param agent: use systemd for supported debian/ubuntu distro

[aderumier]

currently we can't restart wazuh-agent service on configuration change because no service provider is defined

[rshad]

Hi @aderumier

Thank you for contributing to Wazuh!

Before I test your changes, I tested the changes you made in your branch aderumier/wazuh-puppet/tree/fix-agent-reload on Ubuntu/Xenial OS and it works as expected without any errors.

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"

Looking at your changes and especially, at this commit fdf4569 I have the following notes.

• As you can see here, for Debian distribution, by default we set the service status and provider to false and undef respectively.

wazuh-puppet/manifests/params_agent.pp

Lines 183 to 186 in 042ea69

	case $::osfamily {
	'Debian': {
	$service_has_status = false
	$ossec_service_provider = undef

And for Ubuntu/Xenial OS we then specify no value for the mentioned variables so they still have the default values defined before. But this will not prevent the task where a reload of the service wazuh-agent is required to work correctly, specifically talking about the following task.

concat { 'ossec.conf':
    path    => $wazuh::params_agent::config_file,
    owner   => $wazuh::params_agent::config_owner,
    group   => $wazuh::params_agent::config_group,
    mode    => $wazuh::params_agent::config_mode,
    require => Package[$agent_package_name],
    notify  => Service[$agent_service_name],
  }

wazuh-agent and by default when it's installed, will get created an init service script in

• /etc/init.d
• /etc/systemd/system/wazuh-agent.service. " If systemd is supported "

When running notify => Service[$agent_service_name], and in case of setting

     $service_has_status = false 
     $ossec_service_provider = undef 

I suppose puppet will search for wazuh-agent init script in /etc/init.d/ and will not fail.

To really get to know more details about your issue which makes it necessary to have such changes, could you please paste the error message you're getting with puppet, this way I'll be guided better.

Waiting for your reply.

Kr,

Rshad Zhran

[aderumier]

Hi,
sorry to be late,

if you have "$service_has_status = false" , puppet can't reload the service on notify.

just run puppet agent in debug mode, you'll see an extra log that it skipping it, even if it's display in standard ouput that service is reloaded.

something like "Skipping restart; service is not running"

https://github.com/puppetlabs/puppet/blob/master/lib/puppet/type/service.rb

def refresh
# Only restart if we're actually running
if (@parameters[:ensure] || newattr(:ensure)).retrieve == :running
provider.restart
else
debug "Skipping restart; service is not running"
end
end

[rshad]

Hi @aderumier!

Happy new year!

I re-tested the installation with DEBUG mode and got the following log lines corresponding to the task:

concat { 'ossec.conf':
    path    => $wazuh::params_agent::config_file,
    owner   => $wazuh::params_agent::config_owner,
    group   => $wazuh::params_agent::config_group,
    mode    => $wazuh::params_agent::config_mode,
    require => Package[$agent_package_name],
    notify  => Service[$agent_service_name],
  }

Log Output

Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/Concat_file[ossec.conf]/before: before to File[/var/ossec/etc/ossec.conf]
Debug: /Stage[main]/Apt/Apt::Setting[conf-update-stamp]/File[/etc/apt/apt.conf.d/15update-stamp]/notify: notify to Class[Apt::Update]
Debug: /Stage[main]/Wazuh::Repo/Apt::Source[wazuh]/Apt::Setting[list-wazuh]/File[/etc/apt/sources.list.d/wazuh.list]/notify: notify to Class[Apt::Update]
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/Concat_file[ossec.conf]: Skipping automatic relationship with File[/var/ossec/etc/ossec.conf]

Also if we look over the log output related to the task:

exec { 'agent-auth-linux':
  command => $agent_auth_command,
  unless  => "/bin/egrep -q '.' ${::wazuh::params_agent::keys_file}",
  require => Concat['ossec.conf'],
  before  => Service[$agent_service_name],
}

Debug: Exec[agent-auth-without-pwd](provider=posix): Executing '/var/ossec/bin/agent-auth -m 172.17.0.3        '
Debug: Executing: '/var/ossec/bin/agent-auth -m 172.17.0.3        '
Notice: /Stage[main]/Wazuh::Agent/Exec[agent-auth-without-pwd]/returns: executed successfully
Debug: /Stage[main]/Wazuh::Agent/Exec[agent-auth-without-pwd]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Service[wazuh-agent](provider=upstart): Could not find wazuh-agent.conf in /etc/init
Debug: Service[wazuh-agent](provider=upstart): Could not find wazuh-agent.conf in /etc/init.d
Debug: Service[wazuh-agent](provider=upstart): Could not find wazuh-agent in /etc/init
Debug: Service[wazuh-agent](provider=upstart): Executing 'ps -ef'
Debug: Executing: 'ps -ef'
Debug: Executing: '/etc/init.d/wazuh-agent start'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'

Note that in response to the ensure statement

service { $agent_service_name:
    ensure    => $agent_service_ensure
.
. ...

Response

Debug: Executing: '/etc/init.d/wazuh-agent start'

---

I'm not getting any error or Skipping refresh alike messages. I would really appreciate it if you paste the exact error message you get in your case.

Waiting for your reply.

Kind regards,

Rshad

[aderumier]

Hi, sorry to be late, I'll test it again.
I'll keep you in touch soon

[aderumier]

something else related:

on each puppet run, I have:

Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running' (corrective)

This is because of default ensure=>running, but status of the service can't be checked with init.d script. (don't have tested with upstart)

now about the bug itself, a simple test:
edit ossec.conf, add a space or any character,
launch puppet:

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum eb941affce7a2375c2af936b9209c833
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200114-28196-akjdme'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 

Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}eb941affce7a2375c2af936b9209c833' to '{md5}0b349588782ce2b7ecba5f7137ad559e' (corrective)
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: '/var/ossec/bin/agent-auth -m X.X.X.X                ' won't be executed because of failed check 'unless'
Debug: Service[wazuh-agent](provider=debian): Executing 'ps -ef'
Debug: Executing: 'ps -ef'
**Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Skipping restart; service is not running**
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 event

service restart is skipped, because puppet can't see if the service is running or not. (because init.d status is not working).

**Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Skipping restart; service is not running**`

Also this is strange:

Debug: Service[wazuh-agent](provider=debian): Executing 'ps -ef'

not sure, but because we don't have hasstatus on service, I think puppet try to fallback looking at "wazuh-agent" process. But this is not exist (because with have multiple ossec process).

[aderumier]

Looking at your log

Debug: Service[wazuh-agent](provider=upstart): Executing 'ps -ef'
Debug: Executing: 'ps -ef'
Debug: Executing: '/etc/init.d/wazuh-agent start'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]/ensure: ensure changed 'stopped' to 'running'

I think what you see the the agent stopped->running , that you can have at each run, because puppet is enable to find the status with "ps -ef"

maybe check your ossec process uptime, but I'm pretty sure they are not restarted.
(or maybe remove ensure=>running to avoid confusion for testing)

[aderumier]

Note that ,

$service_has_status = true

fix it (without need to change to provider systemd)

init.d script have

status() {
${DIRECTORY}/bin/ossec-control status
}
and correctly return 0 when no problem occur.

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum eb941affce7a2375c2af936b9209c833
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200115-24090-3rtl1h'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: 

Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}eb941affce7a2375c2af936b9209c833' to '{md5}0b349588782ce2b7ecba5f7137ad559e' (corrective)
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: /Stage[main]/Wazuh::Agent/Exec[agent-auth-linux]: '/var/ossec/bin/agent-auth -m X.X.X.X                ' won't be executed because of failed check 'unless'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 event
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] 

[aderumier]

Hi, any news about this ?

