Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow downgrades using RPM and DEB packages #2885

Merged
merged 6 commits into from
Mar 27, 2024
Merged

Allow downgrades using RPM and DEB packages #2885

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
110acd5
Fix user and group deletion during upgrade/downgrade
jr0me Mar 19, 2024
a1a4f28
Add files orphaned files to Wazuh user and group.
jr0me Mar 19, 2024
95fbee3
Ensure the service has been stopped.
jr0me Mar 19, 2024
153d5e1
When downgrading the postrm deb script is run as an upgrade.
jr0me Mar 19, 2024
1c3a711
Wazuh agents on mac now use the same script as Linux for upgrades. We…
jr0me Mar 22, 2024
8e72c3a
Add support for building WPKs with APK packages
jr0me Mar 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions debs/SPECS/wazuh-agent/debian/postinst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,6 @@ case "$1" in

${SCRIPTS_DIR}/gen_ossec.sh conf agent ${OS} ${VER} ${DIR} > ${DIR}/etc/ossec.conf
${SCRIPTS_DIR}/add_localfiles.sh ${DIR} >> ${DIR}/etc/ossec.conf

else
${SCRIPTS_DIR}/gen_ossec.sh conf agent ${OS} ${VER} ${DIR} > ${DIR}/etc/ossec.conf.new
chmod 660 ${DIR}/etc/ossec.conf.new
Expand Down Expand Up @@ -68,7 +67,6 @@ case "$1" in

# Install the SCA files
if [ -d "${SCA_BASE_DIR}" ]; then

. ${SCRIPTS_DIR}/src/init/dist-detect.sh

SCA_DIR="${DIST_NAME}/${DIST_VER}"
Expand All @@ -90,7 +88,6 @@ case "$1" in
SCA_TMP_FILE="${SCA_TMP_DIR}/sca.files"

if [ -r ${SCA_TMP_FILE} ]; then

rm -f ${DIR}/ruleset/sca/* || true

for sca_file in $(cat ${SCA_TMP_FILE}); do
Expand Down Expand Up @@ -142,8 +139,8 @@ case "$1" in
systemctl daemon-reload > /dev/null 2>&1
fi
fi
# Remove old ossec user and group if exists and change ownwership of files

# Remove old ossec user and group if exists and change ownwership of files
if getent group ossec > /dev/null 2>&1; then
find ${DIR}/ -group ossec -user root -exec chown root:wazuh {} \; > /dev/null 2>&1 || true
if getent passwd ossec > /dev/null 2>&1; then
Expand All @@ -158,11 +155,14 @@ case "$1" in
find ${DIR}/ -group ossec -user ossecr -exec chown wazuh:wazuh {} \; > /dev/null 2>&1 || true
deluser ossecr > /dev/null 2>&1
fi
if getent group ossec > /dev/null 2>&1; then
if getent group ossec > /dev/null 2>&1; then
delgroup ossec > /dev/null 2>&1
fi
fi

find ${DIR} -nogroup -exec chgrp ${GROUP} {} \; > /dev/null 2>&1
find ${DIR} -nouser -exec chown ${USER} {} \; > /dev/null 2>&1

if [ ! -z "$2" ]; then
if [ -f ${WAZUH_TMP_DIR}/wazuh.restart ] ; then
if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1; then
Expand Down
34 changes: 34 additions & 0 deletions debs/SPECS/wazuh-agent/debian/postrm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,40 @@ case "$1" in
;;

upgrade)
# If the upgrade downgrades to earlier versions, restore ownership
if command -v ${DIR}/bin/ossec-control > /dev/null 2>&1; then

OSMYSHELL="/sbin/nologin"

if [ -f ${DIR}/queue/sockets/.agent_info ]; then
mv ${DIR}/queue/sockets/.agent_info ${DIR}/queue/ossec/
TomasTurina marked this conversation as resolved.
Show resolved Hide resolved
fi

rm -rf ${DIR}/queue/sockets > /dev/null 2>&1

if ! getent group ossec > /dev/null 2>&1; then
addgroup --system ossec > /dev/null 2>&1
fi

if ! getent passwd ossec > /dev/null 2>&1; then
adduser --system --home /var/ossec --shell ${OSMYSHELL} --ingroup ossec ossec > /dev/null 2>&1
fi

