@Enaraque

Description

The wazuh-server and wazuh-dashboard users have been added to the list of users used for generating the password file. In addition, the regex previously used to retrieve users from internal_users.yml has been modified to also include the new users, as the previous implementation excluded any users whose names contained a hyphen (-).

Tests 🧪

Below, we can see how the password file is generated and how the passwords for all users are updated.

Passwords file
[root@wazuh wazuh-user]# cat wazuh-passwords.txt 
# Admin user for the web user interface and Wazuh indexer. Use this user to log in to Wazuh dashboard
  indexer_username: 'admin'
  indexer_password: '8FWZ*GaREiY+IkQP2U0ShcyR50zThymV'

# Anomaly detection user for the web user interface
  indexer_username: 'anomalyadmin'
  indexer_password: 'WCWWN+GIdGG7taNjt5wzLb2QueZZUDcN'

# Wazuh dashboard user for establishing the connection with Wazuh indexer
  indexer_username: 'kibanaserver'
  indexer_password: '*omQMdrL1HKNvTLtqcKTH6i5yp18ljzh'

# Regular Dashboard user, only has read permissions to all indices and all permissions on the .kibana index
  indexer_username: 'kibanaro'
  indexer_password: '78zH2t8Z2M2BZ?UR6cHoXn20GCmuew1d'

# User used by Logstash to send processed logs to the Wazuh indexer
  indexer_username: 'logstash'
  indexer_password: 'z?PlwRFqSAX*uceEe2?g.TtTLp21TUr+'

# User with READ access to all indices
  indexer_username: 'readall'
  indexer_password: '?YyvAcu2B6RSEXUJbzAVepiKf3mW8z+E'

# User with permissions to perform snapshot and restore operations
  indexer_username: 'snapshotrestore'
  indexer_password: '8VEP+KuK?KgkMgnb1uWPYMn17k8aygv4'

# User for the Wazuh Server with read/write access to stateful indices and write-only access to stateless indices
  indexer_username: 'wazuh-server'
  indexer_password: 'z.jD67LI8vMHxNIw1o1mFtDF6jeJ.xVe'

# User for Wazuh Dashboard with read access to stateful and stateless indices, and management level permissionsfor the monitoring indices
  indexer_username: 'wazuh-dashboard'
  indexer_password: 'Pq4**v66YwnF.KkB0okEw1ZXy6etMef1'

# Password for wazuh API user
  api_username: 'wazuh'
  api_password: 'blQtuCZMv0mkBK5.hkmN1HjAQIaRJiKm'

# Password for wazuh-wui API user
  api_username: 'wazuh-wui'
  api_password: 'eFg8CwYZo*DwI0S*jYodJ9tD2LCYJaZA'

Change all the passwords
[root@wazuh wazuh-user]# bash wazuh-password-tool.sh -A -au wazuh -ap blQtuCZMv0mkBK5.hkmN1HjAQIaRJiKm -f wazuh-passwords.txt -a
17/12/2025 09:59:24 INFO: Updating the internal users.
17/12/2025 09:59:31 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
17/12/2025 10:00:19 INFO: The password for user admin is 8FWZ*GaREiY+IkQP2U0ShcyR50zThymV
17/12/2025 10:00:19 INFO: The password for user anomalyadmin is WCWWN+GIdGG7taNjt5wzLb2QueZZUDcN
17/12/2025 10:00:19 INFO: The password for user kibanaserver is *omQMdrL1HKNvTLtqcKTH6i5yp18ljzh
17/12/2025 10:00:19 INFO: The password for user kibanaro is 78zH2t8Z2M2BZ?UR6cHoXn20GCmuew1d
17/12/2025 10:00:19 INFO: The password for user logstash is z?PlwRFqSAX*uceEe2?g.TtTLp21TUr+
17/12/2025 10:00:19 INFO: The password for user readall is ?YyvAcu2B6RSEXUJbzAVepiKf3mW8z+E
17/12/2025 10:00:19 INFO: The password for user snapshotrestore is 8VEP+KuK?KgkMgnb1uWPYMn17k8aygv4
17/12/2025 10:00:19 INFO: The password for user wazuh-server is z.jD67LI8vMHxNIw1o1mFtDF6jeJ.xVe
17/12/2025 10:00:19 INFO: The password for user wazuh-dashboard is Pq4**v66YwnF.KkB0okEw1ZXy6etMef1
17/12/2025 10:00:19 WARNING: Wazuh indexer passwords changed. Remember to update the password in the Wazuh dashboard, Wazuh server and the Wazuh server nodes if necessary, and restart the services.
17/12/2025 10:00:21 INFO: The password for Wazuh API user wazuh is blQtuCZMv0mkBK5.hkmN1HjAQIaRJiKm
17/12/2025 10:00:21 INFO: The password for Wazuh API user wazuh-wui is eFg8CwYZo*DwI0S*jYodJ9tD2LCYJaZA
17/12/2025 10:00:21 INFO: Updated wazuh-wui user password in wazuh dashboard. Remember to restart the service.

Additionally, we can observe that the internal_users.yml file updates the hash for all users, and the connection is successfully verified using the new passwords.

internal_users file before changing the passwords
[root@wazuh wazuh-user]# cat /etc/wazuh-indexer/opensearch-security/internal_users.yml 
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$OatK5yj.UX4X9ldIZKLOY.WvAPA9jGmNeJIoehU3Wz7Iil64jSCiO"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
anomalyadmin:
  hash: "$2y$12$GqbNEvLorPZZPU.Y19T.VO9h2cwtXVPL1GgHUVmd9pEkPio7XvRGq"
  reserved: false
  opendistro_security_roles:
  - "anomaly_full_access"
  description: "Demo anomaly admin user, using internal role"
kibanaserver:
  hash: "$2y$12$Li8pkiGGn28AFmaK8iJeyOakUsYxKvzsMQzNt2C1fy/BgLLy1IjAe"
  reserved: true
  description: "Demo OpenSearch Dashboards user"
kibanaro:
  hash: "$2y$12$WVGt/9hwz5CvoL3fUEjP9eKlPTIFN4z4ka/vNWS8i52/Bn1npNLG2"
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo OpenSearch Dashboards read only user, using external role mapping"
logstash:
  hash: "$2y$12$9enpkHXouw17kU.kWQ/3x.8eF.PGYJRnNe15nrchQ4rT1tZ2Rfg/2"
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"
readall:
  hash: "$2y$12$qOe08aebkFuOMeBRcGWZEOu3RDwHGCIJbA35aAPabZsEzWD04gzBW"
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user, using external role mapping"
snapshotrestore:
  hash: "$2y$12$KTSdQsTZ62uIEy7AN.bQM.ko8Oabh78Hqu1KBf5YOgtLoP0jdH94u"
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user, using external role mapping"
wazuh-server:
  hash: "$2y$12$omLmMp8fOQpttz/waFFybud4xywzKCgZQJE3J.uy0F6wb7ym3XjoW"
  reserved: true
  backend_roles: []
  description: "Wazuh Server user with read/write access to stateful and write-only\
    \ access to stateless indexes."
wazuh-dashboard:
  hash: "$2y$12$pwamVWufM0TiWRsPYaEI/.CPcC9H32JQZHgWrIwE7XfQxdwKco/Wu"
  reserved: true
  backend_roles: []
  description: "Wazuh Dashboard user with read access to stateful and stateless indexes,\
    \ write access to metrics indexes and management for sample data indexes."

internal_users file after changing the passwords
[root@wazuh wazuh-user]# cat /etc/wazuh-indexer/opensearch-security/internal_users.yml 
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$wrYFl30LCHPbQJ.SUIuAc.DJr7lv.9i4l4TwjZ7Y.60mC3.1vRWvu"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"
anomalyadmin:
  hash: "$2y$12$HrkVc2Bls56Jo4F.OrY/duGB11Z0GOUs6PT.PMSbOrMT7zgCZcSFG"
  reserved: false
  opendistro_security_roles:
  - "anomaly_full_access"
  description: "Demo anomaly admin user, using internal role"
kibanaserver:
  hash: "$2y$12$0VnqOs98JGzMraBqIBQJHumDgoYSjbZWECmeskj5aPyN2pdbQoAcm"
  reserved: true
  description: "Demo OpenSearch Dashboards user"
kibanaro:
  hash: "$2y$12$Y4BilVGvZNvAB9lbLyYJZebcaEz7OFDGixIN5afMP2Myz2QbZHQ1G"
  reserved: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo OpenSearch Dashboards read only user, using external role mapping"
logstash:
  hash: "$2y$12$Qcl4CZkKIq4FZwNnNAaabedb8vIOL2UIkqwvOPp.RCeGLUZzbLC7S"
  reserved: false
  backend_roles:
  - "logstash"
  description: "Demo logstash user, using external role mapping"
readall:
  hash: "$2y$12$fWQ/wcgde9D.uwwOyRUr/OS80HEVOSzwEF0XUnL/PRVVBGrEooOk6"
  reserved: false
  backend_roles:
  - "readall"
  description: "Demo readall user, using external role mapping"
snapshotrestore:
  hash: "$2y$12$h/PSzO4vzPEDlIuPwWXw0.EtYk47p4jNd2UGvNsi3IPaaaBSHwkym"
  reserved: false
  backend_roles:
  - "snapshotrestore"
  description: "Demo snapshotrestore user, using external role mapping"
wazuh-server:
  hash: "$2y$12$7GUNhYzhvX8mNlrqDsbnvOelIp98RccQqtTCFLeqD.mAxfdMyShwy"
  reserved: true
  backend_roles: []
  description: "Wazuh Server user with read/write access to stateful and write-only\
    \ access to stateless indexes."
wazuh-dashboard:
  hash: "$2y$12$u4VhYcZxPTAPCwe7EbeSQeZzY4TnoDICFMnV.6TOQYeziGLYYalba"
  reserved: true
  backend_roles: []
  description: "Wazuh Dashboard user with read access to stateful and stateless indexes,\
    \ write access to metrics indexes and management for sample data indexes."

Connection test with the new passwords
- admin
  [root@wazuh wazuh-user]# curl -k -u admin:8FWZ*GaREiY+IkQP2U0ShcyR50zThymV https://localhost:9200/
{
  "name" : "wazuh_indexer",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "4JqWVAPzQy65bkudS5xH5Q",
  "version" : {
    "distribution" : "opensearch",
    "number" : "3.3.2",
    "build_type" : "rpm",
    "build_hash" : "f5cd771284238648afb1a89097798a1ad2bd7750",
    "build_date" : "2025-12-12T00:13:34.172088479Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.1",
    "minimum_wire_compatibility_version" : "2.19.0",
    "minimum_index_compatibility_version" : "2.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

- anomalyadmin
  [root@wazuh wazuh-user]# curl -k -u anomalyadmin:WCWWN+GIdGG7taNjt5wzLb2QueZZUDcN https://localhost:9200/
{
  "name" : "wazuh_indexer",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "4JqWVAPzQy65bkudS5xH5Q",
  "version" : {
    "distribution" : "opensearch",
    "number" : "3.3.2",
    "build_type" : "rpm",
    "build_hash" : "f5cd771284238648afb1a89097798a1ad2bd7750",
    "build_date" : "2025-12-12T00:13:34.172088479Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.1",
    "minimum_wire_compatibility_version" : "2.19.0",
    "minimum_index_compatibility_version" : "2.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

- kibanaro (this is OK due to its permissions; if the password is bad, the output will only be "Unauthorized")
  [root@wazuh wazuh-user]# curl -k -u kibanaro:78zH2t8Z2M2BZ?UR6cHoXn20GCmuew1d https://localhost:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=kibanaro, backend_roles=[kibanauser, readall], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=kibanaro, backend_roles=[kibanauser, readall], requestedTenant=null]"},"status":403}

- logstash
  [root@wazuh wazuh-user]# curl -k -u logstash:z?PlwRFqSAX*uceEe2?g.TtTLp21TUr+ https://localhost:9200/
{
  "name" : "wazuh_indexer",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "4JqWVAPzQy65bkudS5xH5Q",
  "version" : {
    "distribution" : "opensearch",
    "number" : "3.3.2",
    "build_type" : "rpm",
    "build_hash" : "f5cd771284238648afb1a89097798a1ad2bd7750",
    "build_date" : "2025-12-12T00:13:34.172088479Z",
    "build_snapshot" : false,
    "lucene_version" : "10.3.1",
    "minimum_wire_compatibility_version" : "2.19.0",
    "minimum_index_compatibility_version" : "2.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

- readall (the same as kibanaro)
  [root@wazuh wazuh-user]# curl -k -u readall:?YyvAcu2B6RSEXUJbzAVepiKf3mW8z+E https://localhost:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=readall, backend_roles=[readall], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=readall, backend_roles=[readall], requestedTenant=null]"},"status":403}[root@wazuh wazuh-user]

- snapshotrestore (same as kibanaro)
  [root@wazuh wazuh-user]# curl -k -u snapshotrestore:8VEP+KuK?KgkMgnb1uWPYMn17k8aygv4 https://localhost:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=snapshotrestore, backend_roles=[snapshotrestore], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=snapshotrestore, backend_roles=[snapshotrestore], requestedTenant=null]"},"status":403}

- wazuh-server (same as kibanaro)
  [root@wazuh wazuh-user]# curl -k -u wazuh-server:z.jD67LI8vMHxNIw1o1mFtDF6jeJ.xVe https://localhost:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=wazuh-server, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=wazuh-server, backend_roles=[], requestedTenant=null]"},"status":403}

- wazuh-dashboard (same as kibanaro)
  [root@wazuh wazuh-user]# curl -k -u wazuh-dashboard:Pq4**v66YwnF.KkB0okEw1ZXy6etMef1 https://localhost:9200/
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=wazuh-dashboard, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/main] and User [name=wazuh-dashboard, backend_roles=[], requestedTenant=null]"},"status":403}
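
The hyphen issue named in the description, as an added example that is not the password tool's own code: the PR page does not show either regex, so both patterns below are assumptions, and the YAML is a constructed sample that follows the internal_users.yml layout above with placeholder hashes. It lists the users that a letters-and-digits key pattern skips and that would therefore be left out of the generated password file.

```bash
#!/bin/sh
# Constructed sample: same layout as internal_users.yml, placeholder hashes.
sample_users_yml() {
cat <<'EOF'
---
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "<placeholder>"
  reserved: true
kibanaserver:
  hash: "<placeholder>"
wazuh-server:
  hash: "<placeholder>"
  backend_roles: []
wazuh-dashboard:
  hash: "<placeholder>"
EOF
}

# Assumed "before" pattern: top-level keys made of letters and digits only,
# so a key such as wazuh-server never matches.
users_strict() {
    grep -E '^[A-Za-z0-9]+:[[:space:]]*$' | cut -d: -f1
}

# Assumed "after" pattern: also accepts '-' and '_' in the key.
# _meta is file metadata, not a user, so it is filtered out.
users_with_hyphen() {
    grep -E '^[A-Za-z0-9_-]+:[[:space:]]*$' | cut -d: -f1 | grep -vx '_meta'
}

# Users defined in the YAML that the strict pattern silently skips.
missed_users() {
    strict=$(sample_users_yml | users_strict)
    sample_users_yml | users_with_hyphen | grep -vxF -e "$strict"
}

missed_users
```

Piping the real `/etc/wazuh-indexer/opensearch-security/internal_users.yml` through `users_with_hyphen` and comparing the result with the `indexer_username` entries in the password file is a quick check that no internal user was left out.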

…s-to-the-password-file-generation-process-in-the-password-tool
@c-bordon c-bordon merged commit d6f9f7a into main Dec 17, 2025
1 of 5 checks passed
@c-bordon c-bordon deleted the enhancement/513-add-new-custom-internal-users-to-the-password-file-generation-process-in-the-password-tool branch December 17, 2025 13:23

Development

Successfully merging this pull request may close these issues.

Development - DevOps 5.0 adaptation - Add new custom internal users to the password file generation process in the password tool