[manuasir]

Hey @aderumier ,

Our apologies for the late review, we will take this back ASAP and will let you know about anything. Please stay tuned to this thread and thanks again for contributing here.

Cheers

[rshad]

Hi @aderumier !

Sorry for the late update. I'll review your updates and I'll be back with an analysis.

Kr,

Rshad

[rshad]

Hi @aderumier !

Testing with:

• wazuh-puppet 3.12.0_7.6.1
• Ubuntu 18.04

---

Thank you for the analysis. Actually I could not reproduce the case when the wazuh-agent service is not restarted when the file ossec.conf is modified. I don't agree with you because accepting that wazuh-agent service is not being restarted by Puppet will lead the installation to fail or better said, the agent service, when rendering the configuration of wazuh-agent by the execution of the manifest agent.pp, or at least the service wazuh-agent will not take into account the changes we apply to ossec.conf in the different tasks that agent.pp runs.

---

Running puppet agent -t after modifying ossec.conf in the agent host

After adding a new path to the directories monitored by syscheck and without manually restarting wazuh-agent I ran puppet agent -t and as I expected the ossec.conf will be restarted and no error is produced.

• I added /root/test to:

<directories check_all="yes" >/etc,/usr/bin,/usr/sbin,/root/test/</directories>

Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf   2020-03-25 14:24:37.814079928 +0000
+++ /tmp/puppet-file20200325-26470-1yjsjtk      2020-03-25 14:25:15.733029928 +0000
@@ -85,7 +85,7 @@
   <frequency>43200</frequency>
   <scan_on_start>yes</scan_on_start>

-  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin,/root/test/</directories>
+  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
   <directories check_all="yes" >/bin,/sbin,/boot</directories>
   <ignore>/etc/mtab</ignore>
   <ignore>/etc/hosts.deny</ignore>
@@ -164,4 +164,4 @@

 </active-response>

-</ossec_config>
+</ossec_config>
\ No newline at end of file

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum 4593763bcc5439a7ed8539e8554f3b47
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-26470-98aptl'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:

Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}4593763bcc5439a7ed8539e8554f3b47' to '{md5}a5598a92b34f131dc0cb64dd3bb94054'
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Class[Wazuh::Agent]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 17098800
Debug: Storing state
Debug: Stored state in 0.02 seconds
Notice: Applied catalog in 6.09 seconds

• I also tried the same scenario but by adding a character in ossec.conf so I could make it fail when running Puppet, but as expected it was overwritten by Puppet and the execution log is as follows.

Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-28257-h9cb1i'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf   2020-03-25 14:52:47.445046131 +0000
+++ /tmp/puppet-file20200325-28257-h9cb1i       2020-03-25 14:53:15.297046131 +0000
@@ -1,6 +1,6 @@
 <ossec_config>
   <client>
-  s<server>
+  <server>
     <address>172.17.0.101</address>
     <protocol>udp</protocol>
     <port>1514</port>
@@ -164,4 +164,4 @@

 </active-response>

-</ossec_config>
+</ossec_config>
\ No newline at end of file

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet w                                                                                                                                         ith sum 3720a938e42cbbb37322a03009638bad
Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-28257-u1o7h6'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:

Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}3720a938e42cbbb373                                                                                                                                         22a03009638bad' to '{md5}1b2d40e5dea4f08ed62aef27891c50e7'
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate m                                                                                                                                         y refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refres                                                                                                                                         h event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Class[Wazuh::Agent]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 36848560
Debug: Storing state
Debug: Stored state in 0.02 seconds
Notice: Applied catalog in 6.99 seconds

---

Running puppet agent -t after modifying params_agent.pp in the Puppet server host

After modifying params_agent.pp by modifying the variable ossec_syscheck_directories_1 :

• From

$ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin'

• To

$ossec_syscheck_directories_1 = '/etc,/usr/bin,/usr/sbin, /root/test/'