# Set the correct permissions to orphaned files (not owned by root)
find ${DIR} ! -group root -exec chgrp ossec {} \; > /dev/null 2>&1
TomasTurina marked this conversation as resolved.
Show resolved Hide resolved
find ${DIR} ! -user root -exec chown ossec {} \; > /dev/null 2>&1

# delete wazuh user and group
if getent passwd wazuh > /dev/null 2>&1; then
deluser wazuh
fi

if getent group wazuh > /dev/null 2>&1; then
delgroup wazuh
fi
fi

exit 0

;;

Expand Down
58 changes: 58 additions & 0 deletions debs/SPECS/wazuh-agent/debian/prerm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,64 @@ DIR="/var/ossec"
case "$1" in
upgrade|deconfigure)

# Stop the services before uninstalling the package
systemctl stop wazuh-agent || true
service wazuh-agent stop || true
${DIR}/bin/wazuh-control stop || true

# Process: wazuh-execd
if pgrep -f "wazuh-execd" > /dev/null 2>&1; then
kill -15 $(pgrep -f "wazuh-execd") > /dev/null 2>&1
fi

if pgrep -f "wazuh-execd" > /dev/null 2>&1; then
kill -9 $(pgrep -f "wazuh-execd") > /dev/null 2>&1
fi

# Process: wazuh-agentd
if pgrep -f "wazuh-agentd" > /dev/null 2>&1; then
kill -15 $(pgrep -f "wazuh-agentd") > /dev/null 2>&1
fi

if pgrep -f "wazuh-agentd" > /dev/null 2>&1; then
kill -9 $(pgrep -f "wazuh-agentd") > /dev/null 2>&1
fi

# Process: wazuh-syscheckd
if pgrep -f "wazuh-syscheckd" > /dev/null 2>&1; then
kill -15 $(pgrep -f "wazuh-syscheckd") > /dev/null 2>&1
fi

if pgrep -f "wazuh-syscheckd" > /dev/null 2>&1; then
kill -9 $(pgrep -f "wazuh-syscheckd") > /dev/null 2>&1
fi

# Process: wazuh-logcollector
if pgrep -f "wazuh-logcollector" > /dev/null 2>&1; then
kill -15 $(pgrep -f "wazuh-logcollector") > /dev/null 2>&1
fi

if pgrep -f "wazuh-logcollector" > /dev/null 2>&1; then
kill -9 $(pgrep -f "wazuh-logcollector") > /dev/null 2>&1
fi

# Process: wazuh-modulesd
if pgrep -f "wazuh-modulesd" > /dev/null 2>&1; then
kill -15 $(pgrep -f "wazuh-modulesd") > /dev/null 2>&1
fi

if pgrep -f "wazuh-modulesd" > /dev/null 2>&1; then
kill -9 $(pgrep -f "wazuh-modulesd") > /dev/null 2>&1
fi

if [ -d ${DIR}/logs/wazuh ]; then
mv ${DIR}/logs/wazuh ${DIR}/logs/ossec
fi

if [ -d ${DIR}/queue/sockets ]; then
mv ${DIR}/queue/sockets ${DIR}/queue/ossec
fi

;;

remove)
Expand Down
44 changes: 33 additions & 11 deletions rpms/SPECS/wazuh-agent.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -446,8 +446,28 @@ fi

%postun

# If the package is been uninstalled
if [ $1 = 0 ];then
DELETE_WAZUH_USER_AND_GROUP=0

# If the upgrade downgrades to earlier versions, it will create the ossec
# group and user, we need to delete wazuh ones
if [ $1 = 1 ]; then
if command -v %{_localstatedir}/bin/ossec-control > /dev/null 2>&1; then
find %{_localstatedir} -group wazuh -exec chgrp ossec {} +
find %{_localstatedir} -user wazuh -exec chown ossec {} +
DELETE_WAZUH_USER_AND_GROUP=1
fi

if [ ! -f %{_localstatedir}/etc/client.keys ]; then
if [ -f %{_localstatedir}/etc/client.keys.rpmsave ]; then
mv %{_localstatedir}/etc/client.keys.rpmsave %{_localstatedir}/etc/client.keys
elif [ -f %{_localstatedir}/etc/client.keys.rpmnew ]; then
mv %{_localstatedir}/etc/client.keys.rpmnew %{_localstatedir}/etc/client.keys
fi
fi
fi

