Solaris 10 agent uninstall leaves unwanted files in the installation directory

[jnasselle]

Wazuh version	Install type	Action performed	Platform
4.4-rc1	Agent	Remove	Solaris 10 Sparc

Description

During wazuh/wazuh#16148 , it was found that some unwanted files are not removed after Solaris 10 sparc agent uninstall

• Uninstall procedure

# pkgrm wazuh-agent

The following package is currently installed:
   wazuh-agent  Wazuh - Improved OSSEC agent for Intrusion Detection, File Integrity Monitoring, Policy Monitoring and Rootkits Detection.
                (sparc) 4.4.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <wazuh-agent>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <wazuh-agent> dependencies in global zone
## Processing package information.
## Executing preremove script.
Killing wazuh-modulesd... 
Killing wazuh-logcollector... 
Killing wazuh-syscheckd... 
Killing wazuh-agentd... 
Killing wazuh-execd... 
Wazuh v4.4.0 Stopped
## Removing pathnames in class <none>
/var/ossec/wodles/utils.py
/var/ossec/wodles/gcloud/tools.py
/var/ossec/wodles/gcloud/pubsub/subscriber.py
/var/ossec/wodles/gcloud/pubsub
/var/ossec/wodles/gcloud/integration.py
/var/ossec/wodles/gcloud/gcloud
/var/ossec/wodles/gcloud/exceptions.py
/var/ossec/wodles/gcloud/buckets/bucket.py
/var/ossec/wodles/gcloud/buckets/access_logs.py
/var/ossec/wodles/gcloud/buckets
/var/ossec/wodles/gcloud
/var/ossec/wodles/docker/DockerListener
/var/ossec/wodles/docker
/var/ossec/wodles/azure/orm.py
/var/ossec/wodles/azure/azure-logs
/var/ossec/wodles/azure
/var/ossec/wodles/aws/aws-s3
/var/ossec/wodles/aws
/var/ossec/wodles/__init__.py
/var/ossec/wodles
/var/ossec/var/wodles
/var/ossec/var/upgrade
/var/ossec/var/selinux
/var/ossec/var/run
/var/ossec/var/incoming
/var/ossec/var
/var/ossec/tmp
/var/ossec/ruleset/sca/sca_unix_audit.yml
/var/ossec/ruleset/sca
/var/ossec/ruleset
/var/ossec/queue/syscollector/norm_config.json
/var/ossec/queue/syscollector/db <non-empty directory not removed>
/var/ossec/queue/syscollector <non-empty directory not removed>
/var/ossec/queue/sockets <non-empty directory not removed>
/var/ossec/queue/rids <non-empty directory not removed>
/var/ossec/queue/logcollector <non-empty directory not removed>
/var/ossec/queue/fim/db <non-empty directory not removed>
/var/ossec/queue/fim <non-empty directory not removed>
/var/ossec/queue/diff
/var/ossec/queue/alerts <non-empty directory not removed>
/var/ossec/queue <non-empty directory not removed>
/var/ossec/logs/wazuh
/var/ossec/logs/ossec.log
/var/ossec/logs/ossec.json
/var/ossec/logs/active-responses.log
/var/ossec/logs
/var/ossec/lib/libwazuhshared.so
/var/ossec/lib/libwazuhext.so
/var/ossec/lib/libsysinfo.so
/var/ossec/lib/libsyscollector.so
/var/ossec/lib/libstdc++.so.6
/var/ossec/lib/librsync.so
/var/ossec/lib/libgcc_s.so.1
/var/ossec/lib/libdbsync.so
/var/ossec/lib
/var/ossec/etc/wpk_root.pem
/var/ossec/etc/shared/win_malware_rcl.txt
/var/ossec/etc/shared/win_audit_rcl.txt
/var/ossec/etc/shared/win_applications_rcl.txt
/var/ossec/etc/shared/system_audit_ssh.txt
/var/ossec/etc/shared/system_audit_rcl.txt
/var/ossec/etc/shared/rootkit_trojans.txt
/var/ossec/etc/shared/rootkit_files.txt
/var/ossec/etc/shared/cis_win2012r2_memberL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_memberL1_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL2_rcl.txt
/var/ossec/etc/shared/cis_win2012r2_domainL1_rcl.txt
/var/ossec/etc/shared/cis_sles12_linux_rcl.txt
/var/ossec/etc/shared/cis_sles11_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt
/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_enterprise_rcl.txt
/var/ossec/etc/shared/cis_mysql5-6_community_rcl.txt
/var/ossec/etc/shared/cis_debian_linux_rcl.txt
/var/ossec/etc/shared/cis_apache2224_rcl.txt
/var/ossec/etc/shared <non-empty directory not removed>
/var/ossec/etc/ossec.conf
/var/ossec/etc/local_internal_options.conf
/var/ossec/etc/internal_options.conf
/var/ossec/etc/client.keys
/var/ossec/etc/TIMEZONE
/var/ossec/etc <non-empty directory not removed>
/var/ossec/bin/wazuh-syscheckd
/var/ossec/bin/wazuh-modulesd
/var/ossec/bin/wazuh-logcollector
/var/ossec/bin/wazuh-execd
/var/ossec/bin/wazuh-control
/var/ossec/bin/wazuh-agentd
/var/ossec/bin/manage_agents
/var/ossec/bin/agent-auth
/var/ossec/bin
/var/ossec/backup
/var/ossec/agentless/su.exp
/var/ossec/agentless/sshlogin.exp
/var/ossec/agentless/ssh_pixconfig_diff
/var/ossec/agentless/ssh_nopass.exp
/var/ossec/agentless/ssh_integrity_check_linux
/var/ossec/agentless/ssh_integrity_check_bsd
/var/ossec/agentless/ssh_generic_diff
/var/ossec/agentless/ssh_foundry_diff
/var/ossec/agentless/ssh_asa-fwsmconfig_diff
/var/ossec/agentless/ssh.exp
/var/ossec/agentless/register_host.sh
/var/ossec/agentless/main.exp
/var/ossec/agentless
/var/ossec/active-response/bin/wazuh-slack
/var/ossec/active-response/bin/route-null
/var/ossec/active-response/bin/restart.sh
/var/ossec/active-response/bin/restart-wazuh
/var/ossec/active-response/bin/pf
/var/ossec/active-response/bin/npf
/var/ossec/active-response/bin/kaspersky.py
/var/ossec/active-response/bin/kaspersky
/var/ossec/active-response/bin/ipfw
/var/ossec/active-response/bin/ip-customblock
/var/ossec/active-response/bin/host-deny
/var/ossec/active-response/bin/firewalld-drop
/var/ossec/active-response/bin/firewall-drop
/var/ossec/active-response/bin/disable-account
/var/ossec/active-response/bin/default-firewall-drop
/var/ossec/active-response/bin
/var/ossec/active-response
/var/ossec/.ssh
/var/ossec <non-empty directory not removed>
/etc/rc3.d/S97wazuh-agent
/etc/rc2.d/S97wazuh-agent
/etc/init.d/wazuh-agent
## Executing postremove script.
## Updating system information.

