Merge pull request #6591 from wazuh/6574-add-k8s-password-change-to-d…
…ocumentation

Add K8s password change to documentation
javimed committed Oct 3, 2023
2 parents 3eb6919 + 8d9a944 commit 5a69dcc
Showing 1 changed file with 177 additions and 0 deletions.
Expand Up @@ -191,6 +191,183 @@ The Wazuh dashboard will be accessible on ``https://localhost:8443``.

The default credentials are ``admin:SecretPassword``.

Change the password of Wazuh users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

To improve security, you can change the default password of the Wazuh users. There are two types of Wazuh users:

- Wazuh indexer users
- Wazuh API users

Wazuh indexer users
~~~~~~~~~~~~~~~~~~~

To change the password of the default ``admin`` and ``kibanaserver`` users, do the following.

.. warning::

If you have custom users, add them to the ``internal_users.yml`` file. Otherwise, executing this procedure deletes them.

Setting a new hash
..................

#. Start a Bash shell in ``wazuh-indexer-0``.

.. code-block:: console
# kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash
#. Run these commands to generate the hash of your new password. When prompted, input the new password and press **Enter**.

.. code-block:: console
wazuh-indexer@wazuh-indexer-0:~$ export JAVA_HOME=/usr/share/wazuh-indexer/jdk
wazuh-indexer@wazuh-indexer-0:~$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh

#. Copy the generated hash and exit the Bash shell.

#. Open the ``wazuh/indexer_stack/wazuh-indexer/indexer_conf/internal_users.yml`` file. Locate the block for the user you are changing password for.

#. Replace the hash.

- ``admin`` user

.. code-block:: YAML
:emphasize-lines: 3
...
admin:
hash: "$2y$12$K/SpwjtB.wOHJ/Nc6GVRDuc1h0rM1DfvziFRNPtk27P.c4yDr9njO"
reserved: true
backend_roles:
- "admin"
description: "Demo admin user"
...
- ``kibanaserver`` user

.. code-block:: YAML
:emphasize-lines: 3
...
kibanaserver:
hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
reserved: true
description: "Demo kibanaserver user"
...
Setting the new password
........................

#. Encode your new password in base64 format. Avoid inserting a trailing newline character to maintain the hash value. For example, use the ``-n`` option with the ``echo`` command as follows.

.. code-block::
# echo -n "NewPassword" | base64
#. Edit the indexer or dashbboard secrets configuration file as follows. Replace the value of the ``password`` field with your new encoded password.

- To change the ``admin`` user password, edit the ``wazuh/secrets/indexer-cred-secret.yaml`` file.

.. code-block:: YAML
:emphasize-lines: 8
...
apiVersion: v1
kind: Secret
metadata:
name: indexer-cred
data:
username: YWRtaW4= # string "admin" base64 encoded
password: U2VjcmV0UGFzc3dvcmQ= # string "SecretPassword" base64 encoded
...
- To change the ``kibanaserver`` user password, edit the ``wazuh/secrets/dashboard-cred-secret.yaml`` file.

.. code-block:: YAML
:emphasize-lines: 8
...
apiVersion: v1
kind: Secret
metadata:
name: dashboard-cred
data:
username: a2liYW5hc2VydmVy # string "kibanaserver" base64 encoded
password: a2liYW5hc2VydmVy # string "kibanaserver" base64 encoded
...
Applying the changes
....................

#. Apply the manifest changes

.. code-block:: console
# kubectl apply -k envs/eks/
#. Start a bash shell in ``wazuh-indexer-0`` once more.

.. code-block:: console
# kubectl exec -it wazuh-indexer-0 -n wazuh -- /bin/bash
#. Set the following variables:

.. code-block:: console
export INSTALLATION_DIR=/usr/share/wazuh-indexer
CACERT=$INSTALLATION_DIR/certs/root-ca.pem
KEY=$INSTALLATION_DIR/certs/admin-key.pem
CERT=$INSTALLATION_DIR/certs/admin.pem
export JAVA_HOME=/usr/share/wazuh-indexer/jdk
#. Wait for the Wazuh indexer to initialize properly. The waiting time can vary from two to five minutes. It depends on the size of the cluster, the assigned resources, and the speed of the network. Then, run the ``securityadmin.sh`` script to apply all changes.

.. code-block:: console
$ bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert $CACERT -cert $CERT -key $KEY -p 9200 -icl -h $NODE_NAME
#. Login with the new credentials on the Wazuh dashboard.

Wazuh API users
~~~~~~~~~~~~~~~

The ``wazuh-wui`` user is the user to connect with the Wazuh API by default. Follow these steps to change the password.

.. note::

The password for Wazuh API users must be between 8 and 64 characters long. It must contain at least one uppercase and one lowercase letter, a number, and a symbol.

#. Encode your new password in base64 format. Avoid inserting a trailing newline character to maintain the hash value. For example, use the ``-n`` option with the ``echo`` command as follows.

.. code-block::
# echo -n "NewPassword" | base64
#. Edit the ``wazuh/secrets/wazuh-api-cred-secret.yaml`` file and replace the value of the ``password`` field.

.. code-block:: YAML
:emphasize-lines: 8
apiVersion: v1
kind: Secret
metadata:
name: wazuh-api-cred
namespace: wazuh
data:
username: d2F6dWgtd3Vp # string "wazuh-wui" base64 encoded
password: UGFzc3dvcmQxMjM0LmE= # string "MyS3cr37P450r.*-" base64 encoded
#. Apply the manifest changes.

.. code-block:: console
# kubectl apply -k envs/eks/
#. Restart pods for Wazuh dashboard and Wazuh manager master.

Agents
^^^^^^
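
Review bot: In the ``wazuh-api-cred`` example under "Wazuh API users", the comment on the ``password`` line says the value encodes "MyS3cr37P450r.*-", but ``UGFzc3dvcmQxMjM0LmE=`` decodes to ``Password1234.a``; make the comment and the value agree so readers can check their own encoding against the sample. In "Applying the changes", the ``securityadmin.sh`` command passes ``-h $NODE_NAME``, but the preceding "Set the following variables" step does not define ``NODE_NAME``; either add it to that step or state that the pod environment already provides it. Smaller points: "dashbboard" in the second step of "Setting the new password" should read "dashboard", the first "Apply the manifest changes" step lacks the closing period the second one has, and the final "Restart pods for Wazuh dashboard and Wazuh manager master" step gives no command while every other step does.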