# If the package is been uninstalled or we want to delete wazuh user and group
if [ $1 = 0 ] || [ $DELETE_WAZUH_USER_AND_GROUP = 1 ]; then
# Remove the wazuh user if it exists
if getent passwd wazuh > /dev/null 2>&1; then
userdel wazuh >/dev/null 2>&1
Expand All @@ -459,15 +479,17 @@ if [ $1 = 0 ];then
groupdel wazuh >/dev/null 2>&1
fi

# Remove lingering folders and files
rm -rf %{_localstatedir}/etc/shared/
rm -rf %{_localstatedir}/queue/
rm -rf %{_localstatedir}/var/
rm -rf %{_localstatedir}/bin/
rm -rf %{_localstatedir}/logs/
rm -rf %{_localstatedir}/backup/
rm -rf %{_localstatedir}/ruleset/
rm -rf %{_localstatedir}/tmp
if [ $1 = 0 ];then
# Remove lingering folders and files
rm -rf %{_localstatedir}/etc/shared/
rm -rf %{_localstatedir}/queue/
rm -rf %{_localstatedir}/var/
rm -rf %{_localstatedir}/bin/
rm -rf %{_localstatedir}/logs/
rm -rf %{_localstatedir}/backup/
rm -rf %{_localstatedir}/ruleset/
rm -rf %{_localstatedir}/tmp
fi
fi

# posttrans code is the last thing executed in a install/upgrade
Expand Down
15 changes: 9 additions & 6 deletions wpk/generate_wpk_package.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -324,21 +324,24 @@ function main() {
fi

if [[ "${HAVE_TARGET}" == true ]] && [[ "${HAVE_BRANCH}" == true ]] && [[ "${HAVE_DESTINATION}" == true ]] && [[ "${HAVE_OUT_NAME}" == true ]]; then
if [[ "${TARGET}" == "windows" || "${TARGET}" == "macos" ]]; then
if [[ "${TARGET}" == "linux" || "${TARGET}" == "windows" || "${TARGET}" == "macos" ]]; then
if [[ "${HAVE_PKG_NAME}" == true ]]; then
build_container ${COMMON_BUILDER} ${COMMON_BUILDER_DOCKERFILE} || clean ${COMMON_BUILDER_DOCKERFILE} 1
local CONTAINER_NAME="${COMMON_BUILDER}"
pack_wpk ${BRANCH} ${DESTINATION} ${CONTAINER_NAME} ${JOBS} ${PKG_NAME} ${OUT_NAME} ${CHECKSUM} ${CHECKSUMDIR} ${INSTALLATION_PATH} ${AWS_REGION} ${WPK_KEY} ${WPK_CERT} || clean ${COMMON_BUILDER_DOCKERFILE} 1
clean ${COMMON_BUILDER_DOCKERFILE} 0
elif [[ "${TARGET}" == "linux" ]]; then
build_container ${LINUX_BUILDER} ${LINUX_BUILDER_DOCKERFILE} || clean ${LINUX_BUILDER_DOCKERFILE} 1
local CONTAINER_NAME="${LINUX_BUILDER}"
build_wpk_linux ${BRANCH} ${DESTINATION} ${CONTAINER_NAME} ${JOBS} ${OUT_NAME} ${CHECKSUM} ${CHECKSUMDIR} ${INSTALLATION_PATH} ${AWS_REGION} ${WPK_KEY} ${WPK_CERT} || clean ${LINUX_BUILDER_DOCKERFILE} 1
clean ${LINUX_BUILDER_DOCKERFILE} 0
else
echo "ERROR: No MSI/PKG package name specified for Windows or macOS WPK"
echo "ERROR: Only Linux can be built without a package name."
help 1
fi
else
build_container ${LINUX_BUILDER} ${LINUX_BUILDER_DOCKERFILE} || clean ${LINUX_BUILDER_DOCKERFILE} 1
local CONTAINER_NAME="${LINUX_BUILDER}"
build_wpk_linux ${BRANCH} ${DESTINATION} ${CONTAINER_NAME} ${JOBS} ${OUT_NAME} ${CHECKSUM} ${CHECKSUMDIR} ${INSTALLATION_PATH} ${AWS_REGION} ${WPK_KEY} ${WPK_CERT} || clean ${LINUX_BUILDER_DOCKERFILE} 1
clean ${LINUX_BUILDER_DOCKERFILE} 0
echo "ERROR: Target system must be linux, windows or macos."
help 1
fi
else
echo "ERROR: Need more parameters"
Expand Down
50 changes: 28 additions & 22 deletions wpk/run.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ INSTALLATION_PATH="/var/ossec"
PKG_NAME=""
HAVE_PKG_NAME_WIN=false
HAVE_PKG_NAME_MAC=false
HAVE_PKG_NAME_LINUX=false
AWS_REGION="us-east-1"
KEYPATH="/etc/wazuh"
WPKCERT="${KEYPATH}/wpkcert.pem"
Expand Down Expand Up @@ -85,6 +86,12 @@ main() {
HAVE_PKG_NAME_WIN=true
elif [ "${PKG_NAME: -4}" == ".pkg" ]; then
HAVE_PKG_NAME_MAC=true
elif [ "${PKG_NAME: -4}" == ".rpm" ]; then
TomasTurina marked this conversation as resolved.
Show resolved Hide resolved
HAVE_PKG_NAME_LINUX=true
elif [ "${PKG_NAME: -4}" == ".deb" ]; then
HAVE_PKG_NAME_LINUX=true
elif [ "${PKG_NAME: -4}" == ".apk" ]; then
HAVE_PKG_NAME_LINUX=true
fi
shift 2
fi
Expand Down Expand Up @@ -185,28 +192,27 @@ main() {
if [ "${DIST_NAME}" = "centos" ]; then
${PYTHON} /usr/local/bin/wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} *
else