Removal of <wazuh-agent> was successful.

• Checking installation dir

# ls -la /var/ossec/
total 14
drwxr-x---   4 root     57447          4 Feb 15 19:17 .
drwxr-xr-x  49 root     sys           49 Feb 15 14:35 ..
drwxrwx---   3 57452    57447          3 Feb 15 19:17 etc
drwxr-x---   8 root     57447          8 Feb 15 19:17 queue
# bash                                          
# ls -la /var/ossec/queue/
total 24
drwxr-x---   8 root     57447          8 Feb 15 19:17 .
drwxr-x---   4 root     57447          4 Feb 15 19:17 ..
drwxrwx---   2 57452    57447          4 Feb 15 19:03 alerts
drwxr-x---   3 57452    57447          3 Feb 15 14:35 fim
drwxr-x---   2 57452    57447          3 Feb 15 18:55 logcollector
drwxr-x---   2 57452    57447          4 Feb 15 18:56 rids
drwxrwx---   2 57452    57447         10 Feb 15 19:03 sockets
drwxr-x---   3 57452    57447          3 Feb 15 19:17 syscollector

This situation could also happen in amd64/i386 architectures, so should be validated

[rauldpm]

It is also necessary to investigate the HP-UX, AIX, and Solaris 11 systems to see if this behavior also occurs. (On AIX it happens wazuh/wazuh#16148 (comment))

[davidjiglesias]

We need to investigate if this comes from 4.3, if it does it will be a Known issue for 4.4.