Solve bugs when changing passwords in the manager, indexer and dashboard services #2968

Merged
62 changes: 48 additions & 14 deletions unattended_installer/passwords_tool/passwordsFunctions.sh
Expand Up @@ -14,6 +14,7 @@ function passwords_changePassword() {
eval "cp /etc/wazuh-indexer/opensearch-security/* /etc/wazuh-indexer/backup/ ${debug}"
passwords_createBackUp
fi

for i in "${!passwords[@]}"
do
if [ -n "${indexer_installed}" ] && [ -f "/etc/wazuh-indexer/backup/internal_users.yml" ]; then
Expand Down Expand Up @@ -56,8 +57,11 @@ function passwords_changePassword() {
conf="$(awk '{sub("password: .*", "password: '"${adminpass}"'")}1' /etc/filebeat/filebeat.yml)"
echo "${conf}" > /etc/filebeat/filebeat.yml
fi

passwords_restartService "filebeat"
eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}"
common_logger -nl $"The new password for Filebeat is ${adminpass}"

passwords_restartService "wazuh-manager"
fi
fi
Expand All @@ -74,15 +78,22 @@ function passwords_changePassword() {
echo "${conf}" > /etc/wazuh-dashboard/opensearch_dashboards.yml
fi
passwords_restartService "wazuh-dashboard"

if [ -z "${indexer_installed}" ]; then
# only for when the indexer is not installed, so as not to put the same information several times.
common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass"
fi
fi
fi

}

function passwords_changePasswordApi() {
#Change API password tool
if [ -n "${changeall}" ]; then
if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml)
fi
if [ -n "${changeall}" ]; then
for i in "${!api_passwords[@]}"; do
if [ -n "${wazuh_installed}" ]; then
passwords_getApiUserId "${api_users[i]}"
Expand Down Expand Up @@ -122,8 +133,16 @@ function passwords_changeDashboardApiPassword() {
until [ -n "${file_exists}" ] || [ "${j}" -eq "12" ]; do
if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}"
# Restart the service only if we change the api password. If we change all, the service is restarted when changing the kibanaserver password.
if [ -z "${changeall}" ]; then
passwords_restartService "wazuh-dashboard"
fi
if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then
common_logger "Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service."
if [ -z "${wazuh_installed}" ]; then
common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'."
else
common_logger "Updated wazuh-wui user password in wazuh dashboard."
fi
fi
file_exists=1
fi
Expand All @@ -135,20 +154,20 @@ function passwords_changeDashboardApiPassword() {

function passwords_checkUser() {

if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then
for i in "${!api_users[@]}"; do
if [ "${api_users[i]}" == "${nuser}" ]; then
exists=1
fi
done
else
for i in "${!users[@]}"; do
if [ "${users[i]}" == "${nuser}" ]; then
exists=1
fi
done
fi

for i in "${!users[@]}"; do
if [ "${users[i]}" == "${nuser}" ]; then
exists=1
fi
done

if [ -z "${exists}" ]; then
common_logger -e "The given user does not exist"
exit 1;
Expand Down Expand Up @@ -442,7 +461,7 @@ For Wazuh API users, the file must have this format:
fi
done

if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then
for j in "${!fileapiusers[@]}"; do
supported=false
for i in "${!api_users[@]}"; do
Expand Down Expand Up @@ -479,7 +498,7 @@ For Wazuh API users, the file must have this format:
fi
done

if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then
for j in "${!fileapiusers[@]}"; do
supported=false
for i in "${!api_users[@]}"; do
Expand Down Expand Up @@ -507,12 +526,27 @@ For Wazuh API users, the file must have this format:
fi

}
function passwords_readDashboardUsers() {

wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml)

api_users=("$wazuh_yml_user")

if [ -z "${indexer_installed}" ]; then
users+=("kibanaserver")
fi

}
function passwords_readUsers() {

passwords_updateInternalUsers
susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }')
mapfile -t users <<< "${susers[@]}"
if [ -n "${indexer_installed}" ]; then
passwords_updateInternalUsers
susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }')
mapfile -t users <<< "${susers[@]}"
elif [ -n "${wazuh_installed}" ]; then
# Only need the user admin for Filebeat connection
users=("admin")
fi

}
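Review bot: The keystore update in passwords_changePassword, `eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}"`, expands the password into a string that the shell then parses a second time, so whitespace, quotes, `$`, `;` or glob characters such as `*` and `?` in the password are stored wrongly or interpreted as shell syntax. No `${debug}` redirection is appended on that line, so the eval is not needed and the call can be `/var/ossec/bin/wazuh-keystore -f indexer -k password -v "${adminpass}"`. The `sed -i` line in passwords_changeDashboardApiPassword interpolates `${1}` the same way, where `'`, `|`, `&` or `\` in the password alter the command or the substitution; unless the password is validated against a strict character set before these points (not visible here), both need quoting or escaping. The add/remove markers are not visible on this page, so some of these lines may predate the PR, and both functions continue outside the hunks shown.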

31 changes: 22 additions & 9 deletions unattended_installer/passwords_tool/passwordsMain.sh
Expand Up @@ -222,7 +222,9 @@ function main() {
passwords_getApiToken
passwords_getApiUsers
passwords_getApiIds
elif [ -n "${indexer_installed}" ]; then
elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then
passwords_readDashboardUsers
elif [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then
passwords_readUsers
fi
passwords_checkUser
Expand All @@ -239,15 +241,20 @@ function main() {


if [ -n "${changeall}" ] || [ -n "${p_file}" ]; then
if [ -n "${indexer_installed}" ]; then
if [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then
passwords_readUsers
fi
if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
passwords_getApiToken
passwords_getApiUsers
passwords_getApiIds
else
common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed."

if [ -n "${wazuh_installed}" ]; then
if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
passwords_getApiToken
passwords_getApiUsers
passwords_getApiIds
else
common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed."
fi
elif [ -n "${dashboard_installed}" ]; then
passwords_readDashboardUsers
fi
if [ -n "${changeall}" ]; then
passwords_generatePassword
Expand All @@ -266,9 +273,15 @@ function main() {
passwords_runSecurityAdmin
fi

# Call the function to change the password for filebeat and/or kibanaserver
if [ -z "${indexer_installed}" ] && { [ -n "${wazuh_installed}" ] || [ -n "${dashboard_installed}" ]; }; then
passwords_changePassword
fi

if [ -n "${api}" ] || [ -n "${changeall}" ]; then
if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then
passwords_changePasswordApi

fi
fi
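Review bot: Both call sites of passwords_readDashboardUsers, the `elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]` branch in the single-user path and the `elif [ -n "${dashboard_installed}" ]` branch in the changeall/file path, reach a helper that runs awk on `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` with no existence check, as the helper appears in passwordsFunctions.sh on this page. passwords_changePasswordApi wraps the same awk call in `[ -f ... ]` and passwords_changeDashboardApiPassword polls for the file, which suggests it can be absent; in that case `api_users` holds a single empty string and the later user checks run against it. I would fail early in the helper, for example `[ -f /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ] || { common_logger -e "wazuh.yml not found"; exit 1; }`, or guard both call sites the same way. main() starts and ends outside the hunks shown.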
