Securing your Wazuh installation API section is changing every password #8025

Open
jnasselle opened this issue Dec 11, 2024 · 5 comments · Fixed by #8026, #8048, #8049 or #8050 · May be fixed by #8047
Labels: level/task, type/bug


@jnasselle
Member

jnasselle commented Dec 11, 2024

During wazuh/wazuh#27183 it was found that in https://documentation.wazuh.com/current/installation-guide/wazuh-dashboard/step-by-step.html#securing-your-wazuh-installation, in particular in the Distributed Deployment tab, the following step is changing every password, while it should only change the API ones.

image

This could be an issue if the Wazuh Manager coexists with the Wazuh Dashboard on the same host.

Current behavior when the Wazuh Master node and Wazuh Dashboard coexist on the same host

  • Step 1
root@host1:/home/vagrant# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
11/12/2024 14:40:07 INFO: Updating the internal users.
11/12/2024 14:40:11 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
11/12/2024 14:40:11 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
11/12/2024 14:40:21 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
11/12/2024 14:40:49 INFO: The password for user admin is iEmuZf3ttp5ANFGyHzL?u?m68WO1d9Hp
11/12/2024 14:40:49 INFO: The password for user anomalyadmin is yxP0r4y2WNGCcwIkeI+.4Jd6Fma4zF0M
11/12/2024 14:40:49 INFO: The password for user kibanaserver is U9qWxUeT7YnPZOWdlksw5HEB+1.Jinvk
11/12/2024 14:40:49 INFO: The password for user kibanaro is LiDAb0nvRCnlOpj6EmH?2CCCo8EmU7gF
11/12/2024 14:40:49 INFO: The password for user logstash is LMpc3Isb98L*owj*c4n45JA3wqs?V?A2
11/12/2024 14:40:49 INFO: The password for user readall is B3pzRh.sY?YycQGj?Tld3CiT6bEL94rP
11/12/2024 14:40:49 INFO: The password for user snapshotrestore is QhN+yDiQc+q*Q1*7F88e.eEmUrOSfRgj
11/12/2024 14:40:49 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
  • Step 2
root@host1:/home/vagrant# curl -sO https://packages.wazuh.com/4.9/wazuh-passwords-tool.sh
bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
11/12/2024 14:41:05 INFO: Updating the internal users.
11/12/2024 14:41:09 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
11/12/2024 14:41:21 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
11/12/2024 14:41:45 INFO: The password for user admin is *ERWBUJYcoocwG?CRYfoHSnW7q0itdbh
11/12/2024 14:41:45 INFO: The password for user anomalyadmin is lhPFuWCjv*FlIMadgmNJo+7yYrV7f0vH
11/12/2024 14:41:45 INFO: The password for user kibanaserver is pSqT3?3eBspjKdBeQnSpCgsB.O?o9c8k
11/12/2024 14:41:45 INFO: The password for user kibanaro is tFS8z4ZnlKyc2c1w0G92IYrtySkqc+nX
11/12/2024 14:41:45 INFO: The password for user logstash is gmTiv5OKbx6GGJU2DQjdoTNltdAMMc?a
11/12/2024 14:41:45 INFO: The password for user readall is axSddng6vT7UzgIIv.Gq.PyTnq.8Z*LZ
11/12/2024 14:41:45 INFO: The password for user snapshotrestore is Et5vPBqXDJN72PHSB1paFMNgS+jhpyg+
11/12/2024 14:41:45 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
11/12/2024 14:41:47 INFO: The password for Wazuh API user wazuh is XFfgvv+Pm+olUvN3hRGSx*rIVQkVFQcE
11/12/2024 14:41:48 INFO: The password for Wazuh API user wazuh-wui is KcIFIovRmAeUho.+shLUs3FJMu*0Pvaa

Expected behavior when the Wazuh Master node and Wazuh Dashboard coexist on the same host

  • Step 1
root@host1:/home/vagrant# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all
11/12/2024 14:40:07 INFO: Updating the internal users.
11/12/2024 14:40:11 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
11/12/2024 14:40:11 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
11/12/2024 14:40:21 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
11/12/2024 14:40:49 INFO: The password for user admin is iEmuZf3ttp5ANFGyHzL?u?m68WO1d9Hp
11/12/2024 14:40:49 INFO: The password for user anomalyadmin is yxP0r4y2WNGCcwIkeI+.4Jd6Fma4zF0M
11/12/2024 14:40:49 INFO: The password for user kibanaserver is U9qWxUeT7YnPZOWdlksw5HEB+1.Jinvk
11/12/2024 14:40:49 INFO: The password for user kibanaro is LiDAb0nvRCnlOpj6EmH?2CCCo8EmU7gF
11/12/2024 14:40:49 INFO: The password for user logstash is LMpc3Isb98L*owj*c4n45JA3wqs?V?A2
11/12/2024 14:40:49 INFO: The password for user readall is B3pzRh.sY?YycQGj?Tld3CiT6bEL94rP
11/12/2024 14:40:49 INFO: The password for user snapshotrestore is QhN+yDiQc+q*Q1*7F88e.eEmUrOSfRgj
11/12/2024 14:40:49 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
  • Step 2
root@host1:/home/vagrant# curl -sO https://packages.wazuh.com/4.9/wazuh-passwords-tool.sh
bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password wazuh
11/12/2024 14:41:47 INFO: The password for Wazuh API user wazuh is XFfgvv+Pm+olUvN3hRGSx*rIVQkVFQcE
11/12/2024 14:41:48 INFO: The password for Wazuh API user wazuh-wui is KcIFIovRmAeUho.+shLUs3FJMu*0Pvaa

Conclusion

This could be the result of the --change-all parameter in Step 2, but a proper RCA should be done.
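
An added example (not part of the original issue or of the Wazuh tooling): a shell check that reads the output of a wazuh-passwords-tool.sh run and reports whether indexer users were rotated alongside the Wazuh API users, which is the difference between the current and expected behavior above. The function names are hypothetical, and the log lines are constructed with placeholder secrets in the message format shown in the issue.

```shell
#!/bin/sh
# Added example: classify which accounts a wazuh-passwords-tool.sh run rotated.
# Function names are hypothetical; the log lines are constructed and use
# placeholder secrets in the message format shown in the issue.

sample_log() {
cat <<'EOF'
11/12/2024 14:41:05 INFO: Updating the internal users.
11/12/2024 14:41:45 INFO: The password for user admin is PLACEHOLDER-1
11/12/2024 14:41:45 INFO: The password for user kibanaserver is PLACEHOLDER-2
11/12/2024 14:41:45 WARNING: Wazuh indexer passwords changed.
11/12/2024 14:41:47 INFO: The password for Wazuh API user wazuh is PLACEHOLDER-3
11/12/2024 14:41:48 INFO: The password for Wazuh API user wazuh-wui is PLACEHOLDER-4
EOF
}

# Indexer users whose password was rotated, one per line (reads stdin).
rotated_indexer_users() {
    sed -n 's/^.*INFO: The password for user \([^ ]*\) is .*$/\1/p'
}

# Wazuh API users whose password was rotated, one per line (reads stdin).
rotated_api_users() {
    sed -n 's/^.*INFO: The password for Wazuh API user \([^ ]*\) is .*$/\1/p'
}

# Mask the printed secrets so the tool output can be kept in a ticket or log.
redact_passwords() {
    sed 's/\(INFO: The password for .* is \).*$/\1[REDACTED]/'
}

# Succeeds only when API users were rotated and no indexer user was.
api_only_rotation() {
    log=$(cat)
    indexer=$(printf '%s\n' "$log" | rotated_indexer_users | tr '\n' ' ')
    if [ -n "$indexer" ]; then
        echo "indexer users also rotated: $indexer" >&2
        return 1
    fi
    [ -n "$(printf '%s\n' "$log" | rotated_api_users)" ]
}

# Demo on the constructed sample when run as: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_log | redact_passwords
    sample_log | api_only_rotation || echo "services using indexer credentials need updating"
fi
```

Piping the real tool output through `api_only_rotation` after the API step shows immediately whether the dashboard and Filebeat credentials on the same host also need to be updated.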

@jnasselle
Member Author

Reopening this issue because the related article was not fixed. Proof: https://documentation-dev.wazuh.com/v4.10.0-rc2/installation-guide/wazuh-dashboard/step-by-step.html

Image

Also, this should be considered for backporting to the 4.x documentation.

@JuanGarriuz
Member

JuanGarriuz commented Dec 20, 2024

Research 20/12

After testing in a real environment, without the --change-all parameter, the script triggers the --help message, making the parameter mandatory. Additionally, the parameter included works exactly as expected.

The following logs are from version 4.9:


root@ubuntu-jammy:/home/vagrant# systemctl status wazuh-dashboard
● wazuh-dashboard.service - wazuh-dashboard
     Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-12-20 09:12:45 UTC; 3min 33s ago
   Main PID: 119173 (node)
      Tasks: 11 (limit: 9477)
     Memory: 196.9M
        CPU: 13.403s
     CGroup: /system.slice/wazuh-dashboard.service
             └─119173 /usr/share/wazuh-dashboard/node/bin/node /usr/share/wazuh-dashboard/src/cli/dist

Dec 20 09:12:55 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:12:55Z","tags":["info","http","server","OpenSearchDashboards"],"pid":119173,"message":"http server running>
Dec 20 09:12:55 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:12:55Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":119173,"message":"Updated the wazuh-stati>
Dec 20 09:12:55 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:12:55Z","tags":["info","plugins","wazuh","monitoring"],"pid":119173,"message":"Updated the wazuh-agent tem>
Dec 20 09:12:55 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:12:55Z","tags":["error","plugins","wazuh","monitoring"],"pid":119173,"message":"Request failed with status>
Dec 20 09:13:01 ubuntu-jammy opensearch-dashboards[119173]: [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
Dec 20 09:13:01 ubuntu-jammy opensearch-dashboards[119173]: {"type":"response","@timestamp":"2024-12-20T09:13:01Z","tags":[],"pid":119173,"method":"get","statusCode":200,"req":{"url":"/status","method":"get",>
Dec 20 09:15:01 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:15:01Z","tags":["error","opensearch","data"],"pid":119173,"message":"[resource_already_exists_exception]: >
Dec 20 09:15:01 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:15:01Z","tags":["info","plugins","wazuh","cron-scheduler"],"pid":119173,"message":"wazuh-statistics-2024.5>
Dec 20 09:15:01 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:15:01Z","tags":["info","plugins","wazuh","monitoring"],"pid":119173,"message":"wazuh-monitoring-2024.51w i>
Dec 20 09:15:01 ubuntu-jammy opensearch-dashboards[119173]: {"type":"log","@timestamp":"2024-12-20T09:15:01Z","tags":["info","plugins","wazuh","monitoring"],"pid":119173,"message":"Settings added to wazuh-mon>

root@ubuntu-jammy:/home/vagrant# systemctl status wazuh-manager
● wazuh-manager.service - Wazuh manager
     Loaded: loaded (/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-12-20 09:10:52 UTC; 5min ago
      Tasks: 213 (limit: 9477)
     Memory: 5.3G
        CPU: 3min 25.161s
     CGroup: /system.slice/wazuh-manager.service
             ├─115912 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─115913 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─115916 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─115919 /var/ossec/framework/python/bin/python3 /var/ossec/api/scripts/wazuh_apid.py
             ├─115960 /var/ossec/bin/wazuh-authd
             ├─115976 /var/ossec/bin/wazuh-db
             ├─115986 /var/ossec/bin/wazuh-execd
             ├─116016 /var/ossec/bin/wazuh-analysisd
             ├─116113 /var/ossec/bin/wazuh-syscheckd
             ├─116139 /var/ossec/bin/wazuh-remoted
             ├─116195 /var/ossec/bin/wazuh-logcollector
             ├─116211 /var/ossec/bin/wazuh-monitord
             └─116247 /var/ossec/bin/wazuh-modulesd

Dec 20 09:10:46 ubuntu-jammy env[115849]: Started wazuh-analysisd...
Dec 20 09:10:47 ubuntu-jammy env[115849]: Started wazuh-syscheckd...
Dec 20 09:10:48 ubuntu-jammy env[115849]: Started wazuh-remoted...
Dec 20 09:10:48 ubuntu-jammy env[115849]: Started wazuh-logcollector...
Dec 20 09:10:49 ubuntu-jammy env[115849]: Started wazuh-monitord...
Dec 20 09:10:49 ubuntu-jammy env[116245]: 2024/12/20 09:10:49 wazuh-modulesd:router: INFO: Loaded router module.
Dec 20 09:10:49 ubuntu-jammy env[116245]: 2024/12/20 09:10:49 wazuh-modulesd:content_manager: INFO: Loaded content_manager module.
Dec 20 09:10:50 ubuntu-jammy env[115849]: Started wazuh-modulesd...
Dec 20 09:10:52 ubuntu-jammy env[115849]: Completed.
Dec 20 09:10:52 ubuntu-jammy systemd[1]: Started Wazuh manager.
root@ubuntu-jammy:/home/vagrant# systemctl status wazuh-indexer
Unit wazuh-indexer.service could not be found.
root@ubuntu-jammy:/home/vagrant# bash wazuh-passwords-tool.sh --api --admin-user wazuh --admin-password 70sKv*Qd5dSFLr3d4AT0qoZcxsOsc72U

NAME
        wazuh-passwords-tool.sh - Manage passwords for Wazuh indexer users.

SYNOPSIS
        wazuh-passwords-tool.sh [OPTIONS]

DESCRIPTION
        -a,  --change-all
                Changes all the Wazuh indexer and Wazuh API user passwords and prints them on screen.
                To change API passwords -au|--admin-user and -ap|--admin-password are required.

        -A,  --api
                Change the Wazuh API password.
                Requires -u|--user, and -p|--password, -au|--admin-user and -ap|--admin-password.

        -au,  --admin-user <adminUser>
                Admin user for Wazuh API, Required to change Wazuh API passwords.
                Requires -A|--api.

        -ap,  --admin-password <adminPassword>
                Password for Wazuh API admin user, Required to change Wazuh API passwords.
                Requires -A|--api.

        -u,  --user <user>
                Indicates the name of the user whose password will be changed.
                If no password specified it will generate a random one.

        -p,  --password <password>
                Indicates the new password, must be used with option -u.

        -c,  --cert <route-admin-certificate>
                Indicates route to the admin certificate.

        -k,  --certkey <route-admin-certificate-key>
                Indicates route to the admin certificate key.

        -v,  --verbose
                Shows the complete script execution output.

        -f,  --file <wazuh-passwords.txt>
                Changes the passwords for the ones given in the file.

                Wazuh indexer users must have this format:

                    # Description
                      indexer_username: <user>
                      indexer_password: <password>

                Wazuh API users must have this format:

                    # Description
                      api_username: <user>
                      api_password: <password>

        -gf, --generate-file <wazuh-passwords.txt>
                Generate password file with random passwords for standard users.

        -h,  --help
                Shows help.
root@ubuntu-jammy:/home/vagrant# bash wazuh-passwords-tool.sh --api --change-all --admin-user wazuh --admin-password 4?Z?C9IfDEr1r?fb3gmD4mOABQeHgpe4
20/12/2024 09:19:48 INFO: The password for Wazuh API user wazuh is YXrGF*L2SxjBGBJiDz.?WxzNpC+K5b8B
20/12/2024 09:19:48 INFO: The password for Wazuh API user wazuh-wui is IFTA?xb0oAOcJ0dh7TnxNC2H5AcHy.HS
20/12/2024 09:19:48 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

wazuhci moved this from In progress to Pending review in Release 4.10.0 on Dec 20, 2024

@Desvelao
Member

Hi @jnasselle, it seems you got a different output than @JuanGarriuz.

Was the Wazuh indexer deployed on the same host as the Wazuh server where you ran the command to change the password for the Wazuh server API users?

According to the documentation (https://documentation.wazuh.com/4.9/user-manual/user-administration/password-management.html) the --change-all flag is used to change the Wazuh indexer and Wazuh server API users.

According to the information provided by @JuanGarriuz, omitting --change-all causes the help to be displayed instead of changing the password for the Wazuh server API users.

We should investigate the logic to change the password and the usage of options.

@guidomodarelli

I confirm the test done by @JuanGarriuz.

When I use this command sudo bash wazuh-passwords-tool.sh -a -au wazuh -ap KTb+Md+rR74J2yHfoGGnFGHGm03Gadyu, I get the help in an all-in-one deployment.

I tried to test all the possibilities.

Image

@javimed
Member

javimed commented Dec 23, 2024

PRs reviewing and merging blocked. Waiting for definitions about closing the PRs still open and reverting merged ones.
