-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve the passwords tool behavior in distributed environments #1854
Comments
@Enaraque. We need to test if we can reproduce these behaviors to define if they are already fixed. |
For now I have reproduced these behaviours for the indexer and the manager. They still seem to have the same problem. When I generate the passwords in the indexer and change them in both the indexer and the manager, the passwords for Filebeat are not changed in the manager. Wazuh IndexerI generated the password file with: This command generated this password file: wazuh-password.txt
Next, I changed the wazuh indexer password:
The message Wazuh managerWhen I change the passwords in the manager, only the API passwords are changed.
The Filebeat password remains unchanged, as when testing the connection, the error "Unauthorized" is displayed.
|
Issue UpdateDuring these days we have been working on solving this issue. Wazuh IndexerRegarding the wazuh indexer, we have managed to fix the problem when changing passwords where the message Wazuh managerRegarding the wazuh manager and the filebeat password change problem, we have been working on the following aspects:
TestingHere we can see how in the indexer the admin password has been changed so the manager generates an authorisation error.
Once the script is executed you can see how the password is successfully changed.
|
Issue updateWazuh serverAdded the option if you want to change the filebeat password by giving the TestsIf we do the filebeat test after changing the Filebeat with wrong passworrd in the wazuh server
Then if we change the filebeat password on the server, giving the user instead of the change filebeat password with user option
Filebeat test output run succesfully
Wazuh dashboardThe necessary options have been added to be able to:
TestsThis part is still being tested. |
The Wazuh password tool is not working as expected in a distributed environment. In a Wazuh dashboard node, the tool is not updating the password in the Wazuh dashboard keystore nor updating the Wazuh manager API password in the
wazuh.yml
configuration file as it should.In a Wazuh server node, the tool is not updating the corresponding password in the Filebeat keystore.
Below, I'll describe the process of changing the default passwords in a Wazuh distributed environment and include comments and suggestions along the way.
Wazuh indexer node
As a first step, I generated a file with random passwords using the option
-gf, --generate-file <wazuh-passwords.txt>
.wazuh-passwords.txt
Next, I used the following command to change the Wazuh indexer passwords.
The output message states
INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
suggesting that the API credential should be provided. If they are provided, the output states:This message is confusing as the users do exist, the problem is that there's not a Wazuh manager API available on this node. An additional check verifying if the Wazuh manager is installed could be added to improve the output messages.
Consider talking about the "Wazuh manager API" instead of just the "Wazuh API" to avoid possible confusion with the Wazuh indexer API.
Wazuh server node
I ran the following command in a Wazuh server node.
The password tool changed the Wazuh manager API passwords but did not update the
admin
user password in Filebeat as it should.After updating the password manually and restarting Filebeat the communication is restored.
Regarding the passwords tool output message, it should indicate that as the Wazuh manager API passwords have been changed, the user should update the
wazuh.yml
configuration file in the Wazuh dashboard node.Wazuh dashboard node
Finally, I ran the passwords tool in the Wazuh dashboard node.
In this case, the passwords were not updated either in the Wazuh dashboard keystore nor in the
wazuh.yml
configuration file.I changed the
wazuh-wui
password manually in the/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
configuration file, updated thekibanaserver
user password in the Wazuh dashboard keystore and restarted the Wazuh dashboard service.After updating the passwords and restarting, everything is working as expected.
As a final remark, consider adding a check to verify if the Wazuh manager API user set in the
wazuh.yml
configuration file is indeedwazuh-wui
and consider the case where there's more than one API configured.The text was updated successfully, but these errors were encountered: