Warning OpenSearchSecurityPlugin wazuh-indexer has insecure file permissions (should be 0600) #1017

Closed
pro-akim opened this issue Sep 26, 2023 · 7 comments · Fixed by #1024
Labels: level/task (Subtask issue), qa_known (Issues that are already known by the QA team), type/bug

pro-akim commented Sep 26, 2023

Description

While installing Wazuh single-node deployed via Docker in wazuh/wazuh#19101, the following warning format has been found in the indexer logs:

[2023-09-22T10:10:20,136][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/plugins/opensearch-security/ldaptive-1.2.3.jar has insecure file permissions (should be 0600)
[2023-09-22T10:10:20,137][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/plugins/opensearch-security/commons-cli-1.3.1.jar has insecure file permissions (should be 0600)
[2023-09-22T10:10:20,137][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/plugins/opensearch-security/opensaml-saml-api-3.4.5.jar has insecure file permissions (should be 0600)

Doing some research
This warning message has been seen in old issues like

This issue is opened to request further research about the "has insecure file permissions" warning message.

@c-bordon

Update report

These errors can be found in wazuh-docker 4.5.2

[root@centos7-1 single-node]# docker exec -it single-node-wazuh.indexer-1 cat /var/log/wazuh-indexer/opensearch.log | grep -i -E "error|warn"
[2023-09-27T18:33:04,584][INFO ][o.o.n.Node               ] [wazuh.indexer] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-223211738286985938, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Xms512m, -Xmx512m, -XX:MaxDirectMemorySize=268435456, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/usr/share/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2023-09-27T18:33:05,347][WARN ][stderr                   ] [wazuh.indexer] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
[2023-09-27T18:33:05,348][WARN ][stderr                   ] [wazuh.indexer] SLF4J: Defaulting to no-operation (NOP) logger implementation
[2023-09-27T18:33:05,348][WARN ][stderr                   ] [wazuh.indexer] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[2023-09-27T18:33:06,111][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/.cache has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,112][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/.cache/JNA has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,112][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/.cache/JNA/temp has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,113][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/logs has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,113][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/opensearch.yml has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,113][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/LICENSE.txt has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,114][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/NOTICE.txt has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,114][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/VERSION has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,115][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/bin has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,115][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,115][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-cli has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,116][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-env has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,116][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-env-from-file has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,116][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-keystore has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,117][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-node has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,117][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/bin/opensearch-performance-analyzer has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,118][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,118][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,118][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-plugin has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,119][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-shard has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,119][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-upgrade has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,120][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/systemd-entrypoint has insecure file permissions (should be 0600)

@wazuhci wazuhci moved this to In progress in Release 4.6.0 Sep 27, 2023
@wazuhci wazuhci removed this from Release 4.5.3 Sep 27, 2023
@havidarou havidarou added the qa_known Issues that are already known by the QA team label Sep 28, 2023
@c-bordon

Update report

I found a difference between the file permissions of the Wazuh indexer base and the docker container:

docker:

[root@centos7-1 ~]# docker exec -it single-node-wazuh.indexer-1 ls -la /usr/share/wazuh-indexer/bin
total 48
drwxr-xr-x. 1 wazuh-indexer wazuh-indexer 4096 Sep  4 11:26 .
drwx------. 1 wazuh-indexer wazuh-indexer   60 Sep 27 18:33 ..
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer 3030 Feb 23  2023 opensearch
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer 1090 Feb 23  2023 opensearch-cli
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer 5299 Sep  4 11:26 opensearch-env
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer 1838 Feb 23  2023 opensearch-env-from-file
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer  222 Feb 23  2023 opensearch-keystore
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer  155 Feb 23  2023 opensearch-node
drwxr-xr-x. 1 wazuh-indexer wazuh-indexer   78 Feb 24  2023 opensearch-performance-analyzer
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer  210 Feb 23  2023 opensearch-plugin
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer  148 Feb 23  2023 opensearch-shard
-rwxr-xr-x. 1 wazuh-indexer wazuh-indexer  211 Feb 23  2023 opensearch-upgrade
-rw-r--r--. 1 wazuh-indexer wazuh-indexer  583 Sep  4 11:26 systemd-entrypoint

base:

cbordon@cbordon-MS-7C88:~/Downloads$ ls -la wazuh-indexer-base/bin
total 56
drwxr-x---  3 cbordon cbordon 4096 sep 28 08:45 .
drwxr-x--- 10 cbordon cbordon 4096 sep 28 08:45 ..
-rwxr-x---  1 cbordon cbordon 3030 jun  2 15:00 opensearch
-rwxr-x---  1 cbordon cbordon 1090 jun  2 15:00 opensearch-cli
-rwxr-x---  1 cbordon cbordon 5359 sep 22 18:20 opensearch-env
-rwxr-x---  1 cbordon cbordon 1838 jun  2 15:00 opensearch-env-from-file
-rwxr-x---  1 cbordon cbordon  222 jun  2 15:00 opensearch-keystore
-rwxr-x---  1 cbordon cbordon  155 jun  2 15:00 opensearch-node
drwxr-x---  2 cbordon cbordon 4096 sep 28 08:45 opensearch-performance-analyzer
-rwxr-x---  1 cbordon cbordon  210 jun  2 15:00 opensearch-plugin
-rwxr-x---  1 cbordon cbordon  148 jun  2 15:00 opensearch-shard
-rwxr-x---  1 cbordon cbordon  211 jun  2 15:00 opensearch-upgrade
-rw-r-----  1 cbordon cbordon  583 sep 22 18:20 systemd-entrypoint

@c-bordon

Update report

I was able to find this type of warning in the package installation by removing the --quiet from the execution command of the wazuh-indexer service. I am putting together a package without this option to validate if the warning depends on this.

[root@centos72 ~]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2023-09-28T14:00:43,951][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-8904316335491359020, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2023-09-28T14:00:45,321][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] Directory /etc/wazuh-indexer/certs has insecure file permissions (should be 0700)
[2023-09-28T14:00:45,323][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer-key.pem has insecure file permissions (should be 0600)
[2023-09-28T14:00:45,323][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer.pem has insecure file permissions (should be 0600)
[2023-09-28T14:00:45,323][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/admin-key.pem has insecure file permissions (should be 0600)
[2023-09-28T14:00:45,324][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/admin.pem has insecure file permissions (should be 0600)
[2023-09-28T14:00:45,324][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/root-ca.pem has insecure file permissions (should be 0600)
[2023-09-28T14:00:48,324][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2023-09-28T14:00:48,347][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2023-09-28T14:00:48,347][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2023-09-28T14:00:49,772][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2023-09-28T14:00:50,594][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2023-09-28T14:00:51,613][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,613][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,613][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,613][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,613][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,614][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,614][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,614][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,614][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T14:00:51,614][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T18:27:20,300][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-14116258971567549839, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2023-09-28T18:27:21,648][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] Directory /etc/wazuh-indexer/certs has insecure file permissions (should be 0700)
[2023-09-28T18:27:21,649][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer-key.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:21,649][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:21,649][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/admin-key.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:21,649][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/admin.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:21,650][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/root-ca.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:24,977][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2023-09-28T18:27:25,002][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2023-09-28T18:27:25,003][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2023-09-28T18:27:26,630][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2023-09-28T18:27:27,678][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2023-09-28T18:27:27,806][WARN ][o.o.o.i.ObservabilityIndex] [node-1] message: index [.opensearch-observability/c-7Pl3EOSl2rYmgfch8_UQ] already exists
[2023-09-28T18:27:28,217][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[2023-09-28T18:27:28,230][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[2023-09-28T18:27:28,233][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)
[2023-09-28T18:27:28,235][ERROR][o.o.s.a.BackendRegistry  ] [node-1] Not yet initialized (you may need to run securityadmin)

@c-bordon

Update report

With the custom package the result was the same: the certificate files are the ones that show the warning, while the rest of the files have the same permissions as in the case of Docker and do not appear.

[root@centos72 ~]# cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -i -E "error|warn"
[2023-09-28T19:27:08,849][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-3319218916942495824, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -XX:MaxDirectMemorySize=536870912, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2023-09-28T19:27:10,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] Directory /etc/wazuh-indexer/certs has insecure file permissions (should be 0700)
[2023-09-28T19:27:10,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer-key.pem has insecure file permissions (should be 0600)
[2023-09-28T19:27:10,225][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer.pem has insecure file permissions (should be 0600)
[2023-09-28T19:27:10,226][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/admin-key.pem has insecure file permissions (should be 0600)
[2023-09-28T19:27:10,226][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/admin.pem has insecure file permissions (should be 0600)
[2023-09-28T19:27:10,226][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/root-ca.pem has insecure file permissions (should be 0600)
[2023-09-28T19:27:13,462][WARN ][o.o.s.c.Salt             ] [node-1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2023-09-28T19:27:13,487][ERROR][o.o.s.a.s.SinkProvider   ] [node-1] Default endpoint could not be created, auditlog will not work properly.
[2023-09-28T19:27:13,488][WARN ][o.o.s.a.r.AuditMessageRouter] [node-1] No default storage available, audit log may not work properly. Please check configuration.
[2023-09-28T19:27:14,988][WARN ][o.o.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2023-09-28T19:27:15,830][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [node-1] Config override setting update called with empty string. Ignoring.
[2023-09-28T19:27:16,851][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,851][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,851][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,851][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,852][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
[2023-09-28T19:27:16,853][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [node-1] Failure no such index [.opendistro_security] retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, ALLOWLIST, AUDIT] (index=.opendistro_security)
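
Added example (not part of the thread, and not Wazuh or OpenSearch code): a triage script for the warnings quoted above. It reads the `-Dopensearch.path.conf` value from the JVM arguments line, checks whether each warned path sits under that directory, and uses the file's current mode to separate executables, where the suggested 0600 would drop the execute bit, from paths that only carry extra group/other bits. The sample logs are abridged from the lines in this thread, the modes come from the `ls -la` listing above, and the names `parse_log`, `triage` and `report` are hypothetical.

```python
import re
import stat
from collections import namedtuple
from pathlib import PurePosixPath

# Constructed samples: abridged from the logs quoted in this thread (JVM
# argument lists cut down to the flags that matter here).
DOCKER_LOG = """\
[2023-09-27T18:33:04,584][INFO ][o.o.n.Node               ] [wazuh.indexer] JVM arguments [-Xshare:auto, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/usr/share/wazuh-indexer, -Dopensearch.distribution.type=rpm]
[2023-09-27T18:33:05,347][WARN ][stderr                   ] [wazuh.indexer] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
[2023-09-27T18:33:06,115][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/bin has insecure file permissions (should be 0700)
[2023-09-27T18:33:06,115][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch has insecure file permissions (should be 0600)
[2023-09-27T18:33:06,120][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/systemd-entrypoint has insecure file permissions (should be 0600)
"""

# Two node starts, as in the package log: the same warnings repeat.
PACKAGE_LOG = """\
[2023-09-28T14:00:43,951][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm]
[2023-09-28T14:00:45,321][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] Directory /etc/wazuh-indexer/certs has insecure file permissions (should be 0700)
[2023-09-28T14:00:45,323][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer-key.pem has insecure file permissions (should be 0600)
[2023-09-28T14:00:45,324][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/root-ca.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:20,300][INFO ][o.o.n.Node               ] [node-1] JVM arguments [-Xshare:auto, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/etc/wazuh-indexer, -Dopensearch.distribution.type=rpm]
[2023-09-28T18:27:21,648][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] Directory /etc/wazuh-indexer/certs has insecure file permissions (should be 0700)
[2023-09-28T18:27:21,649][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/indexer-key.pem has insecure file permissions (should be 0600)
[2023-09-28T18:27:21,650][WARN ][o.o.s.OpenSearchSecurityPlugin] [node-1] File /etc/wazuh-indexer/certs/root-ca.pem has insecure file permissions (should be 0600)
"""

# Modes taken from the `ls -la` listing of the Docker container's bin directory.
DOCKER_MODES = {
    "/usr/share/wazuh-indexer/bin": 0o755,
    "/usr/share/wazuh-indexer/bin/opensearch": 0o755,
    "/usr/share/wazuh-indexer/bin/systemd-entrypoint": 0o644,
}

WARN_RE = re.compile(
    r"\[WARN \]\[o\.o\.s\.OpenSearchSecurityPlugin\] \[[^\]]+\] "
    r"(File|Directory) (\S.*?) has insecure file permissions "
    r"\(should be (0[0-7]{3})\)"
)
CONF_RE = re.compile(r"-Dopensearch\.path\.conf=([^,\]\s]+)")

Finding = namedtuple("Finding", "kind path expected under_conf")


def parse_log(text):
    """Return (path.conf directory, de-duplicated plugin permission warnings)."""
    conf_dir, seen = None, {}
    for line in text.splitlines():
        conf = CONF_RE.search(line)
        if conf:
            # JVM arguments line: remember the config directory for this start.
            conf_dir = PurePosixPath(conf.group(1))
            continue
        warn = WARN_RE.search(line)
        if not warn:
            continue
        path = PurePosixPath(warn.group(2))
        under = conf_dir is not None and (
            path == conf_dir or conf_dir in path.parents
        )
        # Keyed by path, so warnings repeated on each restart collapse to one.
        seen[path] = Finding(warn.group(1), path, int(warn.group(3), 8), under)
    return conf_dir, list(seen.values())


def triage(finding, mode):
    """Classify one warning from the path's current permission bits."""
    if mode is None:
        return "unknown"
    if finding.kind == "File" and mode & stat.S_IXUSR:
        # The suggested 0600 has no execute bit: applied verbatim, a launcher
        # script stops being executable.
        return "executable"
    excess = mode & ~finding.expected & 0o777
    if excess & (stat.S_IRWXG | stat.S_IRWXO):
        # Only group/other bits exceed the suggested mode.
        return "tighten"
    return "ok"


def report(text, modes):
    """Rows of (path, is under path.conf, category) for every warned path."""
    _, findings = parse_log(text)
    return [
        (str(f.path), f.under_conf, triage(f, modes.get(str(f.path))))
        for f in findings
    ]


if __name__ == "__main__":
    for name, log, modes in (("docker", DOCKER_LOG, DOCKER_MODES),
                             ("package", PACKAGE_LOG, {})):
        conf_dir, _ = parse_log(log)
        print(f"{name}: path.conf={conf_dir}")
        for path, under, category in report(log, modes):
            print(f"  {category:<10} under_conf={under} {path}")
```

On a live node, the `modes` mapping can be built with `stat.S_IMODE(os.lstat(path).st_mode)` for each warned path.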


c-bordon commented Oct 2, 2023

Update report

I checked what was happening with the OpenSearch docker package, and although it has even more permissions than our files, the warnings do not appear:

OpenSearch
[opensearch@854b360a117f ~]$ ls -la bin/
total 40
drwxr-xr-x. 3 opensearch opensearch  264 Jun  3 06:58 .
drwx------. 1 opensearch opensearch   71 Oct  2 15:46 ..
-rwxr-xr-x. 1 opensearch opensearch 3030 Jun  2 18:00 opensearch
-rwxr-xr-x. 1 opensearch opensearch 1090 Jun  2 18:00 opensearch-cli
-rwxr-xr-x. 1 opensearch opensearch 5366 Jun  2 18:00 opensearch-env
-rwxr-xr-x. 1 opensearch opensearch 1838 Jun  2 18:00 opensearch-env-from-file
-rwxr-xr-x. 1 opensearch opensearch  222 Jun  2 18:00 opensearch-keystore
-rwxr-xr-x. 1 opensearch opensearch  155 Jun  2 18:00 opensearch-node
drwxr-xr-x. 2 opensearch opensearch   78 Jun  3 06:58 opensearch-performance-analyzer
-rwxr-xr-x. 1 opensearch opensearch  210 Jun  2 18:00 opensearch-plugin
-rwxr-xr-x. 1 opensearch opensearch  148 Jun  2 18:00 opensearch-shard
-rwxr-xr-x. 1 opensearch opensearch  211 Jun  2 18:00 opensearch-upgrade
[root@centos72 ~]# docker logs opensearch-node1  | grep -i -E "error|warn"
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.8.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/opensearch/lib/opensearch-2.8.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
WARNING: System::setSecurityManager will be removed in a future release
 ** Warning: Do not use on production or public reachable systems **
### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
[2023-10-02T15:58:58,724][INFO ][o.o.n.Node               ] [opensearch-node1] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-12928892774388390308, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/config/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dopensearch.cgroups.hierarchy.override=/, -Xms512m, -Xmx512m, -XX:MaxDirectMemorySize=268435456, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2023-10-02T15:59:01,234][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-node1] Directory /usr/share/opensearch/config has insecure file permissions (should be 0700)
[2023-10-02T15:59:06,950][WARN ][o.o.s.c.Salt             ] [opensearch-node1] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2023-10-02T15:59:09,081][WARN ][o.o.g.DanglingIndicesState] [opensearch-node1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2023-10-02T15:59:10,919][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [opensearch-node1] Config override setting update called with empty string. Ignoring.
[2023-10-02T15:59:12,195][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-node1] Not yet initialized (you may need to run securityadmin)
[2023-10-02T15:59:12,212][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-node1] Not yet initialized (you may need to run securityadmin)
[2023-10-02T15:59:13,601][WARN ][o.o.s.a.r.AuditMessageRouter] [opensearch-node1] No endpoint configured for categories [BAD_HEADERS, FAILED_LOGIN, MISSING_PRIVILEGES, GRANTED_PRIVILEGES, OPENDISTRO_SECURITY_INDEX_ATTEMPT, SSL_EXCEPTION, AUTHENTICATED, INDEX_EVENT, COMPLIANCE_DOC_READ, COMPLIANCE_DOC_WRITE, COMPLIANCE_EXTERNAL_CONFIG, COMPLIANCE_INTERNAL_CONFIG_READ, COMPLIANCE_INTERNAL_CONFIG_WRITE], using default endpoint

I have done some tests changing the permissions as indicated by the Warning and this generates a bigger problem, since the binaries do not have the necessary permissions and therefore cannot be executed:

Binaries with 0600
[root@centos7-1 single-node]# docker logs single-node-wazuh.indexer-1
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
could not find java in JAVA_HOME at /usr/share/wazuh-indexer/jdk/bin/java
[root@centos7-1 single-node]# docker logs single-node-wazuh.indexer-1
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied
/entrypoint.sh: line 25: /usr/share/wazuh-indexer/bin/opensearch: Permission denied

For the most part, the warnings do not make sense, because they ask you to change the binary permissions to 600, and if we do this, these binaries stop working. This does not happen in the package installation, since all the files have the same permissions. Here is the complete list of warnings:

all warnings
[root@centos7-1 single-node]# docker logs single-node-wazuh.indexer-1  | grep -i -E "error|warn"
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
WARNING: System::setSecurityManager will be removed in a future release
WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.8.0.jar)
WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
WARNING: System::setSecurityManager will be removed in a future release
[2023-10-02T18:28:47,099][INFO ][o.o.n.Node               ] [wazuh.indexer] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-12842106626904119362, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/wazuh-indexer, -XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=file:///usr/share/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Xms512m, -Xmx512m, -XX:MaxDirectMemorySize=268435456, -Dopensearch.path.home=/usr/share/wazuh-indexer, -Dopensearch.path.conf=/usr/share/wazuh-indexer, -Dopensearch.distribution.type=rpm, -Dopensearch.bundled_jdk=true]
[2023-10-02T18:28:48,788][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/.cache has insecure file permissions (should be 0700)
[2023-10-02T18:28:48,789][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/.cache/JNA has insecure file permissions (should be 0700)
[2023-10-02T18:28:48,789][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/.cache/JNA/temp has insecure file permissions (should be 0700)
[2023-10-02T18:28:48,789][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/extensions has insecure file permissions (should be 0700)
[2023-10-02T18:28:48,790][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] Directory /usr/share/wazuh-indexer/logs has insecure file permissions (should be 0700)
[2023-10-02T18:28:48,790][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/opensearch.yml has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,790][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,791][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-cli has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,791][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-env has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,791][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-env-from-file has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,792][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-keystore has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,792][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-node has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,792][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,793][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,793][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-plugin has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,794][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-shard has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,794][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/bin/opensearch-upgrade has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,794][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jar has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,795][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jarsigner has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,795][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/java has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,795][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/javac has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,796][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/javadoc has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,796][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/javap has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,797][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jcmd has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,797][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jconsole has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,797][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jdb has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,798][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jdeprscan has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,798][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jdeps has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,798][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jfr has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,799][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jhsdb has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,799][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jimage has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,799][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jinfo has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,799][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jlink has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,800][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jmap has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,800][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jmod has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,800][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jpackage has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,801][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jps has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,801][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jrunscript has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,801][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jshell has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,802][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jstack has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,802][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jstat has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,802][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/jstatd has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,803][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/keytool has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,803][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/rmiregistry has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,803][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/bin/serialver has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,804][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/jdk/lib/jspawnhelper has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,804][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/opensearch-security/internal_users.yml has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,804][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/performance-analyzer-rca/bin/performance-analyzer-agent has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,805][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/performance-analyzer-rca/bin/performance-analyzer-rca has insecure file permissions (should be 0600)
[2023-10-02T18:28:48,805][WARN ][o.o.s.OpenSearchSecurityPlugin] [wazuh.indexer] File /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-certs-tool.sh has insecure file permissions (should be 0600)

@c-bordon
Member

c-bordon commented Oct 3, 2023

Update report

After investigating a little more and comparing the configuration files, I have not found differences that indicate why, in the deployment with Docker, the OpenSearch security plugin throws these warnings, which cannot be applied, since if we remove the execution permissions from these binaries, they stop working. The only files that we could modify would be these:

/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
/usr/share/wazuh-indexer/opensearch.yml

The issue is that these files inherit permissions, since they are files mounted using a Docker volume. I have to check with @vcerenu to confirm if we can change the permissions of these files.

@c-bordon
Member

c-bordon commented Oct 4, 2023

After meeting with @vcerenu, we came to the conclusion that the best thing for the moment is to ignore these warnings and understand that they are a known issue, since applying the permission changes suggested by the plugin implies that the product stops working, as demonstrated in the evidence.

On the other hand, with respect to the configuration files, these files assume different permissions since they are mounted files so that the user can persist changes to them. These permissions do not affect the operation of the product, which is why we also understand that it is not necessary to modify them.

Finally, we performed a new comparison between the security policy configuration files and we have the same configuration as OpenSearch:

OpenSearch
[opensearch@3da952e1b1e4 ~]$ cat config/opensearch-performance-analyzer/opensearch_security.policy 
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};

Wazuh indexer
wazuh-indexer@wazuh:~$ cat opensearch-performance-analyzer/opensearch_security.policy 
grant {
    permission java.lang.management.ManagementPermission "control";
    permission java.net.SocketPermission "localhost:9600","connect,resolve";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.attach" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.internal.jvmstat" {
    permission java.security.AllPermission;
};

In this PR we are looking to level the permissions to have the same permissions on the files and directories that we have in the package installation.
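The triage described in this thread, as an added example that is not part of the original comments or of the Wazuh or OpenSearch code: it parses the plugin's permission warnings and, by reading the current mode of each path, separates files whose execute bit the suggested 0600 would clear from configuration files and directories that could be tightened. The function names, the sample log lines and the temporary tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches the OpenSearchSecurityPlugin permission warnings quoted in this issue.
WARN_RE = re.compile(
    r"\[WARN\s*\]\[o\.o\.s\.OpenSearchSecurityPlugin\]\s*\[[^\]]+\]\s+"
    r"(?P<kind>File|Directory) (?P<path>\S+) has insecure file permissions "
    r"\(should be (?P<want>0[0-7]{3})\)")

# Constructed sample lines in the same format as the warnings above.
BASE = "/usr/share/wazuh-indexer"
_LINE = ("[2023-10-02T18:28:48,790][WARN ][o.o.s.OpenSearchSecurityPlugin] "
         "[wazuh.indexer] %s %s has insecure file permissions (should be %s)")
SAMPLE_LOG = "\n".join([
    _LINE % ("Directory", BASE + "/logs", "0700"),
    _LINE % ("File", BASE + "/opensearch.yml", "0600"),
    _LINE % ("File", BASE + "/bin/opensearch", "0600"),
    _LINE % ("File", BASE + "/opensearch-security/internal_users.yml", "0600"),
])

def parse_warnings(log_text):
    """Return (kind, path, wanted_mode) for every permission warning."""
    return [(m["kind"], m["path"], int(m["want"], 8))
            for m in WARN_RE.finditer(log_text)]

def triage(log_text, root="/"):
    """Classify each warned path (resolved under root); changes nothing."""
    result = {}
    for kind, path, want in parse_warnings(log_text):
        try:
            st = os.stat(os.path.join(root, path.lstrip("/")))
        except OSError:
            result[path] = "missing"
            continue
        mode = stat.S_IMODE(st.st_mode)
        if kind == "File" and mode & 0o111:
            # 0600 would clear the execute bit and break the launcher.
            result[path] = "keep: executable (%04o)" % mode
        else:
            result[path] = ("tighten: %04o -> %04o" % (mode, want)
                            if mode & ~want else "ok")
    return result

def demo():  # builds a constructed tree with typical modes and triages it
    modes = {"logs/": 0o755, "opensearch.yml": 0o644, "bin/opensearch": 0o755,
             "opensearch-security/internal_users.yml": 0o600}
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in modes.items():
            p = os.path.join(root, BASE.lstrip("/"), rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            if not rel.endswith("/"):
                open(p, "w").close()
            os.chmod(p, mode)
        return triage(SAMPLE_LOG, root)

if __name__ == "__main__":
    print("\n".join("%-26s %s" % (v, p) for p, v in demo().items()))
```

Against a real container, `triage` would be given the saved indexer log and `root="/"` from inside the container; it only reads modes and never calls `chmod` on the warned paths.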

@wazuhci wazuhci moved this from On hold to Pending review in Release 4.6.0 Oct 4, 2023
@wazuhci wazuhci moved this from Pending review to Done in Release 4.6.0 Oct 5, 2023