Skip to content

Change the way the Wazuh admin password is generated to always be valid #1170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 22, 2024
Merged

Change the way the Wazuh admin password is generated to always be valid #1170

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e3a6ef4
Change the way the Wazuh admin password is generated to always be valid
MaxBed4d Jul 18, 2024
0276fc9
Update the password generator to be neater and work with the auto enc…
MaxBed4d Jul 18, 2024
0f01703
Changed password generation method.
MaxBed4d Jul 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion etc/kayobe/ansible/templates/wazuh-secrets.yml.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ secrets_wazuh:
# Strengthen default wazuh api user pass
wazuh_api_users:
- username: "wazuh"
password: "{{ secrets_wazuh.wazuh_api_users[0].password | default(lookup('password', '/dev/null length=30' ), true) }}"
password: "{{ secrets_wazuh.wazuh_api_users[0].password | wazuh_password }}"
# OpenSearch 'admin' user pass
opendistro_admin_password: "{{ secrets_wazuh.opendistro_admin_password | default(lookup('password', '/dev/null'), true) }}"
# OpenSearch 'kibanaserver' user pass
Expand Down
48 changes: 48 additions & 0 deletions etc/kayobe/ansible/wazuh-secrets.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,54 @@
path: "{{ wazuh_secrets_path | dirname }}"
state: directory

- name: Generate a random password which meets the Wazuh password requirements
cmd: python3
stdin: |
import random
import string
import re

# The password requirements required by Wazuh (wazuh/framework/wazuh/security.py)
valid_password = re.compile(r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$')

# Generate a random password containg at least one of each:
# special character, digit, lowercase letter, uppercase letter
def pw_gen(pw_len):
random_pass = ([random.choice("@$!%*?&-_"),
random.choice(string.digits),
random.choice(string.ascii_lowercase),
random.choice(string.ascii_uppercase),
]
+ [random.choice(string.ascii_lowercase
+ string.ascii_uppercase
+ "@$!%*?&-_"
+ string.digits) for i in range(pw_len)])

random.shuffle(random_pass)
random_pass = ''.join(random_pass)
return random_pass

# Check if the generated password meets the requirements
def check_user_password(password):
if valid_password.match(password):
return True
else:
return False

# Generate a password
random_pass = pw_gen(30)

# Check if the generated password meets the requirements
# if not, keep generating a new password until it does
while not check_user_password(random_pass):
random_pass = pw_gen(30)

register: random_pass

- name: Store the valid password
set_fact:
wazuh_password: "{{ random_pass }}"

- name: Template new secrets
template:
src: wazuh-secrets.yml.j2
Expand Down
Loading