Security_authentication cookie failure [wazuh-opensearch]

Security
1

OpenSearch versions: docker, latest (2.17.1)
Dashboard versions: docker, latest (2.17.1)
Server OS versions: docker - Kali GNU/Linux 2023.3
Browser versions: MIcrosoft Edge Version 129.0.2792.65 (Official build) (64-bit)

Describe the issue:
Hi everyone! Sorry for asking here but has anyone ever tried to use wazuh with opensearch integration and had problems with the security_authentication cookie?

I’ll explain better my situation: I would like to use wazuh to read data from the agents and send that data to opensearch on which I have the anomaly detection modules/plugins.

By putting up wazuh and opensearch at the same time, in the same machine and network, via the respective docker-compose file, individually they work well but it seems that both make use of the same security_authentication cookie to verify the user’s login causing continuous logouts or even the error: "statusCode": 500, "error": "Internal Server Error"

Particularly, if I log in to wazuh the “security_authentication” cookie is set to something like “xy” and I can easily use the dashboard and reload the page. However, if I then go to the opensearch interface and log in, opensearch deletes the contents of the old “security_authentication” cookie and sets it to something like “wz”. So if I go back to wazuh now, as soon as I refresh the page, this error appears on the screen:

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "An internal server error occurred."
}

as it no longer recognizes the authentication cookie.

Does anyone know how to solve it? Like making sure that all wazuh cookies are only visible if I’m in the wazuh interface and opensearch cookies are only visible when I’m on opensearch?

PS. For the project I created a docker network with subnet 172.18.0.0/16:

  • wazuh-dashboard is in 172.18.0.14 -ports 443:5601, displayed by browser at the address https://192.168.x.y/
  • opensearch-dashboard is in 172.18.0.23 -ports 5603:5601, displayed by browser at the address https://192.168.x.y:5603/

Relevant Logs or Screenshots:
Opensearch dashboard with wazuh dashboard cookies

Opensearch_with_wazuh_cookie
Opensearch_with_wazuh_cookie1920×954 128 KB

2

Hi @sondaosint2,

Just an idea - have you tested with some custom values for opensearch_security.cookie.name: <name> (a long shot as I can’t seem to find any documentation on it… )

here are my lab test results (opensearch_dashboards.yml):

image
image1197×416 38.1 KB

Best,
mj

3

Thank you so much! It works!!

I don’t know where you found this configuration since it doesn’t appear anywhere in the documentation and even using google dorks can’t find anything online, but it works so thanks again!

If I may ask, how did you discover this configuration? Do you have any links for me?

1 Like
4

@sondaosint2, no magic just browsed a bit of GitHub and discovered that there is some control over cookies, the rest is just trial and error.

Glad it helped, tho!

Best,
mj

1 Like