if [ "${HAVE_PKG_NAME_WIN}" == true ]; then
CURRENT_DIR=$(pwd)
echo "wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.bat do_upgrade.ps1"
cd ${OUTDIR}
cp ${CURRENT_DIR}/src/win32/{upgrade.bat,do_upgrade.ps1} .
cp /var/pkg/${PKG_NAME} ${OUTDIR} 2>/dev/null
wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.bat do_upgrade.ps1
rm -f upgrade.bat do_upgrade.ps1 ${PKG_NAME}
elif [ "${HAVE_PKG_NAME_MAC}" == true ]; then
CURRENT_DIR=$(pwd)
echo "wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.sh pkg_installer_mac.sh"
cd ${OUTDIR}
cp ${CURRENT_DIR}/src/init/pkg_installer_mac.sh .
cp ${CURRENT_DIR}/upgrade.sh .
cp /var/pkg/${PKG_NAME} ${OUTDIR} 2>/dev/null
wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.sh pkg_installer_mac.sh
rm -f upgrade.sh pkg_installer_mac.sh ${PKG_NAME}
else
echo "ERROR: MSI/PKG package is needed to build the Windows or macOS WPK"
help 1
fi
if [ "${HAVE_PKG_NAME_WIN}" == true ]; then
CURRENT_DIR=$(pwd)
echo "wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.bat do_upgrade.ps1"
cd ${OUTDIR}
cp ${CURRENT_DIR}/src/win32/{upgrade.bat,do_upgrade.ps1} .
cp /var/pkg/${PKG_NAME} ${OUTDIR} 2>/dev/null
wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.bat do_upgrade.ps1
rm -f upgrade.bat do_upgrade.ps1 ${PKG_NAME}
elif [ "${HAVE_PKG_NAME_MAC}" == true ] || [ "${HAVE_PKG_NAME_LINUX}" == true ]; then
CURRENT_DIR=$(pwd)
echo "wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.sh pkg_installer.sh"
cd ${OUTDIR}
cp ${CURRENT_DIR}/src/init/pkg_installer.sh .
cp ${CURRENT_DIR}/upgrade.sh .
cp /var/pkg/${PKG_NAME} ${OUTDIR} 2>/dev/null
wpkpack ${OUTPUT} ${WPKCERT} ${WPKKEY} ${PKG_NAME} upgrade.sh pkg_installer.sh
rm -f upgrade.sh pkg_installer.sh ${PKG_NAME}
else
echo "ERROR: a package (MSI/PKG/RPM/DEB) is needed to build the WPK"
help 1
fi
fi
echo "PACKED FILE -> ${OUTPUT}"
cd ${OUTDIR}
Expand Down
Loading