Remove Login item configuration from the macOS agent #2212

Open
5 tasks
rauldpm opened this issue May 22, 2023 · 2 comments
rauldpm commented May 22, 2023

Description

It is necessary to remove the Login item from macOS and replace it with system service management, since it is not desired for the agent to start with the system but instead to be managed by a system service such as LaunchServices or launchd.

Related: https://developer.apple.com/documentation/servicemanagement/updating_your_app_package_installer_to_use_the_new_service_management_api?language=objc

Tasks

  • Remove macOS Login item configuration
  • Add what is necessary for the agent to start through a system service, as it is done in other systems

Validation

  • The agent is started by service and not as Login item
  • The agent does not appear in the Login item list (interface)
  • The agent is built, installed, and working properly
@wazuhci wazuhci moved this to Triage in Release 4.4.3 May 23, 2023
@wazuhci wazuhci moved this from Triage to Backlog in Release 4.4.3 May 23, 2023
@wazuhci wazuhci moved this to Backlog in Release 4.4.4 May 23, 2023
@verdx verdx self-assigned this May 24, 2023
@wazuhci wazuhci moved this from Backlog to In progress in Release 4.4.4 May 24, 2023

verdx commented May 24, 2023

Update: Test leaving only the LaunchDaemon

Based on this article (https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html#//apple_ref/doc/uid/10000172i-SW7-BCIEDDBJ), a test has been done to remove the Wazuh Login Item, trying to only leave the LaunchDaemon, to use launchctl as a system service.

The LaunchDaemon calls a different script to start the application, and the one in /Library/StartupItems/WAZUH was being used, so to remove the StartupItem, the launcher script should be moved elsewhere, for example, /Library/Ossec.

First solution: failed

To avoid having to create a different branch in https://github.com/wazuh/wazuh, the darwin-init.sh script run in postinstall.sh has been removed, and the changes have been done in preinstall.sh. A package has been created and the installation tested, but it fails with an unknown error:

Installation error
sh-3.2# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.4.2-2212.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “wazuh-agent-4.4.2-2212.pkg”.)
sh-3.2# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.4.2-2212.pkg -target / -verbose 
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: Preparing for installation….....
installer: Preparing the disk….....
installer: Preparing Wazuh Agent….....
installer: Waiting for other installations to complete….....
installer: Configuring the installation….....
installer: 	
#
installer: Writing files….....
#
installer: Writing files….....
installer: Writing files….....
installer: Writing files….....
installer: Writing files….....
installer: Validating packages….....
#
installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “wazuh-agent-4.4.2-2212.pkg”.)
sh-3.2# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.4.2-2212.pkg -target / -verboseR 
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer:PHASE:Preparing for installation…
installer:PHASE:Preparing the disk…
installer:PHASE:Preparing Wazuh Agent…
installer:PHASE:Waiting for other installations to complete…
installer:PHASE:Configuring the installation…
installer:STATUS:
installer:%8.844464
installer:PHASE:Writing files…
installer:%12.699488
installer:PHASE:Writing files…
installer:PHASE:Writing files…
installer:PHASE:Writing files…
installer:%36.084737
installer:PHASE:Running package scripts…
installer:PHASE:Validating packages…
installer:%97.750000
installer: The install failed. (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance. An error occurred while running scripts from the package “wazuh-agent-4.4.2-2212.pkg”.)

Second solution: Change darwin-init.sh

A new test will be done, now changing only darwin-init.sh, even if it is temporary for the testing, as it is much simpler, only a script run after installing, instead of having to worry about the package creation. The package creation has finished correctly.

Test on macOS Ventura

🟢 Correct installation
sh-3.2# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.4.2-2212-darwin-init.pkg -target / -verboseR 
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer:PHASE:Preparing for installation…
installer:PHASE:Preparing the disk…
installer:PHASE:Preparing Wazuh Agent…
installer:PHASE:Waiting for other installations to complete…
installer:PHASE:Configuring the installation…
installer:STATUS:
installer:%8.844093
installer:PHASE:Writing files…
installer:%12.699133
installer:PHASE:Writing files…
installer:PHASE:Writing files…
installer:PHASE:Writing files…
installer:%86.049994
installer:PHASE:Running package scripts…
installer:%87.973933
installer:PHASE:Running package scripts…
installer:PHASE:Validating packages…
installer:%97.750000
installer:STATUS:Running installer actions…
installer:STATUS:
installer:PHASE:Finishing the Installation…
installer:STATUS:
installer:%100.000000
installer:PHASE:The software was successfully installed.
installer: The install was successful.
🟢 Checking all service files have been installed correctly
sh-3.2# ls /Library/StartupItems/
sh-3.2# ls /Library/LaunchDaemons/
com.amazon.aws.ssm.plist				com.amazon.ec2.macos-init.plist				com.wazuh.agent.plist
com.amazon.ec2.ena-ethernet.plist			com.amazon.ec2.monitoring.agents.cpuutilization.plist
sh-3.2# cat /Library/LaunchDaemons/com.wazuh.agent.plist 
<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
     <dict>
         <key>Label</key>
         <string>com.wazuh.agent</string>
         <key>ProgramArguments</key>
         <array>
             <string>/Library/Ossec/Wazuh-service-launcher.sh</string>
         </array>
         <key>RunAtLoad</key>
         <true/>
     </dict>
 </plist>
sh-3.2# cat /Library/Ossec/Wazuh-service-launcher.sh 
#!/bin/sh

capture_sigterm() {
    /Library/Ossec/bin/wazuh-control stop
    exit $?
}

if ! /Library/Ossec/bin/wazuh-control start; then
    /Library/Ossec/bin/wazuh-control stop
fi

while : ; do
    trap capture_sigterm SIGTERM
    sleep 3
done
🟢 wazuh-control starts and stops correctly
sh-3.2# /Library/Ossec/bin/wazuh-control start
Starting Wazuh v4.4.2...
wazuh-execd already running...
wazuh-agentd already running...
wazuh-syscheckd already running...
wazuh-logcollector already running...
wazuh-modulesd already running...
Completed.
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.4.2 Stopped
🟡 The Login Item still appears on Settings->General->Login Items

🟢 After a restart the service is started
ec2-user@ip-172-31-42-52 ~ % sudo su
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
sh-3.2# 

Test on macOS Big Sur

🟢 Install Wazuh agent 4.4.1
sh-3.2# curl -O https://packages.wazuh.com/4.x/macos/wazuh-agent-4.4.1-1.pkg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 5501k  100 5501k    0     0  15.6M      0 --:--:-- --:--:-- --:--:-- 15.6M
sh-3.2# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.4.1-1.pkg -target /
installer: Package name is Wazuh Agent
installer: Installing at base path /
installer: The install was successful.
sh-3.2# ls /Library/StartupItems/
WAZUH
sh-3.2# ls /Library/LaunchDaemons/
com.amazon.aws.ssm.plist				com.amazon.ec2.macos-init.plist				com.wazuh.agent.plist
com.amazon.ec2.ena-ethernet.plist			com.amazon.ec2.monitoring.agents.cpuutilization.plist
🟢 Restart the machine to check if service starts
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd not running...
sh-3.2# shutdown -r now
Shutdown NOW!
                                                                               
*** FINAL System shutdown message from [email protected] *
**                                                                            
System going down IMMEDIATELY                                                  
                                                                               
                                                                               

System shutdown time has arrived
Last login: Wed May 24 12:35:47 2023 from 79.148.180.51

    ┌───┬──┐   __|  __|_  )
    │ ╷╭╯╷ │   _|  (     /
    │  └╮  │  ___|\___|___|
    │ ╰─┼╯ │  Amazon EC2
    └───┴──┘  macOS Big Sur 11.7.4

ec2-user@ip-172-31-35-49 ~ % sudo su 
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
🟢 Upgrade to 4.4.2 with custom package

The restart is done correctly and the changed files are correctly updated but the Startup Items are not removed. The service doesn't stop with the update.

sh-3.2# launchctl setenv WAZUH_MANAGER "10.0.0.2" && installer -pkg wazuh-agent-4.4.2-2212-darwin-init.pkg -target /
installer: Package name is Wazuh Agent
installer: Upgrading at base path /
installer: The upgrade was successful.
🟡 Check service files and service status
sh-3.2# ls /Library/StartupItems/
WAZUH
sh-3.2# cat /Library/LaunchDaemons/com.wazuh.agent.plist 
<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
     <dict>
         <key>Label</key>
         <string>com.wazuh.agent</string>
         <key>ProgramArguments</key>
         <array>
             <string>/Library/Ossec/Wazuh-service-launcher.sh</string>
         </array>
         <key>RunAtLoad</key>
         <true/>
     </dict>
 </plist>
sh-3.2# cat /Library/Ossec/Wazuh-service-launcher.sh 
#!/bin/sh

capture_sigterm() {
    /Library/Ossec/bin/wazuh-control stop
    exit $?
}

if ! /Library/Ossec/bin/wazuh-control start; then
    /Library/Ossec/bin/wazuh-control stop
fi

while : ; do
    trap capture_sigterm SIGTERM
    sleep 3
done

sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
🟢 Stop the service and restart the system to check if it is started correctly
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.4.2 Stopped
sh-3.2# shutdown -r now
Shutdown NOW!
                                                                               
*** FINAL System shutdown message from [email protected] *
**                                                                            
System going down IMMEDIATELY                                                  
                                                                               
                                                                               

System shutdown time has arrived
Last login: Wed May 24 12:40:50 2023 from 79.148.180.51

    ┌───┬──┐   __|  __|_  )
    │ ╷╭╯╷ │   _|  (     /
    │  └╮  │  ___|\___|___|
    │ ╰─┼╯ │  Amazon EC2
    └───┴──┘  macOS Big Sur 11.7.4

ec2-user@ip-172-31-35-49 ~ % sudo su
sh-3.2# /Library/Ossec/bin/wazuh-control status
wazuh-modulesd is running...
wazuh-logcollector is running...
wazuh-syscheckd is running...
wazuh-agentd is running...
wazuh-execd is running...
sh-3.2# 
🟢 Uninstall the Wazuh agent
sh-3.2# /Library/Ossec/bin/wazuh-control stop
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
/bin/rm -r /Library/OssecKilling wazuh-execd... 
Wazuh v4.4.2 Stopped
sh-3.2# /bin/rm -r /Library/Ossec
sh-3.2# /bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
sh-3.2# /bin/rm -rf /Library/StartupItems/WAZUH
sh-3.2# /usr/bin/dscl . -delete "/Users/wazuh"
sh-3.2# /usr/bin/dscl . -delete "/Groups/wazuh"
sh-3.2# /usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
Forgot package 'com.wazuh.pkg.wazuh-agent' on '/'.
sh-3.2# 

Summary

Login Item in Settings->General->Login Items cannot be removed

After more investigation and even as it is said in the article from which this issue was created, https://developer.apple.com/documentation/servicemanagement/updating_your_app_package_installer_to_use_the_new_service_management_api#4116272, on macOS Ventura every service appears as a Login Item in Settings->General->Login Items. There are various ways of creating a service that starts with the system.

Current service administration

  • Service launcher is /Library/StartupItems/WAZUH/launcher.sh
  • Launch Daemon defined at /Library/LaunchDaemons/com.wazuh.agent.plist points to the service launcher
  • Startup Item defined at /Library/StartupItems/WAZUH/WAZUH also points to the service manager

More testing would be needed, but the fact that both services are defined probably comes from a deprecation between macOS versions.

Options for change

First of all, the Launch Daemon seems a more appropriate service manager for Wazuh, more similar to the services used in other systems; the Startup Items are not part of the booting process and are not called by launchd.

  • It has been tested in macOS Ventura that moving the service launcher to /Library/Ossec and removing the Startup Item works as we want, although the Login Item in the Settings keeps appearing. It does not change the behaviour, at least perceptively, but it could be a good change. All other supported macOS versions should also be tested.
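
A check for the target layout tested above (launcher under /Library/Ossec, LaunchDaemon plist pointing to it, no Startup Item left behind), as an added example that is not part of this thread or of the Wazuh code base. The function names `audit_wazuh_service` and `make_sample_tree` are hypothetical, the directory tree is constructed for the demonstration, and the writable-launcher check is an extra hardening check that the thread does not discuss.

```python
import os
import plistlib
import stat
import tempfile
from xml.parsers.expat import ExpatError

LABEL = "com.wazuh.agent"  # Label value from the plist shown in the thread

def audit_wazuh_service(root="/"):
    """Return findings against the launchd-only layout tested in the thread."""
    findings = []
    lib = os.path.join(root, "Library")
    if os.path.exists(os.path.join(lib, "StartupItems", "WAZUH")):
        findings.append("legacy StartupItem present")
    try:
        with open(os.path.join(lib, "LaunchDaemons", LABEL + ".plist"), "rb") as fh:
            job = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return findings + ["LaunchDaemon plist missing or unparsable"]
    args = job.get("ProgramArguments") if isinstance(job, dict) else None
    if not args or job.get("Label") != LABEL or job.get("RunAtLoad") is not True:
        return findings + ["plist lacks expected Label/RunAtLoad/ProgramArguments"]
    launcher = str(args[0])
    if launcher.startswith("/Library/StartupItems/"):
        findings.append("launcher still under StartupItems")
    # Added hardening check (not from the thread): a LaunchDaemon runs as root,
    # so a group- or world-writable launcher lets other accounts alter it.
    try:
        mode = os.stat(os.path.join(root, launcher.lstrip("/"))).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("launcher is group/world-writable")
    except OSError:
        findings.append("launcher missing")
    return findings

def make_sample_tree(launcher, startup_item=False, mode=0o750):
    """Constructed fixture: a fake '/' holding the plist and an empty launcher."""
    root = tempfile.mkdtemp()
    daemons = os.path.join(root, "Library", "LaunchDaemons")
    os.makedirs(daemons)
    if startup_item:
        os.makedirs(os.path.join(root, "Library", "StartupItems", "WAZUH"))
    path = os.path.join(root, launcher.lstrip("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()
    os.chmod(path, mode)
    job = {"Label": LABEL, "ProgramArguments": [launcher], "RunAtLoad": True}
    with open(os.path.join(daemons, LABEL + ".plist"), "wb") as fh:
        plistlib.dump(job, fh)
    return root
```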

@wazuhci wazuhci moved this from In progress to Pending review in Release 4.4.4 May 24, 2023
@havidarou havidarou assigned DFolchA and unassigned verdx Jun 1, 2023
@havidarou havidarou removed this from Release 4.4.4 Jun 1, 2023
@lchico lchico assigned lchico and unassigned DFolchA and lchico Jan 16, 2024
@lchico lchico self-assigned this Feb 16, 2024

lchico commented Feb 16, 2024

Update

Just started working on this, conducting some research.

Update 02-19-2024

Move to block; this will be addressed in issue 21755
