In late 2023, I started work on an OpenRC script for the Wazuh agent. As of Wazuh 4.9.X and 4.11.X, it appears to still work. I've decided to share it here, in case anyone else can benefit from it:
https://github.com/wazuh/wazuh/discussions/19790
#!/sbin/openrc-run
# OpenRC script for Wazuh XDR agent
# Minimal draft written by TopHatProductions115
# TopHatProductions115@mail.txp-network.ml
# Ping-able 0900 to 1145 EST on business days
# Some references taken from
# https://github.com/wazuh/wazuh/blob/master/src/init/templates/ossec-hids-gentoo.init
# BEGIN CONFIGURATION SECTION
# Required parameters for service
name="wazuh-controld"
description="Wazuh Agent control and init for Artix OpenRC"
# This parameter should not be used or called anywhere else in this script
BASE_PATH="/var/ossec"
configfile="$BASE_PATH/etc/ossec.conf"
command="$BASE_PATH/bin/wazuh-control"
# Assuming that wazuh-controld is a well-behaved service that backgrounds itself
# command_background="yes"
# Assuming that wazuh-controld manages its own PID file
# pidfile=$PID_PATH/wazuh-controld.pid
# END CONFIGURATION SECTION
# Service Dependencies
depend() {
    need net network-online syslog-ng
    use logger syslog-ng
    provide wazuh-controld
}
# Non-standard functions that aren't included in OpenRC by default
extra_commands="info"
extra_started_commands="reload"
# Configuration file check - stub?
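checkconfig() {
    ebegin "Checking Wazuh Configuration File..."
    if [ ! -r "${configfile}" ]; then
        eerror "Unable to read configuration file: ${configfile}"
        # Close the ebegin line with a failure status before bailing out
        eend 1
        return 1
    fi
    # Maybe something to check the contents of the config file?
    # eend returns the status it is given, so this is also the function's result
    eend 0
}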
# Many sources state not to define start and stop (and sometimes even restart) functions...
# After discussing with some people online, I've learned a few details.
# By using the start-stop-daemon, I'd be committing at least two bad practices:
#   - Using a startup script to (attempt to) control another script
#   - Spawning a daemon, to (attempt to) control another daemon
# Wazuh control appears to have its own daemon, which can fork and control its own processes.
# Therefore, I won't use the start-stop-daemon here.
start() {
    checkconfig || return 1
    ebegin "Attempting to initialise $name ..."
    ${command} start
    eend $?
}
stop() {
    checkconfig || return 1
    ebegin "Attempting to terminate $name ..."
    ${command} stop
    eend $?
}
# Stop the service, check the config file, restart the service
# Restart tends to be defined as stop() + start()
restart() {
    # Insert OpenRC service status check here
    # Which parameter should I use in place of SERVICE_NAME ?
    # if ! service_started "${SERVICE_NAME}" ; then
    #     eerror "ERR :: $name is not running. Please start the service first before attempting a restart or reload..."
    # else
    checkconfig || return 1
    ebegin "Attempting to restart $name ..."
    ${command} restart
    eend $?
    # fi
}
# Reload the config file without restarting the entire service
# Can only be attempted when the service is running
# Not a standard OpenRC command - extra_started
reload() {
    checkconfig || return 1
    ebegin "Attempting to reload $name ..."
    ${command} reload
    eend $?
}
# Get general service information
# Also not a standard OpenRC command - extra
info() {
    ebegin "Retrieving all $name service info..."
    ${command} info
    eend $?
}
# Get service status
status() {
    checkconfig || return 1
    # ebegin "Retrieving status of $name ..."
    ${command} status
    # eend $?
}
I'm not a package maintainer, so I can't easily post this to AUR (or another repo) at the moment.
If someone wants to make this into a package, go for it.
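
Added example (not part of the original post or of Wazuh's own scripts): one way to fill the "check the contents of the config file" stub in checkconfig() with a few sanity checks on ossec.conf. The function name wazuh_conf_check and its return codes are this example's own, and MANAGER_IP is assumed to be the placeholder left in an agent config that was never pointed at a manager.

```sh
# Added example: content checks that checkconfig() could call.
# Return codes (this example's own convention):
#   0 ok | 1 unreadable or empty | 2 world-writable
#   3 no <ossec_config> root element | 4 no usable manager <address>
wazuh_conf_check() {
    conf="$1"

    # Same readability test as checkconfig(), plus "not empty".
    { [ -r "$conf" ] && [ -s "$conf" ]; } || return 1

    # A world-writable config lets any local user repoint or silence the agent.
    # ls -L follows symlinks; character 9 of the mode string is "other write".
    mode=$(ls -ldL "$conf" | cut -c1-10)
    case "$mode" in
        ????????w*) return 2 ;;
    esac

    # Both the opening and the closing root tag must be present.
    { grep -q '<ossec_config>' "$conf" && grep -q '</ossec_config>' "$conf"; } || return 3

    # Drop single-line XML comments, then take the first <address> value.
    # Multi-line comments are not handled: this is a sanity check, not an XML parser.
    addr=$(sed -n -e 's/<!--.*-->//g' \
        -e 's|.*<address>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</address>.*|\1|p' \
        "$conf" | head -n 1)

    # MANAGER_IP: assumed placeholder of an agent that was never configured.
    case "$addr" in
        ''|MANAGER_IP) return 4 ;;
    esac
    return 0
}
```

Inside the service script this would be called as wazuh_conf_check "${configfile}" after the readability test, with a non-zero result turned into eerror, eend 1 and return 1.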