Wazuh indexer startup errors #225

Closed
vcerenu opened this issue May 8, 2024 · 1 comment
Labels
level/task Task issue type/bug Bug issue

vcerenu commented May 8, 2024

Description

During the Release 4.8.0 - RC 1 - Specific systems test some errors were found and reported:
wazuh/wazuh#23261 (comment)
wazuh/wazuh-packages#2449

After that I did some tests and I got some warning messages in the Wazuh indexer log at the start of Wazuh indexer when installed on Amazon Linux 2, which have an impact on the OVA as well as on the Wazuh AMI:

1)

May 08 08:41:21 wazuh-server systemd-entrypoint[2335]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster_server.json" got access denied ("java.lang.RuntimePermission" "accessUserInformation")
May 08 08:41:21 wazuh-server systemd-entrypoint[2335]: ERROR StatusConsoleListener Could not define attribute view on path "/var/log/wazuh-indexer/wazuh-cluster.log" got access denied ("java.lang.RuntimePermission" "accessUserInformation")

I received this error message both during the Installation Assistant installation and in the OVA and the AMI.

I was checking the error and it is due to a lack of permissions in the opensearch-security policy. So that the error message does not appear, I added permissions within the /etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy file and it did not appear. I had more problems with this error in the deployment:

Before:

grant {
 permission java.lang.management.ManagementPermission "control";
 permission java.net.SocketPermission "localhost:9600","connect,resolve";
 permission java.lang.RuntimePermission "getClassLoader";
};

After:

grant {
 permission java.lang.management.ManagementPermission "control";
 permission java.net.SocketPermission "localhost:9600","connect,resolve";
 permission java.lang.RuntimePermission "getClassLoader";
 permission java.lang.RuntimePermission "accessUserInformation";
};

2)

May 08 09:23:31 wazuh-server systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer-performance-analyzer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
May 08 09:23:31 wazuh-server systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

For this message I was checking the permissions of the files mentioned in the message and they have permissions 640:

-rw-r----- 1 root root 1828 May 3 10:19 wazuh-indexer.service
-rw-r----- 1 root root 386 May 3 10:19 wazuh-indexer-performance-analyzer.service

Checking all the files within the directory, the *.service files all have 644 permissions, e.g.:

-rw-r--r-- 1 root root 284 Feb 9 00:12 microcode.service
-rw-r--r-- 1 root root 181 Mar 19 23:29 sshd.socket
-rw-r--r-- 1 root root 260 Mar 19 23:29 sshd@.service
-rw-r--r-- 1 root root 373 Mar 19 23:29 sshd.service
-rw-r--r-- 1 root root 313 Mar 19 23:29 sshd-keygen.service
-rw-r--r-- 1 root root 263 Mar 26 03:01 grub-boot-indeterminate.service
-rw-r--r-- 1 root root 263 Mar 26 03:01 grub2-systemd-integration.service
-rw-r--r-- 1 root root 244 Apr 22 13:06 httpd.socket
-rw-r--r-- 1 root root 944 Apr 22 13:06 httpd.service
-rw-r--r-- 1 root root 314 Apr 22 13:06 httpd-init.service
-rw-r--r-- 1 root root 316 Apr 22 13:06 htcacheclean.service

I manually corrected the permissions of these files and the warning message did not appear again in the Wazuh indexer log.

3)

May 08 08:41:13 wazuh-server systemd-entrypoint[2335]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)
May 08 08:41:21 wazuh-server systemd-entrypoint[2335]: WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/wazuh-indexer/lib/opensearch-2.10.0.jar)

Regarding this warning message, I have not found much. In several forums it is said that it is because the package is close to being deprecated, but I have not found any workaround to solve it.

@vcerenu vcerenu added level/task Task issue type/bug Bug issue labels May 8, 2024
@AlexRuiz7
Member

Hello @vcerenu

Thanks for reporting these logs.

  1. This is a well-known issue that has been there in every wazuh-indexer release until now. We have fixed that for 4.9.0 by Fix access denied error during log rotation #212.

  2. File permissions have also been corrected for 4.9.0, as part of the wazuh-indexer fork project (see Generate production packages with Wazuh changes and config files #4). Here's the spec file where you can see that all these files will use 640 permissions.

    set -- "$@" "%{_prefix}/lib/systemd/system/%{name}-performance-analyzer.service"

  3. I would not worry much about this warning. Invoking the securityManager within OpenSearch's startup seems perfectly reasonable. I was unable to find any report about this warning in OpenSearch's forums, so I don't think this represents any problem or risk at all. In either case, the fix will have to arrive from OpenSearch, not us.

Having said so, I conclude there is nothing to do from our side, as everything is known or fixed for 4.9.0. I therefore close this issue.
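
Added example, not part of the original issue or of the Wazuh project: a shell check for the unit-file permission warning discussed in item 2. It assumes, from the listings in the issue, that unit files without the world-read bit (mode 640) produce the warning and 644 files do not; the function names and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate systemd unit files that produce the
# "marked world-inaccessible" warning quoted in item 2.
# Assumption (from the listings in the issue): the warning appears for
# files lacking the world-read bit (e.g. 640) and not for 644 files.

# Extract the unit file paths named in warning lines read from stdin.
warned_units() {
    sed -n 's/.*Configuration file \(.*\) is marked world-inaccessible\..*/\1/p' | sort -u
}

# Print "<octal mode> <path>" for unit files in a directory that are not
# world-readable. Only regular files directly in the directory are checked.
audit_unit_modes() {
    dir=${1:-/usr/lib/systemd/system}
    find "$dir" -maxdepth 1 -type f \
        \( -name '*.service' -o -name '*.socket' \) \
        ! -perm -0004 -exec stat -c '%a %n' {} + | sort
}

# Constructed sample input, modelled on the log line in the issue.
SAMPLE_LOG='May 08 09:23:31 wazuh-server systemd[1]: Configuration file /usr/lib/systemd/system/wazuh-indexer.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.'

# Stand-alone run: sh audit.sh --run [unit-directory]
if [ "${1:-}" = "--run" ]; then
    printf '%s\n' "$SAMPLE_LOG" | warned_units
    audit_unit_modes "${2:-/usr/lib/systemd/system}"
fi
```

On a live host, `journalctl -b | warned_units` lists the files systemd complained about during the current boot, and `audit_unit_modes` shows the mode each flagged file currently has.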
