Changing Passwords

[swapnils]

Hello Team,

Greetings!

I wish to change the password(s) of the Wazuh cluster. I came across wazuh-passwords-tool.sh utility. I ran this script and multiple passwords got generated; however, I am full confused - which password to update in which file. Whether to update hash or a plain text.

I am running on a distributed environment hence it is a bit confusing for me. I started with changing default admin password of dashboard's webpage under /etc/wazuh-dashboard/opensearch_dashboards.yml, but in there, I could see only these relevant option which are already hashed.

#opensearch.username:
#opensearch.password:

Is there any document or KB to refer which will help me reset and configure passwords manually of my own? By doing this, I will get to know what and where needs configuration changes.. rather that script doing everything at the back end silently.

Checked this article but being a noob, it was hard for me to understand.

Thanks in advance!

Regards,

swapnils

[Nicolas Agustin Guevara Pihen]

Hello  Swapnils, thank you for using Wazuh! 

I will be helping you with this problem. The article that you mention is correct, note that you have two tabs there: All-in-one deployment and Distributed deployment. As you are using distributed, make sure to select the second tab to have the right documentation. 

The opensearch.username and opensearch.password are hashed in the file because they are not used. Instead, it uses credentials stored in a Keystore. Here are the steps that you need to follow in order to change your passwords and update the corresponding keystores:

In a distributed deployment, you need to run the wazuh-passwords-tool.sh two times:

1. Run it on any Wazuh Indexer node. If you want to change all, use /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh --change-all. 
   It should show an output that looks like this:
   
   INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
   INFO: The password for user admin is wcAny.XUwOVWHFy.+7tW9l8gUW1L8N3j
   INFO: The password for user kibanaserver is qy6fBrNOI4fD9yR9.Oj03?pihN6Ejfpp
   INFO: The password for user kibanaro is Nj*sSXSxwntrx3O7m8ehrgdHkxCc0dna
   INFO: The password for user logstash is nQg1Qw0nIQFZXUJc8r8+zHVrkelch33h
   INFO: The password for user readall is s0iWAei?RXObSDdibBfzSgXdhZCD9kH4
   INFO: The password for user snapshotrestore is Mb2EHw8SIc1d.oz.nM?dHiPBGk7s?UZB
   WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
   
   
2. Run it on any Wazuh manager node. You need to download it first, and then provide the admin credentials of Wazuh (the one that came in the installation, not the recently generated). By default the user and the password are "wazuh". You need to use these commands: 
   
   curl -sO https://packages.wazuh.com/4.3/wazuh-passwords-tool.sh 
   bash wazuh-passwords-tool.sh --change-all --admin-user wazuh --admin-password wazuh
   
   And it should show an output like this:
   
   INFO: The password for Wazuh API user wazuh is ivLOfmj7.jL6*7Ev?UJoFjrkGy9t6Je.
   INFO: The password for Wazuh API user wazuh-wui is fL+f?sFRPEv5pYRE559rqy9b6G4Z5pVi
   

After running those commands, these are the steps that you need to follow in order to finish the configuration:

• Update the admin password in the Filebeat keystore

To do that, you need to run this command on all your Wazuh manager nodes:   
 
echo <admin-password> | filebeat keystore add password --stdin --force

You need to replace  <admin-password> with the admin password generated on the first step, when you ran the tool in your Wazuh Indexer node. After running it, restart Filebeat with systemctl restart filebeat. This needs to be done on all your Wazuh manager nodes. 

• Update the kibanaserver password in the Wazuh dashboard keystore
  
  To do that, you need to run this command on your Wazuh dashboard node:
  
  echo <kibanaserver-password> | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password
  
  You need to replace  <kibanaserver-password> with the kibanaserver password generated on the first step.
  
  

• Update the wazuh-wui password in the Wazuh config file
  
  To do that, open /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml on your Wazuh dashboard node, and find this section:
  hosts:
      - default:
          url: https://localhost
          port: 55000
          username: wazuh-wui
          password: <wazuh-wui-password>
          run_as: false
  
  Replace  <wazuh-wui-password> with  the Wazuh wui password generated on the second step, when you ran the tool on your Wazuh manager node.
  
  After this step, restart Wazuh dashboard with systemctl restart wazuh-dashboard.
  

I hope you find this information helpful. Let me know if you have any questions or doubts. 

