wazuh-documentation
wazuh-documentation copied to clipboard
wazuh
macOS Wazuh agent uninstall step fails
Description
- Source issue: https://github.com/wazuh/wazuh-jenkins/issues/6341
- OS: macOS 12
- Documentation: https://documentation.wazuh.com/current/installation-guide/uninstalling-wazuh/agent.html#uninstalling-a-macos-wazuh-agent
- https://documentation-dev.wazuh.com/v4.8.0-beta3/installation-guide/wazuh-agent/wazuh-agent-package-macos.html#uninstall-a-wazuh-agent
- Version: 4.8.0
When uninstalling the macOS agent, an error is obtained when the following command is executed:
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
/Library/LaunchDaemons/com.wazuh.agent.plist: Could not find specified service
Unload failed: 113: Could not find specified service
We need to fix the documentation with the correct command
sh-3.2# installer -pkg agent.pkg -target /
installer: Package name is Wazuh Agent
installer: Upgrading at base path /
installer: The upgrade was successful.
sh-3.2# ls -l /Library/LaunchDaemons/com.wazuh.agent.plist
-rw-r--r-- 1 root wheel 461 Mar 7 14:42 /Library/LaunchDaemons/com.wazuh.agent.plist
If this error is related to the package or the source code, please migrate the issue to the related repository
@rauldpm I've tested the install/uninstall procedure, and I got no errors:
System
macOS Sonoma 14.3.1 (23D60) @ arm64
Procedure
Install
installer -pkg wazuh-agent-4.8.0-1.arm64.pkg -target /
installer: Package name is Wazuh Agent installer: Installing at base path / installer: The install was successful.
Uninstall
/Library/Ossec/bin/wazuh-control stop
wazuh-modulesd not running... wazuh-logcollector not running... wazuh-syscheckd not running... wazuh-agentd not running... wazuh-execd not running... Wazuh v4.8.0 Stopped
/bin/rm -r /Library/Ossec
/bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
/bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
/bin/rm -rf /Library/StartupItems/WAZUH
/usr/bin/dscl . -delete "/Users/wazuh"
/usr/bin/dscl . -delete "/Groups/wazuh"
/usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
@vikman90 I used a macOS 12 Monterey ARM instance
I was able to reproduce it in our M1 Monterey machine
sh-3.2# ls -l wazuh-agent-4.8.0-1.arm64.pkg
-rw-r--r-- 1 root staff 6274253 Mar 11 21:32 wazuh-agent-4.8.0-1.arm64.pkg
sh-3.2# installer -pkg wazuh-agent-4.8.0-1.arm64.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# /Library/Ossec/bin/wazuh-control stop
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.8.0 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
/Library/LaunchDaemons/com.wazuh.agent.plist: Could not find specified service
Unload failed: 113: Could not find specified service
sh-3.2# sw_vers
ProductName: macOS
ProductVersion: 12.1
BuildVersion: 21C52
The problem seems to be that you have installed the package and immediately tried to unload the service.
On this issue: https://github.com/wazuh/wazuh/issues/21636, the service has been modified to not be loaded automatically after the installation but after a system reset. If you try to unload such a service when it hasn't yet been loaded, then it will throw an error. Now, if you try the same but after rebooting the system, or after manually loading the service, then you don't get any errors.
According to this post:
launchctl stop tries to stop the daemons and their subprocesses, so it's similar to wazuh-control stop. It this is correct:
- It is a duplicate action.
- Running this after removing /Library/Ossec has no sense.
Thus, I propose either one of the following changes:
- Run
launchctl stopbeforewazuh-control stopand ignore the output. - Delete the
launchctl stopcommand from the documentation aswazuh-control stopalready performs the same action.