wazuh / wazuh-docker

Wazuh - Docker containers
https://wazuh.com

Default password for kibanaserver cannot be changed in docker editions of Wazuh without breaking the indexer #1602

Open XStylus opened 1 week ago

XStylus commented 1 week ago

Hi there --

I have been trying to change the default password for the kibanaserver account on Wazuh. After exhaustive, days-long efforts I have found it impossible to do without breaking the indexer. The documentation and instructions on how to do so have not yielded success (https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#setting-a-new-hash).

Here is what I have tried:

Attempt 1: I followed the steps at https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#setting-a-new-hash precisely:

  1. I ran `docker run --rm -ti wazuh/wazuh-indexer:4.9.1 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh` to generate a new hash for the kibanaserver based on a 12-character password containing a mix of characters (though I avoided using $ or &).
  2. I downed the Wazuh stack.
  3. Using the generated hash, I replaced the hash for “kibanaserver” in the “config/wazuh_indexer/internal_users.yml” file.
  4. I changed the “DASHBOARD_PASSWORD” entry in my docker-compose.yml file to the plaintext version of the password.
  5. I then attempted to bring the stack back up, but the indexer would fail to start. The following error would be repeatedly present in the logs:
     `[wazuh.indexer] Authentication finally failed for kibanaserver from [docker IP address:port]`

Attempt 2: Using a fresh default deployment of the Wazuh docker stack, I bash-shelled into the Indexer instance as root and attempted to run `/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all`. I was presented with the following error: `ERROR: The sudo package is not installed and it is necessary for the installation.`

Attempt 3: This attempt was a bit of a Hail-Mary hack: In the “config/wazuh_indexer/internal_users.yml” file, I changed the "reserved" attribute to "false" for the kibanaserver account. I then logged into the kibanaserver account via the web interface and used the password reset functionality. This was unsuccessful, and almost immediately resulted in the same errors Attempt 2 got.

I would welcome any advice as to what I am doing wrong. I must say that it is quite ironic for a security platform to have such extreme complication in changing default credentials.

t0x01 commented 6 days ago

Hello @XStylus

What seems to be missing from the steps you've taken is an execution of the securityadmin.sh script, as described in Applying the changes.

The complexity of the password change process in Wazuh is due to the use of the OpenSearch project. You can read more about internal_users.yml, securityadmin.sh and their caveats in the OpenSearch documentation, specifically here:

Additionally, you can read about the scheduled replacement of the OpenSearch security plugin tools (including securityadmin.sh) in favor of more convenient API methods here.