Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvement Request: Simplify Password Customization over Wazuh Docker Compose #1613

Closed
che0one opened this issue Nov 6, 2024 · 1 comment
Closed

Improvement Request: Simplify Password Customization over Wazuh Docker Compose #1613

che0one opened this issue Nov 6, 2024 · 1 comment

Comments

@che0one
Copy link

che0one commented Nov 6, 2024
edited
Loading

Description: Deploying Wazuh using the self-hosted Docker Compose setup with default credentials is so easy but with custom credentials (for Indexer, Kibana, OpenSearch, API, etc.) is notably challenging. Changing default passwords and credentials often leads to errors, making it difficult to secure the deployment against open ports and links.

Issues Encountered:
Difficulty Changing Credentials: Attempting to customize passwords (specifically Kibana and API) results in errors, potentially due to hard-coded dependencies on the default values in multiple components.
Security Risks: Because changing passwords is so complex, default credentials might be left in place, increasing security risks.
Undocumented Dependencies: Changing credentials seems to break dependencies between containers. Detailed information about how each component (Indexer, OpenSearch, Logstash, Kibana, etc.) interacts would be very helpful.

Suggested Improvements:
if you add all username and password dependencies schema to docs i can rewrite compose with parameter expansion dependencies and also with bcrypt command to get hashed credentials and write that to other files, or if it possible write better compose with passwords as a parameter expansion of environment variables like that, there is absolutely 0 reasons to running commands outside of docker-compose if you can do all with only docker-compose like that:

environment:
  - INDEXER_PASSWORD=${INDEXER_PASSWORD:-indexerpasswordhere}
  - KIBANA_PASSWORD=${KIBANA_PASSWORD:-kibanapasswordhere}
  - API_PASSWORD=${API_PASSWORD:-Apipasswordhere-1}
   Opensearch password? 
   Logstack password? 
   Other services which also have hardcoded bcrypt passwords? 
command: Making bcrypt passwords, change on files and run cert creation

Documentation of Dependencies Between Components: Provide a dependency schema for authentication between services (e.g., which services rely on the API_PASSWORD or KIBANA_PASSWORD). This would enable us to update credentials with minimal disruption.

Automated Hashing for Passwords: Include optional commands (e.g., using openssl) to hash passwords, with clear instructions on how and where to apply these hashed values in the configuration. There is ton of complications about passwords on Issues page and majority of that uses with default credentials what makes extremely unsecure of usage.

wazuh-complication

Impact of Changes:
Improving these areas would make the remote deployment process of the self-hosted Wazuh much more user-friendly, secure, and adaptable to custom setups.
@che0one che0one changed the title Improvement Request: Password customization makes error, Simplify Password Customization over Wazuh Docker Compose Improvement Request: Simplify Password Customization over Wazuh Docker Compose Nov 6, 2024
@che0one
Copy link
Author

che0one commented Nov 6, 2024

That works for me: #1602 (comment)

@che0one che0one closed this as completed Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@che0one