keystore directory is granting read/execution permissions to user group/others #2854

Closed
rauldpm opened this issue Feb 23, 2024 · 3 comments
Labels
level/task Subtask issue type/bug Bug issue


@rauldpm
Member

rauldpm commented Feb 23, 2024

Description

Reviewing the 4.8.0 Beta 2 changelog, the following pull request has been found: #2804. This pull request mentions RPM and DEB systems in the pull request name, but the changes only modify the RPM package.

While reviewing and comparing the Wazuh manager RPM package, it has been found that it sets different permissions than the DEB package in the /var/ossec/keystore/ directory:

root@debian11:/home/vagrant# ls -ld /var/ossec/queue/keystore
drwxr-x--- 2 wazuh wazuh 4096 Feb  5 12:09 /var/ossec/queue/keystore
[root@centos7 vagrant]# ls -ld /var/ossec/queue/keystore/
drwxr-xr-x. 2 root root 195 Feb  5 12:09 /var/ossec/queue/keystore/

We should review those permissions and check if they are correct since a read permission is being granted to user group and execution permission is being granted to others, which could lead to a security risk.

@rauldpm rauldpm added level/task Subtask issue type/bug Bug issue labels Feb 23, 2024
@rauldpm rauldpm changed the title from "keystore directory is granting read/execution permissions to group/others" to "keystore directory is granting read/execution permissions to user group/others" Feb 23, 2024
@Dwordcito Dwordcito removed their assignment Feb 26, 2024
@tdrauncieal tdrauncieal self-assigned this Feb 27, 2024
@tdrauncieal
Contributor

Hi @rauldpm
I'm asking about the procedure used in the test you mention, since I haven't been able to obtain the same results. Here's a summary of what I tested using a centos7 Docker VM:

[root@05a3e797059b /]# ls -ld /var/ossec/queue/keystore/
drwxr-x--- 2 wazuh wazuh 4096 Feb 27 14:51 /var/ossec/queue/keystore/
[root@05a3e797059b /]# /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
[root@05a3e797059b /]# ls -l /var/ossec/queue/keystore/
total 144
-rw-r--r-- 1 root root  1307 Feb 26 22:16 000012.sst
-rw-r--r-- 1 root root     0 Feb 27 14:51 000015.log
-rw-r--r-- 1 root root  1307 Feb 27 14:51 000023.sst
-rw-r--r-- 1 root root    16 Feb 27 14:51 CURRENT
-rw-r--r-- 1 root root    36 Feb 26 22:16 IDENTITY
-rw-r--r-- 1 root root     0 Feb 26 22:16 LOCK
-rw-r--r-- 1 root root 54733 Feb 27 14:51 LOG
-rw-r--r-- 1 root root 44832 Feb 26 22:16 LOG.old.1709045504859047
-rw-r--r-- 1 root root   420 Feb 27 14:51 MANIFEST-000016
-rw-r--r-- 1 root root 11473 Feb 27 14:51 OPTIONS-000020
-rw-r--r-- 1 root root 11474 Feb 27 14:51 OPTIONS-000022
[root@05a3e797059b /]# ls -ld /var/ossec/queue/keystore/
drwxr-x--- 2 wazuh wazuh 4096 Feb 27 19:07 /var/ossec/queue/keystore/

You can also access the generated package to perform this test.
https://ci.wazuh.info/job/Packages_builder/188437/
https://packages-dev.wazuh.com/debug/yum/wazuh-manager-4.8.0-2854.1.x86_64.rpm

Is there a process that has been run after the installation?
What could be modifying the permissions of the aforementioned directory?

@ncvicchi
Member

ncvicchi commented Feb 29, 2024

@rauldpm, we have not been able to reproduce the behavior described in this issue. If no further steps are provided to reproduce it, we will close this issue as "not planned".

@rauldpm
Member Author

rauldpm commented Feb 29, 2024

@tdrauncieal No, I just installed the 4.8.0 Beta 2 package in a CentOS 7 Vagrant box (centos/7). Is it possible for Wazuh to change the keystore directory permissions temporarily? I can't reproduce it now.

@ncvicchi ncvicchi closed this as not planned Feb 29, 2024
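
The comparison made by hand with `ls -ld` in this thread can be scripted so the same check runs on both package types. This is an added example, not part of the original issue or of Wazuh's code. The function name `audit_dir_perms` is hypothetical, and the default baseline (750, wazuh:wazuh) is taken from the Debian listing above as an assumption, since the thread does not settle which value is intended.

```shell
#!/bin/sh
# Added example (not Wazuh project code). Baseline 750 wazuh:wazuh is the
# Debian listing from the thread, used here as an assumed reference value.
# Needs GNU stat (coreutils), present on both Debian and CentOS.

# audit_dir_perms DIR [MODE] [OWNER] [GROUP]
# Prints one line per finding. Returns 0 = matches baseline, 1 = drift,
# 2 = directory missing.
audit_dir_perms() {
    dir=$1
    want_mode=${2:-750}
    want_owner=${3:-wazuh}
    want_group=${4:-wazuh}
    status=0

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi

    mode=$(stat -c '%a' "$dir")     # octal mode, e.g. 750
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")

    if [ "$mode" != "$want_mode" ]; then
        echo "MODE $dir is $mode, baseline $want_mode"
        status=1
    fi
    if [ "$owner:$group" != "$want_owner:$want_group" ]; then
        echo "OWNER $dir is $owner:$group, baseline $want_owner:$want_group"
        status=1
    fi

    # Low three bits of the mode are what every other local account gets.
    others=$(( 0$mode & 07 ))
    if [ "$others" -ne 0 ]; then
        echo "OTHERS $dir grants mode bits $others to other users"
        status=1
    fi
    # With the search (x) bit set for others, world-readable files inside
    # are no longer shielded by the directory itself.
    if [ $(( others & 1 )) -ne 0 ]; then
        n=$(find "$dir" -type f -perm -004 | wc -l)
        if [ "$n" -gt 0 ]; then
            echo "EXPOSED $n file(s) under $dir readable by other users"
        fi
    fi
    return $status
}
```

Run it as `audit_dir_perms /var/ossec/queue/keystore` right after installation and again after the services start, which would show whether the mode changes over time as asked in the thread.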