Bug in ossec.conf Reconstruction During Wazuh RPM Upgrade #2935

juliancnn opened this issue Apr 30, 2024 · 0 comments

juliancnn commented Apr 30, 2024

Wazuh version: at least since 4.1.5
Install type: Manager/Agent
Action performed: Upgrade (via rpm)
Platform: -

Overview

A critical issue has been identified in the RPM upgrade process for both Wazuh Agent and Manager. This bug occurs when the ossec.conf configuration file is deleted before an upgrade or a reinstallation using RPM packages. Instead of regenerating a valid ossec.conf file, the system incorrectly inserts an incomplete and sometimes invalid configuration. This issue prevents the Wazuh Agent and Manager from starting, leading to significant operational disruptions.

Affected Versions

  • First Identified: Version 4.1.5 (minimum reported version)
  • Potentially Affecting: All subsequent versions until identified and patched

Issue Description

During an RPM package upgrade or reinstallation where the ossec.conf file has been manually removed, the newly generated configuration file lacks several critical default settings. Most notably, the file includes an improperly placed logging block which is either misplaced or incorrectly formatted, resulting in configuration syntax errors that prevent startup.

Specific Misconfiguration Example

The auto-generated ossec.conf incorrectly includes the following block outside the proper XML structure, causing syntax errors:

<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
  <log_format>plain</log_format>
</logging>

For the manager installation, while the configuration does not contain the improper logging block and thus remains syntactically valid, it still fails to include necessary localfile definitions, leading to incomplete functionality.

Steps to Reproduce

  1. Initial Setup:
     • Install Wazuh agent or manager via YUM: yum install wazuh-agent
  2. Remove Configuration:
     • Remove the ossec.conf file: rm /var/ossec/etc/ossec.conf
  3. Trigger the Bug:
     • Reinstall the agent or manager, or upgrade to a higher version: yum reinstall wazuh-agent
     • Check the contents of the newly created ossec.conf file and attempt to start the service.

Expected Behavior

After reinstalling or upgrading the Wazuh component, a new, valid ossec.conf should be automatically generated with all necessary default configurations intact, allowing the agent or manager to start and function properly.

Actual Behavior

The agent or manager fails to start due to syntactical errors in the regenerated ossec.conf file. Additionally, necessary default configurations, such as localfile entries, are missing, crippling the functionality.

Impact

  • Operational: Failure to start the agent post-upgrade severely impacts monitoring and security operations.
  • Security: Inability to collect logs or monitor activities compromises the security posture of the environment.

Proposed Steps for Investigation and Fix

  • Review Installation and Upgrade Scripts: Investigate how ossec.conf is generated during the RPM package installation and upgrade processes.
  • Correct Configuration Generation Logic: Ensure that all necessary default configurations are included and correctly formatted in the ossec.conf.
  • Comprehensive Testing: Test the fixed upgrade process across multiple scenarios to ensure no regressions or further issues.
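A sanity check a defender can run on ossec.conf before (re)starting the service, covering both the misplaced <logging> block from the Specific Misconfiguration Example above and the missing localfile entries noted under Actual Behavior. This is an added example, not Wazuh's own configuration parser and not code from this issue; it assumes, as Wazuh does, that a file may contain several top-level <ossec_config> blocks, so the file is wrapped in a synthetic root before parsing rather than rejected for having more than one root element. The two sample files and the MANAGER_IP placeholder are constructed for the demonstration.

```python
"""Sanity check for a Wazuh ossec.conf before restarting the service.

Hypothetical checker written for this issue; it is not Wazuh's own parser.
Wazuh accepts several top-level <ossec_config> blocks in one file, so the text
is wrapped in a synthetic <wrapper> root and every top-level child is then
required to be an <ossec_config> section.
"""
import os
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of the file the issue describes: the <logging> block is
# appended after the closing </ossec_config>, i.e. outside any section.
BROKEN_CONF = """<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
    </server>
  </client>
</ossec_config>

<!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
<logging>
  <log_format>plain</log_format>
</logging>
"""

# Constructed sample of a well-formed file: <logging> sits inside <ossec_config>
# and at least one <localfile> entry is present.
GOOD_CONF = """<ossec_config>
  <client>
    <server>
      <address>MANAGER_IP</address>
    </server>
  </client>
  <logging>
    <log_format>plain</log_format>
  </logging>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.DOTALL)


def check_ossec_conf(text, require_localfile=True):
    """Return a list of problems found; an empty list means the file looks sane."""
    # A leading XML declaration would not be allowed after the synthetic root,
    # so drop it before wrapping.
    body = _XML_DECL.sub("", text, count=1)
    try:
        # Comments are discarded by the default parser, so the comment that
        # precedes the stray <logging> block does not get in the way.
        root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    # Anything at the top level other than <ossec_config> is exactly the
    # defect described in the issue (a block outside the proper structure).
    for child in root:
        if child.tag != "ossec_config":
            problems.append(f"<{child.tag}> found outside <ossec_config>")
    if not root.findall("ossec_config"):
        problems.append("no <ossec_config> section present")
    if require_localfile and not root.findall("ossec_config/localfile"):
        problems.append("no <localfile> entries: log collection would be disabled")
    return problems


def check_file(path):
    """Check an ossec.conf on disk; returns the same problem list."""
    with open(path, encoding="utf-8") as fh:
        return check_ossec_conf(fh.read())


if __name__ == "__main__":
    # Default to the path used in the issue; any path may be given instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/ossec.conf"
    if os.path.exists(target):
        issues = check_file(target)
    else:
        print(f"{target} not found; checking the constructed sample instead")
        issues = check_ossec_conf(BROKEN_CONF)
    for problem in issues:
        print("PROBLEM:", problem)
    sys.exit(1 if issues else 0)
```

Run it after the upgrade and before starting the service; a non-zero exit with "found outside <ossec_config>" is the signature of the regeneration bug described here, and the localfile check catches the manager case, where the file parses but log collection is silently absent.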