Kind regards,

[swapnils]

Hello Nicolas,

Thank you very much for sharing detailed steps!
I felt like I replied yesterday, but somehow could not find that thread. Don’t understand what went wrong! Apologies if my post is duplicate..

Anyways, Need some more clarification on -

1. If I ran password tool on any indexer, will the changes get replicated to all nodes? After passwords get generated, we get this message - WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services. There are 6 new passwords. admin & kibanaserver passwords are to be configured in the manager & dashboard respectively? What about the remaining user’s passwords i.e. kibanaro, logstash, readall & snapshotrestore?

2. After running the tool on any manager, it will generate password for two users - wazuh & wazuh-wui. This wazuh-wui password is to be updated in dashboard’s waszuh.yml? So this will be the only clear-text password.

3. Which one is the Dashboard GUI login password here? Is it the one which got generated on indexer for admin user which is to be updated on manager (filebeat)?

4. Is there any way where in I can bypass password generation tool and do everything manually? I will understand better with that approach.. I guess!

5. Is it possible to view already configured passwords?

6. Am I allowed to set my own password instead of the one generated by the script?

Regards,
swapnils

​

[Nicolas Agustin Guevara Pihen]

Hello  Swapnils,

I will be answering your questions:

1. If you run the tool on an Indexer node, the changes will be replicated in all of them.  admin & kibanaserver should be configured in the manager & dashboard respectively. The remaining passwords are for Indexer's internal usage, and is not necessary to configure them in any place. 
   
2. That is correct, it is the only clear-text password. 
   
3. The Dashboard GUI login password is the admin password generated in the first step, which you configured in Filebeat. 
4. We recommend using the script, as it has validations and simplified steps that will allow changing any password easily. It is possible to read the script and replicate manually the steps, but we don't have documentation for doing that. 
5. It is not possible to see already configured passwords.
6. Yes. You can change a password using your desired one, and also you can change a single password instead of all of them. You can see this documentation to know all the available options. You can also run bash wazuh-passwords-tool.sh --h to see the available options for the command.

I hope you find that information helpful.

Kind regards,

[swapnils]

Thank you Nicolas! That helps a lot. :)

However, getting following error:

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u admin -p 123.Xyzab
Security Admin v7
ERR: Parsing failed.  Reason: Missing argument for option: cacert
usage: securityadmin.sh [-arc] [-backup <folder>] [-cacert <file>] [-cd
       <directory>] [-cert <file>] [-cn <clustername>] [-dci] [-dg] [-dra]
       [-ec <cipers>] [-ep <protocols>] [-er <number of replicas>] [-era]
       [-esa] [-f <file>] [-ff] [-h <host>] [-i <indexname>] [-icl] [-key
       <file>] [-keypass <password>] [-ks <file>] [-ksalias <alias>]
       [-kspass <password>] [-kst <type>] [-migrate <folder>] [-mo
       <folder>] [-nhnv] [-noopenssl] [-nrhn] [-p <port>] [-prompt] [-r]
       [-rev] [-rl] [-si] [-sniff] [-t <file-type>] [-ts <file>] [-tsalias
       <alias>] [-tspass <password>] [-tst <type>] [-us <number of
       replicas>] [-vc <version>] [-w]
...
...
...
25/11/2022 17:58:08 ERROR: The backup could not be created

Also tried with following command -

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -f file-name
cat file-name
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'pq@Abc1xy'

Getting same error as well. (Password is altered)
Followed this article.

Regards,
swapnils

​

[swapnils]

Hello Nicolas/Team,

Kindly help me in this please!

[Nicolas Agustin Guevara Pihen]

Hello Swapnils, 

Apologies for the delayed response.
That error is related to the securityadmin script, that runs internally in the command. In order to troubleshoot that, I will require the following:

• Run the wazuh password tool with the -v flag, to display the complete output
  
• Verify if the file /etc/wazuh-indexer/opensearch.yml exists. In that case, verify if the option plugins.security.ssl.transport.pemtrustedcas_filepath is in the file. 
  
• If you are using custom certificates, verify that the certifcates configured on  plugins.security.ssl.transport.pemtrustedcas_filepath matches yours.

