Merge pull request #2968 from wazuh/bug/1854-improve-the-passwords-tool-behavior-in-distributed-environments

Solve bugs when changing passwords in the manager, indexer and dashboard services
davidcr01 committed Jun 17, 2024
2 parents 19a2bff + 5fa12c1 commit 25f7bd4
Showing 2 changed files with 70 additions and 23 deletions.
62 changes: 48 additions & 14 deletions unattended_installer/passwords_tool/passwordsFunctions.sh
Expand Up @@ -14,6 +14,7 @@ function passwords_changePassword() {
eval "cp /etc/wazuh-indexer/opensearch-security/* /etc/wazuh-indexer/backup/ ${debug}"
passwords_createBackUp
fi

for i in "${!passwords[@]}"
do
if [ -n "${indexer_installed}" ] && [ -f "/etc/wazuh-indexer/backup/internal_users.yml" ]; then
Expand Down Expand Up @@ -56,8 +57,11 @@ function passwords_changePassword() {
conf="$(awk '{sub("password: .*", "password: '"${adminpass}"'")}1' /etc/filebeat/filebeat.yml)"
echo "${conf}" > /etc/filebeat/filebeat.yml
fi

passwords_restartService "filebeat"
eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}"
common_logger -nl $"The new password for Filebeat is ${adminpass}"

passwords_restartService "wazuh-manager"
fi
fi
Expand All @@ -74,15 +78,22 @@ function passwords_changePassword() {
echo "${conf}" > /etc/wazuh-dashboard/opensearch_dashboards.yml
fi
passwords_restartService "wazuh-dashboard"

if [ -z "${indexer_installed}" ]; then
# only for when the indexer is not installed, so as not to put the same information several times.
common_logger -nl $"The password for the kibanaserver user in the dashboard has been updated to $dashpass"
fi
fi
fi

}

function passwords_changePasswordApi() {
#Change API password tool
if [ -n "${changeall}" ]; then
if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml)
fi
if [ -n "${changeall}" ]; then
for i in "${!api_passwords[@]}"; do
if [ -n "${wazuh_installed}" ]; then
passwords_getApiUserId "${api_users[i]}"
Expand Down Expand Up @@ -122,8 +133,16 @@ function passwords_changeDashboardApiPassword() {
until [ -n "${file_exists}" ] || [ "${j}" -eq "12" ]; do
if [ -f "/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" ]; then
eval "sed -i 's|password: .*|password: \"${1}\"|g' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml ${debug}"
# Restart the service only if we change the api password. If we change all, the service is restarted when changing the kibanaserver password.
if [ -z "${changeall}" ]; then
passwords_restartService "wazuh-dashboard"
fi
if [ -z "${AIO}" ] && [ -z "${indexer}" ] && [ -z "${dashboard}" ] && [ -z "${wazuh}" ] && [ -z "${start_indexer_cluster}" ]; then
common_logger "Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service."
if [ -z "${wazuh_installed}" ]; then
common_logger "Updated wazuh-wui user password in wazuh dashboard to '${1}'."
else
common_logger "Updated wazuh-wui user password in wazuh dashboard."
fi
fi
file_exists=1
fi
Expand All @@ -135,20 +154,20 @@ function passwords_changeDashboardApiPassword() {

function passwords_checkUser() {

if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then
for i in "${!api_users[@]}"; do
if [ "${api_users[i]}" == "${nuser}" ]; then
exists=1
fi
done
else
for i in "${!users[@]}"; do
if [ "${users[i]}" == "${nuser}" ]; then
exists=1
fi
done
fi

for i in "${!users[@]}"; do
if [ "${users[i]}" == "${nuser}" ]; then
exists=1
fi
done

if [ -z "${exists}" ]; then
common_logger -e "The given user does not exist"
exit 1;
Expand Down Expand Up @@ -442,7 +461,7 @@ For Wazuh API users, the file must have this format:
fi
done

if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then
for j in "${!fileapiusers[@]}"; do
supported=false
for i in "${!api_users[@]}"; do
Expand Down Expand Up @@ -479,7 +498,7 @@ For Wazuh API users, the file must have this format:
fi
done

if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; } then
for j in "${!fileapiusers[@]}"; do
supported=false
for i in "${!api_users[@]}"; do
Expand Down Expand Up @@ -507,12 +526,27 @@ For Wazuh API users, the file must have this format:
fi

}
function passwords_readDashboardUsers() {

wazuh_yml_user=$(awk '/- default:/ {found=1} found && /username:/ {print $2}' /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml)

api_users=("$wazuh_yml_user")

if [ -z "${indexer_installed}" ]; then
users+=("kibanaserver")
fi

}
function passwords_readUsers() {

passwords_updateInternalUsers
susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }')
mapfile -t users <<< "${susers[@]}"
if [ -n "${indexer_installed}" ]; then
passwords_updateInternalUsers
susers=$(grep -B 1 hash: /etc/wazuh-indexer/opensearch-security/internal_users.yml | grep -v hash: | grep -v "-" | awk '{ print substr( $0, 1, length($0)-1 ) }')
mapfile -t users <<< "${susers[@]}"
elif [ -n "${wazuh_installed}" ]; then
# Only need the user admin for Filebeat connection
users=("admin")
fi

}

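Review bot: The new keystore call `eval "/var/ossec/bin/wazuh-keystore -f indexer -k password -v ${adminpass}"` re-parses the password through the shell, so a value containing a space, `;`, `$`, quotes or backticks either truncates the stored secret or gets executed as a command, and nothing in this hunk restricts adminpass to a generated value (the `p_file` path in passwordsMain.sh suggests passwords can also come from a user-supplied file). No `${debug}` redirection is appended on this line, so eval buys nothing here; call the binary directly with the value quoted, `/var/ossec/bin/wazuh-keystore -f indexer -k password -v "${adminpass}"`. Note also that `-v` puts the secret in the process argument list, visible to other local users through `ps` for the duration of the call; if wazuh-keystore can take the value on stdin that is preferable, otherwise a one-line comment recording the exposure would help the next maintainer. The enclosing function passwords_changePassword begins before this hunk.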
31 changes: 22 additions & 9 deletions unattended_installer/passwords_tool/passwordsMain.sh
Expand Up @@ -222,7 +222,9 @@ function main() {
passwords_getApiToken
passwords_getApiUsers
passwords_getApiIds
elif [ -n "${indexer_installed}" ]; then
elif [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then
passwords_readDashboardUsers
elif [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then
passwords_readUsers
fi
passwords_checkUser
Expand All @@ -239,15 +241,20 @@ function main() {


if [ -n "${changeall}" ] || [ -n "${p_file}" ]; then
if [ -n "${indexer_installed}" ]; then
if [ -n "${indexer_installed}" ] || [ -n "${wazuh_installed}" ]; then
passwords_readUsers
fi
if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
passwords_getApiToken
passwords_getApiUsers
passwords_getApiIds
else
common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed."

if [ -n "${wazuh_installed}" ]; then
if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
passwords_getApiToken
passwords_getApiUsers
passwords_getApiIds
else
common_logger "Wazuh API admin credentials not provided, Wazuh API passwords not changed."
fi
elif [ -n "${dashboard_installed}" ]; then
passwords_readDashboardUsers
fi
if [ -n "${changeall}" ]; then
passwords_generatePassword
Expand All @@ -266,9 +273,15 @@ function main() {
passwords_runSecurityAdmin
fi

# Call the function to change the password for filebeat and/or kibanaserver
if [ -z "${indexer_installed}" ] && { [ -n "${wazuh_installed}" ] || [ -n "${dashboard_installed}" ]; }; then
passwords_changePassword
fi

if [ -n "${api}" ] || [ -n "${changeall}" ]; then
if [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; then
if { [ -n "${adminUser}" ] && [ -n "${adminPassword}" ]; } || { [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }; then
passwords_changePasswordApi

fi
fi

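Review bot: The dashboard-only predicate `{ [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; }` added to the passwords_changePasswordApi guard is now the fifth copy of the same test across the two files (passwords_checkUser and the two password-file validation branches in passwordsFunctions.sh carry it too, already in two spellings, `; }; then` and `; } then`). Compute it once near the top of main, e.g. `dashboard_only=""; if [ -z "${wazuh_installed}" ] && [ -n "${dashboard_installed}" ]; then dashboard_only=1; fi`, and test `[ -n "${dashboard_only}" ]` at each site so the branches cannot drift apart. The same variable would also replace the inline pair on the new `elif` that selects passwords_readDashboardUsers. main begins before the first hunk and its body continues past the last one.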
