Test the 4.9.1 Wazuh indexer configuration files upgrade #5753

Open
2 tasks done
rauldpm opened this issue Sep 19, 2024 · 2 comments

Comments

@rauldpm
Member

rauldpm commented Sep 19, 2024

Description

We have been requested to test the 4.9.1 Wazuh indexer upgrade and check how the package handles the upgrade. For this, the /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml file should be monitored: this file should not change, and a new file should be created with the content of the new version.

This should be tested on a CentOS and a Debian system.

Tasks

  • Upgrade the Wazuh indexer in CentOS and check the config.yml file
  • Upgrade the Wazuh indexer in Debian and check the config.yml file
@rauldpm
Member Author

rauldpm commented Sep 19, 2024

Test results

Debian 12

4.8.2 config.yml file checksum

# sha512sum /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml 
dba0e4a53a63709a3f39d8916ef29d400108edde5c0c32b5a62922661742711da9d0efe9c17ea73b26cf446954fda6db712d8634ce2e56c710de63fa85fb6aed  /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml
# dpkg -L wazuh-indexer | grep config.yml
/etc/wazuh-indexer/opensearch-security/config.yml
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml

Upgrade to 4.9.1

root@ubuntu18stack:/home/vagrant# apt install ./wazuh-indexer_4.9.1_amd64.deb 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Note, selecting 'wazuh-indexer' instead of './wazuh-indexer_4.9.1_amd64.deb'
The following packages will be upgraded:
  wazuh-indexer
1 upgraded, 0 newly installed, 0 to remove and 10 not upgraded.
Need to get 0 B/851 MB of archives.
After this operation, 26.8 MB of additional disk space will be used.
Get:1 /home/vagrant/wazuh-indexer_4.9.1_amd64.deb wazuh-indexer amd64 4.9.1-0 [851 MB]
(Reading database ... 220693 files and directories currently installed.)
Preparing to unpack .../wazuh-indexer_4.9.1_amd64.deb ...
Running Wazuh Indexer Pre-Installation Script
Stop existing wazuh-indexer.service
Unpacking wazuh-indexer (4.9.1-0) over (4.8.2-1) ...
Setting up wazuh-indexer (4.9.1-0) ...
Installing new version of config file /etc/default/wazuh-indexer ...

Configuration file '/etc/init.d/wazuh-indexer'
 ==> Deleted (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** wazuh-indexer (Y/I/N/O/D/Z) [default=N] ? N

Configuration file '/etc/wazuh-indexer/jvm.options'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** jvm.options (Y/I/N/O/D/Z) [default=N] ? N
Installing new version of config file /etc/wazuh-indexer/log4j2.properties ...
Installing new version of config file /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ...

Configuration file '/etc/wazuh-indexer/opensearch-security/internal_users.yml'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** internal_users.yml (Y/I/N/O/D/Z) [default=N] ? N
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles.yml ...
Installing new version of config file /etc/wazuh-indexer/opensearch-security/roles_mapping.yml ...
Running Wazuh Indexer Post-Installation Script
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
Processing triggers for systemd (237-3ubuntu10.57) ...
Processing triggers for ureadahead (0.100.0-21) ...

4.9.1 config.yml file checksum

# sha512sum /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml 
dba0e4a53a63709a3f39d8916ef29d400108edde5c0c32b5a62922661742711da9d0efe9c17ea73b26cf446954fda6db712d8634ce2e56c710de63fa85fb6aed  /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml

root@ubuntu18stack:/home/vagrant# ls -l /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
total 100
-rwxr----- 1 wazuh-indexer wazuh-indexer  1388 Sep 19 17:47 audit_config_migrater.sh
-rw-r----- 1 wazuh-indexer wazuh-indexer   636 Sep 19 17:47 config.yml
-rwxr----- 1 wazuh-indexer wazuh-indexer  1392 Sep 19 17:47 hash.sh
-rwxr----- 1 wazuh-indexer wazuh-indexer  1417 Sep 19 17:47 securityadmin.sh
-rw-r----- 1 wazuh-indexer wazuh-indexer  4013 Sep 19 17:47 SECURITY_ADMIN_TESTS.md
-rwxr----- 1 wazuh-indexer wazuh-indexer 36475 Sep 19 17:47 wazuh-certs-tool.sh
-rwxr----- 1 wazuh-indexer wazuh-indexer 44178 Sep 19 17:47 wazuh-passwords-tool.sh

Conclusion

  • Upgrade asks to overwrite configuration files
  • Upgrade does not ask about or refer to the config.yml file
  • The config.yml file does not change and has the same content in 4.8.2 and 4.9.1

CentOS 7

4.8.2 config.yml file checksum

# sha512sum /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml 
dba0e4a53a63709a3f39d8916ef29d400108edde5c0c32b5a62922661742711da9d0efe9c17ea73b26cf446954fda6db712d8634ce2e56c710de63fa85fb6aed  /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml
# repoquery --installed -l wazuh-indexer | grep config.yml
/etc/wazuh-indexer/opensearch-security/config.yml
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml

Upgrade to 4.9.1

[root@centos7 vagrant]# yum upgrade wazuh-indexer-4.9.1.x86_64.rpm 
Loaded plugins: fastestmirror
Examining wazuh-indexer-4.9.1.x86_64.rpm: wazuh-indexer-4.9.1-0.x86_64
Marking wazuh-indexer-4.9.1.x86_64.rpm as an update to wazuh-indexer-4.8.2-1.x86_64
Resolving Dependencies
--> Running transaction check
---> Package wazuh-indexer.x86_64 0:4.8.2-1 will be updated
---> Package wazuh-indexer.x86_64 0:4.9.1-0 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================
 Package                 Arch             Version           Repository                             Size
========================================================================================================
Updating:
 wazuh-indexer           x86_64           4.9.1-0           /wazuh-indexer-4.9.1.x86_64           1.0 G

Transaction Summary
========================================================================================================
Upgrade  1 Package

Total size: 1.0 G
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Stop existing wazuh-indexer.service
  Updating   : wazuh-indexer-4.9.1-0.x86_64                                                         1/2 
warning: /etc/wazuh-indexer/jvm.options created as /etc/wazuh-indexer/jvm.options.rpmnew
warning: /etc/wazuh-indexer/opensearch-security/internal_users.yml created as /etc/wazuh-indexer/opensearch-security/internal_users.yml.rpmnew
### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable wazuh-indexer.service
### You can start wazuh-indexer service by executing
 sudo systemctl start wazuh-indexer.service
  Cleanup    : wazuh-indexer-4.8.2-1.x86_64                                                         2/2 
  Verifying  : wazuh-indexer-4.9.1-0.x86_64                                                         1/2 
  Verifying  : wazuh-indexer-4.8.2-1.x86_64                                                         2/2 

Updated:
  wazuh-indexer.x86_64 0:4.9.1-0                                                                        

Complete!

4.9.1 config.yml file checksum

# sha512sum /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml 
dba0e4a53a63709a3f39d8916ef29d400108edde5c0c32b5a62922661742711da9d0efe9c17ea73b26cf446954fda6db712d8634ce2e56c710de63fa85fb6aed  /usr/share/wazuh-indexer/plugins/opensearch-security/tools/config.yml

# ls -l /usr/share/wazuh-indexer/plugins/opensearch-security/tools/
total 100
-rwxr-----. 1 wazuh-indexer wazuh-indexer  1388 Sep 19 17:55 audit_config_migrater.sh
-rw-r-----. 1 wazuh-indexer wazuh-indexer   636 Sep 19 17:55 config.yml
-rwxr-----. 1 wazuh-indexer wazuh-indexer  1392 Sep 19 17:55 hash.sh
-rwxr-----. 1 wazuh-indexer wazuh-indexer  1417 Sep 19 17:55 securityadmin.sh
-rw-r-----. 1 wazuh-indexer wazuh-indexer  4013 Sep 19 17:55 SECURITY_ADMIN_TESTS.md
-rwxr-----. 1 wazuh-indexer wazuh-indexer 36475 Sep 19 17:55 wazuh-certs-tool.sh
-rwxr-----. 1 wazuh-indexer wazuh-indexer 44178 Sep 19 17:55 wazuh-passwords-tool.sh

Conclusion

  • Upgrade does not ask to overwrite configuration files
  • Upgrade does not ask about or refer to the config.yml file
  • The config.yml file does not change and has the same content in 4.8.2 and 4.9.1

General conclusion

@hossam1522
Member

LGTM!
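
The before/after checksum comparison from the test results above, as an added shell example (not part of the original issue or Wazuh's own tooling): it records SHA-512 baselines before the upgrade, then reports whether each tracked file is unchanged and whether the package manager left a side-by-side copy (.rpmnew, .dpkg-dist or .dpkg-new) next to it. The function names and status labels are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: verify that a package upgrade left tracked config files
# untouched and report any side-by-side copy the package manager created.
# Function names and status labels are hypothetical; the suffixes are the
# standard rpm/dpkg ones. Run record_baseline before apt/yum, and
# check_after_upgrade once the upgrade has finished.

# record_baseline MANIFEST FILE... -> write "sha512  path" lines
record_baseline() {
    local manifest=$1; shift
    sha512sum -- "$@" > "$manifest"
}

# new_version_copy FILE -> print the first side-by-side copy found, if any
new_version_copy() {
    local suffix
    for suffix in rpmnew dpkg-dist dpkg-new; do
        if [ -e "$1.$suffix" ]; then
            printf '%s\n' "$1.$suffix"
            return 0
        fi
    done
    return 1
}

# check_after_upgrade MANIFEST -> one "status<TAB>path[<TAB>copy]" line per
# file; returns non-zero if any tracked file changed or disappeared.
check_after_upgrade() {
    local manifest=$1 want path got copy rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            printf 'missing\t%s\n' "$path"; rc=1; continue
        fi
        got=$(sha512sum -- "$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            printf 'changed\t%s\n' "$path"; rc=1
        elif copy=$(new_version_copy "$path"); then
            printf 'kept+new\t%s\t%s\n' "$path" "$copy"
        else
            printf 'unchanged\t%s\n' "$path"
        fi
    done < "$manifest"
    return $rc
}
```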

Projects
Status: Pending final review