wazuh-kubernetes
I can't change the Wazuh indexer passwords
Installed version: 4.3.6
Deployment: AWS EKS 1.21

The password-changing script, named wazuh-passwords-tool.sh, should be executed on the pods. I found the script in the directory /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh of pod wazuh-indexer-0. I executed the script with the command:

kubectl exec wazuh-indexer-0 -n wazuh -- /bin/bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh

but it needs root permission ("This script must be run as root.").

How can I change the default password? Thanks.
I used "/bin/sh" to execute shell, it reports errors:

kubectl exec wazuh-indexer-0 -n wazuh /bin/sh "/usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -a"
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
/bin/sh: 0: Can't open /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -a
command terminated with exit code 127
The passwords can't be updated in the config files either for secret updates (for that matter), some other issues with passwords include:
- updating the wazuh api password with another 32 character key doesn't work
- updating the admin password breaks the wazuh-manager and wazuh-worker connections while not allowing them to connect to wazuh-dashboards with a 401 error
- updating the wazuh auth.d password is broken
The procedure to change the password is:
1- Obtain hash password in the indexer pod:
- outside pod:
kubectl exec -it -n wazuh pod/wazuh-indexer-0 -- bash
- inside pod:
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh
2- Insert the new password and create a new hash. Replace the admin value with the new hash in the wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml file.
3- Change the value of the password parameter in the wazuh/secrets/indexer-cred-secret.yaml file. You need to encrypt the password with base64:
echo -n <new_password> | base64
4- Apply changes into your k8s cluster:
kubectl apply -k envs/eks/
If this is your first start of the deployment, this is the end of the procedure, otherwise you must continue with the following tasks.
5- Add environment variables and run the securityadmin script (from the Indexer pod):
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/config
CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9300 -icl
6- Manually modify the password in the filebeat.yml file. You will have to connect to every manager pod and perform this action. From 4.3.7 this step is not needed.
7- Restart (delete) the Wazuh manager pods (master and workers).
8- Clear cache and test your new password
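
Steps 2 and 3 of the procedure above as repeatable local edits with a check before `kubectl apply`; this is an added example, not part of the thread or of the Wazuh repository. It assumes internal_users.yml has a top-level `admin:` entry with an indented `hash:` line, that the secret file has a `password:` key, and GNU coreutils `base64`; the function names and the REPO, NEW_PASSWORD and NEW_HASH variables are hypothetical.

```shell
#!/bin/sh
# Added example: steps 2-3 as repeatable local edits. File layouts are assumed.

# Step 2: swap the hash: line inside the top-level admin: entry only.
# The hash is passed through ENVIRON because bcrypt hashes contain $ and /.
set_admin_hash() (   # usage: set_admin_hash FILE HASH
  tmp=$(mktemp) || exit 1
  HASH=$2 awk '
    /^[^ #]/ { in_admin = ($1 == "admin:") }   # each top-level key resets the flag
    in_admin && $1 == "hash:" { print "  hash: \"" ENVIRON["HASH"] "\""; done = 1; next }
    { print }
    END { exit done ? 0 : 1 }' "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?
  rm -f "$tmp"; exit "$rc"
)

# Step 3: base64 of the exact password bytes (no trailing newline, no wrapping).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

set_secret_password() (   # usage: set_secret_password FILE PASSWORD
  tmp=$(mktemp) || exit 1
  B64=$(b64 "$2") awk '
    $1 == "password:" { sub(/password:.*/, "password: " ENVIRON["B64"]); done = 1 }
    { print }
    END { exit done ? 0 : 1 }' "$1" > "$tmp" && cat "$tmp" > "$1"; rc=$?
  rm -f "$tmp"; exit "$rc"
)

# Check before kubectl apply: the decoded value must not end in a newline,
# which is what echo without -n would have encoded into the secret.
secret_password_clean() (   # usage: secret_password_clean FILE
  v=$(awk '$1 == "password:" { print $2; exit }' "$1")
  [ -n "$v" ] || exit 2
  last=$(printf '%s' "$v" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ -n "$last" ] && [ "$last" != "0a" ]
)

# Runs only when REPO, NEW_PASSWORD and NEW_HASH (output of hash.sh) are set.
if [ -n "${REPO:-}" ] && [ -n "${NEW_PASSWORD:-}" ] && [ -n "${NEW_HASH:-}" ]; then
  users="$REPO/wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml"
  secret="$REPO/wazuh/secrets/indexer-cred-secret.yaml"
  set_admin_hash "$users" "$NEW_HASH" &&
    set_secret_password "$secret" "$NEW_PASSWORD" &&
    secret_password_clean "$secret" && echo "ready for: kubectl apply -k envs/eks/"
fi
```

Setting NEW_PASSWORD from a prompt (for example `read -r` with terminal echo disabled) keeps it out of shell history and the process list.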
For 4.4.4 I had to slightly change step 5 commands to
export INSTALLATION_DIR=/usr/share/wazuh-indexer
export OPENSEARCH_PATH_CONF=${INSTALLATION_DIR}/
CACERT=$OPENSEARCH_PATH_CONF/certs/root-ca.pem
KEY=$OPENSEARCH_PATH_CONF/certs/admin-key.pem
CERT=$OPENSEARCH_PATH_CONF/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl
I think the step 3 command should be
echo -n <new_password> | base64
I think this issue can be closed as the documentation was updated recently, right?
@bmm-alc all right.