Solve bugs when changing passwords in the manager, indexer and dashboard services

[Enaraque]

Related issue
#1854

Description

When changing the passwords for the different services, neither the Filebeat password in the manager nor the wazuh-wui password in the dashboard were updated. Also in the indexer there was a message indicating that there were no API users, which was a bit confusing. The steps to solve this problem have been:

Password file

In order to be able to change the filebeat password in the wazuh-manager, a new user admin has been created in the API users section. This user will have the same password as the admin user in the indexer section. This provides a way to manage the Filebeat password from the manager.

Tests

When generating the passwords we can see how a new API user admin is generated with the same password as indexer admin user.

root@debian10:/home/vagrant/passwords_good# bash wazuh-passwords-tool2.sh -gf wazuh-passwords_update.txt
root@debian10:/home/vagrant/passwords_good# cat wazuh-passwords_update.txt
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'VpSUav82Y8x05AT*+*sqU406mAKIq8.g'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: 'EKf49pm3QtqszKgWiz.HRfEc5adN7QFY'

# Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
  indexer_username: 'kibanaro'
  indexer_password: 'AO6TqgWcSLi?C5JL*3hL8Lklrmbr9+XT'

# Filebeat user for CRUD operations on Wazuh indices
  indexer_username: 'logstash'
  indexer_password: 'Pp21DOyGGgCpVUqy9*FabHC41udZqPOO'

# User with READ access to all indices
  indexer_username: 'readall'
  indexer_password: 'Zr42iiK1?5H3Zta7IlEuly224?NqPtwm'

# User with permissions to perform snapshot and restore operations
  indexer_username: 'snapshotrestore'
  indexer_password: '.cLInM3Pxb4KsOGGuP.4rvOZiiuJ7*ws'

# Password for wazuh API user
  api_username: 'wazuh'
  api_password: '9qdiBXzBX?hpXACy3W1r2h8Jjq5keEMn'

# Password for wazuh-wui API user
  api_username: 'wazuh-wui'
  api_password: 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8'

# Password for filebeat admin user
  api_username: 'admin'
  api_password: 'VpSUav82Y8x05AT*+*sqU406mAKIq8.g'

Wazuh indexer

In the indexer section we had the problem that a message appeared regarding the change of API user passwords: INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed. Which was a bit confusing if the manager was not installed on the machine.
Now every time we try to change the indexer passwords without having the manager installed, we won't get the message again.

Tests

root@debian10:/home/vagrant/passwords_good# bash wazuh-passwords-tool2.sh --change-all -f wazuh-passwords_update.txt
29/05/2024 09:45:01 INFO: Updating the internal users.
29/05/2024 09:45:11 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
29/05/2024 09:45:34 INFO: The password for user admin is VpSUav82Y8x05AT*+*sqU406mAKIq8.g
29/05/2024 09:45:34 INFO: The password for user kibanaserver is EKf49pm3QtqszKgWiz.HRfEc5adN7QFY
29/05/2024 09:45:34 INFO: The password for user kibanaro is AO6TqgWcSLi?C5JL*3hL8Lklrmbr9+XT
29/05/2024 09:45:34 INFO: The password for user logstash is Pp21DOyGGgCpVUqy9*FabHC41udZqPOO
29/05/2024 09:45:34 INFO: The password for user readall is Zr42iiK1?5H3Zta7IlEuly224?NqPtwm
29/05/2024 09:45:34 INFO: The password for user snapshotrestore is .cLInM3Pxb4KsOGGuP.4rvOZiiuJ7*ws
29/05/2024 09:45:34 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.

Wazuh manager

Regarding the manager, the problem was that when we changed the passwords with the --changeall option, the Filebeat password was not changed.
Now, a new user has been added to the users section of the API called Filebeat. With these changes, if we put this user with his password in the password file, it will be changed correctly in the manager.
Also, being a manager user, we can change the Filebeat password with the --user and --password option as well.

Tests

When executing the filebeat test output command we see that the filebeat password is wrong and therefore we get the error ERROR 401 Unauthorized: Unauthorized.