Debug: Executing: 'diff -u /var/ossec/etc/ossec.conf /tmp/puppet-file20200325-27371-1tjsc42'
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content:
--- /var/ossec/etc/ossec.conf   2020-03-25 14:25:15.857091929 +0000
+++ /tmp/puppet-file20200325-27371-1tjsc42      2020-03-25 14:38:55.529046131 +0000
@@ -85,7 +85,7 @@
   <frequency>43200</frequency>
   <scan_on_start>yes</scan_on_start>

-  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin</directories>
+  <directories check_all="yes" >/etc,/usr/bin,/usr/sbin,/root/test/</directories>
   <directories check_all="yes" >/bin,/sbin,/boot</directories>
   <ignore>/etc/mtab</ignore>
   <ignore>/etc/hosts.deny</ignore>

Info: Computing checksum on file /var/ossec/etc/ossec.conf
Debug: Evicting cache entry for environment 'production'
Debug: Caching environment 'production' (ttl = 0 sec)
Info: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: Filebucketed /var/ossec/etc/ossec.conf to puppet with sum a5598a92b34f131dc0cb64dd3bb94054
Notice: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]/content: content changed '{md5}a5598a92b34f131dc0cb64dd3bb94054' to '{md5}1b2d40e5dea4f08ed62aef27891c50e7'
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container Concat[ossec.conf] will propagate my refresh event
Debug: /Stage[main]/Wazuh::Agent/Concat[ossec.conf]/File[/var/ossec/etc/ossec.conf]: The container ossec.conf will propagate my refresh event
Debug: ossec.conf: The container Concat[ossec.conf] will propagate my refresh event
Debug: Concat[ossec.conf]: The container Class[Wazuh::Agent] will propagate my refresh event
Info: Concat[ossec.conf]: Scheduling refresh of Service[wazuh-agent]
Debug: Exec[agent-auth-linux](provider=posix): Executing check '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/egrep -q '.' /var/ossec/etc/client.keys'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl is-enabled wazuh-agent'
Debug: Executing: '/bin/systemctl is-active wazuh-agent'
Debug: Executing: '/bin/systemctl restart wazuh-agent'
Notice: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: Triggered 'refresh' from 1 events
Debug: /Stage[main]/Wazuh::Agent/Service[wazuh-agent]: The container Class[Wazuh::Agent] will propagate my refresh event
Debug: Class[Wazuh::Agent]: The container Stage[main] will propagate my refresh event
Debug: Finishing transaction 36650120
Debug: Storing state
Debug: Stored state in 0.02 seconds
Notice: Applied catalog in 6.73 seconds

ossec.log

2020/03/25 14:38:57 ossec-syscheckd: INFO: Started (pid: 27694).
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/usr/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/usr/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/root/test', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/bin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/sbin', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.
2020/03/25 14:38:57 ossec-syscheckd: INFO: (6003): Monitoring directory/file: '/boot', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | scheduled'.

As you can see, the changes are added and wazuh-agent service was restarted correctly.

Please take into account, that with the module of wazuh-puppet and behaving with the mechanism of how Puppet works, when we need to add new configuration or modify a file which is ossec.conf in our case, then you need to modify the manifest itself agent.pp and or it's related parameters in params_agent.pp in the Puppet server node and then run puppet agent -t from the agent host. This way you can control wazuh-agent service to be restarted or not by setting the correct configuration which is already existing.

---

Waiting for your reply,

Kr,

Rshad

[jm404]

Hi @aderumier,

Changing the base of the PR generated some conflicts, please have a look at them.

Best regards,

Jose

[chrisboulton]

We've actually run into this on new machines (Debian Buster), as well. Setting the systemd provider for the service also resolves the issue to us, so I am in favour of this coming down 👍. Part of the problem here is the combination of Puppet handling for SystemD services + sysvinit scripts, and the same backwards compatibility in Debian. The easiest path to resolution is as the fix proposes -- setting the provider on the service.

[jm404]

Fixed conflicts, I will test it and update with the results.

Best regards,

Jose