wazuh-kubernetes

Unable to change secret values for elasticsearch/api credentials in kustomize

Open gianlorenzop opened this issue 3 years ago • 5 comments

Hi, I always get this error, indicating a failure in a sed command during the init phase, which prevents filebeat and ossec from taking the updated credentials and applying them to the configurations. I tested versions 4.0.4 and 4.1.1; both have the same errors. The credentials have no special characters, and I also tested a redeployment from scratch. Only the default credentials in the secrets seem to work properly. This is the error I get on wazuh-manager-master-0 and on the workers as well:

[...snip...]
Updating /var/ossec/agentless/ssh.exp
Updating /var/ossec/wodles/aws/aws-s3
Updating /var/ossec/wodles/aws/aws-s3.py
Updating /var/ossec/wodles/azure/azure-logs
Updating /var/ossec/wodles/azure/azure-logs.py
Updating /var/ossec/wodles/docker/DockerListener
Updating /var/ossec/wodles/docker/DockerListener.py
Updating /var/ossec/wodles/gcloud/gcloud
Updating /var/ossec/wodles/gcloud/gcloud.py
Updating /var/ossec/wodles/gcloud/integration.py
Updating /var/ossec/wodles/gcloud/tools.py
Identified Wazuh configuration files to mount...
'/wazuh-config-mount/etc/ossec.conf' -> '/var/ossec/etc/ossec.conf'
'/wazuh-config-mount/etc/authd.pass' -> '/var/ossec/etc/authd.pass'
sed: -e expression #1, char 80: unterminated `s' command
[cont-init.d] 0-wazuh-init: exited 0.
[cont-init.d] 1-config-filebeat: executing... 
Customize Elasticsearch ouput IP
Configuring username.
Configuring password.
sed: -e expression #1, char 53: unterminated `s' command
[cont-init.d] 1-config-filebeat: exited 1.
[cont-init.d] 2-manager: executing... 
wazuh-clusterd: Configuration error. Exiting
[cont-init.d] 2-manager: exited 1.
[cont-init.d] 2-manager: exited 1.
[cont-init.d] done.
[services.d] starting services
tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
tail: no files remaining
[services.d] done.
starting Filebeat
2021-03-18T10:58:18.824Z	INFO	instance/beat.go:645	Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2021-03-18T10:58:18.826Z	INFO	instance/beat.go:653	Beat ID: c8198583-ceda-4cec-bd1d-5973442b3f0b
2021-03-18T10:58:18.828Z	INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
2021-03-18T10:58:18.828Z	INFO	[beat]	instance/beat.go:981	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c8198583-ceda-4cec-bd1d-5973442b3f0b"}}}
2021-03-18T10:58:18.828Z	INFO	[beat]	instance/beat.go:990	Build info	{"system_info": {"build": {"commit": "1428d58cf2ed945441fb2ed03961cafa9e4ad3eb", "libbeat": "7.10.0", "time": "2020-11-09T18:58:18.000Z", "version": "7.10.0"}}}
2021-03-18T10:58:18.828Z	INFO	[beat]	instance/beat.go:993	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.14.7"}}}
2021-03-18T10:58:18.830Z	INFO	[beat]	instance/beat.go:997	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-02-18T20:10:16Z","containerized":true,"name":"wazuh-manager-master-0","ip":["omitted"],"kernel_version":"4.15.0-106-generic","mac":["omitted"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":9,"patch":2009,"codename":"Core"},"timezone":"UTC","timezone_offset_sec":0}}}
2021-03-18T10:58:18.830Z	INFO	[beat]	instance/beat.go:1026	Process info	{"system_info": {"process": {"capabilities": {"inheritable":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","setfcap"],"ambient":null}, "cwd": "/run/s6/services/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 403, "ppid": 395, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2021-03-18T10:58:18.740Z"}}}
2021-03-18T10:58:18.831Z	INFO	instance/beat.go:299	Setup Beat: filebeat; Version: 7.10.0
2021-03-18T10:58:18.831Z	INFO	eslegclient/connection.go:99	elasticsearch url: https://wazuh-elasticsearch-0.wazuh-elasticsearch:9200
2021-03-18T10:58:18.831Z	INFO	[publisher]	pipeline/module.go:113	Beat name: wazuh-manager-master-0
2021-03-18T10:58:18.833Z	INFO	beater/filebeat.go:117	Enabled modules/filesets: wazuh (alerts),  ()
2021-03-18T10:58:18.834Z	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2021-03-18T10:58:18.834Z	INFO	instance/beat.go:455	filebeat start running.
2021-03-18T10:58:18.841Z	INFO	memlog/store.go:119	Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2021-03-18T10:58:18.841Z	INFO	memlog/store.go:124	Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2021-03-18T10:58:18.843Z	INFO	[registrar]	registrar/registrar.go:109	States Loaded from registrar: 0
2021-03-18T10:58:18.843Z	INFO	[crawler]	beater/crawler.go:71	Loading Inputs: 1
2021-03-18T10:58:18.843Z	INFO	log/input.go:157	Configured paths: [/var/ossec/logs/alerts/alerts.json]
2021-03-18T10:58:18.843Z	INFO	[crawler]	beater/crawler.go:141	Starting input (ID: 5186532178842293092)
2021-03-18T10:58:18.843Z	INFO	[crawler]	beater/crawler.go:108	Loading and starting Inputs completed. Enabled inputs: 1
tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
tail: no files remaining
tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
tail: no files remaining
tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
tail: no files remaining
tail: cannot open '/var/ossec/logs/ossec.log' for reading: No such file or directory
[...snip...]

The secrets changed are the ones in wazuh/secrets/. This makes it impossible for me to replace the default passwords in authd, elasticsearch, api, and the cluster key.

I also attach the secret content with the credentials I was trying to apply, all of them are base64 encoded:

/wazuh/secrets$ cat *.yaml
# Copyright (C) 2021 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

# Wazuh API credentials secret

apiVersion: v1
kind: Secret
metadata:
  name: elastic-cred
data:
  username: YWRtaW4=              # string "admin" base64 encoded
  password: MzJ5VVhHbkdKRko1eUtKU2FHcXJKbnpnZTJ4Cg==  # string "32yUXGnGJFJ5yKJSaGqrJnzge2x" base64 encoded
# Copyright (C) 2021 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

# Wazuh API credentials secret

apiVersion: v1
kind: Secret
metadata:
  name: wazuh-api-cred
  namespace: wazuh
data:
  username: dWFSNGRZYjZIZnBSdDY1Two=  # string "uaR4dYb6HfpRt65O" base64 encoded
  password: TXlTM2NyMzdQNDUwci4qLQ==  # string "MyS3cr37P450r.*-" base64 encoded
# Copyright (C) 2021 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

# Wazuh authd password secret

apiVersion: v1
kind: Secret
metadata:
  name: wazuh-authd-pass
  namespace: wazuh
data:
  authd.pass: YjYyeUJQOVpoOWJHY3o4TldoRVhxRmdNYnVvb2NjNQo= # string "b62yBP9Zh9bGcz8NWhEXqFgMbuoocc5" base64 encoded
# Copyright (C) 2021 Wazuh Inc.
#
# This program is a free software; you can redistribute it
# and/or modify it under the terms of the GNU General Public
# License (version 2) as published by the FSF - Free Software
# Foundation.

# Wazuh cluster key secret

apiVersion: v1
kind: Secret
metadata:
  name: wazuh-cluster-key
  namespace: wazuh
data:
  key: SGk2S29lOWNxSkRKejVhV3BvUTc5cHZTQnRmRHRXTgo=  # string "Hi6Koe9cqJDJz5aWpoQ79pvSBtfDtWN" base64 encoded

Please let me know if anything else is needed. Many thanks! Best, GL

gianlorenzop, Mar 18 '21 11:03

Hit the same issue today. In wazuh/elastic_stack/elasticsearch/elastic_conf/internal_users.yml do we need to change the hash values?

Edit: Did not know the following documentation. If anyone has this kind of problem. Here.

HamzaOralK, Mar 26 '21 08:03

Changing them in the mentioned file using the elastic embedded system seems to work for me, but I'm absolutely unable to change the cluster key; without the default one everything gets stuck.

gianlorenzop, Mar 27 '21 11:03

Hi @gianlorenzop, use the following command for getting base64 conversion.

echo -n "password" | base64 -w 0

HamzaOralK, Mar 30 '21 12:03
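
Added example, not part of the thread or of the wazuh-kubernetes repository: several values posted in the issue end in `Cg==`, `o=` or similar, meaning they decode to the password plus a trailing newline (what `echo` without `-n` produces), and GNU sed reports an unescaped newline inside an `s` replacement as an unterminated `s' command. The script below audits a Secret manifest for such values before deployment. The function names are hypothetical, and the sample manifest is constructed from values shown in the issue.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from wazuh-kubernetes.

# Returns 0 = clean, 1 = decoded value contains CR/LF, 2 = not valid base64.
check_b64_value() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 2
    [ "$(printf '%s' "$1" | base64 -d | wc -c)" -eq \
      "$(printf '%s' "$1" | base64 -d | tr -d '\r\n' | wc -c)" ]
}

# Reads Secret manifests on stdin and prints "secret-name/key" for every
# entry under data: that fails check_b64_value.
audit_secret_manifest() {
    awk '
        { sub(/#.*/, "") }                       # strip YAML comments
        /^data:/   { in_data = 1; next }
        /^[^ \t]/  { in_data = 0 }               # any other top-level line
        !in_data && $1 == "name:" { name = $2 }
        in_data && NF == 2 { sub(/:$/, "", $1); print name, $1, $2 }
    ' | while read -r name key value; do
        check_b64_value "$value" || printf '%s/%s\n' "$name" "$key"
    done
}

# Encodes a value for a Secret: no trailing newline, output on one line.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Constructed sample, built from values posted in the issue.
sample_manifest() {
    cat <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: elastic-cred
data:
  username: YWRtaW4=
  password: MzJ5VVhHbkdKRko1eUtKU2FHcXJKbnpnZTJ4Cg==  # decodes with trailing \n
---
apiVersion: v1
kind: Secret
metadata:
  name: wazuh-api-cred
  namespace: wazuh
data:
  username: dWFSNGRZYjZIZnBSdDY1Two=
  password: TXlTM2NyMzdQNDUwci4qLQ==
EOF
}

sample_manifest | audit_secret_manifest
```

Any entry it prints should be re-encoded with `encode_secret_value` (or `echo -n ... | base64 -w 0` as suggested above) before applying the kustomization.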

The only one I get stuck on is elastic-cred. I can change all the others if I encode them, but 'elastic-cred' is the only one I am unable to change from the default SecretPassword value.

matthew-williams, Nov 10 '21 18:11

For successfully changing elastic-cred you have to: Change the password in the secret, e.g. using a kustomize patch like:

$patch: merge
apiVersion: v1
kind: Secret
metadata:
  name: elastic-cred
  namespace: wazuh
data:
  # echo -n admin | base64 -w 0
  username: YWRtaW4=
  # echo -n new-password | base64 -w 0
  password: bmV3LXBhc3N3b3Jk

Then you also have to change the password hash for the admin user in: ./wazuh/elastic_stack/elasticsearch/elastic_conf/internal_users.yml

using a hash created by:

kubectl exec -ti wazuh-elasticsearch-0 -- \
   /bin/sh /usr/share/elasticsearch/plugins/opendistro_security/tools/hash.sh -p new-password

or alternatively/simpler:

python -c 'import crypt; print(crypt.crypt("new-password", crypt.mksalt(crypt.METHOD_BLOWFISH)))'

Then after redeploying everything from scratch it worked for me.

asteven, Nov 12 '21 09:11