[root@localhost passwords_good]# filebeat test output
elasticsearch: https://192.168.56.13:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.13
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized

• Change Filebeat password with the --changeall option:

[root@localhost passwords_good]# bash wazuh-passwords-tool2.sh --change-all --admin-user wazuh --admin-password 7vSm?eM.PZSe7+1zyMpZRPPaQcH5YW3p -f wazuh-passwords_update.txt
28/05/2024 09:48:06 INFO: The password for Wazuh API user wazuh is 9qdiBXzBX?hpXACy3W1r2h8Jjq5keEMn
28/05/2024 09:48:07 INFO: The password for Wazuh API user wazuh-wui is r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8
28/05/2024 09:49:07 INFO: The new password for Filebeat is VpSUav82Y8x05AT*+*sqU406mAKIq8.g

If we check the connection again, it reconnects:

[root@localhost passwords_good]# filebeat test output
elasticsearch: https://192.168.56.13:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.13
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

• We can also change the Filebeat password with --user and --password.

[root@localhost passwords_good]# bash wazuh-passwords-tool2.sh --admin-user wazuh --admin-password 9qdiBXzBX?hpXACy3W1r2h8Jjq5keEMn --api  --user admin --password VpSUav82Y8x05AT*+*sqU406mAKIq8.g
28/05/2024 10:18:59 INFO: The new password for Filebeat is VpSUav82Y8x05AT*+*sqU406mAKIq8.g

Wazuh dashboard

With the dashboard we had the problem that we couldn't change the password for kibanaserver and wazuh-wui. Like the server, we can now change the passwords of these with the --changeall option and also with --user and --password.

Tests

• Change dashboard passwords with --changeall.

root@debian9:/home/vagrant/passwords_good# bash wazuh-passwords-tool.sh --change-all -f wazuh-passwords_update.txt
29/05/2024 10:45:56 INFO: The password for the kibanaserver user in the dashboard has been updated to EKf49pm3QtqszKgWiz.HRfEc5adN7QFY
29/05/2024 10:46:07 INFO: Updated wazuh-wui user password in wazuh dashboard to 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8'. 

• Change dashboard passwords with --user and --password.

root@debian9:/home/vagrant/passwords_good# bash wazuh-passwords-tool.sh --user kibanaserver --password EKf49pm3QtqszKgWiz.HRfEc5adN7QFY
29/05/2024 10:50:55 INFO: The password for the kibanaserver user in the dashboard has been updated to EKf49pm3QtqszKgWiz.HRfEc5adN7QFY

root@debian9:/home/vagrant/passwords_good# bash wazuh-passwords-tool.sh --user wazuh-wui --password r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8
28/05/2024 12:22:52 INFO: Updated wazuh-wui user password in wazuh dashboard to 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8'.

When passwords are changed and the dashboard url is accessed, it works correctly.

All-in-one deployment

Tests have also been done for when there is an AIO.

Tests

• Everything has been tested for correctness when changing all passwords without specifying API users:

$ bash wazuh-passwords-tool2.sh --change-all -f wazuh-passwords_update.txt
04/06/2024 11:52:15 INFO: Updating the internal users.
04/06/2024 11:52:25 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
04/06/2024 11:52:25 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
04/06/2024 11:53:46 INFO: The password for user admin is ?9zBL5vLxdiechfjoCFVL7rNAN+36.b9
04/06/2024 11:53:46 INFO: The password for user kibanaserver is 1e6bGRTx?8z5KWJnqra+Mzwnk6rCkyri
04/06/2024 11:53:46 INFO: The password for user kibanaro is kBuhapjyQ170ObEA3AmZjyISS*W.11d4
04/06/2024 11:53:46 INFO: The password for user logstash is *1pd0Ntv.YsankXLmuTYT4OqBRVX+YbD
04/06/2024 11:53:46 INFO: The password for user readall is mcdRtvPv9wz5hQyH+.QuiFVHfFoeAg?X
04/06/2024 11:53:46 INFO: The password for user snapshotrestore is 6pRcmPHVay3jZSp?*4UW?arKC+DpIBF6
04/06/2024 11:53:46 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.

• Change of all passwords where API passwords are changed as well. If we check the output of filebeat, we can see that it works correctly.

