
The systemd unit is using the deprecated option `KillMode=none`

Open mrtc0 opened this issue 3 years ago • 6 comments

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.2.5 | systemd unit file | Agent | Packages | Ubuntu 21.04 |

Wazuh Agent's systemd unit file contains a deprecated setting, KillMode=none.

I see the warning:

Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
# systemctl status wazuh-agent | cat -
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2021-11-29 13:41:47 UTC; 2 weeks 5 days ago
      Tasks: 31 (limit: 9413)
     Memory: 712.5M
     CGroup: /system.slice/wazuh-agent.service
             ├─777819 /var/ossec/bin/wazuh-execd
             ├─777830 /var/ossec/bin/wazuh-agentd
             ├─777844 /var/ossec/bin/wazuh-syscheckd
             ├─777858 /var/ossec/bin/wazuh-logcollector
             └─777876 /var/ossec/bin/wazuh-modulesd

Dec 08 00:20:52 ubuntu systemd[1]: /lib/systemd/system/wazuh-agent.service:12: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.

Environment

# uname -a
Linux ubuntu 5.11.0-38-generic #42-Ubuntu SMP Fri Sep 24 14:03:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

# journalctl --version
systemd 247 (247.3-3ubuntu3.6)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

mrtc0 avatar Dec 19 '21 00:12 mrtc0

Hi @mrtc0 ,

Thanks for reporting this issue, which happens since systemd v246 (original PR). Wazuh services use this option since v3.0.0 (commit), but there's no other justification but the commit comment about its value.

I am going to investigate which of the new allowed values suits our needs and fix it ASAP.

Rationale

Wazuh (both manager and agent) manages its daemons with wazuh-control. This tool finds each daemon's PID, tries to stop it gracefully with a one-minute timeout, and kills it if it does not respond.

We set KillMode to None in 3.0.0 (https://github.com/wazuh/wazuh/commit/4ae03506288ed079e50535e46c2e4a4a1f59b6fc9), in order to prevent the agent from killing itself when upgrading via WPK.

DoD

  • [x] Research current available KillModes that meet the project needs
  • [x] Change such KillMode
  • [x] Validate it by upgrading using WPK and common scenarios
  • [x] QA coverage https://github.com/wazuh/wazuh-qa/issues/3266

Regards, Nico

jnasselle avatar Dec 23 '21 03:12 jnasselle

Same for SUSE 15.3: systemd[1]: /usr/lib/systemd/system/wazuh-agent.service:12: Unit configured to use KillMode=none. Support for KillMode=none is deprecated and will be eventually removed in future SLE versions. Please see SUSE TID https://www.suse.com/support/kb/doc/?id=000020394 for more details.

uname -a
5.3.18-150300.59.43-default #1 SMP Sun Jan 23 19:27:23 UTC 2022 (c76af22) x86_64 x86_64 x86_64 GNU/Linux

cat /etc/os-release
NAME="SLES"
VERSION="15-SP3"
VERSION_ID="15.3"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP3"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp3"
DOCUMENTATION_URL="https://documentation.suse.com/"

journalctl --version
systemd 246 (246.16+suse.191.g3850086c65)
+PAM +AUDIT +SELINUX -IMA +APPARMOR -SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

georgethemarmot avatar Feb 09 '22 16:02 georgethemarmot

ANALYSIS

systemd killmode

Specifies how processes of this unit shall be killed. Can be set to:

  • control-group:
    • All remaining processes in the control group of this unit will be killed on unit stop
  • process:
    • Only the main process itself is killed (not recommended!)
  • mixed:
    • SIGTERM signal is sent to the main process.
    • SIGKILL signal is sent to all remaining processes of the unit's control group.
  • none:
    • No process is killed (strongly recommended against!).
    • Only the stop command will be executed on unit stop, but no process will be killed otherwise.
    • Processes remaining alive after stop are left in their control group and the control group continues to exist after stop unless empty.

SendSIGKILL

  • Specifies whether to send SIGKILL (or the signal specified by FinalKillSignal) to remaining processes after a timeout.
  • If KillMode is set to control-group or mixed and SendSIGKILL is disabled:
    • Service will not restart if processes from prior services exist within the control group.
    • This is not an issue because we control all of the processes from this service (and ensure they are killed on restart, stop).

System output for the different KillMode

After changing /lib/systemd/system/wazuh-agent.service, I ran:

# systemctl daemon-reload 
# systemctl restart wazuh-agent.service
# journalctl | grep wazuh

Using KillMode=none

Aug 30 14:54:20 ubuntu21 systemd[1]: /lib/systemd/system/wazuh-agent.service:13: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'. Support for KillMode=none is deprecated and will eventually be removed.
Aug 30 14:54:21 ubuntu21 env[12268]: Killing wazuh-modulesd...
Aug 30 14:54:21 ubuntu21 env[12268]: Killing wazuh-logcollector...
Aug 30 14:54:21 ubuntu21 env[12268]: Killing wazuh-syscheckd...
Aug 30 14:54:21 ubuntu21 env[12268]: Killing wazuh-agentd...
Aug 30 14:54:21 ubuntu21 env[12268]: Killing wazuh-execd...
Aug 30 14:54:21 ubuntu21 systemd[1]: wazuh-agent.service: Succeeded.
Aug 30 14:54:21 ubuntu21 env[12322]: Started wazuh-execd...
Aug 30 14:54:23 ubuntu21 env[12322]: Started wazuh-agentd...
Aug 30 14:54:24 ubuntu21 env[12322]: Started wazuh-syscheckd...
Aug 30 14:54:25 ubuntu21 env[12322]: Started wazuh-logcollector...
Aug 30 14:54:26 ubuntu21 env[12322]: Started wazuh-modulesd...

Upgrading the agent

#/var/ossec/bin/agent_upgrade -l
ID    Name                                Version                  
009   ubuntu21                            Wazuh v4.2.5           

Total outdated agents: 3

#/var/ossec/bin/agent_upgrade -a 009
Upgrading...

Upgraded agents:
	Agent 009 upgraded: Wazuh v4.2.5 -> Wazuh v4.3.7


Using KillMode=mixed

Aug 30 14:57:12 ubuntu21 env[13371]: Killing wazuh-modulesd...
Aug 30 14:57:12 ubuntu21 env[13371]: Killing wazuh-logcollector...
Aug 30 14:57:12 ubuntu21 env[13371]: Killing wazuh-syscheckd...
Aug 30 14:57:12 ubuntu21 env[13371]: Killing wazuh-agentd...
Aug 30 14:57:12 ubuntu21 env[13371]: Killing wazuh-execd...
Aug 30 14:57:12 ubuntu21 systemd[1]: wazuh-agent.service: Succeeded.
Aug 30 14:57:12 ubuntu21 env[13425]: Started wazuh-execd...
Aug 30 14:57:14 ubuntu21 env[13425]: Started wazuh-agentd...
Aug 30 14:57:15 ubuntu21 env[13425]: Started wazuh-syscheckd...
Aug 30 14:57:16 ubuntu21 env[13425]: Started wazuh-logcollector...
Aug 30 14:57:17 ubuntu21 env[13425]: Started wazuh-modulesd...

Upgrading the agent

#/var/ossec/bin/agent_upgrade -l
ID    Name                                Version                  
009   ubuntu21                            Wazuh v4.2.5           

Total outdated agents: 1

#/var/ossec/bin/agent_upgrade -a 009
Upgrading...

This upgrade stalled and raises an error for future upgrades (see final note).

Adding SendSIGKILL=no

#/var/ossec/bin/agent_upgrade -a 012

Upgrading...

Upgraded agents:
	Agent 012 upgraded: Wazuh v4.2.5 -> Wazuh v4.3.7

Using KillMode=control-group

Aug 30 14:58:02 ubuntu21 env[14459]: Killing wazuh-modulesd...
Aug 30 14:58:02 ubuntu21 env[14459]: Killing wazuh-logcollector...
Aug 30 14:58:03 ubuntu21 env[14459]: Killing wazuh-syscheckd...
Aug 30 14:58:03 ubuntu21 env[14459]: Killing wazuh-agentd...
Aug 30 14:58:03 ubuntu21 env[14459]: Killing wazuh-execd...
Aug 30 14:58:03 ubuntu21 systemd[1]: wazuh-agent.service: Succeeded.
Aug 30 14:58:04 ubuntu21 env[14513]: Started wazuh-execd...
Aug 30 14:58:05 ubuntu21 env[14513]: Started wazuh-agentd...
Aug 30 14:58:05 ubuntu21 env[14513]: Started wazuh-syscheckd...
Aug 30 14:58:06 ubuntu21 env[14513]: Started wazuh-logcollector...
Aug 30 14:58:07 ubuntu21 env[14513]: Started wazuh-modulesd...

Upgrading the agent

#/var/ossec/bin/agent_upgrade -l
ID    Name                                Version                  
009   ubuntu21                            Wazuh v4.2.5           

Total outdated agents: 1

#/var/ossec/bin/agent_upgrade -a 009
Upgrading...

This upgrade stalled and raises an error for future upgrades (see final note).

Adding SendSIGKILL=no

After adding this option, it is impossible to restart the agent via systemctl.

Aug 30 16:42:45 ubuntu21 systemd[1]: wazuh-agent.service: Will not start SendSIGKILL=no service of type KillMode=control-group or mixed while processes exist

Testing wazuh-control

# ./wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.3.7 Stopped

# ./wazuh-control start
Starting Wazuh v4.3.7...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# ./wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.3.7 Stopped
Starting Wazuh v4.3.7...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# ./wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running... 

Testing on other OS

The first tests were made on Ubuntu 21.04; I will take the same steps on other OSes:

  • Centos8:
#/var/ossec/bin/agent_upgrade -a 015

Upgrading...
	Agent 015 upgraded: Wazuh v4.2.5 -> Wazuh v4.3.7
  • OpenSuse leap:
#/var/ossec/bin/agent_upgrade -a 017

Upgrading...

Upgraded agents:
	Agent 017 upgraded: Wazuh v4.2.5 -> Wazuh v4.3.7

.service proposal

Agent

[Unit]
Description=Wazuh agent
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking

ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start
ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop
ExecReload=/usr/bin/env /var/ossec/bin/wazuh-control reload

KillMode=mixed
SendSIGKILL=no
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Manager

[Unit]
Description=Wazuh manager
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking
LimitNOFILE=65536

ExecStart=/usr/bin/env WAZUH_HOME_TMP/bin/wazuh-control start
ExecStop=/usr/bin/env WAZUH_HOME_TMP/bin/wazuh-control stop
ExecReload=/usr/bin/env WAZUH_HOME_TMP/bin/wazuh-control reload

KillMode=mixed
SendSIGKILL=no
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

Discoveries

Possible bug

After a failed upgrade attempt:

#/var/ossec/bin/agent_upgrade -a 005
Agents that cannot be upgraded:
	Agent 005 upgrade failed. Status: Error 1820 - Upgrade procedure could not start. Agent already upgrading
  • Agent, manager and OS reset won't fix it (agent re-install needed).

sebasfalcone avatar Aug 31 '22 15:08 sebasfalcone
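
The KillMode and SendSIGKILL combinations analysed in the comment above, turned into a small unit-file audit. This is an added example, not code from the Wazuh project or from any commenter; it goes slightly beyond the thread by also resolving drop-in overrides, and the function names, finding codes and sample units (all constructed) are assumptions for illustration.

```python
import re

# Defaults from systemd.kill(5): KillMode=control-group, SendSIGKILL=yes.
DEFAULTS = {"KillMode": "control-group", "SendSIGKILL": "yes"}
KNOWN_MODES = {"control-group", "mixed", "process", "none"}
FALSE_VALUES = {"0", "no", "false", "off"}  # systemd boolean "off" spellings

# Constructed sample: a unit that still uses KillMode=none.
UNIT_NONE = """\
[Unit]
Description=Wazuh agent

[Service]
Type=forking
ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start
ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop
KillMode=none
RemainAfterExit=yes
"""
# Constructed variants carrying the kill settings of the proposals in this thread.
UNIT_MIXED = UNIT_NONE.replace("KillMode=none", "KillMode=mixed\nSendSIGKILL=no")
UNIT_PROCESS = UNIT_NONE.replace("KillMode=none", "KillMode=process")
# Constructed drop-in (hypothetical wazuh-agent.service.d/override.conf).
DROPIN_CGROUP = "[Service]\nKillMode=control-group\n"


def effective_kill_settings(*fragments):
    """Resolve KillMode/SendSIGKILL from the unit plus drop-ins, in load order.

    Later assignments override earlier ones. Simplification of this example:
    empty assignments are ignored rather than modelled.
    """
    settings = dict(DEFAULTS)
    for text in fragments:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            header = re.fullmatch(r"\[([^\]]+)\]", line)
            if header:
                section = header.group(1)
                continue
            if section != "Service" or "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key in settings and value:
                settings[key] = value
    return settings


def audit(*fragments):
    """Return (code, message) findings for the combinations the thread reports."""
    s = effective_kill_settings(*fragments)
    mode = s["KillMode"]
    sigkill_off = s["SendSIGKILL"].lower() in FALSE_VALUES
    findings = []
    if mode not in KNOWN_MODES:
        findings.append(("UNKNOWN_KILLMODE", f"KillMode={mode} is not a known value"))
    elif mode == "none":
        findings.append(("KILLMODE_NONE",
                         "systemd kills no process on stop; deprecated, "
                         "warning logged since systemd v246"))
    elif mode == "process":
        findings.append(("KILLMODE_PROCESS",
                         "only the main process is killed (not recommended)"))
    elif sigkill_off:  # control-group or mixed with SendSIGKILL disabled
        findings.append(("NO_START_WHILE_PROCESSES_EXIST",
                         f"SendSIGKILL=no with KillMode={mode}: unit will not start "
                         "while processes from a previous run remain in the cgroup"))
    return findings


if __name__ == "__main__":
    for name, frags in [("none", (UNIT_NONE,)), ("mixed+nosigkill", (UNIT_MIXED,)),
                        ("process", (UNIT_PROCESS,)),
                        ("none+dropin", (UNIT_NONE, DROPIN_CGROUP))]:
        print(name, effective_kill_settings(*frags), audit(*frags))
```

On a live host, `systemctl show -p KillMode -p SendSIGKILL wazuh-agent.service` reports the values systemd actually loaded, which is the authoritative check.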

Table of contents

  • Updating the agent - Debian
    • Baseline
    • Installed from package (4.3.7)
      • AGENT SIDE
      • MANAGER SIDE
    • Updated with WPK to 4.4 (with modified service)
      • MANAGER SIDE
      • AGENT SIDE
    • Problems
    • Explanation

Updating the agent - Debian

Baseline

The agent was running on:

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

Installed from package (4.3.7)

AGENT SIDE

# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-09-01 12:58:46 -03; 16min ago
    Process: 926 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 37 (limit: 1034)
     Memory: 327.2M
     CGroup: /system.slice/wazuh-agent.service
             ├─ 974 /var/ossec/bin/wazuh-execd
             ├─1023 /var/ossec/bin/wazuh-agentd
             ├─1126 /var/ossec/bin/wazuh-syscheckd
             ├─1193 /var/ossec/bin/wazuh-logcollector
             └─1267 /var/ossec/bin/wazuh-modulesd

Sep 01 12:58:39 ubuntu21 systemd[1]: Starting Wazuh agent...
Sep 01 12:58:39 ubuntu21 env[926]: Starting Wazuh v4.3.7...
Sep 01 12:58:40 ubuntu21 env[926]: Started wazuh-execd...
Sep 01 12:58:41 ubuntu21 env[926]: Started wazuh-agentd...
Sep 01 12:58:42 ubuntu21 env[926]: Started wazuh-syscheckd...
Sep 01 12:58:43 ubuntu21 env[926]: Started wazuh-logcollector...
Sep 01 12:58:44 ubuntu21 env[926]: Started wazuh-modulesd...
Sep 01 12:58:45 ubuntu21 systemd[1]: /lib/systemd/system/wazuh-agent.service:12: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management >
Sep 01 12:58:46 ubuntu21 env[926]: Completed.
Sep 01 12:58:46 ubuntu21 systemd[1]: Started Wazuh agent.

MANAGER SIDE

#/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ubuntu22 (server), IP: 127.0.0.1, Active/Local
   ID: 004, Name: ubuntu21, IP: any, Active

List of agentless devices:

Updated with WPK to 4.4 (with modified service)

MANAGER SIDE

# /var/ossec/bin/agent_upgrade -a 004 -d -f ~/wazuh_agent_v4.4.0-11408.systemd_linux_x86_64.wpk

Upgrading...

Upgraded agents:
	Agent 004 upgraded: Wazuh v4.3.7 -> Wazuh v4.4.0

AGENT SIDE

# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-09-01 13:22:44 -03; 46s ago
    Process: 4941 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 38 (limit: 1034)
     Memory: 57.6M
     CGroup: /system.slice/wazuh-agent.service
             ├─4963 /var/ossec/bin/wazuh-execd
             ├─4971 /var/ossec/bin/wazuh-agentd
             ├─4985 /var/ossec/bin/wazuh-syscheckd
             ├─4997 /var/ossec/bin/wazuh-logcollector
             └─5011 /var/ossec/bin/wazuh-modulesd

Sep 01 13:22:38 ubuntu21 systemd[1]: Starting Wazuh agent...
Sep 01 13:22:38 ubuntu21 env[4941]: Starting Wazuh v4.4.0...
Sep 01 13:22:38 ubuntu21 env[4941]: Started wazuh-execd...
Sep 01 13:22:39 ubuntu21 env[4941]: Started wazuh-agentd...
Sep 01 13:22:41 ubuntu21 env[4941]: Started wazuh-syscheckd...
Sep 01 13:22:41 ubuntu21 env[4941]: Started wazuh-logcollector...
Sep 01 13:22:42 ubuntu21 env[4941]: Started wazuh-modulesd...
Sep 01 13:22:44 ubuntu21 env[4941]: Completed.
Sep 01 13:22:44 ubuntu21 systemd[1]: Started Wazuh agent.

Problems

  • Service files location changed.
  • Update failed if agent is not restarted.

Explanation

  • Upgrade fails:
#cat /var/ossec/logs/upgrade.log
2022/09/02 16:41:56 - Waiting connection... Status = pending. Remaining attempts: 3.
./var/upgrade/src/init/pkg_installer.sh: line 207: ./var/run/wazuh-agentd.state: No such file or directory
2022/09/02 16:41:57 - Waiting connection... Status = pending. Remaining attempts: 2.
./var/upgrade/src/init/pkg_installer.sh: line 207: ./var/run/wazuh-agentd.state: No such file or directory
2022/09/02 16:41:58 - Waiting connection... Status = pending. Remaining attempts: 1.
./var/upgrade/src/init/pkg_installer.sh: line 207: ./var/run/wazuh-agentd.state: No such file or directory
2022/09/02 16:42:00 - Waiting connection... Status = pending. Remaining attempts: 0.
2022/09/02 16:42:00 - Upgrade failed. Restoring...
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.4.0 Stopped
2022/09/02 16:42:00 - Deleting upgrade files...
2022/09/02 16:42:00 - Restoring backup....
./var/upgrade/src/init/pkg_installer.sh: line 267: /sbin/chkconfig: No such file or directory
Starting Wazuh v4.3.7...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.

# ls /var/ossec/var/run/
wazuh-agentd-9009.pid  wazuh-agentd.state  wazuh-execd-8998.pid
  • When the service is restarted, then some extra files appear:
# /var/ossec/bin/wazuh-control restart
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.3.7 Stopped
Starting Wazuh v4.3.7...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
 
# ls /var/ossec/var/run/
wazuh-agentd-9696.pid  wazuh-execd-9685.pid         wazuh-modulesd-9736.pid
wazuh-agentd.state     wazuh-logcollector-9722.pid  wazuh-syscheckd-9710.pid
  • Now the upgrade succeeds:
# /var/ossec/bin/agent_upgrade -a 004 -f ~/wazuh_agent_v4.4.0-11408.systemd_linux_x86_64.wpk 

Upgrading...

Upgraded agents:
	Agent 004 upgraded: Wazuh v4.3.7 -> Wazuh v4.4.0

sebasfalcone avatar Sep 01 '22 16:09 sebasfalcone

Table of contents

  • Updating the agent - Centos
    • Baseline
    • Installed from package (4.3.7)
      • AGENT SIDE
      • MANAGER SIDE
    • Updated with WPK to 4.4 (with modified service)
      • MANAGER SIDE
      • AGENT SIDE
    • NOTES

Updating the agent - Debian

Baseline

The agent was running on:

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

Installed from package (4.3.7)

AGENT SIDE

# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-09-01 12:58:46 -03; 16min ago
    Process: 926 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 37 (limit: 1034)
     Memory: 327.2M
     CGroup: /system.slice/wazuh-agent.service
             ├─ 974 /var/ossec/bin/wazuh-execd
             ├─1023 /var/ossec/bin/wazuh-agentd
             ├─1126 /var/ossec/bin/wazuh-syscheckd
             ├─1193 /var/ossec/bin/wazuh-logcollector
             └─1267 /var/ossec/bin/wazuh-modulesd

Sep 01 12:58:39 ubuntu21 systemd[1]: Starting Wazuh agent...
Sep 01 12:58:39 ubuntu21 env[926]: Starting Wazuh v4.3.7...
Sep 01 12:58:40 ubuntu21 env[926]: Started wazuh-execd...
Sep 01 12:58:41 ubuntu21 env[926]: Started wazuh-agentd...
Sep 01 12:58:42 ubuntu21 env[926]: Started wazuh-syscheckd...
Sep 01 12:58:43 ubuntu21 env[926]: Started wazuh-logcollector...
Sep 01 12:58:44 ubuntu21 env[926]: Started wazuh-modulesd...
Sep 01 12:58:45 ubuntu21 systemd[1]: /lib/systemd/system/wazuh-agent.service:12: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's process lifecycle management >
Sep 01 12:58:46 ubuntu21 env[926]: Completed.
Sep 01 12:58:46 ubuntu21 systemd[1]: Started Wazuh agent.

MANAGER SIDE

#/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ubuntu22 (server), IP: 127.0.0.1, Active/Local
   ID: 004, Name: ubuntu21, IP: any, Active

List of agentless devices:

Updated with WPK to 4.4 (with modified service)

MANAGER SIDE

# /var/ossec/bin/agent_upgrade -a 004 -d -f ~/wazuh_agent_v4.4.0-11408.systemd_linux_x86_64.wpk

Upgrading...

Upgraded agents:
     Agent 004 upgraded: Wazuh v4.3.7 -> Wazuh v4.4.0

AGENT SIDE

# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-09-01 13:22:44 -03; 46s ago
    Process: 4941 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 38 (limit: 1034)
     Memory: 57.6M
     CGroup: /system.slice/wazuh-agent.service
             ├─4963 /var/ossec/bin/wazuh-execd
             ├─4971 /var/ossec/bin/wazuh-agentd
             ├─4985 /var/ossec/bin/wazuh-syscheckd
             ├─4997 /var/ossec/bin/wazuh-logcollector
             └─5011 /var/ossec/bin/wazuh-modulesd

Sep 01 13:22:38 ubuntu21 systemd[1]: Starting Wazuh agent...
Sep 01 13:22:38 ubuntu21 env[4941]: Starting Wazuh v4.4.0...
Sep 01 13:22:38 ubuntu21 env[4941]: Started wazuh-execd...
Sep 01 13:22:39 ubuntu21 env[4941]: Started wazuh-agentd...
Sep 01 13:22:41 ubuntu21 env[4941]: Started wazuh-syscheckd...
Sep 01 13:22:41 ubuntu21 env[4941]: Started wazuh-logcollector...
Sep 01 13:22:42 ubuntu21 env[4941]: Started wazuh-modulesd...
Sep 01 13:22:44 ubuntu21 env[4941]: Completed.
Sep 01 13:22:44 ubuntu21 systemd[1]: Started Wazuh agent.

NOTES

  • Service files location changed

sebasfalcone avatar Sep 01 '22 17:09 sebasfalcone

Table of contents

  • Updating the agent - Debian
    • Baseline
    • Installed from package (4.3.7)
      • AGENT SIDE
      • MANAGER SIDE
    • Updated with WPK to 4.4 (with modified service)
      • MANAGER SIDE
      • AGENT SIDE
    • .service proposal
      • Agent
      • Manager

Updating the agent - Debian

Baseline

The agent was running on:

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=21.04
DISTRIB_CODENAME=hirsute
DISTRIB_DESCRIPTION="Ubuntu 21.04"

Installed from package (4.3.7)

AGENT SIDE

# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/lib/systemd/system/wazuh-agent.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-09-05 14:55:48 -03; 9s ago
    Process: 5892 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 34 (limit: 1034)
     Memory: 11.5M
     CGroup: /system.slice/wazuh-agent.service
             ├─5914 /var/ossec/bin/wazuh-execd
             ├─5925 /var/ossec/bin/wazuh-agentd
             ├─5938 /var/ossec/bin/wazuh-syscheckd
             ├─5950 /var/ossec/bin/wazuh-logcollector
             └─5964 /var/ossec/bin/wazuh-modulesd

Sep 05 14:55:40 ubuntu21 systemd[1]: Starting Wazuh agent...
Sep 05 14:55:40 ubuntu21 env[5892]: Starting Wazuh v4.3.7...
Sep 05 14:55:41 ubuntu21 env[5892]: Started wazuh-execd...
Sep 05 14:55:43 ubuntu21 env[5892]: Started wazuh-agentd...
Sep 05 14:55:44 ubuntu21 env[5892]: Started wazuh-syscheckd...
Sep 05 14:55:44 ubuntu21 env[5892]: Started wazuh-logcollector...
Sep 05 14:55:45 ubuntu21 env[5892]: Started wazuh-modulesd...
Sep 05 14:55:48 ubuntu21 env[5892]: Completed.
Sep 05 14:55:48 ubuntu21 systemd[1]: Started Wazuh agent.

MANAGER SIDE

#/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: ubuntu22 (server), IP: 127.0.0.1, Active/Local
   ID: 005, Name: ubuntu21, IP: any, Active

List of agentless devices:

Updated with WPK to 4.4 (with modified service)

MANAGER SIDE

# /var/ossec/bin/agent_upgrade -a 005 -f ~/wazuh_agent_v4.4.0-11408.systemd.killmode.process_linux_x86_64.wpk 

Upgrading...

Upgraded agents:
  Agent 005 upgraded: Wazuh v4.3.7 -> Wazuh v4.4.0

=========

# /var/ossec/bin/agent_control -i 005

Wazuh agent_control. Agent information:
   Agent ID:   005
   Agent Name: ubuntu21
   IP address: any
   Status:     Active

   Operating system:    Linux |ubuntu21 |5.11.0-49-generic |#55-Ubuntu SMP Wed Jan 12 17:36:34 UTC 2022 |x86_64
   Client version:      Wazuh v4.4.0
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    4a8724b20dee0124ff9656783c490c4e
   Last keep alive:     1662401965

   Syscheck last started at:  Mon Sep  5 15:05:58 2022
   Syscheck last ended at:    Mon Sep  5 15:06:00 2022

AGENT SIDE

#tail /var/ossec/logs/upgrade.log
 - Update completed.

2022/09/05 15:06:03 - Installation result = 0
2022/09/05 15:06:04 - Waiting connection... Status = connected. Remaining attempts: 29.
2022/09/05 15:06:04 - Connected to manager.
2022/09/05 15:06:04 - Upgrade finished successfully.

=========

# cat /etc/systemd/system/wazuh-agent.service
[Unit]
Description=Wazuh agent
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking

ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start
ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop
ExecReload=/usr/bin/env /var/ossec/bin/wazuh-control reload

KillMode=process
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

=========

# systemctl status wazuh-agent.service 
● wazuh-agent.service - Wazuh agent
     Loaded: loaded (/etc/systemd/system/wazuh-agent.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-09-05 15:23:14 -03; 46s ago
    Process: 4941 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
      Tasks: 38 (limit: 1034)
     Memory: 57.6M
     CGroup: /system.slice/wazuh-agent.service
             ├─4963 /var/ossec/bin/wazuh-execd
             ├─4971 /var/ossec/bin/wazuh-agentd
             ├─4985 /var/ossec/bin/wazuh-syscheckd
             ├─4997 /var/ossec/bin/wazuh-logcollector
             └─5011 /var/ossec/bin/wazuh-modulesd

Sep 05 15:22:38 ubuntu21 systemd[1]: Starting Wazuh agent...
Sep 05 15:22:38 ubuntu21 env[4941]: Starting Wazuh v4.4.0...
Sep 05 15:22:38 ubuntu21 env[4941]: Started wazuh-execd...
Sep 05 15:22:39 ubuntu21 env[4941]: Started wazuh-agentd...
Sep 05 15:22:41 ubuntu21 env[4941]: Started wazuh-syscheckd...
Sep 05 15:22:41 ubuntu21 env[4941]: Started wazuh-logcollector...
Sep 05 15:22:42 ubuntu21 env[4941]: Started wazuh-modulesd...
Sep 05 15:22:44 ubuntu21 env[4941]: Completed.
Sep 05 13:22:44 ubuntu21 systemd[1]: Started Wazuh agent.

.service proposal

Agent

[Unit]
Description=Wazuh agent
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking

ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start
ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop
ExecReload=/usr/bin/env /var/ossec/bin/wazuh-control reload

KillMode=process

[Install]
WantedBy=multi-user.target

Manager

[Unit]
Description=Wazuh manager
Wants=network-online.target
After=network.target network-online.target

[Service]
Type=forking
LimitNOFILE=65536

ExecStart=/usr/bin/env WAZUH_HOME_TMP/bin/wazuh-control start
ExecStop=/usr/bin/env WAZUH_HOME_TMP/bin/wazuh-control stop
ExecReload=/usr/bin/env WAZUH_HOME_TMP/bin/wazuh-control reload

KillMode=process
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

sebasfalcone avatar Sep 05 '22 18:09 sebasfalcone