Automated installer not setting the kibanaserver password correctly. #3056

Closed
f-galland opened this issue Jul 23, 2024 · 5 comments · Fixed by #3063
Labels: level/task (Subtask issue), type/bug (Bug issue)

@f-galland

|Wazuh version|Install type|Action performed|Platform|
|---|---|---|---|
|4.9.0-alpha3|Assisted Installation|Installed components one by one|Debian 11 amd64|

Hi Team,

When deploying the Wazuh Dashboard running the following command from our documentation:

bash wazuh-install.sh --wazuh-dashboard dashboard

The dashboard fails to install and the installation gets automatically reverted.

root@indexer1:~# bash wazuh-install.sh --wazuh-dashboard dashboard
22/07/2024 15:46:42 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
22/07/2024 15:46:42 INFO: Verbose logging redirected to /var/log/wazuh-install.log
22/07/2024 15:46:42 INFO: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04.
22/07/2024 15:46:42 WARNING: The current system does not match with the list of recommended systems. The installation may not work properly.
22/07/2024 15:46:45 INFO: --- Dependencies ----
22/07/2024 15:46:45 INFO: Installing gawk.
22/07/2024 15:46:48 INFO: Verifying that your system meets the recommended minimum hardware requirements.
22/07/2024 15:46:52 INFO: Wazuh web interface port will be 443.
22/07/2024 15:46:52 INFO: --- Dependencies ----
22/07/2024 15:46:52 INFO: Installing lsof.
22/07/2024 15:46:57 INFO: --- Dependencies ----
22/07/2024 15:46:57 INFO: Installing debhelper.
22/07/2024 15:48:10 INFO: Wazuh development repository added.
22/07/2024 15:48:10 INFO: --- Wazuh dashboard ----
22/07/2024 15:48:10 INFO: Starting Wazuh dashboard installation.
22/07/2024 15:49:25 INFO: Wazuh dashboard installation finished.
22/07/2024 15:49:25 INFO: Wazuh dashboard post-install configuration finished.
22/07/2024 15:49:25 INFO: Starting service wazuh-dashboard.
22/07/2024 15:49:26 INFO: wazuh-dashboard service started.
22/07/2024 15:50:35 INFO: Initializing Wazuh dashboard web application.
22/07/2024 15:52:35 ERROR: Cannot connect to Wazuh dashboard.
22/07/2024 15:52:35 INFO: If you want to install Wazuh dashboard without waiting for the Wazuh indexer cluster, use the -fd option
22/07/2024 15:52:35 INFO: --- Removing existing Wazuh installation ---
22/07/2024 15:52:35 INFO: Removing Wazuh dashboard.
22/07/2024 15:52:43 INFO: Wazuh dashboard removed.
22/07/2024 15:52:44 INFO: --- Dependencies ----
22/07/2024 15:52:44 INFO: Removing gawk.
22/07/2024 15:52:45 INFO: Removing lsof.
22/07/2024 15:52:46 INFO: Installation cleaned. Check the /var/log/wazuh-install.log file to learn more about the issue.

While inspecting /var/log/wazuh-indexer/wazuh-indexer-cluster.log we determined that the dashboard tried to use the kibanaserver user credentials to log in, but those were invalid:

root@indexer1:~# tail -10 /var/log/wazuh-indexer/wazuh-indexer-cluster.log 
[2024-07-22T15:46:37,730][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:46:42,734][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:46:47,737][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:46:52,741][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:46:57,741][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:47:02,741][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:47:07,744][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:47:12,708][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:47:17,743][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162
[2024-07-22T15:47:22,749][WARN ][o.o.s.a.BackendRegistry  ] [node-1] Authentication finally failed for kibanaserver from 192.168.56.123:37162

I was able to fix this issue by:

  • Forcing the installation of the dashboard with the -fd flag
  • Re-setting the kibanaserver password present in the wazuh-install-files/wazuh-passwords.txt file using the wazuh-passwords-tool.sh script
  • Restarting the Wazuh Dashboard service.

root@indexer1:~/wazuh-install-files# curl -ku kibanaserver:'SnV1FADz2e*YTmFyWe0P+H+W*F*Kt*K0' https://192.168.56.120:9200

root@indexer1:~/wazuh-install-files# grep kibanaserver wazuh-passwords.txt -A1
  indexer_username: 'kibanaserver'
  indexer_password: 'SnV1FADz2e*YTmFyWe0P+H+W*F*Kt*K0'

root@indexer1:~/wazuh-install-files# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u kibanaserver -p 'SnV1FADz2e*YTmFyWe0P+H+W*F*Kt*K0'
23/07/2024 10:45:22 INFO: Updating the internal users.
23/07/2024 10:45:24 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
23/07/2024 10:45:24 INFO: Generating password hash
23/07/2024 10:45:27 WARNING: Password changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.

root@indexer1:~/wazuh-install-files# curl -ku kibanaserver:'SnV1FADz2e*YTmFyWe0P+H+W*F*Kt*K0' https://192.168.56.120:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "gpzBHX2oSv-vPYt38fSsPw",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "2c952aba7735bee5f4b0bb9cfc821d68ffbdd636",
    "build_date" : "2024-07-19T16:32:15.451255Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

The automated installer is somehow not setting the kibanaserver password correctly.

@c-bordon

Update report

I was able to replicate the error. I am now validating the code to find where the error is. In particular, I found a message that makes me think that something needs to be changed in the code, since this message appears in the logs when installing the dashboard:

23/07/2024 17:33:13 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.

root@bullseye:~# bash wazuh-install.sh --wazuh-dashboard dashboard
23/07/2024 17:31:37 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
23/07/2024 17:31:37 INFO: Verbose logging redirected to /var/log/wazuh-install.log
23/07/2024 17:31:37 INFO: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04.
23/07/2024 17:31:37 WARNING: The current system does not match with the list of recommended systems. The installation may not work properly.
23/07/2024 17:31:40 INFO: --- Dependencies ----
23/07/2024 17:31:40 INFO: Installing gawk.
23/07/2024 17:31:42 INFO: Verifying that your system meets the recommended minimum hardware requirements.
23/07/2024 17:31:44 INFO: Wazuh web interface port will be 443.
23/07/2024 17:31:46 INFO: --- Dependencies ----
23/07/2024 17:31:46 INFO: Installing debhelper.
23/07/2024 17:32:21 INFO: Wazuh development repository added.
23/07/2024 17:32:21 INFO: --- Wazuh dashboard ----
23/07/2024 17:32:21 INFO: Starting Wazuh dashboard installation.
23/07/2024 17:33:11 INFO: Wazuh dashboard installation finished.
23/07/2024 17:33:11 INFO: Wazuh dashboard post-install configuration finished.
23/07/2024 17:33:11 INFO: Starting service wazuh-dashboard.
23/07/2024 17:33:12 INFO: wazuh-dashboard service started.
23/07/2024 17:33:13 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
23/07/2024 17:34:36 INFO: Initializing Wazuh dashboard web application.
23/07/2024 17:36:37 ERROR: Cannot connect to Wazuh dashboard.
23/07/2024 17:36:37 INFO: If you want to install Wazuh dashboard without waiting for the Wazuh indexer cluster, use the -fd option
23/07/2024 17:36:37 INFO: --- Removing existing Wazuh installation ---
23/07/2024 17:36:37 INFO: Removing Wazuh dashboard.
23/07/2024 17:36:42 INFO: Wazuh dashboard removed.
23/07/2024 17:36:42 INFO: --- Dependencies ----
23/07/2024 17:36:42 INFO: Removing gawk.
23/07/2024 17:36:43 INFO: Installation cleaned. Check the /var/log/wazuh-install.log file to learn more about the issue.

I have to continue analyzing and testing to find the error.

@c-bordon

Update report

I continued analyzing the code and the error, but I could not find the reason for the failure. I ran some tests to verify, and the passwords and hashes are correct, but for the user kibanaserver it is not working correctly:

indexer start cluster

root@bullseye:~# bash wazuh-install.sh --start-cluster
24/07/2024 15:20:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
24/07/2024 15:20:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
24/07/2024 15:20:30 INFO: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04.
24/07/2024 15:20:30 WARNING: The current system does not match with the list of recommended systems. The installation may not work properly.
24/07/2024 15:20:33 INFO: Verifying that your system meets the recommended minimum hardware requirements.
24/07/2024 15:20:37 INFO: Wazuh indexer cluster security configuration initialized.
24/07/2024 15:21:14 INFO: Updating the internal users.
24/07/2024 15:21:15 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
24/07/2024 15:21:20 INFO: password: hEZ3acUjT51N1gMJNrx.rAzKyIU3mUv+ - user: admin - hash: $2y$12$.l2MXFqE2QVgvoVOU/YkXeAB7LkSTmOGtBebMB3a62Rf03Sxh9V3K
24/07/2024 15:21:20 INFO: password: PQocsHAnvsKWl*X+IMbYV7VqMkyIHHBX - user: kibanaserver - hash: $2y$12$f8.kJdULLmnoxlJiAtgOnus6eAWtSWMTiMTstNEWEJJf/5LPaskBm
24/07/2024 15:21:20 INFO: password: XqkU4DP9d9OhMPEMwEPBsF1cPfkLTec? - user: kibanaro - hash: $2y$12$MQjN.iKXal84A5x6ajQS0OK2ssc.A8x6YTO3ZmNIBV.IVGotlhZ8W
24/07/2024 15:21:20 INFO: password: nBstqA.*6oXy6w*r*y.YGcWpO9ck6fOg - user: logstash - hash: $2y$12$8GdM3R3hnWJPvN/oBlz19OdoZlozkNVLAFpc0kNMyeQT.LYLGaCtC
24/07/2024 15:21:20 INFO: password: e4TYlUXmpQhLD9YoUh1.vCiiC*r*0AGE - user: readall - hash: $2y$12$x7scq/dcV6e2Hw9MbPYeKeO3uH4zs5FzYEy0odH3JEE2ligr8HYJq
24/07/2024 15:21:20 INFO: password: 7Y5CZPaNpKER*AJi.D1OqAwKzQt?SpRb - user: snapshotrestore - hash: 
24/07/2024 15:21:21 INFO: Wazuh indexer cluster started.

internal user file:

root@bullseye:~# cat /etc/wazuh-indexer/opensearch-security/internal_users.yml 
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: $2y$12$.l2MXFqE2QVgvoVOU/YkXeAB7LkSTmOGtBebMB3a62Rf03Sxh9V3K
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
anomalyadmin:
  hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
  reserved: false
  opendistro_security_roles:
  - "anomaly_full_access"
  description: "Demo anomaly admin user, using internal role"
kibanaserver:
  hash: $2y$12$f8.kJdULLmnoxlJiAtgOnus6eAWtSWMTiMTstNEWEJJf/5LPaskBm
  reserved: true
  description: "Demo OpenSearch Dashboards user"
kibanaro:
  hash: $2y$12$MQjN.iKXal84A5x6ajQS0OK2ssc.A8x6YTO3ZmNIBV.IVGotlhZ8W
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo read only user, using external role mapping"
logstash:
  hash: $2y$12$8GdM3R3hnWJPvN/oBlz19OdoZlozkNVLAFpc0kNMyeQT.LYLGaCtC
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"
readall:
  hash: $2y$12$x7scq/dcV6e2Hw9MbPYeKeO3uH4zs5FzYEy0odH3JEE2ligr8HYJq
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user, using external role mapping"
snapshotrestore:
  hash: 
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user, using external role mapping"

Password file

root@bullseye:~# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'kibanaserver\'" -A 1
  indexer_username: 'kibanaserver'
  indexer_password: 'PQocsHAnvsKWl*X+IMbYV7VqMkyIHHBX'

In all cases you can see that the password is correct and the hash is also correct.

curl test

root@bullseye:~# curl -ku kibanaserver:'PQocsHAnvsKWl*X+IMbYV7VqMkyIHHBX' https://127.0.0.1:9200
root@bullseye:~#

curl test with admin user and new password

root@bullseye:~# curl -ku admin:'hEZ3acUjT51N1gMJNrx.rAzKyIU3mUv+' https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "b11nryNcQUWQf7ax9plcIg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "2c952aba7735bee5f4b0bb9cfc821d68ffbdd636",
    "build_date" : "2024-07-19T16:32:15.451255Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
root@bullseye:~#

Update the kibanaserver user password

root@bullseye:~# /usr/share/wazuh-indexer/plugins/opensearch-security/tools/wazuh-passwords-tool.sh -u kibanaserver -p 'PQocsHAnvsKWl*X+IMbYV7VqMkyIHHBX'
24/07/2024 15:44:10 INFO: Updating the internal users.
24/07/2024 15:44:11 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
24/07/2024 15:44:11 INFO: Generating password hash
24/07/2024 15:44:15 WARNING: Password changed. Remember to update the password in the Wazuh dashboard, Wazuh server, and Filebeat nodes if necessary, and restart the services.
root@bullseye:~# curl -ku kibanaserver:'PQocsHAnvsKWl*X+IMbYV7VqMkyIHHBX' https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "b11nryNcQUWQf7ax9plcIg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "2c952aba7735bee5f4b0bb9cfc821d68ffbdd636",
    "build_date" : "2024-07-19T16:32:15.451255Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

@c-bordon

Update report

Performing new tests and comparing the code, we do not see any change or parameter that specifically affects the kibanaserver user over the rest; that is, the generation of passwords and hashes is the same for all users. Therefore, the behavior that only occurs with the kibanaserver user, where it does not authenticate after changing the password, is a bit strange.

After comparing the outputs of the hashes and the passwords, we found nothing in the code of the Wazuh password tool that justifies this behavior.

As an additional test, we used the production script (4.8.1) to install the 4.9.0 builds and ran into the same error. If we install the 4.8.1 product with this script, everything works correctly.

Therefore, it is necessary for the indexer team to verify whether there is any change for this user that could generate this behavior.

4.8.1 script test:

root@bullseye:~# curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh && curl -sO https://packages.wazuh.com/4.8/config.yml
root@bullseye:~# vim config.yml 
root@bullseye:~# vim wazuh-install.sh 
root@bullseye:~# bash wazuh-install.sh --generate-config-files
25/07/2024 16:20:30 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
25/07/2024 16:20:30 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:20:30 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.
root@bullseye:~# bash wazuh-install.sh --generate-config-files -i
25/07/2024 16:20:37 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
25/07/2024 16:20:37 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:20:38 WARNING: Hardware and system checks ignored.
25/07/2024 16:20:40 INFO: --- Dependencies ----
25/07/2024 16:20:40 INFO: Installing gawk.
25/07/2024 16:20:41 INFO: --- Configuration files ---
25/07/2024 16:20:41 INFO: Generating configuration files.
25/07/2024 16:20:41 INFO: Generating the root certificate.
25/07/2024 16:20:42 INFO: Generating Admin certificates.
25/07/2024 16:20:42 INFO: Generating Wazuh indexer certificates.
25/07/2024 16:20:42 INFO: Generating Filebeat certificates.
25/07/2024 16:20:42 INFO: Generating Wazuh dashboard certificates.
25/07/2024 16:20:42 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
25/07/2024 16:20:42 INFO: --- Dependencies ----
25/07/2024 16:20:42 INFO: Removing gawk.
root@bullseye:~# bash wazuh-install.sh --wazuh-indexer node-1 -i
25/07/2024 16:22:49 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
25/07/2024 16:22:49 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:22:50 WARNING: Hardware and system checks ignored.
25/07/2024 16:22:53 INFO: --- Dependencies ----
25/07/2024 16:22:53 INFO: Installing gawk.
25/07/2024 16:22:59 INFO: Wazuh repository added.
25/07/2024 16:22:59 INFO: --- Wazuh indexer ---
25/07/2024 16:22:59 INFO: Starting Wazuh indexer installation.
25/07/2024 16:24:49 INFO: Wazuh indexer installation finished.
25/07/2024 16:24:49 INFO: Wazuh indexer post-install configuration finished.
25/07/2024 16:24:49 INFO: Starting service wazuh-indexer.
25/07/2024 16:24:59 INFO: wazuh-indexer service started.
25/07/2024 16:24:59 INFO: Initializing Wazuh indexer cluster security settings.
25/07/2024 16:25:00 INFO: Wazuh indexer cluster initialized.
25/07/2024 16:25:00 INFO: --- Dependencies ----
25/07/2024 16:25:00 INFO: Removing gawk.
25/07/2024 16:25:01 INFO: Installation finished.
root@bullseye:~# cat /etc/wazuh-indexer/opensearch-security/internal_users.yml 
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta:
  type: "internalusers"
  config_version: 2

# Define your internal users here

## Demo users

admin:
  hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

anomalyadmin:
  hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
  reserved: false
  opendistro_security_roles:
  - "anomaly_full_access"
  description: "Demo anomaly admin user, using internal role"

kibanaserver:
  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
  reserved: true
  description: "Demo OpenSearch Dashboards user"

kibanaro:
  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo read only user, using external role mapping"

logstash:
  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"

readall:
  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user, using external role mapping"

snapshotrestore:
  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user, using external role mapping"
root@bullseye:~# bash wazuh-install.sh --start-cluster
25/07/2024 16:27:25 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
25/07/2024 16:27:25 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:27:25 ERROR: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04. The current system does not match this list. Use -i|--ignore-check to skip this check.
root@bullseye:~# bash wazuh-install.sh --start-cluster -i
25/07/2024 16:27:28 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
25/07/2024 16:27:28 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:27:29 WARNING: Hardware and system checks ignored.
25/07/2024 16:27:32 INFO: --- Dependencies ----
25/07/2024 16:27:32 INFO: Installing gawk.
25/07/2024 16:27:35 INFO: Wazuh indexer cluster security configuration initialized.
25/07/2024 16:28:06 INFO: Updating the internal users.
25/07/2024 16:28:08 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
25/07/2024 16:28:14 INFO: --- Dependencies ----
25/07/2024 16:28:14 INFO: Removing gawk.
25/07/2024 16:28:15 INFO: Wazuh indexer cluster started.
root@bullseye:~# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'kibanaserver\'" -A 1
  indexer_username: 'kibanaserver'
  indexer_password: 'gfUmLN.uqSaB9a+I*egaACe0hVHGwZ7S'
root@bullseye:~# curl -ku kibanaserver:'gfUmLN.uqSaB9a+I*egaACe0hVHGwZ7S' https://127.0.0.1:9200
root@bullseye:~# cat /etc/wazuh-indexer/opensearch-security/internal_users.yml
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: 
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
anomalyadmin:
  hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
  reserved: false
  opendistro_security_roles:
  - "anomaly_full_access"
  description: "Demo anomaly admin user, using internal role"
kibanaserver:
  hash: 
  reserved: true
  description: "Demo OpenSearch Dashboards user"
kibanaro:
  hash: 
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo read only user, using external role mapping"
logstash:
  hash: 
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"
readall:
  hash: 
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user, using external role mapping"
snapshotrestore:
  hash: 
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user, using external role mapping"
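
An added check, not part of the original thread or of the Wazuh code base: it scans an `internal_users.yml` for users whose `hash:` field is empty or not shaped like a bcrypt string, which is the state visible in the listing above. The function names and the sample file are constructed for illustration, and the check validates the shape of the hash only, not that it matches a password.

```shell
#!/bin/sh
# Audit an OpenSearch-security internal_users.yml for missing or malformed
# bcrypt hashes. Added example; helper names are hypothetical.

# check_internal_users FILE
# Prints "<user> EMPTY" or "<user> MALFORMED" for each problem entry.
# Returns 0 when every user carries a bcrypt-shaped hash, 1 otherwise.
check_internal_users() {
    awk '
        function report(u, why) { printf "%s %s\n", u, why; bad = 1 }
        # A user block with no hash key at all is reported as EMPTY too.
        function finish() { if (user != "" && !seen) report(user, "EMPTY") }

        # Unindented "name:" starts a new entry; _meta is not a user.
        /^[^ \t#][^:]*:[ \t]*$/ {
            finish()
            user = $0
            sub(/:[ \t]*$/, "", user)
            if (user == "_meta") user = ""
            seen = 0
            next
        }

        # Indented "hash:" belongs to the current user.
        user != "" && /^[ \t]+hash:/ {
            seen = 1
            h = $0
            sub(/^[ \t]+hash:[ \t]*/, "", h)
            sub(/[ \t]+$/, "", h)
            gsub(/^"|"$/, "", h)          # hashes may be quoted or bare
            if (h == "")
                report(user, "EMPTY")
            # bcrypt: $2<variant>$<2-digit cost>$ + 53 chars, 60 in total
            else if (length(h) != 60 ||
                     h !~ "^[$]2[abxy][$][0-9][0-9][$][./A-Za-z0-9]+$")
                report(user, "MALFORMED")
        }

        END { finish(); exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_internal_users FILE
# Constructed sample: the hash values are placeholders with the right shape,
# not real bcrypt output and not values from the issue.
write_sample_internal_users() {
    cat > "$1" <<'EOF'
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: $2y$12$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0
  reserved: true
anomalyadmin:
  hash: "$2y$12$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0"
  reserved: false
kibanaserver:
  hash: 
  reserved: true
snapshotrestore:
  hash: $2y$12$tooshort
  reserved: false
EOF
}

# With a path argument, audit that file and exit with the check's status;
# with no argument, run against the constructed sample.
if [ "$#" -gt 0 ]; then
    check_internal_users "$1"
else
    sample=$(mktemp)
    write_sample_internal_users "$sample"
    check_internal_users "$sample" || true
    rm -f "$sample"
fi
```

Run after the password-update step and before starting dependent services, a non-zero exit stops the deployment at the point where the file was written incorrectly instead of at the dashboard's first failed login.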

@c-bordon

I ran a new test on Debian 11, but this time installing 4.8.1 with the 4.8.1 script, and the behavior is correct: the kibanaserver user works fine.

root@bullseye:~# apt update && apt install -y vim curl && curl -sO https://packages.wazuh.com/4.8/wazuh-install.sh && curl -sO https://packages.wazuh.com/4.8/config.yml
Get:1 https://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:2 https://deb.debian.org/debian bullseye InRelease [116 kB]                           
Get:3 https://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 https://deb.debian.org/debian bullseye-backports InRelease [49.0 kB]
Get:5 https://security.debian.org/debian-security bullseye-security/main Sources [184 kB]
Get:6 https://security.debian.org/debian-security bullseye-security/main amd64 Packages [280 kB]
Get:7 https://deb.debian.org/debian bullseye/main Sources [8502 kB]
Get:8 https://security.debian.org/debian-security bullseye-security/main Translation-en [180 kB]
Get:9 https://deb.debian.org/debian bullseye/main amd64 Packages [8067 kB]              
Get:10 https://deb.debian.org/debian bullseye/main Translation-en [6236 kB]
Get:11 https://deb.debian.org/debian bullseye-updates/main Sources [7908 B]
Get:12 https://deb.debian.org/debian bullseye-updates/main amd64 Packages [18.8 kB]
Get:13 https://deb.debian.org/debian bullseye-updates/main Translation-en [10.9 kB]
Get:14 https://deb.debian.org/debian bullseye-backports/main Sources [376 kB]
Get:15 https://deb.debian.org/debian bullseye-backports/main amd64 Packages [403 kB]
Get:16 https://deb.debian.org/debian bullseye-backports/main Translation-en [342 kB]
Fetched 24.9 MB in 5s (5191 kB/s)                                  
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
59 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libcurl4 libgpm2 vim-runtime
Suggested packages:
  gpm ctags vim-doc vim-scripts
The following NEW packages will be installed:
  curl libcurl4 libgpm2 vim vim-runtime
0 upgraded, 5 newly installed, 0 to remove and 59 not upgraded.
Need to get 8374 kB of archives.
After this operation, 37.5 MB of additional disk space will be used.
Get:1 https://deb.debian.org/debian bullseye/main amd64 libcurl4 amd64 7.74.0-1.3+deb11u12 [347 kB]
Get:2 https://deb.debian.org/debian bullseye/main amd64 curl amd64 7.74.0-1.3+deb11u12 [271 kB]
Get:3 https://deb.debian.org/debian bullseye/main amd64 libgpm2 amd64 1.20.7-8 [35.6 kB]
Get:4 https://deb.debian.org/debian bullseye/main amd64 vim-runtime all 2:8.2.2434-3+deb11u1 [6226 kB]
Get:5 https://deb.debian.org/debian bullseye/main amd64 vim amd64 2:8.2.2434-3+deb11u1 [1494 kB]
Fetched 8374 kB in 1s (7962 kB/s)
Selecting previously unselected package libcurl4:amd64.
(Reading database ... 25140 files and directories currently installed.)
Preparing to unpack .../libcurl4_7.74.0-1.3+deb11u12_amd64.deb ...
Unpacking libcurl4:amd64 (7.74.0-1.3+deb11u12) ...
Selecting previously unselected package curl.
Preparing to unpack .../curl_7.74.0-1.3+deb11u12_amd64.deb ...
Unpacking curl (7.74.0-1.3+deb11u12) ...
Selecting previously unselected package libgpm2:amd64.
Preparing to unpack .../libgpm2_1.20.7-8_amd64.deb ...
Unpacking libgpm2:amd64 (1.20.7-8) ...
Selecting previously unselected package vim-runtime.
Preparing to unpack .../vim-runtime_2%3a8.2.2434-3+deb11u1_all.deb ...
Adding 'diversion of /usr/share/vim/vim82/doc/help.txt to /usr/share/vim/vim82/doc/help.txt.vim-tiny by vim-runtime'
Adding 'diversion of /usr/share/vim/vim82/doc/tags to /usr/share/vim/vim82/doc/tags.vim-tiny by vim-runtime'
Unpacking vim-runtime (2:8.2.2434-3+deb11u1) ...
Selecting previously unselected package vim.
Preparing to unpack .../vim_2%3a8.2.2434-3+deb11u1_amd64.deb ...
Unpacking vim (2:8.2.2434-3+deb11u1) ...
Setting up libgpm2:amd64 (1.20.7-8) ...
Setting up libcurl4:amd64 (7.74.0-1.3+deb11u12) ...
Setting up curl (7.74.0-1.3+deb11u12) ...
Setting up vim-runtime (2:8.2.2434-3+deb11u1) ...
Setting up vim (2:8.2.2434-3+deb11u1) ...
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vim (vim) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vimdiff (vimdiff) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rvim (rvim) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/rview (rview) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/vi (vi) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/view (view) in auto mode
update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/ex (ex) in auto mode
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u6) ...
root@bullseye:~# vim config.yml 
root@bullseye:~# bash wazuh-install.sh --generate-config-files -i
25/07/2024 16:38:17 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
25/07/2024 16:38:17 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:38:18 WARNING: Hardware and system checks ignored.
25/07/2024 16:38:20 INFO: --- Dependencies ----
25/07/2024 16:38:20 INFO: Installing gawk.
25/07/2024 16:38:21 INFO: --- Configuration files ---
25/07/2024 16:38:21 INFO: Generating configuration files.
25/07/2024 16:38:22 INFO: Generating the root certificate.
25/07/2024 16:38:22 INFO: Generating Admin certificates.
25/07/2024 16:38:22 INFO: Generating Wazuh indexer certificates.
25/07/2024 16:38:22 INFO: Generating Filebeat certificates.
25/07/2024 16:38:22 INFO: Generating Wazuh dashboard certificates.
25/07/2024 16:38:22 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
25/07/2024 16:38:22 INFO: --- Dependencies ----
25/07/2024 16:38:22 INFO: Removing gawk.
root@bullseye:~# bash wazuh-install.sh --wazuh-indexer node-1 -i
25/07/2024 16:38:33 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
25/07/2024 16:38:33 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:38:34 WARNING: Hardware and system checks ignored.
25/07/2024 16:38:36 INFO: --- Dependencies ----
25/07/2024 16:38:36 INFO: Installing gawk.
25/07/2024 16:38:39 INFO: --- Dependencies ----
25/07/2024 16:38:39 INFO: Installing apt-transport-https.
25/07/2024 16:38:39 INFO: Installing software-properties-common.
25/07/2024 16:38:44 INFO: Installing gnupg.
25/07/2024 16:38:48 INFO: Wazuh repository added.
25/07/2024 16:38:48 INFO: --- Wazuh indexer ---
25/07/2024 16:38:48 INFO: Starting Wazuh indexer installation.
25/07/2024 16:40:48 INFO: Wazuh indexer installation finished.
25/07/2024 16:40:48 INFO: Wazuh indexer post-install configuration finished.
25/07/2024 16:40:48 INFO: Starting service wazuh-indexer.
25/07/2024 16:40:57 INFO: wazuh-indexer service started.
25/07/2024 16:40:57 INFO: Initializing Wazuh indexer cluster security settings.
25/07/2024 16:40:58 INFO: Wazuh indexer cluster initialized.
25/07/2024 16:40:58 INFO: --- Dependencies ----
25/07/2024 16:40:58 INFO: Removing gawk.
25/07/2024 16:40:59 INFO: Installation finished.
root@bullseye:~# bash wazuh-install.sh --start-cluster -i
25/07/2024 16:41:16 INFO: Starting Wazuh installation assistant. Wazuh version: 4.8.1
25/07/2024 16:41:16 INFO: Verbose logging redirected to /var/log/wazuh-install.log
25/07/2024 16:41:17 WARNING: Hardware and system checks ignored.
25/07/2024 16:41:19 INFO: --- Dependencies ----
25/07/2024 16:41:19 INFO: Installing gawk.
25/07/2024 16:41:22 INFO: Wazuh indexer cluster security configuration initialized.
25/07/2024 16:41:49 INFO: Updating the internal users.
25/07/2024 16:41:50 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
25/07/2024 16:41:56 INFO: --- Dependencies ----
25/07/2024 16:41:56 INFO: Removing gawk.
25/07/2024 16:41:57 INFO: Wazuh indexer cluster started.
root@bullseye:~# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'kibanaserver\'" -A 1
  indexer_username: 'kibanaserver'
  indexer_password: '1t4pMotba5.1nfqwfzygDQr20jKcGnJP'
root@bullseye:~# curl -ku kibanaserver:'1t4pMotba5.1nfqwfzygDQr20jKcGnJP' https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "6ExZx36gTBGX1AJ-0a9Zqg",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "rpm",
    "build_hash" : "eee49cb340edc6c4d489bcd9324dda571fc8dc03",
    "build_date" : "2023-09-20T23:54:29.889267151Z",
    "build_snapshot" : false,
    "lucene_version" : "9.7.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

@c-bordon
Member

After validating with @f-galland that the problem was due to a new user configured in the internal-users.yml file, I made the necessary changes for the fix, and the configuration worked correctly.

root@ubuntu-jammy:~# bash wazuh-install.sh --wazuh-indexer node-1
30/07/2024 14:00:15 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
30/07/2024 14:00:15 INFO: Verbose logging redirected to /var/log/wazuh-install.log
30/07/2024 14:00:19 INFO: Verifying that your system meets the recommended minimum hardware requirements.
30/07/2024 14:00:30 INFO: Wazuh development repository added.
30/07/2024 14:00:31 INFO: --- Wazuh indexer ---
30/07/2024 14:00:31 INFO: Starting Wazuh indexer installation.
30/07/2024 14:00:41 INFO: Wazuh indexer installation finished.
30/07/2024 14:00:41 INFO: Wazuh indexer post-install configuration finished.
30/07/2024 14:00:41 INFO: Starting service wazuh-indexer.
30/07/2024 14:00:51 INFO: wazuh-indexer service started.
30/07/2024 14:00:51 INFO: Initializing Wazuh indexer cluster security settings.
30/07/2024 14:00:52 INFO: user:  - password:  - hash: 
30/07/2024 14:00:52 INFO: Wazuh indexer cluster initialized.
30/07/2024 14:00:52 INFO: Installation finished.
root@ubuntu-jammy:~# bash wazuh-install.sh --start-cluster
30/07/2024 14:01:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
30/07/2024 14:01:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
30/07/2024 14:01:16 INFO: Verifying that your system meets the recommended minimum hardware requirements.
30/07/2024 14:01:23 INFO: Wazuh indexer cluster security configuration initialized.
30/07/2024 14:01:59 INFO: Updating the internal users.
30/07/2024 14:02:01 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
30/07/2024 14:02:01 INFO: users: admin
30/07/2024 14:02:06 INFO: user: admin - password: ?mxN9VPGYy*Gqf51tVSpudwlolxh6.eT - hash: $2y$12$1oub7XJ.Ja2wLPfOAJXXtuFEUS./mwOHreygR/04VlfbDaD0b9T7O
30/07/2024 14:02:06 INFO: user: anomalyadmin - password: +37dDy0z*SJu9?7Dd2RIS1n90d+Z4dLg - hash: $2y$12$6i1Ow4WPetDelA4h25oQVuUvPNEMJqhLVE0pX9qnJCfTXER6sTqCe
30/07/2024 14:02:06 INFO: user: kibanaserver - password: BpI3EJWIWXkLrsAi9A9Er7*d?t+MP21W - hash: $2y$12$bW8GBCO.D62W5GwzQTbQSOx8q6iSprupImJ3yh6AYtVA8M4R6vKju
30/07/2024 14:02:06 INFO: user: kibanaro - password: NLiBUguBZah8NCytwDWLR4QzO1B*0c6? - hash: $2y$12$0ybcrtJNoHJnmwpNHt4mCe.X.DKabPa1k9U9Fgqoh2kMpKldqV19y
30/07/2024 14:02:06 INFO: user: logstash - password: +HZDli5RlSoK.Pt1BJv5?qVSFTsn7vYC - hash: $2y$12$qPlVZxS2NzViqQlNDUrJ3eTZJR5zIvBvnDpphP/Fz48U9HW0cYrnG
30/07/2024 14:02:06 INFO: user: readall - password: sWRlq8rGenS26VHvj+6qW+pDrffNT2MU - hash: $2y$12$Zb1tro74tsYUKIbwzcVt0OAZNIiMF/eQP5kfQB3g3inhgXj9/cPfu
30/07/2024 14:02:06 INFO: user: snapshotrestore - password: O8Aj7WA3+XgWjPnJ6*2Buv66Dp52EMzp - hash: $2y$12$1bsekrMA2USZpKTkp8pZ4.xkypqdOa8RKZc0uCDChfGHQc24DP062
30/07/2024 14:02:07 INFO: Wazuh indexer cluster started.
root@ubuntu-jammy:~# cat /etc/wazuh-indexer/opensearch-security/internal_users.yml 
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$1oub7XJ.Ja2wLPfOAJXXtuFEUS./mwOHreygR/04VlfbDaD0b9T7O"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
anomalyadmin:
  hash: "$2y$12$6i1Ow4WPetDelA4h25oQVuUvPNEMJqhLVE0pX9qnJCfTXER6sTqCe"
  reserved: false
  opendistro_security_roles:
  - "anomaly_full_access"
  description: "Demo anomaly admin user, using internal role"
kibanaserver:
  hash: "$2y$12$bW8GBCO.D62W5GwzQTbQSOx8q6iSprupImJ3yh6AYtVA8M4R6vKju"
  reserved: true
  description: "Demo OpenSearch Dashboards user"
kibanaro:
  hash: "$2y$12$0ybcrtJNoHJnmwpNHt4mCe.X.DKabPa1k9U9Fgqoh2kMpKldqV19y"
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo read only user, using external role mapping"
logstash:
  hash: "$2y$12$qPlVZxS2NzViqQlNDUrJ3eTZJR5zIvBvnDpphP/Fz48U9HW0cYrnG"
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"
readall:
  hash: "$2y$12$Zb1tro74tsYUKIbwzcVt0OAZNIiMF/eQP5kfQB3g3inhgXj9/cPfu"
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user, using external role mapping"
snapshotrestore:
  hash: "$2y$12$1bsekrMA2USZpKTkp8pZ4.xkypqdOa8RKZc0uCDChfGHQc24DP062"
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user, using external role mapping"
root@ubuntu-jammy:~# tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'kibanaserver\'" -A 1
  indexer_username: 'kibanaserver'
  indexer_password: 'BpI3EJWIWXkLrsAi9A9Er7*d?t+MP21W'
root@ubuntu-jammy:~# curl -ku kibanaserver:'BpI3EJWIWXkLrsAi9A9Er7*d?t+MP21W' https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "wazuh-indexer-cluster",
  "cluster_uuid" : "6O85sXbJQSWKkuef490gqQ",
  "version" : {
    "number" : "7.10.2",
    "build_type" : "deb",
    "build_hash" : "2c952aba7735bee5f4b0bb9cfc821d68ffbdd636",
    "build_date" : "2024-07-19T16:32:15.451255Z",
    "build_snapshot" : false,
    "lucene_version" : "9.10.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

This script has changes to show the generated hashes and passwords; I will create a new test without these outputs to confirm correct operation.
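The manual `curl` check from the transcripts above, extended to every internal user, together with a cross-check of `internal_users.yml` against `wazuh-passwords.txt`. This is an added example, not code from the issue's participants or from wazuh-install.sh; the function names and the sample file contents are constructed, and the file layouts are assumed to match the excerpts shown above.

```shell
#!/usr/bin/env bash
# Added example; not part of wazuh-install.sh. Function names are hypothetical.
# Print "user<TAB>password" for each indexer_username/indexer_password pair.
password_pairs() {
  awk -v q="'" '
    function unquote(s) { sub("^[^" q "]*" q, "", s); sub(q "[ \t]*$", "", s); return s }
    /^[ \t]*indexer_username:/ { user = unquote($0); next }
    /^[ \t]*indexer_password:/ && user != "" { print user "\t" unquote($0); user = "" }
  ' "$1"
}
# Print every top-level user key of internal_users.yml, skipping _meta.
yaml_users() {
  awk '/^[A-Za-z0-9_.-]+:[ \t]*$/ { sub(/:[ \t]*$/, ""); if ($0 != "_meta") print }' "$1"
}
# Users defined in the YAML ($1) that have no entry in the passwords file ($2).
users_without_password() {
  known=$(password_pairs "$2" | cut -f1 | tr '\n' ' ')
  yaml_users "$1" | awk -v known="$known" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) have[k[i]] = 1 }
    !($0 in have)'
}
# Users whose generated password the indexer rejects (HTTP 401); needs a live node.
# -k is used as in the transcript: the certificate chains to the installer's own root CA.
rejected_logins() {  # $1 = passwords file, $2 = base URL such as https://127.0.0.1:9200
  password_pairs "$1" | while IFS="$(printf '\t')" read -r user pass; do
    code=$(curl -ks -o /dev/null -w '%{http_code}' -u "$user:$pass" "$2" </dev/null)
    [ "$code" = 401 ] && echo "$user"
  done
  return 0
}
# Constructed sample files (not values from the page) for an offline run.
write_samples() {  # $1 = target directory
  cat > "$1/internal_users.yml" <<'EOF'
_meta:
admin:
  hash: "$2y$12$CONSTRUCTED-PLACEHOLDER-HASH-ADMIN"
kibanaserver:
  hash: "$2y$12$CONSTRUCTED-PLACEHOLDER-HASH-KIBANASERVER"
newuser:
  hash: "$2y$12$CONSTRUCTED-PLACEHOLDER-HASH-NEWUSER"
EOF
  cat > "$1/wazuh-passwords.txt" <<'EOF'
  indexer_username: 'admin'
  indexer_password: 'Constructed*Admin?1'
  indexer_username: 'kibanaserver'
  indexer_password: 'Constructed+Kibana.2'
EOF
}
d=$(mktemp -d) && write_samples "$d"
users_without_password "$d/internal_users.yml" "$d/wazuh-passwords.txt"  # prints: newuser
```

With the cluster running, `rejected_logins wazuh-passwords.txt https://127.0.0.1:9200` prints nothing when every generated password was applied to its user.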
