Backup internal user


Daniel Chung

May 4, 2023, 10:13:03 AM
to Wazuh mailing list
Hi,

I created a Wazuh internal user for RBAC mapping by following this guide. For some reason, after adding a 2nd node and initializing the cluster, all internal users were removed.

I did some research and people suggested backing up the file "/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_us". However, there is no such file under this path.

I'd appreciate it if anyone can point me to where and which files should be backed up.

Thanks,
Daniel

Mateo Cervilla

May 4, 2023, 10:38:25 AM
to Wazuh mailing list
Hi Daniel,

The file you are looking for should be located at /etc/wazuh-indexer/opensearch-security/internal_users.yml, but it may vary depending on the location of your installation.

About files that should be backed up, you can take a look at this part of the documentation:
If this isn't enough to solve your issue, let me know and I will continue to help you.

Regards,

Mateo

Daniel Chung

May 4, 2023, 11:09:12 AM
to Wazuh mailing list
Hi Mateo,

Thanks for your prompt reply.

I looked at the file /etc/wazuh-indexer/opensearch-security/internal_users.yml, but it doesn't contain the internal user that I have created.

Regards,
Daniel

Mateo Cervilla

May 4, 2023, 1:48:59 PM
to Wazuh mailing list
Hello again,

I have been investigating your issue. I have seen that you commented in Slack that you used the script indexer-security-init.sh, and as Matias told you:
  • I confirm that running the script "/usr/share/wazuh-indexer/bin/indexer-security-init.sh" overwrites your current users and passwords with the ones existing in file "/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/internal_users.yml" on the node that you run the script.
    So, if you have changed passwords from the dashboard, these changes will be replaced with the passwords existing in "internal_users.yml". In the same way, if you have created users in the dashboard that do not exist in "internal_users.yml", these users will be removed.
    With this behavior confirmed, I recommend updating the "internal_users.yml" with all current users and passwords before running the script.

So if you haven't updated that file before running the script, then those users may be gone.
Could it have been that?

Regards,

Mateo

Daniel Chung

May 5, 2023, 9:23:35 AM
to Wazuh mailing list
Hi Mateo,

You are correct that I posted that message in Slack, but after running that script and building up the cluster, I recreated the internal user again.
Now my problem is that the recreated internal user account does not exist in the "internal_users.yml" file.

Interestingly, I have seen different paths for "internal_users.yml" in different comments. In my case "internal_users.yml" does not even exist in /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/; it does exist in /etc/wazuh-indexer/opensearch-security/, but it only contains the default internal user accounts.

Regards,
Daniel

Mateo Cervilla

May 8, 2023, 10:56:44 AM
to Wazuh mailing list
Hi Daniel,
I've been talking to my team about your issue. Here is some information you may be interested in:

The internal users are stored in an index on the Wazuh indexer. This index may be called .opendistro_security.
The internal_users.yml file defines a set of internal users. There are other files that define the security configuration. These definitions are loaded into the Wazuh indexer through the use of a specific tool, the securityadmin.sh script.
If the user creates an internal user through the Wazuh dashboard, it will be saved in the index. The internal_users.yml file is not changed.

Regards,
Mateo

Daniel Chung

May 9, 2023, 9:18:25 AM
to Wazuh mailing list
Hi Mateo,

Thanks for your info.

Referring to the link you've given, to back up the security config saved in the index, I should run "securityadmin.sh" to back up and restore in case it is needed. Would you mind giving me sample syntax for backing up and restoring the internal users?
If the Wazuh team could also update the backup section in the official support document Wazuh central components - Wazuh files backup · Wazuh documentation, it would be much appreciated.

Regards,
Daniel

Mateo Cervilla

May 12, 2023, 4:35:48 PM
to Wazuh mailing list
Hi Daniel,

Sure, I believe it should be something like this:
  • export OPENSEARCH_JAVA_HOME=/usr/share/wazuh-indexer/jdk/; bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -backup my-backup-directory -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h <indexer ip or localhost> -nhnv
Anyway, I suggest you carefully read the documentation to perform this procedure:
I hope it helps. I'm here if you have any more questions.

Regards.
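The two points this thread settles are that dashboard-created users live only in the .opendistro_security index (never in the static internal_users.yml) and that indexer-security-init.sh reloads the index from that static file, so any account missing there is deleted on the next run. The script below is an added example, not code from the Wazuh project or from the posters. It wraps the securityadmin.sh backup command quoted above, adds the matching restore (securityadmin.sh's -cd option loads a configuration directory back into the index), and then diffs the dumped internal_users.yml against the static one to list the accounts that exist only in the index, which is the check to run before touching the initialization script. The paths for securityadmin.sh, the admin certificates, the bundled JDK and the static internal_users.yml are assumed from the thread's own commands; the DIR and HOST arguments are placeholders you supply.

```shell
#!/bin/bash
# Added example for this thread (not Wazuh's own tooling). Assumed paths are taken
# from the commands quoted in the thread; adjust them if your installation differs.
LC_ALL=C
export LC_ALL

SECURITYADMIN=/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh
CERT_DIR=/etc/wazuh-indexer/certs
STATIC_USERS=/etc/wazuh-indexer/opensearch-security/internal_users.yml

# Common invocation: the bundled JDK, the admin client certificate, -icl (ignore
# cluster name) and -nhnv (no hostname verification), as in the quoted command.
securityadmin() {
    OPENSEARCH_JAVA_HOME=/usr/share/wazuh-indexer/jdk/ \
    bash "$SECURITYADMIN" "$@" -icl -nhnv \
        -key "$CERT_DIR/admin-key.pem" -cert "$CERT_DIR/admin.pem" \
        -cacert "$CERT_DIR/root-ca.pem"
}

# Dump the live security configuration (the .opendistro_security index) into DIR.
backup_security_index() {   # usage: backup_security_index DIR [HOST]
    mkdir -p "$1" && chmod 700 "$1"   # the dump contains password hashes
    securityadmin -backup "$1" -h "${2:-localhost}"
}

# Load a previously dumped directory back into the index (securityadmin's -cd).
restore_security_index() {  # usage: restore_security_index DIR [HOST]
    securityadmin -cd "$1" -h "${2:-localhost}"
}

# Print the user names defined in an internal_users.yml: the top-level keys,
# i.e. unindented lines ending in ':', minus the _meta header block.
list_users() {
    awk '/^[^ #][^:]*:[ ]*$/ { sub(/:[ ]*$/, ""); if ($0 != "_meta") print }' "$1" | sort
}

# Users present in the index dump but absent from the static file. These are the
# dashboard-created accounts that indexer-security-init.sh would remove next time.
users_only_in_index() {     # usage: users_only_in_index DUMP_YML STATIC_YML
    tmp=$(mktemp -d) || return 1
    list_users "$1" > "$tmp/index"
    list_users "$2" > "$tmp/static"
    comm -23 "$tmp/index" "$tmp/static"
    rm -rf "$tmp"
}

# Command-line entry point; with no arguments the script only defines functions.
case "${1:-}" in
    backup)  backup_security_index "$2" "${3:-localhost}" ;;
    restore) restore_security_index "$2" "${3:-localhost}" ;;
    check)   users_only_in_index "$2/internal_users.yml" "$STATIC_USERS" ;;
esac
```

Typical use is `./indexer-users.sh backup /root/indexer-backup` on the node, then `./indexer-users.sh check /root/indexer-backup`; any name the check prints would be lost by re-running indexer-security-init.sh unless it is first copied into the static internal_users.yml or the dump is restored afterwards with the `restore` subcommand. The dump directory should be treated like a credential store, since it holds the bcrypt hashes of every internal user.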