1 root wazuh    1013 May 25 04:05 wazuh-apid
-rwxr-x---  1 root root  1316909 May 25 04:05 wazuh-authd
-rwxr-x---  1 root wazuh    1045 May 25 04:05 wazuh-clusterd
-rwxr-x---  1 root root    16085 May 25 04:05 wazuh-control
-rwxr-x---  1 root root  1291660 May 25 04:05 wazuh-csyslogd
-rwxr-x---  1 root root  1543880 May 25 04:05 wazuh-db
-rwxr-x---  1 root root  1311708 May 25 04:05 wazuh-dbd
-rwxr-x---  1 root root  1304186 May 25 04:05 wazuh-execd
-rwxr-x---  1 root root  1287130 May 25 04:05 wazuh-integratord
-rwxr-x---  1 root root  1347671 May 25 04:05 wazuh-logcollector
-rwxr-x---  1 root wazuh    1045 May 25 04:05 wazuh-logtest
-rwxr-x---  1 root root  1705020 May 25 04:05 wazuh-logtest-legacy
-rwxr-x---  1 root root  1307578 May 25 04:05 wazuh-maild
-rwxr-x---  1 root root  1277468 May 25 04:05 wazuh-modulesd
-rwxr-x---  1 root root  1304570 May 25 04:05 wazuh-monitord
-rwxr-x---  1 root root   125967 May 25 04:05 wazuh-regex
-rwxr-x---  1 root root  1373499 May 25 04:05 wazuh-remoted
-rwxr-x---  1 root root   149542 May 25 04:05 wazuh-reportd
-rwxr-x---  1 root root  1453443 May 25 04:05 wazuh-syscheckd

[root@example /home/example1]# ls -la /var/ossec/bin/wazuh-control
-rwxr-x--- 1 root root 16085 May 25 04:05 /var/ossec/bin/wazuh-control

Is there a way to work around this because I already check SElinux, firewall, AppArmor. All of it are not causing any problem that can cause this to happen. By the way, I also disable IPv6 in this machine as well. Anyone have any suggestion and recommendation are welcome to share it. Thanks in advance.

[Haziq Mt Roslan]

I solve this problem. To anyone encountering the same issue check your mount using this command:

# mount | grep /var

This command will show you the status of the mount in your system. Try look for "noexec" status if it appeared in the list meaning it is the one that responsible to denied your permission to run certain file because it means "No execution" . To enable the "exec" you can run this command:

# mount -0 remount,exec /var

To enable "noexec" back

# mount -0 remount,noexec /var