wazuh.indexer does not use internal_users.yml file


Igor Burvikov

Nov 17, 2022, 7:19:03 AM
to Wazuh mailing list
Hello.
Docker single-node 4.3.9

I am changing the hash of the admin user.
The indexer continues to use the default password.

To generate a hash, use the command
docker exec -it indexer bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p <password>
I am attaching this file
volumes:
      - ./config/internal_users.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml


The container contains the modified file, but the indexer continues to use the default password. The owner of the internal_users.yml file is wazuh-indexer.

Antonio David Gutiérrez

Nov 21, 2022, 3:29:07 AM
to Wazuh mailing list
Hello,

thank you for using Wazuh.

The internal_users.yml file is used when the Wazuh indexer cluster is started for the first time and the security was initiated. This means that if you make changes after the cluster security has already been configured, they will not apply directly. If you want to apply your changes after the security was initiated, take a look at this: https://opensearch.org/docs/1.2/security-plugin/configuration/security-admin/#a-word-of-caution

Some possibilities:
1. If you don't care about the generated data, you could destroy the environment and create a new one, modifying the user password in the file beforehand.

1.1 Destroy the current environment
docker-compose down -v
The -v flag will remove the volumes. This is important if you have the data volume from the Wazuh indexer container.

1.2 Ensure you edited the password hash of the user in the internal_config.yml
You could generate a new one with:
docker run --rm -ti wazuh/wazuh-indexer:4.3.9 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
Type in a secure password when prompted and replace the hash in internal_users.yml.

1.3 Start the environment
docker-compose up -d


2. Use the securityadmin.sh script in the current environment to change the user password

2.1 Ensure you edited the password hash of the user in the internal_config.yml file

2.2 Run the securityadmin.sh script to apply the password change
JAVA_HOME="/usr/share/wazuh-indexer/jdk" bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml -t internalusers -icl -nhnv -cacert /usr/share/wazuh-indexer/config/certs/root-ca.pem -cert /usr/share/wazuh-indexer/config/certs/admin.pem -key /usr/share/wazuh-indexer/config/certs/admin-key.pem

This was tested on a single-node Wazuh deployment v4.3.9 through Docker. If you are using another deployment type, you may have to adjust it.

More information about the securityadmin.sh script: https://opensearch.org/docs/1.2/security-plugin/configuration/security-admin/
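
An added example, not part of the original posts and not Wazuh's own tooling: a pre-flight check for option 2 that confirms the edited internal_users.yml really carries a new, well-formed bcrypt hash before securityadmin.sh is run. The function names, the stock copy of the file used for comparison, and running the command through docker exec against the container name "indexer" from the first post are assumptions.

```shell
#!/bin/sh
# Added example: check internal_users.yml before applying it with securityadmin.sh.

# Print the hash stored for user $1 in internal_users.yml file $2 (empty if none).
user_hash() {
  awk -v user="$1" '
    /^[A-Za-z0-9_.-]+:/ { current = $0; sub(/:.*/, "", current); next }
    current == user && /^[ \t]+hash:/ {
      sub(/^[ \t]+hash:[ \t]*/, ""); print; exit
    }' "$2" | tr -d "\"'\r "
}

# Succeed only if $1 has the shape of a bcrypt hash, the format hash.sh prints.
is_bcrypt() {
  printf '%s\n' "$1" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# preflight USER EDITED_FILE STOCK_FILE: 0 = ready to apply, otherwise a reason code.
preflight() {
  new=$(user_hash "$1" "$2"); old=$(user_hash "$1" "$3")
  [ -n "$new" ] || return 2          # user or hash key missing in the edited file
  is_bcrypt "$new" || return 3       # plaintext or truncated value
  [ "$new" != "$old" ] || return 4   # still the stock hash: nothing was changed
}

# Step 2.2 from the thread, run inside the container (name "indexer" is an assumption).
apply_internal_users() {
  sec=/usr/share/wazuh-indexer/plugins/opensearch-security
  certs=/usr/share/wazuh-indexer/config/certs
  docker exec -e JAVA_HOME=/usr/share/wazuh-indexer/jdk indexer \
    bash "$sec/tools/securityadmin.sh" \
    -f "$sec/securityconfig/internal_users.yml" -t internalusers -icl -nhnv \
    -cacert "$certs/root-ca.pem" -cert "$certs/admin.pem" -key "$certs/admin-key.pem"
}

# Constructed sample files; the hashes are placeholders with a valid bcrypt shape.
demo=$(mktemp -d)
old_hash='$2y$12$'$(printf '%053d' 0); new_hash='$2y$12$'$(printf '%053d' 1)
printf 'admin:\n  hash: "%s"\n  reserved: true\n' "$old_hash" > "$demo/stock.yml"
printf 'admin:\n  hash: "%s"\n  reserved: true\n' "$new_hash" > "$demo/edited.yml"
printf 'admin:\n  hash: "MyNewPassword"\n' > "$demo/plaintext.yml"

if preflight admin "$demo/edited.yml" "$demo/stock.yml"; then
  echo "edited.yml: hash changed and well-formed; apply_internal_users can be run"
fi
```

Against a real deployment, point preflight at ./config/internal_users.yml and a copy of the file shipped in the image, then call apply_internal_users only when it returns 0.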
