wazuh-passwords-tool.sh fails with specific /etc/wazuh-indexer/opensearch.yml configuration

[kujo-jotaro]

Wazuh version	Install type	Action performed	Platform
4.3.6	Wazuh Indexer	Install/Upgrade/Remove	Ubuntu

When running wazuh-passwords-tool.sh with the following opensearch.yml config:

#network.host: "XXX.XXX.XXX.XXX"
network.host: "0.0.0.0"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
#- "node-2"
#- "node-3"
cluster.name: "wazuh-cluster"
#discovery.seed_hosts:
#  - "node-1-ip"
#  - "node-2-ip"
#  - "node-3-ip"
node.max_local_storage_nodes: "3"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer

plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false

plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US"
#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"

plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]

### Option to allow Filebeat-oss 7.10.2 to work ###
compatibility.override_main_response_version: true

The script fails with the following error:

wazuh-passwords-tool.sh: line 177: 0.0.0.0: command not found
29/11/2022 21:58:41 ERROR: The backup could not be created

After checking out the script, the function passwords_getNetworkHost seems to incorrectly return both the commented-out line and the one below that, providing following functions with an extra, unexpected parameter.

This could be fixed by having the comment as the second line, but maybe it should be investigated and possibly fixed.

[davidcr01]

Update Report

Reproducing the error

With the following content (snippet) of the /etc/wazuh-indexer/opensearch.yml file:

#network.host: "X.X.X.X"
network.host: "127.0.0.1"
node.name: "node-1"
cluster.initial_master_nodes:
- "node-1"
cluster.name: "wazuh-cluster"

The error is reproduced:

The IP variable fetches the commented line

root@ubuntu22:/home/vagrant# bash wazuh-passwords-tool.sh -a
26/10/2023 10:23:49 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
++ grep -hr network.host: /etc/wazuh-indexer/opensearch.yml
+ IP='#network.host: "X.X.X.X"
network.host: "127.0.0.1"'
+ NH='network.host: '
+ IP='#"X.X.X.X"
"127.0.0.1"'
+ [[ #"X.X.X.X"
"127.0.0.1" =~ _.*_ ]]
+ '[' '#"X.X.X.X"
"127.0.0.1"' == 0.0.0.0 ']'
+ set +x
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
Security Admin v7
ERR: Parsing failed.  Reason: Missing argument for option: h
usage: securityadmin.sh [-arc] [-backup <folder>] [-cacert <file>] [-cd
       <directory>] [-cert <file>] [-cn <clustername>] [-dci] [-dg] [-dra]
       [-ec <cipers>] [-ep <protocols>] [-er <number of replicas>] [-era]
       [-esa] [-f <file>] [-ff] [-h <host>] [-i <indexname>] [-icl] [-key
       <file>] [-keypass <password>] [-ks <file>] [-ksalias <alias>]
       [-kspass <password>] [-kst <type>] [-migrate <folder>] [-mo
       <folder>] [-nhnv] [-p <port>] [-prompt] [-r] [-rev] [-rl] [-si]
       [-sniff] [-t <file-type>] [-ts <file>] [-tspass <password>] [-tst
       <type>] [-us <number of replicas>] [-vc <version>] [-w]
 -arc,--accept-red-cluster                      Also operate on a red
                                                cluster. If not specified
                                                the cluster state has to
                                                be at least yellow.
 -backup <folder>                               Backup configuration to
                                                folder
 -cacert <file>                                 Path to trusted cacert
                                                (PEM format)
 -cd,--configdir <directory>                    Directory for config files
 -cert <file>                                   Path to admin certificate
                                                in PEM format
 -cn,--clustername <clustername>                Clustername (do not use
                                                together with -icl)
 -dci,--delete-config-index                     Delete
                                                '.opendistro_security'
                                                config index and exit.
 -dg,--diagnose                                 Log diagnostic trace into
                                                a file
 -dra,--disable-replica-autoexpand              Disable replica auto
                                                expand and exit
 -ec,--enabled-ciphers <cipers>                 Comma separated list of
                                                enabled TLS ciphers
 -ep,--enabled-protocols <protocols>            Comma separated list of
                                                enabled TLS protocols
 -er,--explicit-replicas <number of replicas>   Set explicit number of
                                                replicas or autoexpand
                                                expression for
                                                .opendistro_security index
 -era,--enable-replica-autoexpand               Enable replica auto expand
                                                and exit
 -esa,--enable-shard-allocation                 Enable all shard
                                                allocation and exit.
 -f,--file <file>                               file
 -ff,--fail-fast                                fail-fast if something
                                                goes wrong
 -h,--hostname <host>                           OpenSearch host (default:
                                                localhost)
 -i,--index <indexname>                         The index OpenSearch
                                                Security uses to store the
                                                configuration
 -icl,--ignore-clustername                      Ignore clustername (do not
                                                use together with -cn)
 -key <file>                                    Path to the key of admin
                                                certificate
 -keypass <password>                            Password of the key of
                                                admin certificate
                                                (optional)
 -ks,--keystore <file>                          Path to keystore
                                                (JKS/PKCS12 format
 -ksalias,--keystore-alias <alias>              Keystore alias
 -kspass,--keystore-password <password>         Keystore password
 -kst,--keystore-type <type>                    JKS or PKCS12, if not
                                                given we use the file
                                                extension to dectect the
                                                type
 -migrate <folder>                              Migrate and use folder to
                                                store migrated files
 -mo,--migrate-offline <folder>                 Migrate and use folder to
                                                store migrated files
 -nhnv,--disable-host-name-verification         Disable hostname
                                                verification
 -p,--port <port>                               OpenSearch transport port
                                                (default: 9200)
 -prompt,--prompt-for-password                  Prompt for password if not
                                                supplied
 -r,--retrieve                                  retrieve current config
 -rev,--resolve-env-vars                        Resolve/Substitute env
                                                vars in config with their
                                                value before uploading
 -rl,--reload                                   Reload the configuration
                                                on all nodes, flush all
                                                Security caches and exit
 -si,--show-info                                Show system and license
                                                info
 -sniff,--enable-sniffing                       Enable
                                                client.transport.sniff
 -t,--type <file-type>                          file-type
 -ts,--truststore <file>                        Path to truststore
                                                (JKS/PKCS12 format)
 -tspass,--truststore-password <password>       Truststore password
 -tst,--truststore-type <type>                  JKS or PKCS12, if not
                                                given we use the file
                                                extension to dectect the
                                                type
 -us,--update_settings <number of replicas>     Update the number of
                                                Security index replicas,
                                                reload configuration on
                                                all nodes and exit
 -vc,--validate-configs <version>               Validate config for
                                                version 6 or 7 (default 7)
 -w,--whoami                                    Show information about the
                                                used admin certificate
26/10/2023 10:23:55 ERROR: The backup could not be created

