Wazuh Dashboard Admin Password


Barend Botes

Aug 31, 2022, 10:56:39 AM
to Wazuh mailing list
I cannot seem to create/change the admin password for the wazuh dashboard. I am running wazuh in kubernetes according to the kubernetes deployment documents. However, trying to change the password within the wazuh-kubernetes/wazuh/secrets/indexer-cred-secret.yaml Secret file does not work for me.

I also tried to run the wazuh-passwords-tool.sh script within the wazuh-indexer pod by exec via rancher at /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh, but it just gives the "This script must be run as root." error.

Nicolas Stefani

Aug 31, 2022, 11:37:34 AM
to Wazuh mailing list

Hi, thanks for using Wazuh,
I'm taking a look, I will get back with an answer as soon as possible.

Nicolas Stefani

Aug 31, 2022, 2:35:19 PM
to Wazuh mailing list
In order to change the admin password you must follow these steps:

1) Obtain the password hash inside the indexer pod

* outside pod:
    kubectl exec -it -n wazuh pod/wazuh-indexer-0 -- bash
* inside pod:
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk
    bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

2) Insert the new password and create a new hash. Replace the admin value with the new hash in the wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml file

3) Change the value of the password parameter in the wazuh/secrets/indexer-cred-secret.yaml file

4) Apply the changes to your k8s cluster:
    kubectl apply -k envs/eks/

5) Add environment variables and run the securityadmin script:

    export INSTALLATION_DIR=/usr/share/wazuh-indexer
    export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
    CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
    KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
    CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk
    bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl

6) Clear the cache and test your new password

Barend Botes

Sep 1, 2022, 2:27:35 AM
to Wazuh mailing list
Awesome! Thank you so much! Do you have any articles relating to changing the other passwords for the Kubernetes environment?

Barend Botes

Sep 1, 2022, 3:10:16 AM
to Wazuh mailing list
Hi, thank you again, however, I am experiencing an issue now. After the password change, when I redeploy the pods, I am getting the following error on both worker and manager nodes: "Exiting: error loading config file: config file ("/etc/filebeat/filebeat.yml") can only be writable by the owner but the permissions are "-rw-rw-r--" (to fix the permissions use: 'chmod go-w /etc/filebeat/filebeat.yml')"

If I log into the container and run the command "chmod go-w /etc/filebeat/filebeat.yml", it then gives me the following error on the worker and manager nodes: "ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://wazuh-indexer-0.wazuh-indexer:9200)): 401 Unauthorized: Unauthorized"

Nicolas Stefani

Sep 1, 2022, 9:40:01 AM
to Wazuh mailing list
You need to update the file wazuh/secret/indexer-cred-secret.yaml with the new password and also modify the /etc/filebeat/filebeat.yml file in the pod.

Barend Botes

Sep 1, 2022, 10:50:26 AM
to Wazuh mailing list
I did update wazuh/secret/indexer-cred-secret.yaml with the hash value that was generated from the hash.sh script within the wazuh-indexer. I also updated the permissions for /etc/filebeat/filebeat.yml on both wazuh-manager and wazuh-worker pods by exec'ing into them and running "chmod go-w /etc/filebeat/filebeat.yml".

Barend Botes

Sep 2, 2022, 2:03:37 AM
to Wazuh mailing list
So I think I got it to work. Since this is a containerized environment and your wazuh base images do not have vim or nano, it was difficult to edit the filebeat.yml file. I am hosting this on a local k3s kubernetes cluster with metallb loadbalancer. So I will do my breakdown of what I did in this reply, so if anyone is experiencing the same issue they can just use this.

1) Obtain the password hash inside the indexer pod

* outside pod:
    kubectl exec -it -n wazuh pod/wazuh-indexer-0 -- bash
* inside pod:
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk
    bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

2) Insert the new password and create a new hash. Replace the admin value with the new hash in the wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml file

3) Change the value of the password parameter in the wazuh/secrets/indexer-cred-secret.yaml file by getting the base64 value first:
    echo -n 'ClearTestPassword' | base64

4) Change SecretPassword in /etc/filebeat/filebeat.yml on both worker and manager with the cleartext password value:
* outside pod:
    kubectl exec -it -n wazuh pod/wazuh-manager-master-0 -- bash
* inside pod:
    rm /etc/filebeat/filebeat.yml
    touch /etc/filebeat/filebeat.yml
    tee -a /etc/filebeat/filebeat.yml > /dev/null <<'EOT'

    # Wazuh - Filebeat configuration file
    filebeat.modules:
      - module: wazuh
        alerts:
          enabled: true
        archives:
          enabled: false

    setup.template.json.enabled: true
    setup.template.json.path: '/etc/filebeat/wazuh-template.json'
    setup.template.json.name: 'wazuh'
    setup.template.overwrite: true
    setup.ilm.enabled: false
    output.elasticsearch:
      hosts: ['https://wazuh-indexer-0.wazuh-indexer:9200']
      username: 'admin'
      password: 'ClearTestPassword'
      ssl.verification_mode: 'full'
      ssl.certificate_authorities: ['/etc/ssl/root-ca.pem']
      ssl.certificate: '/etc/ssl/filebeat.pem'
      ssl.key: '/etc/ssl/filebeat.key'

    logging.metrics.enabled: false

    seccomp:
      default_action: allow
      syscalls:
      - action: allow
        names:
        - rseq
    EOT
    chmod go-w /etc/filebeat/filebeat.yml

5) Apply the changes to your k3s cluster:
    kubectl apply -k envs/local-env/

6) Add environment variables and run the securityadmin script:

    export INSTALLATION_DIR=/usr/share/wazuh-indexer
    export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
    CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
    KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
    CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk
    bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl

7) Clear cache and test your new password
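
A consistency check for the procedure above, as an added example that is not part of the original thread or of the Wazuh project: it looks for the two failures reported earlier (a group-writable filebeat.yml, and credentials that no longer match and produce the 401) and for a newline accidentally encoded into the Secret. The function names are hypothetical; it assumes the Secret manifest holds an unquoted base64 value under a `password:` key and that filebeat.yml holds a single-quoted `password:` as in the post.

```shell
#!/usr/bin/env bash
# Added example: check that the Secret and filebeat.yml agree after a rotation.
# Assumes `password: <base64>` in the Secret and `password: '<clear>'` in filebeat.yml.

# Print the raw base64 `password:` value from a Secret manifest (trailing comment dropped).
secret_b64() {
  sed -n 's/^[[:space:]]*password:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if the decoded value ends in a newline (what `echo ... | base64` encodes).
has_trailing_newline() {
  [ "$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')" = "0a" ]
}

# Print the single-quoted password from filebeat.yml.
filebeat_password() {
  sed -n "s/^[[:space:]]*password:[[:space:]]*'\(.*\)'[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Succeed if group or other can write the file (Filebeat refuses to load such a config).
group_other_writable() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????w????|????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

# Print one line per problem; the exit status is the number of problems found.
check_rotation() {
  _b64="$(secret_b64 "$1")"
  _problems=0
  if has_trailing_newline "$_b64"; then
    echo "secret: decoded password ends with a newline"
    _problems=$((_problems + 1))
  fi
  if [ "$(printf '%s' "$_b64" | base64 -d)" != "$(filebeat_password "$2")" ]; then
    echo "mismatch: secret and filebeat.yml passwords differ"
    _problems=$((_problems + 1))
  fi
  if group_other_writable "$2"; then
    echo "perms: $2 is group/other writable"
    _problems=$((_problems + 1))
  fi
  return "$_problems"
}

# Usage: ./check.sh wazuh/secrets/indexer-cred-secret.yaml filebeat.yml
if [ "$#" -eq 2 ]; then check_rotation "$1" "$2"; fi
```

Run it against the manifest in the repository and a copy of filebeat.yml pulled from the pod; the hash in internal_users.yml is not checked here.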


Nicolas Stefani

Sep 5, 2022, 5:57:31 AM
to Barend Botes, Wazuh mailing list
Hi Barend, thanks for sharing your solution with the community!

--
Wazuh Nicolás Stefani
Software Engineer