wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0

Dashboard package v3 #1258

Closed c-bordon closed 2 years ago

c-bordon commented 2 years ago

Hello!

In this issue, we will contemplate changes for v3 of the Wazuh-Dashboard

c-bordon commented 2 years ago

Carry out the following test: change the kibanaserver password to "test" with the following:

root@Debian-Buster:~# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p test
$2y$12$uoYKuT2KcSR1v.SoiK/31.GAyHfjAo3DHSXSwT0yr1NM.Hxqb6.zi

kibanaserver:
  hash: "$2y$12$uoYKuT2KcSR1v.SoiK/31.GAyHfjAo3DHSXSwT0yr1NM.Hxqb6.zi"
  reserved: true
  description: "Demo kibanaserver user"

I restarted wazuh-indexer and wazuh-dashboard, and the dashboard could no longer connect to the indexer:

{"type":"log","@timestamp":"2022-02-14T19:28:24Z","tags":["info","savedobjects-service"],"pid":15028,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
{"type":"log","@timestamp":"2022-02-14T19:28:24Z","tags":["error","opensearch","data"],"pid":15028,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:28:24Z","tags":["error","savedobjects-service"],"pid":15028,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2022-02-14T19:28:26Z","tags":["error","opensearch","data"],"pid":15028,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:28:29Z","tags":["error","opensearch","data"],"pid":15028,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:28:31Z","tags":["error","opensearch","data"],"pid":15028,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:28:34Z","tags":["error","opensearch","data"],"pid":15028,"message":"[ResponseError]: Response Error"}

After this, I modified the file /etc/wazuh-dashboard/dashboard.yml without disabling the keystore:

server.host: 0.0.0.0
server.port: 443
opensearch.hosts: https://localhost:9700
opensearch.ssl.verificationMode: certificate
opensearch.username: kibanaserver
opensearch.password: test
opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opensearch_security.multitenancy.enabled: true
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/demo-dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/demo-dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
logging.dest: "/var/log/wazuh-dashboard/wazuh-dashboard.log"
uiSettings.overrides.defaultRoute: /app/wazuh?security_tenant=global

After restarting wazuh-dashboard, I was able to verify that it connected correctly:

{"type":"log","@timestamp":"2022-02-14T19:56:29Z","tags":["error","opensearch","data"],"pid":15688,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:56:29Z","tags":["error","plugins","wazuh","initialize"],"pid":15688,"message":"Could not check if the index .wazuh exists due to no permissions for create, delete or check"}
{"type":"log","@timestamp":"2022-02-14T19:56:29Z","tags":["error","opensearch","data"],"pid":15688,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:56:29Z","tags":["error","opensearch","data"],"pid":15688,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:56:29Z","tags":["listening","info"],"pid":15688,"message":"Server running at https://0.0.0.0:443"}
{"type":"log","@timestamp":"2022-02-14T19:56:30Z","tags":["info","http","server","OpenSearchDashboards"],"pid":15688,"message":"http server running at https://0.0.0.0:443"}
{"type":"log","@timestamp":"2022-02-14T19:56:30Z","tags":["error","opensearch","data"],"pid":15688,"message":"[ResponseError]: Response Error"}
{"type":"error","@timestamp":"2022-02-14T19:56:42Z","tags":["connection","client","error"],"pid":15688,"level":"error","error":{"message":"139894834100032:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139894834100032:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"139894834100032:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
{"type":"error","@timestamp":"2022-02-14T19:56:42Z","tags":["connection","client","error"],"pid":15688,"level":"error","error":{"message":"139894834100032:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n","name":"Error","stack":"Error: 139894834100032:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"},"message":"139894834100032:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46\n"}
{"type":"response","@timestamp":"2022-02-14T19:56:42Z","tags":[],"pid":15688,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"192.168.56.254","connection":"keep-alive","cache-control":"max-age=0","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"98\", \"Google Chrome\";v=\"98\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Linux\"","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-user":"?1","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,es;q=0.8"},"remoteAddress":"192.168.56.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36"},"res":{"statusCode":302,"responseTime":9,"contentLength":9},"message":"GET / 302 9ms - 9.0B"}

After this, I edited dashboard.yml again, commented out the user and password, and restarted wazuh-dashboard; again the connection to the indexer failed:

{"type":"log","@timestamp":"2022-02-14T19:58:11Z","tags":["info","plugins-system"],"pid":15688,"message":"Stopping all plugins."}
{"type":"log","@timestamp":"2022-02-14T19:58:14Z","tags":["info","plugins-service"],"pid":15729,"message":"Plugin \"visTypeXy\" is disabled."}
{"type":"log","@timestamp":"2022-02-14T19:58:14Z","tags":["info","plugins-system"],"pid":15729,"message":"Setting up [45] plugins: [alertingDashboards,usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,home,console,apmOss,management,indexPatternManagement,advancedSettings,savedObjects,securityDashboards,reportsDashboards,indexManagementDashboards,anomalyDetectionDashboards,dashboard,visualizations,visTypeVega,visTypeTimeline,timeline,visTypeTable,visTypeMarkdown,tileMap,regionMap,inputControlVis,visualize,ganttChartDashboards,queryWorkbenchDashboards,bfetch,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,observabilityDashboards,discover,wazuh,savedObjectsManagement]"}
{"type":"log","@timestamp":"2022-02-14T19:58:14Z","tags":["info","savedobjects-service"],"pid":15729,"message":"Waiting until all OpenSearch nodes are compatible with OpenSearch Dashboards before starting saved objects migrations..."}
{"type":"log","@timestamp":"2022-02-14T19:58:14Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:14Z","tags":["error","savedobjects-service"],"pid":15729,"message":"Unable to retrieve version information from OpenSearch nodes."}
{"type":"log","@timestamp":"2022-02-14T19:58:17Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:19Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:22Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:24Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:27Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:29Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:32Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:34Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:37Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:39Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:42Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2022-02-14T19:58:44Z","tags":["error","opensearch","data"],"pid":15729,"message":"[ResponseError]: Response Error"}

c-bordon commented 2 years ago

You can only edit the Keystore password interactively; in any case, you have to delete the existing one and add the new one:

root@Debian-Buster:~# echo "test" | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password
Setting opensearch.password already exists. Overwrite? [y/N] test
Exiting without modifying keystore.

root@Debian-Buster:~# echo "test" | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password --stdin
Setting opensearch.password already exists, exiting without modifying keystore.
root@Debian-Buster:~# /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root remove opensearch.password 
root@Debian-Buster:~# echo "test" | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add opensearch.password --stdin

c-bordon commented 2 years ago

The error message that is thrown when Wazuh-Dashboard is not available yet has been modified.

Screenshot_20220214_162841

c-bordon commented 2 years ago

I ran the tests again with the keystore. To change the password in the indexer, the following steps were followed:

root@Debian-Buster:~# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p test
$2y$12$PhMpM3kUPdUF3.zrQg4bJeuqE4/.t8QA7/ysALcPlHdurfLvBG2nO
root@Debian-Buster:~# vim /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml
root@Debian-Buster:~# /usr/share/wazuh-indexer/bin/indexerSecurityInitializer.sh

If we replace the Keystore password, the connection is successful:

root@Debian-Buster:~# /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore remove opensearch.password --allow-root                      
root@Debian-Buster:~# /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore add opensearch.password --allow-root      
Enter value for opensearch.password: ****

If we revert the change, that is, we put the "kibanaserver" password back in the Keystore and edit the /etc/wazuh-dashboard/dashboard.yml file with the new "test" key, we will see that the dashboard cannot connect to the Indexer because the key set in the Keystore has priority. Therefore, for the key change through the file to work, we have to remove the keys from the Keystore.
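
As an added example (not code from this issue or from wazuh-packages), the script below ties together the two procedures described in this thread: the indexer-side rotation from the previous comment (hash.sh, internal_users.yml, indexerSecurityInitializer.sh) and the keystore remove-then-add sequence, in the order that avoids the state where a stale keystore value silently shadows dashboard.yml and the dashboard only logs "[ResponseError]: Response Error". The `credential_source` helper encodes that precedence rule as a pre-restart check you can run over the output of `opensearch-dashboards-keystore list` and the contents of dashboard.yml. Assumptions not in the issue: the indexer REST port (9200, the OpenSearch default; the dashboard.yml posted above points at 9700, so override INDEXER_URL if needed), the `_plugins/_security/authinfo` endpoint used to verify the login, GNU sed for the in-place edit, systemctl for the restart, and the sample keystore/yml text in the comments, which is constructed.

```shell
#!/bin/sh
# Added example, not part of wazuh-packages or of the issue above.
# Rotates the kibanaserver password on BOTH sides (indexer internal_users.yml
# and the dashboard keystore) and provides a check for the failure mode in the
# issue: a value left in the keystore silently shadows dashboard.yml.
set -e

INDEXER_HOME=/usr/share/wazuh-indexer               # path as used in the issue
DASHBOARD_HOME=/usr/share/wazuh-dashboard           # path as used in the issue
INDEXER_URL=${INDEXER_URL:-https://localhost:9200}  # assumption: default REST port
USERS_YML=$INDEXER_HOME/plugins/opensearch-security/securityconfig/internal_users.yml

# credential_source SETTING KEYSTORE_LIST DASHBOARD_YML
#   KEYSTORE_LIST: output of `opensearch-dashboards-keystore list` (one key per line)
#   DASHBOARD_YML: contents of /etc/wazuh-dashboard/dashboard.yml
# Prints which source the dashboard will actually use for SETTING:
#   keystore  - only in the keystore
#   yml       - only in dashboard.yml
#   both      - in both; the keystore wins and the yml value is ignored
#   none      - in neither
# Commented-out yml lines (# ...) do not count, matching the test in the issue.
credential_source() {
  setting=$1
  in_ks=no
  in_yml=no
  if printf '%s\n' "$2" | grep -qxF -- "$setting"; then
    in_ks=yes
  fi
  # Extract top-level keys ("key:" at line start) and exact-match the setting.
  if printf '%s\n' "$3" \
       | sed -n 's/^[[:space:]]*\([A-Za-z0-9_.]*\)[[:space:]]*:.*/\1/p' \
       | grep -qxF -- "$setting"; then
    in_yml=yes
  fi
  case "$in_ks$in_yml" in
    yesyes) echo both ;;
    yesno)  echo keystore ;;
    noyes)  echo yml ;;
    *)      echo none ;;
  esac
}

# rotate_kibanaserver_password NEW_PASSWORD
# Same order as in the issue; the keystore entry is removed before it is
# re-added because `add` refuses to overwrite an existing key non-interactively.
rotate_kibanaserver_password() {
  new_pw=$1
  ks=$DASHBOARD_HOME/bin/opensearch-dashboards-keystore

  # 1. bcrypt hash for internal_users.yml (same tool as in the issue).
  new_hash=$("$INDEXER_HOME/plugins/opensearch-security/tools/hash.sh" -p "$new_pw")

  # 2. Replace only the hash line inside the kibanaserver block (GNU sed assumed).
  cp -a "$USERS_YML" "$USERS_YML.bak"
  sed -i "/^kibanaserver:/,/^[^[:space:]]/ s|^\([[:space:]]*hash:\).*|\1 \"$new_hash\"|" "$USERS_YML"

  # 3. Push the security config to the cluster.
  "$INDEXER_HOME/bin/indexerSecurityInitializer.sh"

  # 4. Keystore: remove, then add from stdin (no trailing newline in the value).
  "$ks" remove opensearch.password --allow-root
  printf '%s' "$new_pw" | "$ks" add opensearch.password --stdin --allow-root

  # 5. Restart and verify the new credential against the indexer directly,
  #    instead of reading the dashboard's generic "Response Error" log line.
  systemctl restart wazuh-dashboard
  curl -sk -u "kibanaserver:$new_pw" "$INDEXER_URL/_plugins/_security/authinfo" \
    | grep -q '"user_name" *: *"kibanaserver"'
}

# Only rotate when explicitly asked, e.g.: sh rotate.sh --rotate 'N3wP@ss'
case "${1:-}" in
  --rotate) rotate_kibanaserver_password "$2" ;;
esac
```

Run `credential_source opensearch.password "$("$DASHBOARD_HOME/bin/opensearch-dashboards-keystore" list --allow-root)" "$(cat /etc/wazuh-dashboard/dashboard.yml)"` before a restart: a result of `both` means the password you just wrote into dashboard.yml will be ignored, which is exactly the state the comment above describes.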

c-bordon commented 2 years ago

The remove process deletes the /usr/share/wazuh-dashboard directory; therefore the config, that is, the Keystore, is deleted in the process, so when we reinstall we have to reload the password in the Keystore.

c-bordon commented 2 years ago

After the upgrade: during the install process it is detected that there is a Keystore and it asks us whether we want to replace it or not; if we do not replace it, the upgrade is carried out correctly:

Setting up wazuh-dashboard (99.99.0-1) ...
An OpenSearch Dashboards keystore already exists. Overwrite? [y/N] N
Exiting without modifying keystore.
Setting opensearch.username already exists, exiting without modifying keystore.
Setting opensearch.password already exists, exiting without modifying keystore.

Screenshot_20220215_085524

Screenshot_20220215_085723