Struggling To Set The 'wazuh' User Password On the Wazuh 4.x API


stide...@gmail.com

Jan 13, 2021, 11:59:19 PM
to Wazuh mailing list
Hello

I'm upgrading from Wazuh 3.11.1-1 to Wazuh 4.0.3-1 on Ubuntu 18. As per this document https://documentation.wazuh.com/4.0/user-manual/api/securing_api.html, I want to change the default password for the wazuh and wazuh-wui users.

I've authenticated and grabbed my JWT token. Then I test my token ...

curl -k -X GET "https://localhost:55000/" -H "Authorization: Bearer blah-token-blah-de-blah"
{"data": {"title": "Wazuh API REST", "api_version": "4.0.3", "revision": 40010, "license_name": "GPL 2.0", "license_url": "https://github.com/wazuh/wazuh/blob/4.0/LICENSE", "hostname": "syd-ossec-dev-01", "timestamp": "2021-01-14T04:43:07+0000"}, "error": 0}

... which seems OK. But now when I attempt to change the password, I get an obscure error ...

curl -k -X PUT "https://localhost:55000/security/users/wazuh" -H "Authorization: Bearer blah-token-blah-de-blah" -d @./data
{"title": "Bad Request", "detail": "'wazuh' is not a 'numbers'. Failed validating 'format' in schema: {'description': 'User ID', 'format': 'numbers', 'type': 'string', 'x-scope': ['', '#/components/parameters/user_id_required']}. On instance: 'wazuh'"}

... where the contents of the file "data" are as follows ...

cat data
{
   "password":"mYJ011^pAs5"
}

I don't understand the error or how I'm supposed to do this?

As an additional concern, what is the wazuh-wui user for? If I change the password of the wazuh-wui user what will potentially get broken? My intention is to use the wazuh user for the Kibana app (in /usr/share/kibana/optimize/wazuh/config/wazuh.yml).

Thanks, Simon.

stide...@gmail.com

Jan 14, 2021, 1:58:41 AM
to Wazuh mailing list
Don't worry, I'm a dufus!!!

You have to look up the userid first ...

curl -k -X GET "https://localhost:55000/security/users" -H "Authorization: Bearer blah-token-blah-de-blah"
{"data": {"affected_items": [{"id": 1, "username": "wazuh", "allow_run_as": true, "roles": [1]}, {"id": 2, "username": "wazuh-wui", "allow_run_as": true, "roles": [1]}], "total_affected_items": 2, "total_failed_items": 0, "failed_items": []}, "message": "All specified users were returned", "error": 0}

... then the password change is done against /security/users/1 not /security/users/wazuh.

Simon

carlos...@wazuh.com

Jan 14, 2021, 2:47:00 AM
to Wazuh mailing list

Hello,

As you have already noticed, in order to use the PUT /security/users endpoint you need to specify the ID of the user to be updated within the url, so the curl command will look something like this:

curl -k -X PUT "https://localhost:55000/security/users/001" -H "Authorization: Bearer <YOUR_JWT_TOKEN>" -H "Content-Type: application/json" -d '{"password": "<YOUR_NEW_PASSWORD>"}'

Remember you can always check our official API reference if you want to know how a specific endpoint works or check which endpoints are available.


Regarding your last question, "wazuh-wui" is the one used by the Wazuh APP (the Kibana App), so if you change its password you should update that for the Kibana config too.

To sum up, the "wazuh" API user is meant to be used to access the API manually (using CURL or any other tool) while the "wazuh-wui" is meant to be used by Kibana.

I hope this solves your question.

Regards.
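
The lookup-then-update sequence from this thread as a short Python script, added here as an illustration and not code from either poster or from Wazuh. The function names and the `ca_file` parameter are assumptions made for the example, and the JWT token is taken as already obtained.

```python
import json
import ssl
import urllib.request

API = "https://localhost:55000"  # API address used in the thread

def resolve_user_id(users_response, username):
    """Map a username to its numeric id using a GET /security/users response."""
    if users_response.get("error") != 0:
        raise RuntimeError(f"user listing failed: {users_response}")
    ids = [u["id"] for u in users_response["data"]["affected_items"]
           if u["username"] == username]
    if len(ids) != 1:
        raise LookupError(f"expected one user named {username!r}, found {len(ids)}")
    return ids[0]

def build_password_update(user_id, new_password, token):
    """Build PUT /security/users/<id>; the path takes the id, never the name."""
    if not isinstance(user_id, int):
        raise TypeError("user_id must be the numeric id from /security/users")
    return urllib.request.Request(
        f"{API}/security/users/{user_id}",
        data=json.dumps({"password": new_password}).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

def change_password(username, new_password, token, ca_file):
    """Look up the id, then send the update. ca_file (assumed: path to the
    API's CA certificate) keeps TLS verification on, unlike curl -k."""
    ctx = ssl.create_default_context(cafile=ca_file)
    listing = urllib.request.Request(
        f"{API}/security/users", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(listing, context=ctx) as resp:
        user_id = resolve_user_id(json.load(resp), username)
    update = build_password_update(user_id, new_password, token)
    with urllib.request.urlopen(update, context=ctx) as resp:
        return json.load(resp)

# Constructed sample: the /security/users response body quoted in the thread.
SAMPLE_USERS = json.loads(
    '{"data": {"affected_items": ['
    '{"id": 1, "username": "wazuh", "allow_run_as": true, "roles": [1]}, '
    '{"id": 2, "username": "wazuh-wui", "allow_run_as": true, "roles": [1]}], '
    '"total_affected_items": 2, "total_failed_items": 0, "failed_items": []}, '
    '"message": "All specified users were returned", "error": 0}')
```

`change_password` is the only function that touches the network; the other two can be checked against `SAMPLE_USERS` without a running API.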