I will be looking forward to your answer! 
Regards,

[swapnils]

Hello Nicolas,

Here is the truncated verbose output :

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -v -f adm-pwd
29/11/2022 15:10:03 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
mkdir: cannot create directory ‘/usr/share/wazuh-indexer/backup’: File exists
Security Admin v7
ERR: Parsing failed.  Reason: Missing argument for option: cacert
usage: securityadmin.sh [-arc] [-backup <folder>] [-cacert <file>] [-cd
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 177: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
cp: cannot stat ‘/usr/share/wazuh-indexer/backup/*’: No such file or directory
Security Admin v7
ERR: Parsing failed.  Reason: Missing argument for option: cacert
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 549: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
29/11/2022 15:10:05 INFO: The password for user admin is XXXXXXXX
29/11/2022 15:10:05 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

Does that mean password got changed?

cat adm-pwd 
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: 'XXXXXXXXX'

Also checked the File -

grep ^plugins.security.ssl.transport.pemtrustedcas /etc/wazuh-indexer/opensearch.yml
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem

Thank you!
swapnils

​

[Nicolas Agustin Guevara Pihen]

Hi,

It is possible that the password is changed now. The problem I can see is that the script cannot read the certificate due to lack of permissions

/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 549: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied

Usually, to modify any configuration regarding Wazuh, superuser permissions are required. You can run sudo su on the terminal before changing the configuration, or run any command with sudo <command>. Could you confirm if you are running the Password Tool with the correct permissions?

Regards, 

[swapnils]

Hello Nicolas,

All the commands were run with the root user.

# ll /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh
-rwxr----- 1 wazuh-indexer wazuh-indexer 37937 Nov 11 19:00 /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh

# ll /etc/wazuh-indexer/certs/root-ca.pem
-r-------- 1 wazuh-indexer wazuh-indexer 1184 Aug 26 12:53 /etc/wazuh-indexer/certs/root-ca.pem

# whoami
root

Following command also gives me same error -

# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -v -u admin -p XXXXXXXX
Security Admin v7
ERR: Parsing failed.  Reason: Missing argument for option: cacert
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 177: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
30/11/2022 08:56:10 INFO: Generating password hash
cp: cannot stat ‘/usr/share/wazuh-indexer/backup/*’: No such file or directory
Security Admin v7
ERR: Parsing failed.  Reason: Missing argument for option: cacert
...
...
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh: line 549: /etc/wazuh-indexer/certs/root-ca.pem: Permission denied
30/11/2022 08:56:11 WARNING: Password changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.

Do I need to give read permission to others? Or what else needs to be done?

Regards,
swapnils

​

[swapnils]

Hello Nicolas/Team,

I updated password under filebeat of all managers generated in earlier with the command /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -v -u admin -p XXXXXXXX. Restarted filebeat service and tried logging in to the dashboard GUI; but it took old password itself.
How to make it work? Please help!

Thanks,
swapnils

​

[swapnils]

Hello Nicolas,

I figured out the issue. The certificate error was getting popped up because of the following entries -

[root@indexer1 ~]# grep "plugins.security.ssl.transport.pemtrustedcas_filepath: " /etc/wazuh-indexer/opensearch.yml
#plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca1.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca2.pem

I tweaked a little in password script as -
grep "^plugins.security.ssl.transport.pemtrustedcas_filepath: " /etc/wazuh-indexer/opensearch.yml

This worked for me. This change can be considered to incorporated with in the Wazuh script available online. (to have exact match)

For remaining users/accounts, I shall work and let you know if assistance is needed.
Appreciate your help!

Regards,
swapnils

​

[Nicolas Agustin Guevara Pihen]

Hello Swapnils, 

Once again, apologies for the late response. I'm glad to know that it is now working and really appreciate the recommendation, I will send it to the corresponding team. 

If you have any other questions, don't hesitate to contact us again. 

Kind regards,

[swapnils]

Hello Nicolas,

Sorry to bother you again. Small query here -
Once I reset the passwords, will I be able to validate whether passwords got changed successfully?

In earlier (initial) scenario, we felt that password got changed but when checked, it was using old admin password (Dashboard GUI) whereas in my latest post, password got changed and was in effect.

Thanks,

swapnils

[Nicolas Agustin Guevara Pihen]

Hello Swapnils,

Hope you are well. 

Unfortunately, there is no command or tool to verify automatically if the passwords were changed.
In your initial scenario, although the Wazuh Password Tool showed a message telling you that the password was changed, it also failed with an error. You can verify that the script doesn't fails and also shows that message to know that they were changed successfully. 

Regards,