wazuh / wazuh-packages

Wazuh - Tools for packages creation
https://wazuh.com
GNU General Public License v2.0
96 stars 89 forks

Solve bugs when changing passwords in the manager, indexer and dashboard services #2968

Closed Enaraque closed 1 week ago

Enaraque commented 1 month ago
Related issue
#1854

Description

When changing the passwords for the different services, neither the Filebeat password in the manager nor the wazuh-wui password in the dashboard were updated. Also in the indexer there was a message indicating that there were no API users, which was a bit confusing. The steps to solve this problem have been:

Password file

In order to be able to change the filebeat password in the wazuh-manager, a new user admin has been created in the API users section. This user will have the same password as the admin user in the indexer section. This provides a way to manage the Filebeat password from the manager.

Tests

When generating the passwords we can see how a new API user admin is generated with the same password as indexer admin user.

```console
root@debian10:/home/vagrant/passwords_good# bash wazuh-passwords-tool2.sh -gf wazuh-passwords_update.txt
root@debian10:/home/vagrant/passwords_good# cat wazuh-passwords_update.txt
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'VpSUav82Y8x05AT*+*sqU406mAKIq8.g'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: 'EKf49pm3QtqszKgWiz.HRfEc5adN7QFY'

# Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
  indexer_username: 'kibanaro'
  indexer_password: 'AO6TqgWcSLi?C5JL*3hL8Lklrmbr9+XT'

# Filebeat user for CRUD operations on Wazuh indices
  indexer_username: 'logstash'
  indexer_password: 'Pp21DOyGGgCpVUqy9*FabHC41udZqPOO'

# User with READ access to all indices
  indexer_username: 'readall'
  indexer_password: 'Zr42iiK1?5H3Zta7IlEuly224?NqPtwm'

# User with permissions to perform snapshot and restore operations
  indexer_username: 'snapshotrestore'
  indexer_password: '.cLInM3Pxb4KsOGGuP.4rvOZiiuJ7*ws'

# Password for wazuh API user
  api_username: 'wazuh'
  api_password: '9qdiBXzBX?hpXACy3W1r2h8Jjq5keEMn'

# Password for wazuh-wui API user
  api_username: 'wazuh-wui'
  api_password: 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8'

# Password for filebeat admin user
  api_username: 'admin'
  api_password: 'VpSUav82Y8x05AT*+*sqU406mAKIq8.g'
```

Wazuh indexer

In the indexer section we had the problem that a message appeared regarding the change of API user passwords: `INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.` This was a bit confusing if the manager was not installed on the machine. Now every time we try to change the indexer passwords without having the manager installed, we won't get the message again.

Tests

```console
root@debian10:/home/vagrant/passwords_good# bash wazuh-passwords-tool2.sh --change-all -f wazuh-passwords_update.txt
29/05/2024 09:45:01 INFO: Updating the internal users.
29/05/2024 09:45:11 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
29/05/2024 09:45:34 INFO: The password for user admin is VpSUav82Y8x05AT*+*sqU406mAKIq8.g
29/05/2024 09:45:34 INFO: The password for user kibanaserver is EKf49pm3QtqszKgWiz.HRfEc5adN7QFY
29/05/2024 09:45:34 INFO: The password for user kibanaro is AO6TqgWcSLi?C5JL*3hL8Lklrmbr9+XT
29/05/2024 09:45:34 INFO: The password for user logstash is Pp21DOyGGgCpVUqy9*FabHC41udZqPOO
29/05/2024 09:45:34 INFO: The password for user readall is Zr42iiK1?5H3Zta7IlEuly224?NqPtwm
29/05/2024 09:45:34 INFO: The password for user snapshotrestore is .cLInM3Pxb4KsOGGuP.4rvOZiiuJ7*ws
29/05/2024 09:45:34 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
```

Wazuh manager

Regarding the manager, the problem was that when we changed the passwords with the --changeall option, the Filebeat password was not changed. Now, a new user has been added to the users section of the API called Filebeat. With these changes, if we put this user with his password in the password file, it will be changed correctly in the manager. Also, being a manager user, we can change the Filebeat password with the --user and --password option as well.

Tests

When executing the filebeat test output command we see that the filebeat password is wrong and therefore we get the error ERROR 401 Unauthorized: Unauthorized.

```console
[root@localhost passwords_good]# filebeat test output
elasticsearch: https://192.168.56.13:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.13
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized
```

If we check the connection again, it reconnects:

```console
[root@localhost passwords_good]# filebeat test output
elasticsearch: https://192.168.56.13:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.13
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

Wazuh dashboard

With the dashboard we had the problem that we couldn't change the password for kibanaserver and wazuh-wui. Like the server, we can now change the passwords of these with the --changeall option and also with --user and --password.

Tests

```console
root@debian9:/home/vagrant/passwords_good# bash wazuh-passwords-tool.sh --user wazuh-wui --password r7jH.SQ4SMqbzVXcbJrkiyrwvWd+Gw8
28/05/2024 12:22:52 INFO: Updated wazuh-wui user password in wazuh dashboard to 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+Gw8'.
```


When passwords are changed and the dashboard url is accessed, it works correctly.

All-in-one deployment

Tests have also been done for when there is an AIO. 

Tests

- Everything has been tested for correctness when changing all passwords without specifying API users:
```console
$ bash wazuh-passwords-tool2.sh --change-all -f wazuh-passwords_update.txt
04/06/2024 11:52:15 INFO: Updating the internal users.
04/06/2024 11:52:25 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
04/06/2024 11:52:25 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
04/06/2024 11:53:46 INFO: The password for user admin is ?9zBL5vLxdiechfjoCFVL7rNAN+36.b9
04/06/2024 11:53:46 INFO: The password for user kibanaserver is 1e6bGRTx?8z5KWJnqra+Mzwnk6rCkyri
04/06/2024 11:53:46 INFO: The password for user kibanaro is kBuhapjyQ170ObEA3AmZjyISS*W.11d4
04/06/2024 11:53:46 INFO: The password for user logstash is *1pd0Ntv.YsankXLmuTYT4OqBRVX+YbD
04/06/2024 11:53:46 INFO: The password for user readall is mcdRtvPv9wz5hQyH+.QuiFVHfFoeAg?X
04/06/2024 11:53:46 INFO: The password for user snapshotrestore is 6pRcmPHVay3jZSp?*4UW?arKC+DpIBF6
04/06/2024 11:53:46 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
$ bash wazuh-passwords-tool2.sh --user wazuh-wui --password
root@ip-172-31-44-59:/home/ubuntu# bash wazuh-passwords-tool2.sh --api --admin-user wazuh --admin-password 7Ei?ypDsCK.49JCkamajmBYrP5RlJICu --user wazuh-wui --password 59_pRcmPHVay3jZSp?*4UW?nMrKF+DpIFF3
04/06/2024 12:33:05 INFO: The password for Wazuh API user wazuh-wui is 59_pRcmPHVay3jZSp?*4UW?nMrKF+DpIFF3
04/06/2024 12:33:05 INFO: Updated wazuh-wui user password in wazuh dashboard.
```

Everything works correctly with the changes: [Screenshot 2024-06-04 at 14 38 34]

Enaraque commented 3 weeks ago

PR Update

We have found a way to use the indexer admin user in the wazuh manager so there is no need to add another user in the API user section. It has also been added in the dashboard that in order to change the password of wazuh-wui, the option --api should be set so that it does not try to change the password of kibanaserver also if there is an indexer installed on the same system.

Password file

The password file is the same as before, no new users are added

Passwords file

```
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'VpSUav82Y8x05AT*+*sqU406mAKIq8.g'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: 'EKf49pm3QtqszKgWiz.HRfEc5adN7QFY'

# Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
  indexer_username: 'kibanaro'
  indexer_password: 'AO6TqgWcSLi?C5JL*3hL8Lklrmbr9+XT'

# Filebeat user for CRUD operations on Wazuh indices
  indexer_username: 'logstash'
  indexer_password: 'Pp21DOyGGgCpVUqy9*FabHC41udZqPOO'

# User with READ access to all indices
  indexer_username: 'readall'
  indexer_password: 'Zr42iiK1?5H3Zta7IlEuly224?NqPtwm'

# User with permissions to perform snapshot and restore operations
  indexer_username: 'snapshotrestore'
  indexer_password: '.cLInM3Pxb4KsOGGuP.4rvOZiiuJ7*ws'

# Password for wazuh API user
  api_username: 'wazuh'
  api_password: '9qdiBXzBX?hpXACy3W1r2h8Jjq5keEMn'

# Password for wazuh-wui API user
  api_username: 'wazuh-wui'
  api_password: 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8'
```

Wazuh manager

In order to change the Filebeat password, we indicate it with the user admin instead of Filebeat.

Tests

Option with username and password

```console
[root@localhost passwords_good]# bash wazuh-passwords-tool.sh -u admin -p PF?whFMYzTyHFI8PqVXjjS5NqsE7xEDx
07/06/2024 12:10:23 INFO: The new password for Filebeat is PF?whFMYzTyHFI8PqVXjjS5NqsE7xEDx
[root@localhost passwords_good]# filebeat test output
elasticsearch: https://192.168.56.13:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.13
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2
```

For the Filebeat password it is not necessary to add the credentials of the API admin user.
--change-all option

```console
[root@localhost passwords_good]# bash wazuh-passwords-tool.sh --change-all -au wazuh -ap e0xS4CHkYinyaqtzN9JQ+X7b8F+KKaah -f wazuh-passwords_070624.txt
07/06/2024 12:31:11 INFO: The new password for Filebeat is PF?whFMYzTyHFI8PqVXjjS5NqsE7xEDx
07/06/2024 12:32:06 INFO: The password for Wazuh API user wazuh is e0xS4CHkYinyaqtzN9JQ+X7b8F+KKaah
07/06/2024 12:32:09 INFO: The password for Wazuh API user wazuh-wui is *Kiq7c+MWpj+CCb*jyyx4MMmaAgvd.Ok
```

Wazuh dashboard

The change of passwords in the dashboard has been improved. To change API user passwords, the --api option is used so that if the dashboard is installed on the same machine as the indexer it does not try to change kibanaserver passwords as well.

Tests
Change password for wazuh-wui with --api option

```console
root@debian9:/home/vagrant/passwords_good# bash wazuh-passwords-tool.sh -u wazuh-wui -p *Kiq7c+MWpj+CCb*jyyx4MMmaAgvd.Ok --api
07/06/2024 12:42:20 INFO: Updated wazuh-wui user password in wazuh dashboard to '*Kiq7c+MWpj+CCb*jyyx4MMmaAgvd.Ok'.
```

AIO deployment

Now when changing passwords in AIO, the message also appears when changing the Filebeat password.

Tests

--change-all option

```console
root@ip-172-31-44-59:/home/ubuntu# bash wazuh-passwords-tool.sh --change-all -f wazuh_passwords-07052024.txt
07/06/2024 12:29:52 INFO: Updating the internal users.
07/06/2024 12:29:56 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/06/2024 12:29:56 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
07/06/2024 12:30:08 INFO: The new password for Filebeat is yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:30:37 INFO: The password for user admin is yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:30:37 INFO: The password for user kibanaserver is .SUO*oQZvwj36pj3ThT7M8N16cv034*9
07/06/2024 12:30:37 INFO: The password for user kibanaro is SJNS*.2r+?m.g0l3Wn1r0Lb8+m?YARsP
07/06/2024 12:30:37 INFO: The password for user logstash is W+HJI++yk*GhAUEuAQapMHER1eh0UynA
07/06/2024 12:30:37 INFO: The password for user readall is CJlfJcG2B6.Sb42xhfq5sjQQtFnPmm*J
07/06/2024 12:30:37 INFO: The password for user snapshotrestore is P0dP+bcXx42NIuYamVrL9jwv.Y?Xi2F2
07/06/2024 12:30:37 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
```
Option with username and password

```console
root@ip-172-31-44-59:/home/ubuntu# bash wazuh-passwords-tool.sh -u admin -p yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:39:02 INFO: Updating the internal users.
07/06/2024 12:39:06 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/06/2024 12:39:06 INFO: Generating password hash
07/06/2024 12:39:12 INFO: The new password for Filebeat is yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:39:37 WARNING: Password changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
root@ip-172-31-44-59:/home/ubuntu# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
```
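
The password file format shown in both comments above, as an added example that is not part of this PR or of wazuh-passwords-tool.sh: a POSIX shell lint that flags entries with no password and accounts that share one (as the first revision's API `admin` entry did), without printing any password. The function names and the sample file are constructed for illustration.

```shell
# Added example: lint a password file in the indexer_/api_ username/password
# format before it is passed to --change-all. Helper names are hypothetical.

# Print one "section<TAB>user<TAB>password" record per entry. A username
# line that is not followed by a password line yields an empty password.
parse_password_file() {
  awk -v q="'" '
    function value(line,   v) {            # text between the single quotes
      v = line; sub("^[^:]*:[ \t]*" q, "", v); sub(q "[ \t]*$", "", v)
      return v
    }
    function emit() { if (user != "") print sect "\t" user "\t" pass; user = pass = "" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*(indexer|api)_username:/ {
      emit(); sect = ($0 ~ /^[ \t]*indexer_/) ? "indexer" : "api"
      user = value($0); next
    }
    /^[ \t]*(indexer|api)_password:/ { pass = value($0) }
    END { emit() }
  ' "$1"
}

# Entries that have a username but no password.
missing_passwords() {
  parse_password_file "$1" | awk -F'\t' '$3 == "" { print $1 "/" $2 }'
}

# Groups of accounts that share one password; the password is never printed.
reused_passwords() {
  parse_password_file "$1" | awk -F'\t' '
    $3 != "" { id = $1 "/" $2; who[$3] = (n[$3]++ ? who[$3] "," id : id) }
    END { for (p in n) if (n[p] > 1) print who[p] }
  ' | sort
}

write_sample() {   # constructed sample file; passwords are placeholders
  cat > "$1" <<'EOF'
# Admin user for the web user interface and Wazuh indexer
  indexer_username: 'admin'
  indexer_password: 'Placeholder-Passw0rd.A'
  indexer_username: 'logstash'
  api_username: 'wazuh'
  api_password: 'Placeholder-Passw0rd.B'
# Password for filebeat admin user
  api_username: 'admin'
  api_password: 'Placeholder-Passw0rd.A'
EOF
}

sample=$(mktemp); write_sample "$sample"
echo "missing: $(missing_passwords "$sample")"
echo "reused:  $(reused_passwords "$sample")"
rm -f "$sample"
```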