Permissions for /var/ossec/var/multigroups
Closed this issue · 4 comments
Description
The /var/ossec/var/multigroups directory has different permissions inside the Wazuh manager container than the version installed by RPM or DEB packages.
Currently it has a Docker volume mounted which takes the following permissions:
```console
bash-5.2# ls -ltr /var/ossec/var/ | grep multigroups
drwxr-xr-x 2 root root 4096 Oct 29 12:34 multigroups
bash-5.2#
```
The permissions it has in a package installation are the following:
```console
root@ip-172-31-44-45:~# ls -ltr /var/ossec/var/ | grep multigroups
drwxrwx--- 2 wazuh wazuh 4096 Oct 15 16:51 multigroups
root@ip-172-31-44-45:~#
```
Also, if the image is booted without volume, the directory does not exist.
This is causing the following errors:
```
2024/10/29 12:27:25 wazuh-remoted: ERROR: Cannot create multigroup directory 'var/multigroups/31ec2eac': Permission denied (13)
2024/10/29 12:27:35 wazuh-remoted: ERROR: Cannot create multigroup directory 'var/multigroups/31ec2eac': Permission denied (13)
```
I have been testing image builds by modifying the build-images.yml file and the multigroups directory still does not appear.
The investigation continues
Update
The error is generated due to the file handling that is performed for data persistence, I am investigating the operation of the scripts and the root cause of the failure.
Update
The error is a problem between the script that creates the directories for the permanent data and the one that impacts them during the startup of the container.
On image creation, all the directories added for permanent data are cut and pasted into a temporary directory:
```bash
for permanent_dir in "${PERMANENT_DATA[@]}"; do
    # Create the directory for the permanent file if it does not exist
    DIR=$(dirname "${permanent_dir}")
    if [ ! -e ${PERMANENT_PATH}${DIR} ]
    then
        mkdir -p ${PERMANENT_PATH}${DIR}
    fi
    # The directory is moved, not copied, so it no longer exists in the image
    mv ${permanent_dir} ${PERMANENT_PATH}${permanent_dir}
done
```
Then at the start of the container, these files are copied, but first checking that the directories are not empty:
```bash
mount_permanent_data() {
    for permanent_dir in "${PERMANENT_DATA[@]}"; do
        data_tmp="${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/"
        print ${data_tmp}
        # Check if the path is not empty
        if find ${permanent_dir} -mindepth 1 | read; then
            print "The path ${permanent_dir} is already mounted"
        else
            # Only copy when the staged copy has content: an empty directory is skipped
            if find ${data_tmp} -mindepth 1 | read; then
                print "Installing ${permanent_dir}"
                exec_cmd "cp -a ${data_tmp}. ${permanent_dir}"
            else
                print "The path ${permanent_dir} is empty, skipped"
            fi
        fi
    done
}
```
This causes the empty directories not to be copied and to be lost after the startup.
The cut of the directories in the creation of the container is modified for a complete copy with permissions to maintain the original directories and so that the permissions are not lost when we mount a volume on a directory that is not in the image:
```bash
PERMANENT_PATH=${DATA_TMP_PATH}/permanent
mkdir ${PERMANENT_PATH}
for permanent_dir in "${PERMANENT_DATA[@]}"; do
    # Create the directory for the permanent file if it does not exist
    DIR=$(dirname "${permanent_dir}")
    mkdir -p ${PERMANENT_PATH}${DIR}
    # Copy recursively, preserving ownership and permissions, and keep the original in the image
    cp -ar ${permanent_dir} ${PERMANENT_PATH}${DIR}
done
```
At the start of the container, the directory copy modifiers are modified so that they do not generate errors at the start of the container and are copied correctly with their permissions:
```bash
mount_permanent_data() {
    for permanent_dir in "${PERMANENT_DATA[@]}"; do
        data_tmp="${WAZUH_INSTALL_PATH}/data_tmp/permanent${permanent_dir}/"
        print ${data_tmp}
        # Check if the path is not empty
        if find ${permanent_dir} -mindepth 1 | read; then
            print "The path ${permanent_dir} is already mounted"
        else
            print "Installing ${permanent_dir}"
            exec_cmd "cp -ar ${data_tmp}. ${permanent_dir}"
        fi
    done
}
```
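As an added example (not code from the wazuh-docker repository), the following script reproduces the failure mode described above in a throwaway directory: it runs both the mv-based and the cp -ar-based build step against one non-empty and one empty permanent directory, applies the matching startup logic, and reports what is left of var/multigroups. The scratch paths, the staged-copy layout and the simulated volume mountpoint (a root-style 755 directory created after the build) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the wazuh-docker scripts: shows why the mv-based
# build step plus the "copy only if non-empty" startup step loses an empty
# permanent directory such as var/multigroups, and that cp -ar keeps it.
# The "find DIR -mindepth 1 | read" test used by mount_permanent_data().
is_nonempty() {
    [ -n "$(find "$1" -mindepth 1 2>/dev/null | head -n 1)" ]
}

# simulate MODE [volume]
#   MODE=old : build with mv, start by copying only non-empty staged dirs
#   MODE=new : build with cp -ar, start by copying every staged dir
#   volume   : also mimic Docker creating a 755 mountpoint for a volume on a
#              path that no longer exists in the image (assumed behaviour)
# Prints the mode string of var/multigroups afterwards, or "missing".
simulate() {
    mode=$1; root=$(mktemp -d)
    install="$root/var/ossec"           # stands in for WAZUH_INSTALL_PATH
    staged="$root/data_tmp/permanent"   # stands in for ${DATA_TMP_PATH}/permanent
    mkdir -p "$install/etc" "$install/var/multigroups"
    echo '<ossec_config/>' > "$install/etc/ossec.conf"   # a non-empty permanent dir
    chmod 770 "$install/etc" "$install/var/multigroups"  # package layout: drwxrwx---

    # --- image build: stage the permanent directories ---
    for dir in "$install/etc" "$install/var/multigroups"; do
        mkdir -p "$staged$(dirname "$dir")"
        if [ "$mode" = old ]; then
            mv "$dir" "$staged$(dirname "$dir")/"       # directory leaves the image
        else
            cp -ar "$dir" "$staged$(dirname "$dir")/"   # directory stays, perms kept
        fi
    done
    if [ "${2:-}" = volume ]; then
        mkdir -p "$install/var/multigroups"; chmod 755 "$install/var/multigroups"
    fi

    # --- container start: mount_permanent_data() ---
    for dir in "$install/etc" "$install/var/multigroups"; do
        data_tmp="$staged$dir/"
        if is_nonempty "$dir"; then
            :                                            # already holds data
        elif [ "$mode" = new ]; then
            cp -ar "$data_tmp." "$dir"                   # unconditional copy
        elif is_nonempty "$data_tmp"; then
            cp -a "$data_tmp." "$dir"                    # old: empty staged dir skipped
        fi
    done
    if [ -d "$install/var/multigroups" ]; then
        ls -ld "$install/var/multigroups" | cut -c1-10
    else
        echo missing
    fi
    rm -rf "$root"
}
```

Running `simulate old` reports `missing`, `simulate old volume` reports `drwxr-xr-x` (the permissions seen in the issue), and `simulate new` reports `drwxrwx---`.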
Tests
Upgrade from v4.8.2 with volumes to v4.9.1 with volumes
Deploy Wazuh v4.8.2 with volumes:
```console
$ git branch
* (HEAD detached at v4.8.2)
$ cd single-node
$ docker-compose up -d
[+] Running 18/18
✔ Network single-node_default Created 0.2s
✔ Volume "single-node_wazuh_api_configuration" Created 0.0s
✔ Volume "single-node_wazuh_logs" Created 0.0s
✔ Volume "single-node_wazuh_queue" Created 0.0s
✔ Volume "single-node_wazuh_active_response" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-custom" Created 0.0s
✔ Volume "single-node_wazuh_var_multigroups" Created 0.0s
✔ Volume "single-node_wazuh_integrations" Created 0.0s
✔ Volume "single-node_wazuh-indexer-data" Created 0.0s
✔ Volume "single-node_wazuh_etc" Created 0.0s
✔ Volume "single-node_filebeat_var" Created 0.0s
✔ Volume "single-node_wazuh_wodles" Created 0.0s
✔ Volume "single-node_wazuh_agentless" Created 0.0s
✔ Volume "single-node_filebeat_etc" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-config" Created 0.0s
✔ Container single-node-wazuh.manager-1 Started 2.4s
✔ Container single-node-wazuh.indexer-1 Started 2.4s
✔ Container single-node-wazuh.dashboard-1 Started 3.1s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
94e86488368e wazuh/wazuh-dashboard:4.8.2 "/entrypoint.sh" 38 seconds ago Up 36 seconds 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
e8f6967c231f wazuh/wazuh-manager:4.8.2 "/init" 39 seconds ago Up 37 seconds 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
188aafdd5b07 wazuh/wazuh-indexer:4.8.2 "/entrypoint.sh open…" 39 seconds ago Up 37 seconds 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp single-node-wazuh.indexer-1
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/var
total 32
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 wodles
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 upgrade
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 download
drwxrwx--- 2 root wazuh 4096 Aug 20 13:35 selinux
drwxrwx--- 1 root wazuh 4096 Aug 20 13:35 db
drwxr-xr-x 2 root root 4096 Nov 1 13:18 multigroups
drwxrwx--- 1 root wazuh 4096 Nov 1 13:19 run
$ docker-compose down
[+] Running 4/4
✔ Container single-node-wazuh.dashboard-1 Removed 11.6s
✔ Container single-node-wazuh.manager-1 Removed 4.1s
✔ Container single-node-wazuh.indexer-1 Removed 0.9s
✔ Network single-node_default Removed
```
Upgrade Wazuh v4.9.1 with volumes:
```console
$ git branch
* (HEAD detached at v4.9.1)
$ cd single-node/
$ docker-compose up -d
[+] Running 4/4
✔ Network single-node_default Created 0.2s
✔ Container single-node-wazuh.manager-1 Started 1.4s
✔ Container single-node-wazuh.indexer-1 Started 1.2s
✔ Container single-node-wazuh.dashboard-1 Started 1.9s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
639359ec2939 wazuh/wazuh-dashboard:4.9.1 "/entrypoint.sh" About a minute ago Up About a minute 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
ce2264d79a26 wazuh/wazuh-manager:4.9.1 "/init" About a minute ago Up About a minute 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
f4661e06a932 wazuh/wazuh-indexer:4.9.1 "/entrypoint.sh open…" About a minute ago Up About a minute 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp single-node-wazuh.indexer-1
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/var
total 32
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 wodles
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 upgrade
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 multigroups
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 download
drwxrwx--- 2 root wazuh 4096 Oct 31 15:55 selinux
drwxrwx--- 1 root wazuh 4096 Oct 31 15:55 db
drwxrwx--- 1 root wazuh 4096 Nov 1 13:32 run
```
Upgrade from v4.8.2 without multigroup volume to v4.9.1 without multigroup volume
Deploy Wazuh v4.8.2 without multigroup volume:
```console
$ git branch
* (HEAD detached at v4.8.2)
$ docker-compose up -d
[+] Running 17/17
✔ Network single-node_default Created 0.2s
✔ Volume "single-node_wazuh_wodles" Created 0.0s
✔ Volume "single-node_wazuh_queue" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-custom" Created 0.0s
✔ Volume "single-node_wazuh_integrations" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-config" Created 0.0s
✔ Volume "single-node_wazuh_etc" Created 0.0s
✔ Volume "single-node_filebeat_etc" Created 0.0s
✔ Volume "single-node_filebeat_var" Created 0.0s
✔ Volume "single-node_wazuh_agentless" Created 0.0s
✔ Volume "single-node_wazuh-indexer-data" Created 0.0s
✔ Volume "single-node_wazuh_api_configuration" Created 0.0s
✔ Volume "single-node_wazuh_logs" Created 0.0s
✔ Volume "single-node_wazuh_active_response" Created 0.0s
✔ Container single-node-wazuh.indexer-1 Started 0.9s
✔ Container single-node-wazuh.manager-1 Started 1.3s
✔ Container single-node-wazuh.dashboard-1 Started 1.9s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
94e86488368e wazuh/wazuh-dashboard:4.8.2 "/entrypoint.sh" 49 seconds ago Up 48 seconds 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
e8f6967c231f wazuh/wazuh-manager:4.8.2 "/init" 50 seconds ago Up 49 seconds 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
188aafdd5b07 wazuh/wazuh-indexer:4.8.2 "/entrypoint.sh open…" 50 seconds ago Up 49 seconds 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/var
total 28
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 wodles
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 upgrade
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 download
drwxrwx--- 2 root wazuh 4096 Aug 20 13:35 selinux
drwxrwx--- 1 root wazuh 4096 Aug 20 13:35 db
drwxrwx--- 1 root wazuh 4096 Nov 1 13:50 run
$ docker-compose down
[+] Running 4/4
✔ Container single-node-wazuh.dashboard-1 Removed 13.2s
✔ Container single-node-wazuh.manager-1 Removed 4.7s
✔ Container single-node-wazuh.indexer-1 Removed 1.4s
✔ Network single-node_default Removed
```
Upgrade Wazuh v4.9.1 without multigroup volume:
```console
$ git branch
* (HEAD detached at v4.9.1)
$ docker-compose up -d
[+] Running 4/4
✔ Network single-node_default Created 0.2s
✔ Container single-node-wazuh.indexer-1 Started 1.1s
✔ Container single-node-wazuh.manager-1 Started 1.3s
✔ Container single-node-wazuh.dashboard-1 Started 1.9s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d037cf00f162 wazuh/wazuh-dashboard:4.9.1 "/entrypoint.sh" 18 seconds ago Up 16 seconds 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
04c17a4c80f3 wazuh/wazuh-manager:4.9.1 "/init" 18 seconds ago Up 17 seconds 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
a795c8301f59 wazuh/wazuh-indexer:4.9.1 "/entrypoint.sh open…" 18 seconds ago Up 17 seconds 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp single-node-wazuh.indexer-1
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/var
total 32
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 wodles
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 upgrade
drwxrwx--- 1 root wazuh 4096 Oct 15 16:50 multigroups
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 download
drwxrwx--- 2 root wazuh 4096 Oct 31 15:55 selinux
drwxrwx--- 1 root wazuh 4096 Oct 31 15:55 db
drwxrwx--- 1 root wazuh 4096 Nov 1 13:52 run
```
Upgrade from v4.8.2 with volumes to v4.9.1 without volumes
Deploy Wazuh v4.8.0 with volumes:
```console
$ git branch
* (HEAD detached at v4.8.2)
$ docker-compose up -d
WARN[0000] /home/vcerenu/Repositorios/4.8.1/wazuh-docker/single-node/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 18/18
✔ Network single-node_default Created 0.3s
✔ Volume "single-node_wazuh-dashboard-config" Created 0.0s
✔ Volume "single-node_filebeat_var" Created 0.0s
✔ Volume "single-node_wazuh_var_multigroups" Created 0.0s
✔ Volume "single-node_wazuh_queue" Created 0.0s
✔ Volume "single-node_wazuh_wodles" Created 0.0s
✔ Volume "single-node_filebeat_etc" Created 0.0s
✔ Volume "single-node_wazuh-dashboard-custom" Created 0.0s
✔ Volume "single-node_wazuh_logs" Created 0.0s
✔ Volume "single-node_wazuh_etc" Created 0.0s
✔ Volume "single-node_wazuh_active_response" Created 0.0s
✔ Volume "single-node_wazuh_agentless" Created 0.0s
✔ Volume "single-node_wazuh_api_configuration" Created 0.0s
✔ Volume "single-node_wazuh-indexer-data" Created 0.0s
✔ Volume "single-node_wazuh_integrations" Created 0.0s
✔ Container single-node-wazuh.indexer-1 Started 1.1s
✔ Container single-node-wazuh.manager-1 Started 1.4s
✔ Container single-node-wazuh.dashboard-1 Started 1.9s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b3703fb2fcee wazuh/wazuh-dashboard:4.8.2 "/entrypoint.sh" About a minute ago Up About a minute 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
9468248e8a5b wazuh/wazuh-indexer:4.8.2 "/entrypoint.sh open…" About a minute ago Up About a minute 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp single-node-wazuh.indexer-1
830b8d95bee1 wazuh/wazuh-manager:4.8.2 "/init" About a minute ago Up About a minute 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/api/
total 8
drwxr-x--- 2 root wazuh 4096 Aug 20 13:35 scripts
drwxrwx--- 4 root wazuh 4096 Nov 1 13:59 configuration
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/
total 76
drwxr-x--- 1 root wazuh 4096 Aug 20 13:35 backup
drwxr-x--- 1 root wazuh 4096 Aug 20 13:35 framework
drwxr-x--- 5 root wazuh 4096 Aug 20 13:35 ruleset
drwxr-x--- 2 root wazuh 4096 Aug 20 13:35 bin
dr--r----- 2 root wazuh 4096 Aug 20 13:35 templates
drwxr-x--- 2 root wazuh 4096 Aug 20 13:35 lib
drwxr-x--- 1 root wazuh 4096 Nov 1 13:58 api
drwxr-x--- 1 root wazuh 4096 Nov 1 13:58 active-response
drwxr-xr-x 2 root root 4096 Nov 1 13:59 integrations
drwxr-xr-x 2 root root 4096 Nov 1 13:59 agentless
drwxr-x--- 6 root wazuh 4096 Nov 1 13:59 wodles
drwxrwx--- 7 wazuh wazuh 4096 Nov 1 13:59 etc
drwxrwx--- 8 wazuh wazuh 4096 Nov 1 13:59 logs
drwxr-x--- 1 wazuh wazuh 4096 Nov 1 13:59 stats
drwxr-x--- 1 root wazuh 4096 Nov 1 13:59 var
drwxr-x--- 19 root wazuh 4096 Nov 1 14:00 queue
drwxrwx--T 1 root wazuh 4096 Nov 1 14:00 tmp
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/var/
total 32
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 wodles
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 upgrade
drwxrwx--- 2 root wazuh 4096 Aug 19 17:17 download
drwxrwx--- 2 root wazuh 4096 Aug 20 13:35 selinux
drwxrwx--- 1 root wazuh 4096 Aug 20 13:35 db
drwxr-xr-x 2 root root 4096 Nov 1 13:58 multigroups
drwxrwx--- 1 root wazuh 4096 Nov 1 14:05 run
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/active-response/
total 4
drwxr-xr-x 2 root root 4096 Nov 1 13:59 bin
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /etc/ | grep filebeat
drwxr-xr-x 3 root root 4096 Nov 1 13:59 filebeat
```
Deploy Wazuh v4.9.1 without volumes:
```console
$ git branch
* (HEAD detached at v4.9.1)
$ docker-compose up -d
[+] Running 4/4
✔ Network single-node_default Created 0.3s
✔ Container single-node-wazuh.indexer-1 Started 1.2s
✔ Container single-node-wazuh.manager-1 Started 1.4s
✔ Container single-node-wazuh.dashboard-1 Started 2.1s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
56e27ccfb9a0 wazuh/wazuh-dashboard:4.9.1 "/entrypoint.sh" 30 seconds ago Up 27 seconds 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
532a7e2fe32d wazuh/wazuh-indexer:4.9.1 "/entrypoint.sh open…" 30 seconds ago Up 28 seconds 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp single-node-wazuh.indexer-1
30e1d0519b8c wazuh/wazuh-manager:4.9.1 "/init" 30 seconds ago Up 28 seconds 0.0.0.0:1514-1515->1514-1515/tcp, :::1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, :::514->514/udp, 0.0.0.0:55000->55000/tcp, :::55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/api/
total 12
drwxr-x--- 2 root wazuh 4096 Oct 31 15:55 scripts
drwxrwx--- 1 root wazuh 4096 Nov 1 14:10 configuration
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/
total 104
drwxr-x--- 1 root wazuh 4096 Oct 31 15:54 active-response
drwxr-x--- 1 root wazuh 4096 Oct 31 15:54 api
drwxr-x--- 1 root wazuh 4096 Oct 31 15:54 backup
drwxr-x--- 1 root wazuh 4096 Oct 31 15:55 framework
drwxr-x--- 5 root wazuh 4096 Oct 31 15:55 ruleset
drwxr-x--- 2 root wazuh 4096 Oct 31 15:55 bin
dr--r----- 2 root wazuh 4096 Oct 31 15:55 templates
drwxr-x--- 2 root wazuh 4096 Oct 31 15:55 lib
drwxr-x--- 1 root wazuh 4096 Nov 1 14:10 integrations
drwxrwx--- 1 root wazuh 4096 Nov 1 14:10 agentless
drwxr-x--- 1 root wazuh 4096 Nov 1 14:10 wodles
drwxrwx--- 1 wazuh wazuh 4096 Nov 1 14:10 etc
drwxrwx--- 1 wazuh wazuh 4096 Nov 1 14:10 logs
drwxr-x--- 1 wazuh wazuh 4096 Nov 1 14:10 stats
drwxrwx--T 1 root wazuh 4096 Nov 1 14:10 tmp
drwxr-x--- 1 root wazuh 4096 Nov 1 14:10 var
drwxr-x--- 1 root wazuh 4096 Nov 1 14:11 queue
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/var/
total 32
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 wodles
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 upgrade
drwxrwx--- 1 root wazuh 4096 Oct 15 16:50 multigroups
drwxrwx--- 2 root wazuh 4096 Oct 15 16:50 download
drwxrwx--- 2 root wazuh 4096 Oct 31 15:55 selinux
drwxrwx--- 1 root wazuh 4096 Oct 31 15:55 db
drwxrwx--- 1 root wazuh 4096 Nov 1 14:11 run
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /var/ossec/active-response/
total 4
drwxrwx--- 1 root wazuh 4096 Nov 1 14:10 bin
$ docker exec -it single-node-wazuh.manager-1 ls -ltr /etc/ | grep filebeat
drwxr-xr-x 1 root root 4096 Nov 1 14:10 filebeat
```