Incorrect Exit Statuses

[paulcalabro]

A new installation of the ansible-wazuh-manager role does not, by default, enable the following daemons:

• ossec-maild
• wazuh-clusterd

As a result, service wazuh-manager status returns an exit code of 1, which is customarily reserved for failures.

This behavior is caused by the following code, found in /var/ossec/bin/ossec-control :

DAEMONS="wazuh-modulesd ossec-monitord ossec-logcollector ossec-remoted ossec-syscheckd ossec-analysisd ossec-maild ossec-execd wazuh-db ${DB_DAEMON} ${CSYSLOG_DAEMON} ${AGENTLESS_DAEMON} ${INTEGRATOR_DAEMON} ${AUTH_DAEMON

...

if ! is_rhel_le_5
then
    DAEMONS="wazuh-clusterd $DAEMONS"
fi

...

    for i in ${DAEMONS}; do
        if [ $USE_JSON = true ] && [ $first = false ]; then
            echo -n ','
        else
            first=false
        fi
        pstatus ${i};
        if [ $? = 0 ]; then
            if [ $USE_JSON = true ]; then
                echo -n '{"daemon":"'${i}'","status":"stopped"}'
            else
                echo "${i} not running..."
            fi
            RETVAL=1
        else
            if [ $USE_JSON = true ]; then
                echo -n '{"daemon":"'${i}'","status":"running"}'
            else
                echo "${i} is running..."
            fi
        fi
    done

Given that a user might not want clustering nor email email notifications, having those services not enabled is not necessarily indicative of a failure. Having a return code of 1 causes misreporting of playbook executions.

A better test might be: checking the configuration to see if they are configured to be enabled, but are not able to start successfully.

Or, less ideally IMO, configuring a one node cluster with email support by default.

[paulcalabro]

Some additional debug information:

# bash -x /var/ossec/bin/ossec-control status 2>&1 | egrep -i 'echo.*running|retval' 

+ RETVAL=0
+ echo 'wazuh-clusterd not running...'
+ RETVAL=1
+ echo 'wazuh-modulesd is running...'
+ echo 'ossec-monitord is running...'
+ echo 'ossec-logcollector is running...'
+ echo 'ossec-remoted is running...'
+ echo 'ossec-syscheckd is running...'
+ echo 'ossec-analysisd is running...'
+ echo 'ossec-maild not running...'
+ RETVAL=1
+ echo 'ossec-execd is running...'
+ echo 'wazuh-db is running...'
+ echo 'ossec-authd is running...'

[paulcalabro]

Now that I look at the other Wazuh project, it looks like this should be working based on this code:

https://github.com/wazuh/wazuh/blob/af6c7fcde4c169966d4b81d4c4d845d6f5388e4f/src/init/ossec-server.sh#L305

...digging further.

[paulcalabro]

I think this is actually an error in the other project. I've opened a PR there that should resolve the issue:

wazuh/wazuh#2103

[dj-wasabi]

I encounter this issue while making the Ansible roles idempotent. The molecule test command will fail on this task, but I can disable the idempotence check for now until this is resolved/merged.

[jm404]

Hi @paulcalabro , @dj-wasabi,

I'm moving this issue to wazuh/wazuh as it's related with the binaries and not with Ansible directly.

Best regards,

Jose

[jm404]

Issue moved to wazuh/wazuh #4811 via ZenHub