From f005702c44f4874a8ef24ec39ea521c1bb9928aa Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Wed, 29 May 2024 13:19:06 +0200 Subject: [PATCH 1/4] Solve bugs when changing passwords in the manager, indexer and dashboard services --- .../passwords_tool/passwordsFunctions.sh | 88 ++++++++++++++----- .../passwords_tool/passwordsMain.sh | 26 ++++-- 2 files changed, 83 insertions(+), 31 deletions(-) diff --git a/unattended_installer/passwords_tool/passwordsFunctions.sh b/unattended_installer/passwords_tool/passwordsFunctions.sh index 25bb3cbad5..ffe6f98049 100644 --- a/unattended_installer/passwords_tool/passwordsFunctions.sh +++ b/unattended_installer/passwords_tool/passwordsFunctions.sh @@ -13,7 +13,10 @@ function passwords_changePassword() { eval "mkdir /etc/wazuh-indexer/backup/ ${debug}" eval "cp /etc/wazuh-indexer/opensearch-security/* /etc/wazuh-indexer/backup/ ${debug}" passwords_createBackUp + elif [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + adminpass=$1 fi + for i in "${!passwords[@]}" do if [ -n "${indexer_installed}" ] && [ -f "/etc/wazuh-indexer/backup/internal_users.yml" ]; then @@ -45,8 +48,11 @@ function passwords_changePassword() { fi - if [ "${nuser}" == "admin" ] || [ -n "${changeall}" ]; then + if [ "${nuser}" == "admin" ] || [ "${nuser}" == "filebeat" ] || [ -n "${changeall}" ]; then if [ -n "${filebeat_installed}" ]; then + if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + adminpass=$1 + fi if filebeat keystore list | grep -q password ; then eval "(echo ${adminpass} | filebeat keystore add password --force --stdin)" "${debug}" else @@ -57,7 +63,9 @@ function passwords_changePassword() { echo "${conf}" > /etc/filebeat/filebeat.yml fi passwords_restartService "filebeat" - eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}" + if [ -n "${indexer_installed}" ]; then + eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}" + fi passwords_restartService "wazuh-manager" fi fi 
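Review bot: `adminpass=$1` in the new `elif` branch turns the password into a caller-supplied argument, yet the value is still expanded unquoted inside `eval` strings later in the same function (`echo ${adminpass} | filebeat keystore add …` in the second hunk and `-v ${adminpass}` in the third), so a password containing shell metacharacters (`;`, `$(`, quotes, `|`) is either mangled or executed. Expand it in quoted form inside the eval'd text instead, e.g. `eval "(printf '%s\n' \"\$adminpass\" | filebeat keystore add password --force --stdin) ${debug}"`, and drop `eval` entirely for the keystore call: `/var/ossec/bin/wazuh-keystore -f indexer -k password -v "${adminpass}"` (the value is still visible in process listings for the duration of that call). The same `adminpass=$1` is repeated inside the `filebeat_installed` branch of the second hunk, so one of the two assignments is redundant. passwords_changePassword starts and ends outside these hunks, and the `if` the new `elif` attaches to is not visible here.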
@@ -74,6 +82,7 @@ function passwords_changePassword() { echo "${conf}" > /etc/wazuh-dashboard/opensearch_dashboards.yml fi passwords_restartService "wazuh-dashboard" + common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass" fi fi 
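Review bot: The new `common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass"` line writes the plaintext password to the logger unconditionally, whereas the password messages in passwords_changePasswordApi are only emitted when the tool runs stand-alone (`[ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]`), so an installer run now echoes the kibanaserver password into its log. Wrap the line in the same guard. The new `The new password for Filebeat is …` messages in the two passwords_changePasswordApi hunks that follow have the same gap. passwords_changePassword continues outside this hunk.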
@@ -82,19 +91,26 @@ function passwords_changePassword() { function passwords_changePasswordApi() { #Change API password tool if [ -n "${changeall}" ]; then - wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml) + if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then + wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml) + fi for i in "${!api_passwords[@]}"; do if [ -n "${wazuh_installed}" ]; then - passwords_getApiUserId "${api_users[i]}" - WAZUH_PASS_API='{\"password\":\"'"${api_passwords[i]}"'\"}' - eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' - if [ "${api_users[i]}" == "${adminUser}" ]; then - sleep 1 - adminPassword="${api_passwords[i]}" - passwords_getApiToken - fi - if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then - common_logger -nl $"The password for Wazuh API user ${api_users[i]} is ${api_passwords[i]}" + if [ "${api_users[i]}" == "filebeat" ]; then + passwords_changePassword "${api_passwords[i]}" + common_logger -nl $"The new password for Filebeat is ${api_passwords[i]}" + else + passwords_getApiUserId "${api_users[i]}" + WAZUH_PASS_API='{\"password\":\"'"${api_passwords[i]}"'\"}' + eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' + if [ "${api_users[i]}" == "${adminUser}" ]; then + sleep 1 + adminPassword="${api_passwords[i]}" + passwords_getApiToken + fi + if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z 
"${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then + common_logger -nl $"The password for Wazuh API user ${api_users[i]} is ${api_passwords[i]}" + fi fi fi if [ "${api_users[i]}" == "${wazuh_yml_user}" ] && [ -n "${dashboard_installed}" ]; then @@ -103,11 +119,16 @@ function passwords_changePasswordApi() { done else if [ -n "${wazuh_installed}" ]; then - passwords_getApiUserId "${nuser}" - WAZUH_PASS_API='{\"password\":\"'"${password}"'\"}' - eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' - if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then - common_logger -nl $"The password for Wazuh API user ${nuser} is ${password}" + if [ "${nuser}" == "filebeat" ]; then + passwords_changePassword "${password}" + common_logger -nl $"The new password for Filebeat is ${password}" + else + passwords_getApiUserId "${nuser}" + WAZUH_PASS_API='{\"password\":\"'"${password}"'\"}' + eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' + if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then + common_logger -nl $"The password for Wazuh API user ${nuser} is ${password}" + fi fi fi if [ "${nuser}" == "${wazuh_yml_user}" ] && [ -n "${dashboard_installed}" ]; then 
@@ -123,7 +144,7 @@ function passwords_changeDashboardApiPassword() { if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}" if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then - common_logger "Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service." + common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'. Remember to restart the service." fi file_exists=1 fi @@ -135,13 +156,15 @@ function passwords_changeDashboardApiPassword() { function passwords_checkUser() { - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then for i in "${!api_users[@]}"; do if [ "${api_users[i]}" == "${nuser}" ]; then exists=1 fi done - else + fi + + if [ -n "${indexer_installed}" ] || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then for i in "${!users[@]}"; do if [ "${users[i]}" == "${nuser}" ]; then exists=1 @@ -269,6 +292,12 @@ function passwords_generatePassword() { exit 1; fi done + + # if the password of the user "admin" exists, it will be used as the password for the user "filebeat" + if [ -n "${passwords[0]}" ]; then + api_users+=("filebeat") + api_passwords+=("${passwords[0]}") + fi fi } @@ -290,6 +319,7 @@ function passwords_generatePasswordFile() { api_user_description=( "Password for wazuh API user" "Password for wazuh-wui API user" + "Password for Filebeat user" ) passwords_generatePassword 
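Review bot: `api_passwords+=("${passwords[0]}")` reuses the indexer admin password as the new `filebeat` API entry purely by array position; nothing in the hunk verifies that index 0 of `users`/`passwords` is actually `admin`, and keeping one secret under two names means it is printed twice and the two copies drift apart as soon as either is changed individually. If the Filebeat credential must equal the indexer admin password, look it up by name (loop over `"${!users[@]}"` and take the index where `[ "${users[i]}" == "admin" ]`) and state that coupling in the comment. In the passwords_checkUser hunk the former `else` is now a second independent `if`, so both lookups can run in one call; that looks intended but deserves a one-line comment. passwords_generatePassword and passwords_checkUser both start outside their hunks.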
@@ -345,6 +375,8 @@ function passwords_getApiUsers() { mapfile -t api_users < <(common_curl -s -k -X GET -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" \"https://localhost:55000/security/users?pretty=true\" --max-time 300 --retry 5 --retry-delay 5 | grep username | awk -F': ' '{print $2}' | sed -e "s/[\'\",]//g") + # Add filebeat user for comunication with Wazuh indexer + api_users+=("filebeat") } function passwords_getApiIds() { @@ -442,7 +474,7 @@ For Wazuh API users, the file must have this format: fi done - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then for j in "${!fileapiusers[@]}"; do supported=false for i in "${!api_users[@]}"; do @@ -479,7 +511,7 @@ For Wazuh API users, the file must have this format: fi done - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then for j in "${!fileapiusers[@]}"; do supported=false for i in "${!api_users[@]}"; do @@ -507,7 +539,17 @@ For Wazuh API users, the file must have this format: fi } +function passwords_readDashboardUsers() { + + wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml) + + api_users=("$wazuh_yml_user") + if [ -z "${indexer_installed}" ]; then + users=("kibanaserver") + fi + +} function passwords_readUsers() { passwords_updateInternalUsers diff --git a/unattended_installer/passwords_tool/passwordsMain.sh b/unattended_installer/passwords_tool/passwordsMain.sh index 02c1880bb3..f86fb33a3e 100644 --- a/unattended_installer/passwords_tool/passwordsMain.sh +++ b/unattended_installer/passwords_tool/passwordsMain.sh 
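Review bot: `passwords_readDashboardUsers` runs `awk` on `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` without the `[ -f … ]` guard this same commit adds in passwords_changePasswordApi, so on a node where the file is missing awk fails and `api_users=("")` holds an empty user name; wrap the lookup in `if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then … fi` and leave `api_users` empty otherwise. The function also assigns `users=("kibanaserver")` with `=`, discarding anything an earlier reader stored in `users`. In the two p_file hunks (`@@ -442` and `@@ -479`) the new condition ends in `; } then`, missing the `;` before `then` that the otherwise identical condition in passwordsMain.sh uses (`; }; then`); bash accepts both, but keep one spelling.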
@@ -222,6 +222,8 @@ function main() { passwords_getApiToken passwords_getApiUsers passwords_getApiIds + elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then + passwords_readDashboardUsers elif [ -n "${indexer_installed}" ]; then passwords_readUsers fi @@ -242,12 +244,17 @@ function main() { if [ -n "${indexer_installed}" ]; then passwords_readUsers fi - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then - passwords_getApiToken - passwords_getApiUsers - passwords_getApiIds - else - common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed." + + if [ -n "${wazuh_installed}" ]; then + if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + passwords_getApiToken + passwords_getApiUsers + passwords_getApiIds + else + common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed." + fi + elif [ -n "${dashboard_installed}" ]; then + passwords_readDashboardUsers fi if [ -n "${changeall}" ]; then passwords_generatePassword @@ -266,10 +273,13 @@ function main() { passwords_runSecurityAdmin fi - if [ -n "${api}" ] || [ -n "${changeall}" ]; then - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + if [ -n "${api}" ] || [ -n "${changeall}" ] || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then + if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then passwords_changePasswordApi fi + if [ -z "${wazuh_installed}" ] && [ -z "${indexer_installed}" ] && [ -n "${dashboard_installed}" ]; then + passwords_changePassword + fi fi else From daf94fb77b022da1ec5683b76bcaff1860354628 Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Tue, 4 Jun 2024 14:50:15 +0200 Subject: [PATCH 2/4] Fix bugs with AIO deployment --- .../passwords_tool/passwordsFunctions.sh | 32 ++++++++++++------- 1 file changed, 21 insertions(+), 11 deletions(-) 
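Review bot: In the first hunk the new `elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]` branch is tested before `elif [ -n "${indexer_installed}" ]`, so on a node with indexer and dashboard but no manager `passwords_readDashboardUsers` runs and `passwords_readUsers` never does; since `passwords_readDashboardUsers` only fills `users` when the indexer is absent, `users` stays empty there and passwords_checkUser rejects every indexer user. The second hunk handles the same node type correctly by calling `passwords_readUsers` first whenever the indexer is installed; mirror that here by keeping the indexer branch in the chain and reading the dashboard users in a separate `if`. main starts and ends outside these hunks.
```shell
    # … unchanged: API-credentials branch (passwords_getApiToken / passwords_getApiUsers / passwords_getApiIds) …
    elif [ -n "${indexer_installed}" ]; then
        passwords_readUsers
    fi
    # No manager on this node: take wazuh-wui (and kibanaserver when there is no indexer) from the dashboard config
    if [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then
        passwords_readDashboardUsers
    fi
```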
diff --git a/unattended_installer/passwords_tool/passwordsFunctions.sh b/unattended_installer/passwords_tool/passwordsFunctions.sh index ffe6f98049..fa04193cc2 100644 --- a/unattended_installer/passwords_tool/passwordsFunctions.sh +++ b/unattended_installer/passwords_tool/passwordsFunctions.sh @@ -50,7 +50,8 @@ function passwords_changePassword() { if [ "${nuser}" == "admin" ] || [ "${nuser}" == "filebeat" ] || [ -n "${changeall}" ]; then if [ -n "${filebeat_installed}" ]; then - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then + # If the indexer is installed, we take the password from it. + if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ] && [ -z "${indexer_installed}" ]; then adminpass=$1 fi if filebeat keystore list | grep -q password ; then @@ -63,9 +64,7 @@ function passwords_changePassword() { echo "${conf}" > /etc/filebeat/filebeat.yml fi passwords_restartService "filebeat" - if [ -n "${indexer_installed}" ]; then - eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}" - fi + eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}" passwords_restartService "wazuh-manager" fi fi @@ -82,7 +81,11 @@ function passwords_changePassword() { echo "${conf}" > /etc/wazuh-dashboard/opensearch_dashboards.yml fi passwords_restartService "wazuh-dashboard" - common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass" + + if [ -z "${indexer_installed}" ]; then + # only for when the indexer is not installed, so as not to put the same information several times. + common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass" + fi fi fi 
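Review bot: The comment `# If the indexer is installed, we take the password from it.` describes the case the condition excludes: `adminpass=$1` only runs when `indexer_installed` is empty. Reword it to match, e.g. `# No local indexer to read the admin password from, so use the value passed as $1.`, and consider guarding on the argument itself with `[ -n "$1" ]`, because passwordsMain.sh also calls `passwords_changePassword` with no argument, which leaves `adminpass` empty and, if Filebeat is installed on that node, feeds an empty string to `filebeat keystore add`. Removing the `indexer_installed` guard around `wazuh-keystore` in the second hunk reverts the previous commit; a sentence in the commit message on why the manager keystore must be written on indexer-less nodes would help the next reader. passwords_changePassword continues outside these hunks.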
@@ -90,15 +93,18 @@ function passwords_changePassword() { function passwords_changePasswordApi() { #Change API password tool + if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then + wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml) + fi if [ -n "${changeall}" ]; then - if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then - wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml) - fi for i in "${!api_passwords[@]}"; do if [ -n "${wazuh_installed}" ]; then if [ "${api_users[i]}" == "filebeat" ]; then - passwords_changePassword "${api_passwords[i]}" - common_logger -nl $"The new password for Filebeat is ${api_passwords[i]}" + # If the indexer is installed, the indexer takes care of it. + if [ -z "${indexer_installed}" ]; then + passwords_changePassword "${api_passwords[i]}" + common_logger -nl $"The new password for Filebeat is ${api_passwords[i]}" + fi else passwords_getApiUserId "${api_users[i]}" WAZUH_PASS_API='{\"password\":\"'"${api_passwords[i]}"'\"}' @@ -144,7 +150,11 @@ function passwords_changeDashboardApiPassword() { if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}" if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then - common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'. Remember to restart the service." + if [ -z "${wazuh_installed}" ]; then + common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'. Remember to restart the service." + else + common_logger "Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service." + fi fi file_exists=1 fi 
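Review bot: The second hunk prints the wazuh-wui password value (`to '${1}'`) only when the manager is absent, and the reason is not stated anywhere; if the intent is that no API password summary is printed on such nodes (inferred, please confirm), add `# Without a manager no API password summary is printed, so show the value here.` above the branch. The hoisted `wazuh_yml_user` lookup in the first hunk fixes the `else` branch that previously compared `${nuser}` against an unset variable; a short comment above it would stop someone moving it back under `changeall`. The `sed -i 's|password: .*|…|g'` line just above the restart, unchanged here, rewrites every `password:` key in wazuh.yml, so if several hosts are configured their credentials are overwritten too. passwords_changeDashboardApiPassword starts outside its hunk.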
From 15909d2b68aa9aa62d089772cf14bef1d4f224a0 Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Thu, 6 Jun 2024 14:38:41 +0200 Subject: [PATCH 3/4] Change the user name filebeat to admin. Add restart dashboard In the api users, the filebeat user name has been changed to admin for less confusion. Also added automatic restart of the dashboard when updating the wazuh-wui user. --- .../passwords_tool/passwordsFunctions.sh | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/unattended_installer/passwords_tool/passwordsFunctions.sh b/unattended_installer/passwords_tool/passwordsFunctions.sh index fa04193cc2..2d3b44ff96 100644 --- a/unattended_installer/passwords_tool/passwordsFunctions.sh +++ b/unattended_installer/passwords_tool/passwordsFunctions.sh @@ -48,7 +48,7 @@ function passwords_changePassword() { fi - if [ "${nuser}" == "admin" ] || [ "${nuser}" == "filebeat" ] || [ -n "${changeall}" ]; then + if [ "${nuser}" == "admin" ] || [ -n "${changeall}" ]; then if [ -n "${filebeat_installed}" ]; then # If the indexer is installed, we take the password from it. if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ] && [ -z "${indexer_installed}" ]; then @@ -99,7 +99,7 @@ function passwords_changePasswordApi() { if [ -n "${changeall}" ]; then for i in "${!api_passwords[@]}"; do if [ -n "${wazuh_installed}" ]; then - if [ "${api_users[i]}" == "filebeat" ]; then + if [ "${api_users[i]}" == "admin" ]; then # If the indexer is installed, the indexer takes care of it. if [ -z "${indexer_installed}" ]; then passwords_changePassword "${api_passwords[i]}" @@ -125,7 +125,7 @@ function passwords_changePasswordApi() { done else if [ -n "${wazuh_installed}" ]; then - if [ "${nuser}" == "filebeat" ]; then + if [ "${nuser}" == "admin" ]; then passwords_changePassword "${password}" common_logger -nl $"The new password for Filebeat is ${password}" else 
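Review bot: Renaming the synthetic entry to `admin` makes `[ "${api_users[i]}" == "admin" ]` ambiguous: `passwords_getApiUsers` (last hunk of this commit) appends `"admin"` to the list fetched from the Wazuh API, so a real API account named `admin`, or an `adminUser` of `admin`, would take the `passwords_changePassword` path and never receive the API PUT. Mark the synthetic entry distinctly (a separate variable, or a name the API cannot return) or at least exclude the real account with `[ "${api_users[i]}" == "admin" ] && [ "${api_users[i]}" != "${adminUser}" ]`. The message `The new password for Filebeat is …` in the third hunk still calls the user Filebeat after the rename. passwords_changePasswordApi starts before these hunks.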
@@ -149,11 +149,12 @@ function passwords_changeDashboardApiPassword() { until [ -n "${file_exists}" ] || [ "${j}" -eq "12" ]; do if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}" + passwords_restartService "wazuh-dashboard" if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then if [ -z "${wazuh_installed}" ]; then - common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'. Remember to restart the service." + common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'." else - common_logger "Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service." + common_logger "Updated wazuh-wui user password in wazuh dashboard." fi fi file_exists=1 @@ -303,9 +304,9 @@ function passwords_generatePassword() { fi done - # if the password of the user "admin" exists, it will be used as the password for the user "filebeat" + # if the password of the indexer user "admin" exists, it will be used as the password for the API user "admin" if [ -n "${passwords[0]}" ]; then - api_users+=("filebeat") + api_users+=("admin") api_passwords+=("${passwords[0]}") fi fi @@ -329,7 +330,7 @@ function passwords_generatePasswordFile() { api_user_description=( "Password for wazuh API user" "Password for wazuh-wui API user" - "Password for Filebeat user" + "Password for filebeat admin user" ) passwords_generatePassword 
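Review bot: `"Password for filebeat admin user"` is appended as the third `api_user_description`, which only lines up with `api_users` if the `admin` entry is always the third element; `passwords_generatePassword` appends it after its loop, but `passwords_getApiUsers` appends it after whatever the API returned, so with more than two API accounts the descriptions presumably pair with the wrong users (inferred — the code that zips the two arrays is outside the hunk). Appending the description at the same place where `admin` is appended, or keying descriptions by user name, would remove the positional coupling. The wording also mixes the two names: the user is now `admin` while the description says `filebeat admin`. passwords_generatePasswordFile and passwords_changeDashboardApiPassword start outside their hunks.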
@@ -385,8 +386,8 @@ function passwords_getApiUsers() { mapfile -t api_users < <(common_curl -s -k -X GET -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" \"https://localhost:55000/security/users?pretty=true\" --max-time 300 --retry 5 --retry-delay 5 | grep username | awk -F': ' '{print $2}' | sed -e "s/[\'\",]//g") - # Add filebeat user for comunication with Wazuh indexer - api_users+=("filebeat") + # Add admin user for comunication with Wazuh indexer + api_users+=("admin") } function passwords_getApiIds() { From 5fa12c17d6b35d024569f6c644a6119ade2a7d0d Mon Sep 17 00:00:00 2001 From: Enrique Araque Date: Fri, 7 Jun 2024 14:58:03 +0200 Subject: [PATCH 4/4] Remove admin user from api users. Improve dashboard restart Change admin user to use only the admin user from the indexer and restart only the dashboard only once time instead of twice when change wazuh-wui and kibanaserver password --- .../passwords_tool/passwordsFunctions.sh | 91 ++++++++----------- .../passwords_tool/passwordsMain.sh | 15 +-- 2 files changed, 45 insertions(+), 61 deletions(-) diff --git a/unattended_installer/passwords_tool/passwordsFunctions.sh b/unattended_installer/passwords_tool/passwordsFunctions.sh index 2d3b44ff96..987869bd67 100644 --- a/unattended_installer/passwords_tool/passwordsFunctions.sh +++ b/unattended_installer/passwords_tool/passwordsFunctions.sh @@ -13,8 +13,6 @@ function passwords_changePassword() { eval "mkdir /etc/wazuh-indexer/backup/ ${debug}" eval "cp /etc/wazuh-indexer/opensearch-security/* /etc/wazuh-indexer/backup/ ${debug}" passwords_createBackUp - elif [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then - adminpass=$1 fi for i in "${!passwords[@]}" 
@@ -50,10 +48,6 @@ function passwords_changePassword() { if [ "${nuser}" == "admin" ] || [ -n "${changeall}" ]; then if [ -n "${filebeat_installed}" ]; then - # If the indexer is installed, we take the password from it. - if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ] && [ -z "${indexer_installed}" ]; then - adminpass=$1 - fi if filebeat keystore list | grep -q password ; then eval "(echo ${adminpass} | filebeat keystore add password --force --stdin)" "${debug}" else @@ -63,8 +57,11 @@ function passwords_changePassword() { conf="$(awk '{sub("password: .*", "password: '"${adminpass}"'")}1' /etc/filebeat/filebeat.yml)" echo "${conf}" > /etc/filebeat/filebeat.yml fi + passwords_restartService "filebeat" eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}" + common_logger -nl $"The new password for Filebeat is ${adminpass}" + passwords_restartService "wazuh-manager" fi fi 
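Review bot: The new `common_logger -nl $"The new password for Filebeat is ${adminpass}"` prints the indexer admin password unconditionally, while the password messages in passwords_changePasswordApi are gated by the stand-alone check `[ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]`, so installer runs now write that secret into the install log; wrap the line in the same guard. The line above it, unchanged here, still passes the same value on the `wazuh-keystore -v` command line, where it is visible in process listings for the duration of the call. passwords_changePassword starts and ends outside these hunks.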
@@ -99,24 +96,16 @@ function passwords_changePasswordApi() { if [ -n "${changeall}" ]; then for i in "${!api_passwords[@]}"; do if [ -n "${wazuh_installed}" ]; then - if [ "${api_users[i]}" == "admin" ]; then - # If the indexer is installed, the indexer takes care of it. - if [ -z "${indexer_installed}" ]; then - passwords_changePassword "${api_passwords[i]}" - common_logger -nl $"The new password for Filebeat is ${api_passwords[i]}" - fi - else - passwords_getApiUserId "${api_users[i]}" - WAZUH_PASS_API='{\"password\":\"'"${api_passwords[i]}"'\"}' - eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' - if [ "${api_users[i]}" == "${adminUser}" ]; then - sleep 1 - adminPassword="${api_passwords[i]}" - passwords_getApiToken - fi - if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then - common_logger -nl $"The password for Wazuh API user ${api_users[i]} is ${api_passwords[i]}" - fi + passwords_getApiUserId "${api_users[i]}" + WAZUH_PASS_API='{\"password\":\"'"${api_passwords[i]}"'\"}' + eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' + if [ "${api_users[i]}" == "${adminUser}" ]; then + sleep 1 + adminPassword="${api_passwords[i]}" + passwords_getApiToken + fi + if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then + common_logger -nl $"The password for Wazuh API user ${api_users[i]} is ${api_passwords[i]}" fi fi if [ "${api_users[i]}" == "${wazuh_yml_user}" ] && [ -n "${dashboard_installed}" ]; then 
@@ -125,16 +114,11 @@ function passwords_changePasswordApi() { done else if [ -n "${wazuh_installed}" ]; then - if [ "${nuser}" == "admin" ]; then - passwords_changePassword "${password}" - common_logger -nl $"The new password for Filebeat is ${password}" - else - passwords_getApiUserId "${nuser}" - WAZUH_PASS_API='{\"password\":\"'"${password}"'\"}' - eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' - if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then - common_logger -nl $"The password for Wazuh API user ${nuser} is ${password}" - fi + passwords_getApiUserId "${nuser}" + WAZUH_PASS_API='{\"password\":\"'"${password}"'\"}' + eval 'common_curl -s -k -X PUT -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" -d "$WAZUH_PASS_API" "https://localhost:55000/security/users/${user_id}" -o /dev/null --max-time 300 --retry 5 --retry-delay 5 --fail' + if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then + common_logger -nl $"The password for Wazuh API user ${nuser} is ${password}" fi fi if [ "${nuser}" == "${wazuh_yml_user}" ] && [ -n "${dashboard_installed}" ]; then 
@@ -149,7 +133,10 @@ function passwords_changeDashboardApiPassword() { until [ -n "${file_exists}" ] || [ "${j}" -eq "12" ]; do if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}" - passwords_restartService "wazuh-dashboard" + # Restart the service only if we change the api password. If we change all, the service is restarted when changing the kibanaserver password. + if [ -z "${changeall}" ]; then + passwords_restartService "wazuh-dashboard" + fi if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then if [ -z "${wazuh_installed}" ]; then common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'." @@ -175,13 +162,11 @@ function passwords_checkUser() { done fi - if [ -n "${indexer_installed}" ] || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then - for i in "${!users[@]}"; do - if [ "${users[i]}" == "${nuser}" ]; then - exists=1 - fi - done - fi + for i in "${!users[@]}"; do + if [ "${users[i]}" == "${nuser}" ]; then + exists=1 + fi + done if [ -z "${exists}" ]; then common_logger -e "The given user does not exist" @@ -303,12 +288,6 @@ function passwords_generatePassword() { exit 1; fi done - - # if the password of the indexer user "admin" exists, it will be used as the password for the API user "admin" - if [ -n "${passwords[0]}" ]; then - api_users+=("admin") - api_passwords+=("${passwords[0]}") - fi fi } @@ -330,7 +309,6 @@ function passwords_generatePasswordFile() { api_user_description=( "Password for wazuh API user" "Password for wazuh-wui API user" - "Password for filebeat admin user" ) passwords_generatePassword 
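Review bot: Skipping the restart when `changeall` is set relies on the kibanaserver branch of passwords_changePassword having restarted `wazuh-dashboard` in the same run, but nothing here checks that it did; on any path where that branch does not execute, the new wazuh-wui password lands in wazuh.yml without a restart. Make the dependency explicit: have the kibanaserver branch set a flag (e.g. `dashboard_restarted=1`) and restart here with `if [ -z "${dashboard_restarted}" ]; then passwords_restartService "wazuh-dashboard"; fi`, which also encodes the call ordering the comment assumes. In the passwords_checkUser hunk the loop over `users` is now unconditional, which is fine as long as every caller path populates `users` before passwords_checkUser runs. passwords_changeDashboardApiPassword starts before its hunk.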
@@ -386,8 +364,6 @@ function passwords_getApiUsers() { mapfile -t api_users < <(common_curl -s -k -X GET -H \"Authorization: Bearer $TOKEN_API\" -H \"Content-Type: application/json\" \"https://localhost:55000/security/users?pretty=true\" --max-time 300 --retry 5 --retry-delay 5 | grep username | awk -F': ' '{print $2}' | sed -e "s/[\'\",]//g") - # Add admin user for comunication with Wazuh indexer - api_users+=("admin") } function passwords_getApiIds() { @@ -557,15 +533,20 @@ function passwords_readDashboardUsers() { api_users=("$wazuh_yml_user") if [ -z "${indexer_installed}" ]; then - users=("kibanaserver") + users+=("kibanaserver") fi } function passwords_readUsers() { - passwords_updateInternalUsers - susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }') - mapfile -t users <<< "${susers[@]}" + if [ -n "${indexer_installed}" ]; then + passwords_updateInternalUsers + susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }') + mapfile -t users <<< "${susers[@]}" + elif [ -n "${wazuh_installed}" ]; then + # Only need the user admin for Filebeat connection + users=("admin") + fi } diff --git a/unattended_installer/passwords_tool/passwordsMain.sh b/unattended_installer/passwords_tool/passwordsMain.sh index f86fb33a3e..b46c89c46c 100644 --- a/unattended_installer/passwords_tool/passwordsMain.sh +++ b/unattended_installer/passwords_tool/passwordsMain.sh @@ -224,7 +224,7 @@ function main() { passwords_getApiIds elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then passwords_readDashboardUsers - elif [ -n "${indexer_installed}" ]; then + elif [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then passwords_readUsers fi passwords_checkUser 
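Review bot: On a manager-only node `passwords_readUsers` now sets `users=("admin")`, so the tool accepts an `admin` password change there, but what passwords_changePassword does with it (per its earlier hunks) is write the value into the local Filebeat keystore and `wazuh-keystore`; it cannot change the admin password on the remote indexer, so unless the operator has already set the same value there, Filebeat is left with credentials the indexer rejects. Say this in the comment, e.g. `# Manager without a local indexer: 'admin' is only updated in the local Filebeat/wazuh keystores and must match the password already set on the indexer.`, and consider printing the same reminder when the change is applied. The `users+=("kibanaserver")` fix in passwords_readDashboardUsers is right; `+=` also copes with `users` being unset at that point. passwords_readUsers is fully inside its hunk; passwords_readDashboardUsers starts before it.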
@@ -241,7 +241,7 @@ function main() { if [ -n "${changeall}" ] || [ -n "${p_file}" ]; then - if [ -n "${indexer_installed}" ]; then + if [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then passwords_readUsers fi @@ -273,12 +273,15 @@ function main() { passwords_runSecurityAdmin fi - if [ -n "${api}" ] || [ -n "${changeall}" ] || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then + # Call the function to change the password for filebeat and/or kibanaserver + if [ -z "${indexer_installed}" ] && { [ -n "${wazuh_installed}" ] || [ -n "${dashboard_installed}" ]; }; then + passwords_changePassword + fi + + if [ -n "${api}" ] || [ -n "${changeall}" ]; then if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then passwords_changePasswordApi - fi - if [ -z "${wazuh_installed}" ] && [ -z "${indexer_installed}" ] && [ -n "${dashboard_installed}" ]; then - passwords_changePassword + fi fi