Kibana users: security implication?
Checked the _helpers.tpl for the other issue regarding incorrect templating of the kibanaserver user.
With that I see that there are several users defined already with a non changeable password already set. Disclaimer from my side: I am not an expert in Kibana but creating users with already defined hashes seems kinda sus, even if called "demo users". I guess that's the "live config" due to the mentioned problem with the user.
https://github.com/morgoved/wazuh-helm/blob/main/charts/wazuh/templates/_helpers.tpl#L1415
I'm looking at the templating as well and noticed that, while also trying to better understand the workflow being specified for customizing this, and several other items.
In the values.yaml these are defined like:

```yaml
config:
  opensearch: |-
    {{ include "wazuh.indexer.opensearchConfig" . }}
  internalUsers: |-
    {{ include "wazuh.indexer.internalUsers" . }}
  securityConfig: |-
    {{ include "wazuh.indexer.securityConfig" . }}
  rolesMapping: |-
    {{ include "wazuh.indexer.rolesMapping" . }}
  roles: |-
    {{ include "wazuh.indexer.roles" . }}
```

While the define statements in _helpers.tpl that these include use variables for some portions, it seems like the only way to customize is to remove the templating include and just add your customized replacements.
If you are looking for e.g. the hash for the "kibanaro" user, you'll find this.
Seems like they've been copied 1:1 to this configuration. As mentioned earlier, I don't know if that's common practice but hardcoding unknown values as passwords for users with permissions does not seem like a good practice.
Seems like someone found the passwords for this.
Yeah, I would agree that hardcoding the values and not having an easy way to change it is not an ideal security posture to take.
@jbouse you can change it in the install process) or add something to manage it more flexibly in the chart, up to you) if you have some idea about it you can create a PR;)
Hello,
In our case we use ArgoCD to deploy the helm chart. If we change the hash/password via the command line we create a difference between the default values carried by the helm chart and the state of the application deployed by ArgoCD. The same thing happens if we deploy wazuh only with a helm release: each helm upgrade will apply the default values of these users' hashes.
So for me, it's necessary to have the kibanaro/logstash/readall/snapshotrestore hashes in the values.yaml file.
I want to propose something like the following:

```yaml
....
indexer:
  kibanaro:
    hash: $X$...$XXXXX
  readall:
    hash: $x$xxxxx
  snapshotrestore:
    hash: $x$xxxxx
  logstash:
```

And integrate these values in the _helpers.tpl.
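An added example (not code from the chart or from anyone in this thread) of how the proposed `indexer.<user>.hash` values could be consumed in `_helpers.tpl`. It assumes the values.yaml ships those keys empty and that the helper keeps the upstream demo users' backend roles; `required` makes `helm template`/`helm install` (and therefore an ArgoCD sync) fail unless an operator supplies a hash, instead of silently rendering a published demo hash:

```yaml
# Added example, not the chart's own helper. Assumed values.yaml layout
# (hashes deliberately empty so nothing installs with a known password):
#
# indexer:
#   kibanaro:        { hash: "" }
#   readall:         { hash: "" }
#   snapshotrestore: { hash: "" }
#   logstash:        { hash: "" }
#
# Before (the pattern discussed above): a fixed hash baked into the template
#   kibanaro:
#     hash: "$2y$12$<demo hash copied from upstream>"   # identical on every install
#
# After: every hash comes from values; `required` rejects nil or "" at render time.
{{- define "wazuh.indexer.internalUsers" -}}
_meta:
  type: "internalusers"
  config_version: 2

kibanaro:
  hash: {{ required "indexer.kibanaro.hash must be set (bcrypt hash)" .Values.indexer.kibanaro.hash | quote }}
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  description: "Dashboards read-only user (role names assumed from upstream demo config)"

readall:
  hash: {{ required "indexer.readall.hash must be set (bcrypt hash)" .Values.indexer.readall.hash | quote }}
  reserved: false
  backend_roles:
  - "readall"
  description: "Read-only user"

snapshotrestore:
  hash: {{ required "indexer.snapshotrestore.hash must be set (bcrypt hash)" .Values.indexer.snapshotrestore.hash | quote }}
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Snapshot/restore user"

logstash:
  hash: {{ required "indexer.logstash.hash must be set (bcrypt hash)" .Values.indexer.logstash.hash | quote }}
  reserved: false
  backend_roles:
  - "logstash"
  description: "Ingest user"
{{- end -}}
```

With this shape the per-user hashes live in values.yaml (or an ArgoCD values override), so a `helm upgrade` or sync no longer resets them to the chart defaults.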