wazuh-documentation icon indicating copy to clipboard operation
wazuh-documentation copied to clipboard

Published 20 hours ago verified publisher icon wazuh

Improve on instructions on how to install and uninstall the Wazuh macOS agent

Open javimed opened this issue 1 year ago • 1 comments

Currently, instructions on how to install and uninstall a macOS agent include starting and stopping the Wazuh agent service through the utility wazuh-control

https://documentation.wazuh.com/current/installation-guide/wazuh-agent/wazuh-agent-package-macos.html imagen

We could improve these steps recommending the use of a launchctl command for this.

javimed avatar Aug 17 '23 19:08 javimed

Update

(02/07/2024) Researching launchctl usage and suitability for our case. (03/07/2024) After deep research I have found that it's said in different sites that launchctl should be used with the load or unload arguments. Ref:

  • https://apple.stackexchange.com/questions/29056/launchctl-difference-between-load-and-start-unload-and-stop
  • https://discussions.apple.com/thread/5006946?sortBy=best

If we do so, the wazuh agent starts and stop by using load and unload, but the options start, stop and restart do not work and using them do not start, stop or restart the wazuh agent service.

(04/07/2024) macOS lets you see the status of a service using launchctl print system/com.wazuh.agent, but to do start or stop, if you do it with launchctl start system/com.wazuh.agent does nothing, you have to remove thesystem/.

The service can be managed with launchctl start com.wazuh.agent and launchctl stop com.wazuh.agent starting and stopping without any problem. Previously it is necessary to run launchctl load /Library/LaunchDaemons/com.wazuh.agent.plist to load the service and be able to manage it.

The configuration file of the service, /Library/LaunchDaemons/com.wazuh.agent.plist, adds a clause so that when it is loaded, it is launched, this is the root cause of this issue:

Not loading the service but having this clause was causing the agent to start automatically.

Regarding the documentation, if we want to manage the agent as a service we need to first run the launchctl load /Library/LaunchDaemons/com.wazuh.agent.plistcommand and then start/stop or stop with launchctl start/stop com.wazuh.agent. Restart cannot be used with launchctl.

(08/07/2024) Updated PR with final solution. (10/07/2024) Updated PR with requested change.

mjcr99 avatar Jul 02 '24 16:07 mjcr99