Issue with ossec group in reinstall Wazuh agent 4.3.4 in Solaris 11 SPARC #1631

Open
c-bordon opened this issue Jun 7, 2022 · 4 comments
Labels
qa_known Issues that are already known by the QA team


@c-bordon
Member

c-bordon commented Jun 7, 2022

I found a possible problem when trying to reinstall the agent on a Solaris 11 SPARC system. This occurs after having the agent installed, uninstalling it and reinstalling it without removing the wazuh group:

Steps to reproduce it:

root@sossp109:~# pkg install -g wazuh-agent_v4.3.4-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         92/92      5.6/5.6 32.2M/s

PHASE                                          ITEMS
Installing new actions                       144/144
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

  • Validate users and groups:
root@sossp109:~# cat /etc/passwd | grep wazuh
wazuh:x:7:13:& User:/:
root@sossp109:~# cat /etc/passwd | grep ossec
root@sossp109:~# cat /etc/group | grep wazuh
wazuh::13:
root@sossp109:~# cat /etc/group | grep ossec

  • Uninstall Wazuh agent:
root@sossp109:~# /var/ossec/bin/wazuh-control stop
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
Wazuh v4.3.4 Stopped
root@sossp109:~#  pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         187/187
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  var/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20220607T120221Z

  • Validate users and groups after uninstall:
root@sossp109:~# cat /etc/passwd | grep wazuh
root@sossp109:~# cat /etc/passwd | grep ossec
root@sossp109:~# cat /etc/group | grep ossec
root@sossp109:~# cat /etc/group | grep wazuh
wazuh::13:

  • Reinstall without deleting the wazuh group:
root@sossp109:~# pkg install -g wazuh-agent_v4.3.4-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         92/92      5.6/5.6 32.8M/s

PHASE                                          ITEMS
Installing new actions                         1/144Action install failed for 'wazuh' (pkg://wazuh/wazuh-agent):
  KeyError: 'gid'

The Boot Environment solaris failed to be updated. A snapshot was taken before the failed attempt and is mounted here /tmp/tmp6sodbp. Use 'beadm unmount solaris-1' and then 'beadm activate solaris-1' if you wish to boot to this BE.
pkg: An unexpected error happened during install: 'gid'
Traceback (most recent call last):
  File "/usr/bin/pkg", line 6254, in handle_errors
    __ret = func(*args, **kwargs)
  File "/usr/bin/pkg", line 6240, in main_func
    pargs=pargs, **opts)
  File "/usr/bin/pkg", line 1985, in install
    update_index=update_index)
  File "/usr/bin/pkg", line 1758, in __api_op
    ret_code = __api_execute_plan(_op, _api_inst)
  File "/usr/bin/pkg", line 1326, in __api_execute_plan
    api_inst.execute_plan()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/api.py", line 2816, in execute_plan
    self._img.imageplan.execute()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/imageplan.py", line 4593, in execute
    p.execute_install(src, dest)
  File "/usr/lib/python2.7/vendor-packages/pkg/client/pkgplan.py", line 563, in execute_install
    dest.install(self, src)
  File "/usr/lib/python2.7/vendor-packages/pkg/actions/group.py", line 80, in install
    if (cur_attrs["gid"] != self.attrs["gid"]):
KeyError: 'gid'


pkg: This is an internal error in pkg(5) version a1fb8dcc1a5e.  Please log a
Service Request about this issue including the information above and this
message.

  • After deleting the wazuh group:
root@sossp109:~# groupdel wazuh
root@sossp109:~# pkg install -g wazuh-agent_v4.3.4-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         92/92      5.6/5.6    0B/s

PHASE                                          ITEMS
Installing new actions                         1/144Action install failed for 'ossec' (pkg://wazuh/wazuh-agent):
  KeyError: 'gid'

The Boot Environment solaris failed to be updated. A snapshot was taken before the failed attempt and is mounted here /tmp/tmpfd7VnD. Use 'beadm unmount solaris-2' and then 'beadm activate solaris-2' if you wish to boot to this BE.
pkg: An unexpected error happened during install: 'gid'
Traceback (most recent call last):
  File "/usr/bin/pkg", line 6254, in handle_errors
    __ret = func(*args, **kwargs)
  File "/usr/bin/pkg", line 6240, in main_func
    pargs=pargs, **opts)
  File "/usr/bin/pkg", line 1985, in install
    update_index=update_index)
  File "/usr/bin/pkg", line 1758, in __api_op
    ret_code = __api_execute_plan(_op, _api_inst)
  File "/usr/bin/pkg", line 1326, in __api_execute_plan
    api_inst.execute_plan()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/api.py", line 2816, in execute_plan
    self._img.imageplan.execute()
  File "/usr/lib/python2.7/vendor-packages/pkg/client/imageplan.py", line 4593, in execute
    p.execute_install(src, dest)
  File "/usr/lib/python2.7/vendor-packages/pkg/client/pkgplan.py", line 563, in execute_install
    dest.install(self, src)
  File "/usr/lib/python2.7/vendor-packages/pkg/actions/group.py", line 80, in install
    if (cur_attrs["gid"] != self.attrs["gid"]):
KeyError: 'gid'


pkg: This is an internal error in pkg(5) version a1fb8dcc1a5e.  Please log a
Service Request about this issue including the information above and this
message.

  • We can see that group ossec is created:
root@sossp109:~# cat /etc/group | grep ossec                                  
ossec::11:

  • After deleting the wazuh group, the reinstallation succeeded:
root@sossp109:~# groupdel ossec
root@sossp109:~# pkg install -g wazuh-agent_v4.3.4-sol11-sparc.p5p wazuh-agent
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         92/92      5.6/5.6    0B/s

PHASE                                          ITEMS
Installing new actions                       144/144
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

I repeated the tests, this time eliminating the wazuh group before trying the reinstall, and the reinstallation worked correctly. That is, during the reinstall process, if the wazuh group exists, it generates the ossec group.

@c-bordon
Member Author

At the moment, the solution is given by a Note in the documentation, which I omitted in my tests and is what generated the error when trying to reinstall the package after removing it.

As the note indicates, in Solaris 11.4 and later releases, the package does not remove the wazuh group.

I've been looking into the possibility of adding pre-validation to the installation process, but this is not supported by Solaris packages, so it leaves us with 2 options:

  • Change the documentation, adding an extra step in the uninstall process with the validation of the existence of the wazuh group and eventual elimination of it if it exists

  • Add a postremove script that is responsible for this validation, understanding that this script remains after uninstallation
    @okynos @alberpilot
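
The first option in the comment above (validate whether the wazuh group survived the uninstall, and remove it before reinstalling) could be scripted as follows. This is an added example, not part of the issue thread or of Wazuh's packaging: the function names are hypothetical, the group names `wazuh` and `ossec` come from the session in the first comment, and the check that no account still uses the GID as its primary group is an added safety assumption.

```shell
#!/bin/sh
# Added example: plan the cleanup of leftover Wazuh agent groups before a
# reinstall. It only prints a plan; the operator runs groupdel afterwards.
# File paths are parameters so the logic can be tried on copies of the files.

# Print "name gid" for each wazuh/ossec entry in the given group file.
leftover_groups() {
    while IFS=: read -r g_name _g_pw g_gid _g_members; do
        case $g_name in
            wazuh|ossec) echo "$g_name $g_gid" ;;
        esac
    done < "$1"
}

# Succeed if an account in the passwd file ($1) has GID $2 as primary group.
gid_in_use() {
    while IFS=: read -r _p_user _p_pw _p_uid p_gid _p_rest; do
        if [ "$p_gid" = "$2" ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# For each leftover group, print the groupdel command, or a "skip" line when
# deleting it would orphan an account's primary group.
plan_cleanup() {
    leftover_groups "$1" | while read -r name gid; do
        if gid_in_use "$2" "$gid"; then
            echo "skip $name (gid $gid still used as a primary group)"
        else
            echo "groupdel $name"
        fi
    done
}

# Usage: sh plan_cleanup.sh /etc/group /etc/passwd
if [ $# -eq 2 ]; then
    plan_cleanup "$1" "$2"
fi
```
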

@alberpilot
Contributor

We conclude that the problem was present in other Wazuh versions and we will re-evaluate how to solve this with an additional package.

@jnasselle
Member

Reopening this issue because the problem still exists even when the wazuh group was removed.