Fixing the problem

The line that perform this operation is the following:
IP=$(grep -hr "network.host:" /etc/wazuh-indexer/opensearch.yml)

By addint the ^ character to "network.host:" should solve the problem, as the commented lines (which start with #) will be ommited:
IP=$(grep -hr "^network.host:" /etc/wazuh-indexer/opensearch.yml)

🟢 With this change, the passwords are correctly changed, and no errors are generated:

root@ubuntu22:/home/vagrant# bash wazuh-passwords-tool.sh -a
26/10/2023 10:26:00 INFO: Wazuh API admin credentials not provided, Wazuh API passwords not changed.
++ grep -hr '^network.host:' /etc/wazuh-indexer/opensearch.yml
+ IP='network.host: "127.0.0.1"'
+ NH='network.host: '
+ IP='"127.0.0.1"'
+ [[ "127.0.0.1" =~ _.*_ ]]
+ '[' '"127.0.0.1"' == 0.0.0.0 ']'
+ set +x
26/10/2023 10:26:18 INFO: The password for user admin is 1ZCfgE5oxmdR*aIP+BBMg1*jN?UfMd?1
26/10/2023 10:26:18 INFO: The password for user kibanaserver is s03CvlCfz5Z+LL5zg3l7J8xVjkXjYV8O
26/10/2023 10:26:18 INFO: The password for user kibanaro is zuZkPzc7LwCbSzRemGKNe+9eSrgbL8a5
26/10/2023 10:26:18 INFO: The password for user logstash is nnr9G*nFD*G0CwW?keUyL9LO7tM2fsFK
26/10/2023 10:26:18 INFO: The password for user readall is 5TvTfGZDJVTVFVhvPfa*C*sM6pyS2uLk
26/10/2023 10:26:18 INFO: The password for user snapshotrestore is hsNr8+lBK+a7YzK0.hJpdUn2hicdz.9a
26/10/2023 10:26:18 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard and Filebeat nodes if necessary, and restart the services.
root@ubuntu22:/home/vagrant#