$ bash wazuh-passwords-tool2.sh --change-all --admin-user wazuh --admin-password 7Ei?ypDsCK.49JCkamajmBYrP5RlJICu -f wazuh-passwords_update.txt
04/06/2024 12:04:57 INFO: Updating the internal users.
04/06/2024 12:05:05 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
04/06/2024 12:06:31 INFO: The password for user admin is ?9zBL5vLxdiechfjoCFVL7rNAN+36.b9
04/06/2024 12:06:31 INFO: The password for user kibanaserver is 1e6bGRTx?8z5KWJnqra+Mzwnk6rCkyri
04/06/2024 12:06:31 INFO: The password for user kibanaro is kBuhapjyQ170ObEA3AmZjyISS*W.11d4
04/06/2024 12:06:31 INFO: The password for user logstash is *1pd0Ntv.YsankXLmuTYT4OqBRVX+YbD
04/06/2024 12:06:31 INFO: The password for user readall is mcdRtvPv9wz5hQyH+.QuiFVHfFoeAg?X
04/06/2024 12:06:31 INFO: The password for user snapshotrestore is 6pRcmPHVay3jZSp?*4UW?arKC+DpIBF6
04/06/2024 12:06:31 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
04/06/2024 12:06:34 INFO: The password for Wazuh API user wazuh is 7Ei?ypDsCK.49JCkamajmBYrP5RlJICu
04/06/2024 12:06:35 INFO: The password for Wazuh API user wazuh-wui is HPAhx+gmunIeoyb8ImYga3v6858*baQd
04/06/2024 12:06:35 INFO: Updated wazuh-wui user password in wazuh dashboard.
$ filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2

• When the dashboard is installed in a distributed deployment, we can change the password of the user that communicates with the server without giving the admin credentials. In this case, as the manager is installed, we would have to specify them. If we try this, we get the following output:

$ bash wazuh-passwords-tool2.sh --user wazuh-wui --password 59_pRcmPHVay3jZSp?*4UW?nMrKF+DpIFF3
04/06/2024 12:15:31 INFO: Updating the internal users.
04/06/2024 12:15:39 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
04/06/2024 12:15:39 ERROR: The given user does not exist

If we do it with the right credentials, we can see that it does change:

$ bash wazuh-passwords-tool2.sh --user wazuh-wui --password
root@ip-172-31-44-59:/home/ubuntu# bash wazuh-passwords-tool2.sh --api --admin-user wazuh --admin-password 7Ei?ypDsCK.49JCkamajmBYrP5RlJICu --user wazuh-wui --password 59_pRcmPHVay3jZSp?*4UW?nMrKF+DpIFF3
04/06/2024 12:33:05 INFO: The password for Wazuh API user wazuh-wui is 59_pRcmPHVay3jZSp?*4UW?nMrKF+DpIFF3
04/06/2024 12:33:05 INFO: Updated wazuh-wui user password in wazuh dashboard.

Everything works correctly with the changes:

[Enaraque]

PR Update

We have found a way to use the indexer admin user in the wazuh manager so there is no need to add another user in the API user section.
It has also been added in the dashboard that in order to change the password of wazuh-wui, the option --api should be set so that it does not try to change the password of kibanaserver also if there is an indexer installed on the same system.

Password file

The password file is the same as before, no new users are added

Passwords file

# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'VpSUav82Y8x05AT*+*sqU406mAKIq8.g'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: 'EKf49pm3QtqszKgWiz.HRfEc5adN7QFY'

# Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
  indexer_username: 'kibanaro'
  indexer_password: 'AO6TqgWcSLi?C5JL*3hL8Lklrmbr9+XT'

# Filebeat user for CRUD operations on Wazuh indices
  indexer_username: 'logstash'
  indexer_password: 'Pp21DOyGGgCpVUqy9*FabHC41udZqPOO'

# User with READ access to all indices
  indexer_username: 'readall'
  indexer_password: 'Zr42iiK1?5H3Zta7IlEuly224?NqPtwm'

# User with permissions to perform snapshot and restore operations
  indexer_username: 'snapshotrestore'
  indexer_password: '.cLInM3Pxb4KsOGGuP.4rvOZiiuJ7*ws'

# Password for wazuh API user
  api_username: 'wazuh'
  api_password: '9qdiBXzBX?hpXACy3W1r2h8Jjq5keEMn'

# Password for wazuh-wui API user
  api_username: 'wazuh-wui'
  api_password: 'r7jH.SQ4SMqbzVXcbJrkiyrwvWd+G*w8'

Wazuh manager

In order to change the Filebeat password, we indicate it with the user admin instead of Filebeat.

