Changing Default Passwords : securityadmin.sh script fails , "which" is not found ? #1432

Open
decyphertek-io opened this issue Jul 14, 2024 · 3 comments


Wazuh : Changing Default Passwords

I have a script that worked in version 4.7.3; now testing it in version 4.8.0, it states that it fails. It says that line 31 requires `which` and does not exist. I tried to install it, no root access. I even tried to wget the binary, wget not installed. Can you make sure that the next release has `which` installed? This is the current way to update passwords for OpenSearch. I know that it will be deprecated, except there is no other way to change the default passwords.

```bash
#!/bin/bash

(cat << EOF
INDEXER_PASSWORD=$(openssl rand -hex 8 | tr -d '\n')
API_PASSWORD='!'$(openssl rand -hex 6 | sed 's/\(.\{2\}\)/\U&/; s/\(.\{2\}\)/\L&/2' | tr -d '\n')$(openssl rand -hex 1 | tr -dc '0-9' | tr -d '\n')$(openssl rand -hex 1 | tr -dc '!@#$%^&*()_+-=' | tr -d '\n')
DASHBOARD_PASSWORD=$(openssl rand -hex 8 | tr -d '\n')
EOF
) > /home/adminotaur/.docker/wazuh-docker/single-node/.env

# Source the passwords
source /home/adminotaur/.docker/wazuh-docker/single-node/.env

# Generate password hashes
INDEXER_HASH=$(echo -n $INDEXER_PASSWORD | docker run --rm -i wazuh/wazuh-indexer:4.8.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p $INDEXER_PASSWORD | tail -n 1)
DASHBOARD_HASH=$(echo -n $DASHBOARD_PASSWORD | docker run --rm -i wazuh/wazuh-indexer:4.8.0 bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/hash.sh -p $DASHBOARD_PASSWORD | tail -n 1)

# Update configuration files with the new password hashes
sed -i "s|decyphertek|$INDEXER_HASH|g" /home/adminotaur/.docker/wazuh-docker/single-node/config/wazuh_indexer/internal_users.yml
sed -i "s|adminotaur|$DASHBOARD_HASH|g" /home/adminotaur/.docker/wazuh-docker/single-node/config/wazuh_indexer/internal_users.yml
sed -i "s|decyphertek|$API_PASSWORD|g" /home/adminotaur/.docker/wazuh-docker/single-node/config/wazuh_dashboard/wazuh.yml

# Run docker-compose commands
cd /home/adminotaur/.docker/wazuh-docker/single-node/
/usr/bin/docker compose -f generate-indexer-certs.yml run --rm generator
/usr/bin/docker compose pull
/usr/bin/docker compose up -d

# Configure the Wazuh indexer
docker exec -it single-node-wazuh.indexer-1 bash -c 'export INSTALLATION_DIR=/usr/share/wazuh-indexer; export CACERT=$INSTALLATION_DIR/certs/root-ca.pem; export KEY=$INSTALLATION_DIR/certs/admin-key.pem; export CERT=$INSTALLATION_DIR/certs/admin.pem; export JAVA_HOME=/usr/share/wazuh-indexer/jdk'
sleep 120
docker exec -it single-node-wazuh.indexer-1 bash -c 'bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl'
docker restart single-node-wazuh.manager-1
```

ERROR:

```
adminotaur@siem-build:~/.docker/wazuh-docker/single-node$ docker exec -it single-node-wazuh.indexer-1 bash -c 'bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -nhnv -cacert  $CACERT -cert $CERT -key $KEY -p 9200 -icl'
**************************************************************************
** This tool will be deprecated in the next major release of OpenSearch **
** https://github.com/opensearch-project/security/issues/1755           **
**************************************************************************
/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh: line 31: which: command not found
WARNING: nor OPENSEARCH_JAVA_HOME nor JAVA_HOME is set, will use 
```

decyphertek-io commented Jul 14, 2024

Wazuh-passwords-tool.sh

It appears that Wazuh has a password tool script. Except the docs still say to run the securityadmin.sh script.

https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html
5. Wait for the Wazuh indexer to initialize properly. The waiting time can vary from two to five minutes. It depends on the size of the cluster, the assigned resources, and the speed of the network. Then, run the securityadmin.sh script to apply all changes.

```
bash-5.2$ ls
SECURITY_ADMIN_TESTS.md  audit_config_migrater.sh  hash.sh  securityadmin.sh  wazuh-certs-tool.sh  wazuh-passwords-tool.sh
```

@deniskozlovzaz

Same problem


4p0hk commented Dec 6, 2024

i was changing my SSO setup/URLs and i encountered the same issue when trying to ingest an updated security_config.yml to the indexer container. it seems that the indexer container environment is missing some things for the script to just work.

the script tries to get the java path from the environment variables. the script has a logic block that checks whether the binary path was found. if it wasn't it tries to use 'which' to find the binary. 'which' is not included in the indexer's containerized environment. so there are a few issues here. i found a quick solution for now

find java with:

```bash
find / -name "java" -type f 2>/dev/null
```

on 4.8, that gives /usr/share/wazuh-indexer/jdk/bin/java

inside the container, to ingest the updated security_config.yml:

```bash
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /usr/share/wazuh-indexer/opensearch-security/ -icl -key /usr/share/wazuh-indexer/certs/admin-key.pem -cert /usr/share/wazuh-indexer/certs/admin.pem -cacert /usr/share/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
```

this resulted in Done with success

hopefully that can be adapted to your needs. look for the java location first before running the one liner

after looking through my notes, i found an older page on the docs that mentions needing the EXPORT piece:

wazuh-4.4-docs

cheers
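
The workaround above, wrapped for unattended use from the Docker host, as an added example that is not code from this thread or from the Wazuh project. Each `docker exec` starts a new shell, so the `JAVA_HOME` export and the `securityadmin.sh` call are sent as one `bash -c` payload; the container name, paths and flags are the ones quoted in the thread, while `CONTAINER`, `IDX` and the two function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: container name, paths and flags are the
# ones quoted above; CONTAINER, IDX and both function names are hypothetical.
CONTAINER="${CONTAINER:-single-node-wazuh.indexer-1}"
IDX=/usr/share/wazuh-indexer

# Emit the script that runs inside the container. Arg 1 overrides the JDK path.
build_inner_cmd() {
  _java_home="${1:-$IDX/jdk}"
  cat <<EOF
set -e
export JAVA_HOME='$_java_home'
# The image ships no 'which', so test the binary directly and fail early.
[ -x "\$JAVA_HOME/bin/java" ] || { echo "no java at \$JAVA_HOME/bin/java" >&2; exit 3; }
bash $IDX/plugins/opensearch-security/tools/securityadmin.sh \\
  -cd $IDX/opensearch-security/ -icl -nhnv -h localhost \\
  -cacert $IDX/certs/root-ca.pem \\
  -cert $IDX/certs/admin.pem \\
  -key $IDX/certs/admin-key.pem
EOF
}

# One docker exec, one shell: the export is still in effect when
# securityadmin.sh starts. No -t, so it also works from cron or CI.
apply_security_config() {
  docker exec "$CONTAINER" bash -c "$(build_inner_cmd "$@")"
}
```

Call `apply_security_config` on the Docker host once the indexer is up; pass a different JDK path as the first argument if the `find` command above reports one.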
