wazuh-packages
Wazuh installation assistant modifies wazuh-api passwords
Wazuh version | Install type | Action performed | Platform |
---|---|---|---|
4.7.2 | Installation Assistant | Install | Any |
When installing the Wazuh server with the wizard, the default user:password (wazuh:wazuh) is modified after installation.
CentOS 7
[root@centos7 vagrant]# bash wazuh-install.sh --wazuh-server wazuh-1
14/03/2024 13:37:31 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.3
14/03/2024 13:37:31 INFO: Verbose logging redirected to /var/log/wazuh-install.log
14/03/2024 13:37:38 WARNING: The system has Firewalld enabled. Please ensure that traffic is allowed on these ports: 1514, 1515, 1516, 55000.
14/03/2024 13:37:39 INFO: Wazuh repository added.
14/03/2024 13:37:39 INFO: --- Wazuh server ---
14/03/2024 13:37:39 INFO: Starting the Wazuh manager installation.
14/03/2024 13:39:18 INFO: Wazuh manager installation finished.
14/03/2024 13:39:18 INFO: Starting service wazuh-manager.
14/03/2024 13:39:32 INFO: wazuh-manager service started.
14/03/2024 13:39:32 INFO: Starting Filebeat installation.
14/03/2024 13:39:51 INFO: Filebeat installation finished.
14/03/2024 13:39:52 INFO: Filebeat post-install configuration finished.
14/03/2024 13:39:57 INFO: Starting service filebeat.
14/03/2024 13:39:57 INFO: filebeat service started.
14/03/2024 13:39:57 INFO: Installation finished.
[1]+ Done TOKEN=$(curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true")
[root@centos7 vagrant]# TOKEN=$(curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59 100 59 0 0 206 0 --:--:-- --:--:-- --:--:-- 206
{"title": "Unauthorized", "detail": "Invalid credentials"}
[root@centos7 vagrant]# TOKEN=$(curl -u admin:admin -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59 100 59 0 0 405 0 --:--:-- --:--:-- --:--:-- 409
{"title": "Unauthorized", "detail": "Invalid credentials"}
[root@centos7 vagrant]# cat /var/ossec/logs/api.log
2024/03/14 13:39:23 INFO: HTTPS is enabled but cannot find the private key and/or certificate. Attempting to generate them
2024/03/14 13:39:23 INFO: Generated private key file in WAZUH_PATH/api/configuration/ssl/server.key
2024/03/14 13:39:23 INFO: Generated certificate file in WAZUH_PATH/api/configuration/ssl/server.crt
2024/03/14 13:39:23 INFO: Checking RBAC database integrity...
2024/03/14 13:39:23 INFO: RBAC database not found. Initializing
2024/03/14 13:39:28 INFO: /var/ossec/api/configuration/security/rbac.db database created successfully
2024/03/14 13:39:28 INFO: RBAC database integrity check finished successfully
2024/03/14 13:39:34 INFO: Listening on 0.0.0.0:55000..
2024/03/14 13:39:54 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.415s: 200
2024/03/14 13:39:54 INFO: wazuh 127.0.0.1 "GET /security/users" with parameters {"pretty": "true"} and body {} done in 0.107s: 200
2024/03/14 13:39:55 INFO: wazuh 127.0.0.1 "GET /security/users" with parameters {"pretty": "true"} and body {} done in 0.014s: 200
2024/03/14 13:39:55 INFO: wazuh 127.0.0.1 "PUT /security/users/1" with parameters {} and body {"password": "****"} done in 0.236s: 200
2024/03/14 13:39:57 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.303s: 200
2024/03/14 13:39:57 INFO: wazuh 127.0.0.1 "PUT /security/users/2" with parameters {} and body {"password": "****"} done in 0.245s: 200
2024/03/14 13:40:55 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.153s: 401
[root@centos7 vagrant]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos7 vagrant]# TOKEN=$(curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59 100 59 0 0 207 0 --:--:-- --:--:-- --:--:-- 207
{"title": "Unauthorized", "detail": "Invalid credentials"}
[root@centos7 vagrant]# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:55000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
Ubuntu 22.04
root@ubuntu-jammy:/home/vagrant# bash wazuh-install.sh --wazuh-server wazuh-1
14/03/2024 13:45:50 INFO: Starting Wazuh installation assistant. Wazuh version: 4.7.3
14/03/2024 13:45:50 INFO: Verbose logging redirected to /var/log/wazuh-install.log
14/03/2024 13:46:01 INFO: --- Dependencies ----
14/03/2024 13:46:01 INFO: Installing apt-transport-https.
14/03/2024 13:46:07 INFO: Wazuh repository added.
14/03/2024 13:46:07 INFO: --- Wazuh server ---
14/03/2024 13:46:07 INFO: Starting the Wazuh manager installation.
14/03/2024 13:47:21 INFO: Wazuh manager installation finished.
14/03/2024 13:47:21 INFO: Starting service wazuh-manager.
14/03/2024 13:47:38 INFO: wazuh-manager service started.
14/03/2024 13:47:38 INFO: Starting Filebeat installation.
14/03/2024 13:47:46 INFO: Filebeat installation finished.
14/03/2024 13:47:47 INFO: Filebeat post-install configuration finished.
14/03/2024 13:47:52 INFO: Starting service filebeat.
14/03/2024 13:47:53 INFO: filebeat service started.
14/03/2024 13:47:53 INFO: Installation finished.
root@ubuntu-jammy:/home/vagrant# TOKEN=$(curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59 100 59 0 0 163 0 --:--:-- --:--:-- --:--:-- 163
{"title": "Unauthorized", "detail": "Invalid credentials"}
root@ubuntu-jammy:/home/vagrant# TOKEN=$(curl -u admin:admin -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59 100 59 0 0 2415 0 --:--:-- --:--:-- --:--:-- 2458
{"title": "Unauthorized", "detail": "Invalid credentials"}
root@ubuntu-jammy:/home/vagrant# cat /var/ossec/logs/api.log
2024/03/14 13:47:27 INFO: HTTPS is enabled but cannot find the private key and/or certificate. Attempting to generate them
2024/03/14 13:47:28 INFO: Generated private key file in WAZUH_PATH/api/configuration/ssl/server.key
2024/03/14 13:47:28 INFO: Generated certificate file in WAZUH_PATH/api/configuration/ssl/server.crt
2024/03/14 13:47:28 INFO: Checking RBAC database integrity...
2024/03/14 13:47:28 INFO: RBAC database not found. Initializing
2024/03/14 13:47:30 INFO: /var/ossec/api/configuration/security/rbac.db database created successfully
2024/03/14 13:47:30 INFO: RBAC database integrity check finished successfully
2024/03/14 13:47:35 INFO: Listening on 0.0.0.0:55000..
2024/03/14 13:47:49 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.614s: 200
2024/03/14 13:47:49 INFO: wazuh 127.0.0.1 "GET /security/users" with parameters {"pretty": "true"} and body {} done in 0.195s: 200
2024/03/14 13:47:49 INFO: wazuh 127.0.0.1 "GET /security/users" with parameters {"pretty": "true"} and body {} done in 0.025s: 200
2024/03/14 13:47:50 INFO: wazuh 127.0.0.1 "PUT /security/users/1" with parameters {} and body {"password": "****"} done in 0.376s: 200
2024/03/14 13:47:52 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.499s: 200
2024/03/14 13:47:52 INFO: wazuh 127.0.0.1 "PUT /security/users/2" with parameters {} and body {"password": "****"} done in 0.409s: 200
2024/03/14 13:47:56 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.341s: 401
root@ubuntu-jammy:/home/vagrant# systemctl disable firewalld.service
Failed to disable unit: Unit file firewalld.service does not exist.
root@ubuntu-jammy:/home/vagrant# TOKEN=$(curl -u wazuh:wazuh -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 59 100 59 0 0 168 0 --:--:-- --:--:-- --:--:-- 168
{"title": "Unauthorized", "detail": "Invalid credentials"}
root@ubuntu-jammy:/home/vagrant# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:55000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
udp 0 0 10.0.2.15:68 0.0.0.0:*
Checking the passwords:
root@ubuntu-jammy:/home/vagrant# tar -xvf wazuh-install-files.tar
wazuh-install-files/
wazuh-install-files/admin-key.pem
wazuh-install-files/admin.pem
wazuh-install-files/dashboard-key.pem
wazuh-install-files/dashboard.pem
wazuh-install-files/node-1-key.pem
wazuh-install-files/node-1.pem
wazuh-install-files/root-ca.key
wazuh-install-files/root-ca.pem
wazuh-install-files/wazuh-1-key.pem
wazuh-install-files/wazuh-1.pem
wazuh-install-files/wazuh-2-key.pem
wazuh-install-files/wazuh-2.pem
wazuh-install-files/clusterkey
wazuh-install-files/wazuh-passwords.txt
wazuh-install-files/config.yml
root@ubuntu-jammy:/home/vagrant# cat wazuh-install-files/wazuh-passwords.txt
root@ubuntu-jammy:/home/vagrant# cat wazuh-install-files/wazuh-passwords.txt | grep api
api_username: 'wazuh'
api_password: 'X1VtrT.UGZGUV6nY?ZfU99bwz*9RmHZc'
api_username: 'wazuh-wui'
api_password: 'ibF*ZnwH15bhJ617AmxBx13dDCqc.zIU'
root@ubuntu-jammy:/home/vagrant# TOKEN=$(curl -u wazuh:X1VtrT.UGZGUV6nY?ZfU99bwz*9RmHZc -k -X POST "https://localhost:55000/security/user/authenticate?raw=true") && echo $TOKEN
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 398 100 398 0 0 407 0 --:--:-- --:--:-- --:--:-- 407
eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ3YXp1aCIsImF1ZCI6IldhenVoIEFQSSBSRVNUIiwibmJmIjoxNzEwNDI4OTA1LCJleHAiOjE3MTA0Mjk4MDUsInN1YiI6IndhenVoIiwicnVuX2FzIjpmYWxzZSwicmJhY19yb2xlcyI6WzFdLCJyYmFjX21vZGUiOiJ3aGl0ZSJ9.ACDP7b6AUaGW7RCfTGxYxL4UTt3bA4gamR-INJnQGM_qj8iOibtHQVhJfNQT0Oud_IBRymJQBhot3JHO2wv7wMR7AEEZaba9l90uP-Z1lT1F69dJ0WgG8G3kEURlPXDa-mxQUEjhCZvi3MoD65dB_gTaJJoTOKXA3Vg7Fxpg8kbVLHOw
The documentation does not mention anything regarding this change.
Tasks:
- [ ] Fix the output (show the password or how to get the password after the installation)
- [ ] Documentation should report this behavior
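An added example, not part of the original issue or of the Wazuh project's code: one way to look up the generated password for an API user in `wazuh-passwords.txt` and authenticate with it. The function names are hypothetical, the sample passwords are constructed, and the file layout is assumed to match the `grep api` output shown above.

```shell
#!/bin/sh
# Added example: read one API user's generated password from
# wazuh-passwords.txt and authenticate with it.

# Constructed sample in the layout of the grep output shown above.
sample_passwords() {
  cat <<'EOF'
  api_username: 'wazuh'
  api_password: 'Constructed.Sample?Pass*1'
  api_username: 'wazuh-wui'
  api_password: 'Constructed*Sample.Pass?2'
EOF
}

# usage: api_password_for <api-user> < wazuh-passwords.txt
api_password_for() {
  awk -v user="$1" -v q="'" '
    # Strip everything up to the first quote and the closing quote.
    function unquote(s) {
      sub("^[^" q "]*" q, "", s); sub(q "[ \t\r]*$", "", s); return s
    }
    /^[ \t]*api_username:/ { name = unquote($0); next }
    /^[ \t]*api_password:/ && name == user { print unquote($0); exit }
  '
}

# Emit a curl config line, escaping \ and " for curl quoted-value syntax.
curl_user_line() {
  printf 'user = "%s:%s"\n' "$1" "$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')"
}

# usage: wazuh_api_token <api-user> <passwords-file> [base-url]
# e.g.   TOKEN=$(wazuh_api_token wazuh wazuh-install-files/wazuh-passwords.txt)
# Credentials reach curl on stdin (-K -), so they never appear in argv and
# the ? and * in generated passwords are never seen by the shell as globs.
# -k is kept from the commands in the issue (self-generated API certificate).
wazuh_api_token() (
  pw=$(api_password_for "$1" < "$2") || exit 1
  [ -n "$pw" ] || { echo "no api_password for '$1' in $2" >&2; exit 1; }
  curl_user_line "$1" "$pw" |
    curl -sS -k -K - -X POST \
      "${3:-https://localhost:55000}/security/user/authenticate?raw=true"
)
```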
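A second added example, again not from the original issue or the Wazuh project: a small audit of `/var/ossec/logs/api.log` that lists the requests that set a user password and counts rejected logins afterwards. The function names are hypothetical and the sample lines are constructed in the layout of the `api.log` excerpt above.

```shell
#!/bin/sh
# Added example: find API password changes in /var/ossec/logs/api.log.

# Constructed sample in the layout of the api.log excerpt above.
sample_api_log() {
  cat <<'EOF'
2024/03/14 13:39:54 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.415s: 200
2024/03/14 13:39:54 INFO: wazuh 127.0.0.1 "GET /security/users" with parameters {"pretty": "true"} and body {} done in 0.107s: 200
2024/03/14 13:39:55 INFO: wazuh 127.0.0.1 "PUT /security/users/1" with parameters {} and body {"password": "****"} done in 0.236s: 200
2024/03/14 13:39:57 INFO: wazuh 127.0.0.1 "PUT /security/users/2" with parameters {} and body {"password": "****"} done in 0.245s: 200
2024/03/14 13:40:55 INFO: wazuh 127.0.0.1 "POST /security/user/authenticate" with parameters {"raw": "true"} and body {} done in 0.153s: 401
EOF
}

# usage: password_changes < api.log
# One line per request that set a user password: when, who, from where,
# which user id, and the HTTP status. The log masks the value itself.
password_changes() {
  awk '
    $6 == "\"PUT" && $7 ~ /^\/security\/users\/[0-9]+"$/ && /"password":/ {
      id = $7; gsub(/[^0-9]/, "", id)
      print $1, $2, "actor=" $4, "src=" $5, "user_id=" id, "status=" $NF
    }'
}

# usage: rejected_logins_after_change < api.log
# Count 401 responses to /security/user/authenticate that follow a
# successful password change, the symptom reported in this issue.
rejected_logins_after_change() {
  awk '
    $6 == "\"PUT" && $7 ~ /^\/security\/users\/[0-9]+"$/ &&
      /"password":/ && $NF == 200 { changed = 1; next }
    changed && $7 == "/security/user/authenticate\"" && $NF == 401 { n++ }
    END { print n + 0 }'
}
```

On a real server, run `password_changes < /var/ossec/logs/api.log` to see when the installation assistant replaced the default credentials.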