Tests

Option with username and password

[root@localhost passwords_good]# bash wazuh-passwords-tool.sh -u admin -p PF?whFMYzTyHFI8PqVXjjS5NqsE7xEDx
07/06/2024 12:10:23 INFO: The new password for Filebeat is PF?whFMYzTyHFI8PqVXjjS5NqsE7xEDx
[root@localhost passwords_good]# filebeat test output
elasticsearch: https://192.168.56.13:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.56.13
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.2

For the Filebeat password it is not necessary to add the credentials of the API admin user.

--change-all option

  [root@localhost passwords_good]# bash wazuh-passwords-tool.sh --change-all -au wazuh -ap e0xS4CHkYinyaqtzN9JQ+X7b8F+KKaah -f wazuh-passwords_070624.txt
07/06/2024 12:31:11 INFO: The new password for Filebeat is PF?whFMYzTyHFI8PqVXjjS5NqsE7xEDx
07/06/2024 12:32:06 INFO: The password for Wazuh API user wazuh is e0xS4CHkYinyaqtzN9JQ+X7b8F+KKaah
07/06/2024 12:32:09 INFO: The password for Wazuh API user wazuh-wui is *Kiq7c+MWpj+CCb*jyyx4MMmaAgvd.Ok

Wazuh dashboard

The change of passwords in the dashboard has been improved. To change API user passwords, the --api option is used so that if the dashboard is installed on the same machine as the indexer it does not try to change kibanaserver passwords as well.

Tests

Change password for wazuh-wui with --api option

root@debian9:/home/vagrant/passwords_good# bash wazuh-passwords-tool.sh -u wazuh-wui -p *Kiq7c+MWpj+CCb*jyyx4MMmaAgvd.Ok --api
07/06/2024 12:42:20 INFO: Updated wazuh-wui user password in wazuh dashboard to '*Kiq7c+MWpj+CCb*jyyx4MMmaAgvd.Ok'.

AIO deployment

Now when changing passwords in AIO, the message also appears when changing the Filebeat password.

Tests

--change-all option

root@ip-172-31-44-59:/home/ubuntu# bash wazuh-passwords-tool.sh --change-all -f wazuh_passwords-07052024.txt
07/06/2024 12:29:52 INFO: Updating the internal users.
07/06/2024 12:29:56 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/06/2024 12:29:56 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
07/06/2024 12:30:08 INFO: The new password for Filebeat is yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:30:37 INFO: The password for user admin is yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:30:37 INFO: The password for user kibanaserver is .SUO*oQZvwj36pj3ThT7M8N16cv034*9
07/06/2024 12:30:37 INFO: The password for user kibanaro is SJNS*.2r+?m.g0l3Wn1r0Lb8+m?YARsP
07/06/2024 12:30:37 INFO: The password for user logstash is W+HJI++yk*GhAUEuAQapMHER1eh0UynA
07/06/2024 12:30:37 INFO: The password for user readall is CJlfJcG2B6.Sb42xhfq5sjQQtFnPmm*J
07/06/2024 12:30:37 INFO: The password for user snapshotrestore is P0dP+bcXx42NIuYamVrL9jwv.Y?Xi2F2
07/06/2024 12:30:37 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.

Option with username and password

root@ip-172-31-44-59:/home/ubuntu# bash wazuh-passwords-tool.sh -u admin -p yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:39:02 INFO: Updating the internal users.
07/06/2024 12:39:06 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
07/06/2024 12:39:06 INFO: Generating password hash
07/06/2024 12:39:12 INFO: The new password for Filebeat is yMMu1HXyG2dPiw6sP2yUCDNiQ+8FeVKh
07/06/2024 12:39:37 WARNING: Password changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
root@ip-172-31-44-59:/home/ubuntu# filebeat test output
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2