Security monitoring and incident response capabilities are critical for modern enterprises. Wazuh has emerged as a powerful open-source security SIEM, with amazing capabilities (especially when combined with other tools). However, deploying Wazuh securely with Docker, including proper password management, can be particularly challenging. This post introduces our automated approach to deploying Wazuh via Docker with enhanced security controls.

What is Wazuh and Why Docker?

Wazuh provides security visibility through log analysis, integrity monitoring, vulnerability detection, and compliance monitoring. Its architecture consists of multiple components including indexers, dashboards, and managers.

Docker containerization offers several advantages for Wazuh deployment:

  • Isolation – Components run in separate containers
  • Version control – Predictable upgrades and rollbacks
  • Resource efficiency – Lower overhead than VMs
  • Simplified deployment – Repeatable across environments

However, default Docker deployments often have security weaknesses, particularly around credential management.

The Security Problem

Default Wazuh Docker deployments have several security issues:

  1. Default credentials – Known passwords for admin, kibanaserver, and API users
  2. Plain text passwords – Often stored in configuration files or environment variables
  3. Password management complexity – Difficult to implement properly in accordance with secure practices
  4. Manual password management – Error-prone and time-consuming

These issues create significant security risks (MITRE ATT&CK T1078 – Valid Accounts) where attackers can gain unauthorized access to sensitive security data.

Our Automation Solution

We’ve developed two scripts, now available on GitHub, to address these security challenges:

Note: These scripts are specifically designed for Wazuh single-node deployments. Single-node deployments offer a good balance of simplicity and performance for many small-scale use cases.

Wazuh Docker Full Setup

This script performs a complete Wazuh installation with Docker:

  • Clones the official Wazuh Docker repository
  • Generates SSL certificates
  • Replaces all default passwords with secure random passwords
  • Sets up the complete stack with security hardening
  • Displays all generated credentials for safekeeping

sudo bash -c "$(wget -qLO - https://github.com/TridentStack/wazuh-docker-secure/raw/refs/heads/main/wazuhDockerFullSetup.sh)"

Wazuh Password Reset

This script allows you to reset passwords for any Wazuh user:

  • Lists all available users from your current Wazuh installation
  • Generates secure random passwords appropriate for each user type
  • Updates configuration files and applies changes
  • Restarts services to apply the new credentials

sudo bash -c "$(wget -qLO - https://github.com/TridentStack/wazuh-docker-secure/raw/refs/heads/main/wazuhResetPassword.sh)"

Requirements

  • Docker with Docker Compose V2 installed (scripts use docker compose, not docker-compose)
  • Git installed
  • Sufficient permissions (sudo access)
  • Outbound internet access for downloading the Wazuh repository

These scripts have been tested on Ubuntu 24.04 using the official Docker installation method from https://docs.docker.com/engine/install/ubuntu/

Important Caution

⚠️ Before running these scripts on an existing Wazuh deployment, ensure you have created proper backups of your configuration and data. While these scripts are designed to be safe and include their own backup mechanisms for configuration files, it’s always best practice to have a complete backup of your environment before making system-wide changes.

How the Setup Script Works

Our full setup script implements a phased approach:

# Phase 1: Generate Certificates
docker compose -f generate-indexer-certs.yml run --rm generator

# Phase 2: Initial Stack Startup with Default Credentials
docker compose up -d

# Phase 3: Stop Stack for Password Changes
docker compose down

# Phase 4: Generate All New Password Hashes
# Phase 5: Restart with New Credentials
# Phase 6: Apply Security Settings

Enhanced Password Security

The script implements robust password generation:

# Generate a password that meets API password requirements
generate_api_password() {
    # Start with a base of random alphanumeric characters (10 of the 14 total)
    local base=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 10)
    # Guarantee one lowercase, one uppercase, one digit and one symbol; the 10+4 split and the symbol set are assumptions, check the Wazuh API docs for your version
    local extra="$(tr -dc 'a-z' < /dev/urandom | head -c 1)$(tr -dc 'A-Z' < /dev/urandom | head -c 1)$(tr -dc '0-9' < /dev/urandom | head -c 1)$(tr -dc '@$!%*?&_-' < /dev/urandom | head -c 1)"
    printf '%s\n' "${base}${extra}"
}

Security Considerations

  • Standard user passwords consist of alphanumeric characters only (14 characters), as Wazuh has compatibility issues with special characters for these users
  • Only API passwords include special characters, following Wazuh’s specific API requirements
  • Password length is limited to 14 characters as Wazuh has issues with longer passwords
  • All passwords are randomly generated with high entropy using /dev/urandom
  • Passwords meet NIST 800-63B guidelines by being sufficiently long and randomly generated
  • Scripts create backups of critical configuration files before modification
  • All credentials are displayed at the end of execution for secure storage by the administrator
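The two password classes described above can be exercised directly. The following is an added example, not code from the TridentStack scripts: it generates a standard user password under the 14-character alphanumeric constraint, and checks a candidate API password against the policy the page alludes to. The policy details (8 to 64 characters, at least one lowercase, one uppercase, one digit and one symbol from a fixed set) and the symbol set are assumptions to confirm against the Wazuh API documentation for your version.

```shell
#!/usr/bin/env bash
# Added example (not code from the TridentStack scripts): standard-user
# password generation and an API password policy check.

# Standard users (admin, kibanaserver, ...) get alphanumeric characters only.
# 14 characters drawn from a 62-symbol alphabet is roughly 83 bits of entropy.
generate_user_password() {
    local length="${1:-14}"
    tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$length"
    echo
}

# Symbols assumed acceptable to the Wazuh API (assumption; check your version's docs)
API_SYMBOLS='@$!%*?&_-'

# Returns 0 when the candidate satisfies the assumed API policy, 1 otherwise.
check_api_password_policy() {
    local pw="$1" len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 64 ] || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q "[$API_SYMBOLS]" || return 1
    # Anything outside the allowed alphabet makes the password unusable for the API
    if printf '%s' "$pw" | LC_ALL=C grep -q "[^A-Za-z0-9$API_SYMBOLS]"; then
        return 1
    fi
    return 0
}
```

Keeping the symbol set in one variable means both the generator and the checker agree on what the API accepts; if a future Wazuh version changes the allowed characters, only that line needs editing.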

Testing and Verification

After deployment, verify your setup:

  1. Container health check:
docker ps | grep wazuh
  2. Dashboard access:
    Access https://<server-ip>:443 with your new admin credentials
  3. Security verification:
    • Ensure all password changes took effect
    • Verify no default credentials remain
    • Check SSL certificate validity
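"Verify no default credentials remain" can be made mechanical. The following is an added example, not part of the TridentStack scripts: it scans the single-node docker-compose.yml for the credential environment variables still set to their upstream values. The variable names and default values are those shipped in the upstream wazuh-docker compose file at the time of writing; treat them as an assumption and compare with your own checkout.

```shell
#!/usr/bin/env bash
# Added example (not part of the TridentStack scripts): report compose files
# that still carry upstream default credentials.

# Upstream defaults to look for, one VAR=value pair per line (assumption:
# values as shipped in the upstream wazuh-docker single-node compose file).
DEFAULT_CREDENTIALS='INDEXER_PASSWORD=SecretPassword
DASHBOARD_PASSWORD=kibanaserver
API_PASSWORD=MyS3cr37P450r.*-'

# Usage: check_default_credentials COMPOSE_FILE...
# Prints one line per leftover default, then the total count as the last
# line; returns 0 only when no default credential was found.
check_default_credentials() {
    local found=0 file line
    for file in "$@"; do
        [ -r "$file" ] || { echo "skip: cannot read $file" >&2; continue; }
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            # Match the whole VAR=value pair as a fixed string, so the '.' and
            # '*' in the API default are not treated as regex metacharacters and
            # a username that equals a default password does not trigger a hit.
            if grep -qF -- "$line" "$file"; then
                echo "LEFTOVER DEFAULT ${line%%=*} in $file"
                found=$((found + 1))
            fi
        done <<EOF
$DEFAULT_CREDENTIALS
EOF
    done
    echo "$found"
    [ "$found" -eq 0 ]
}
```

Run it against single-node/docker-compose.yml after the setup or reset script has finished; a non-zero exit status is a convenient hook for a post-deployment check in CI or a cron job.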

Advanced Configuration

External Authentication Integration

Wazuh supports LDAP/SAML integration for enterprise identity providers. After deployment, configure:

  1. Edit opensearch-security/config.yml to enable external authentication
  2. Configure opensearch-security/roles_mapping.yml for appropriate role mapping
  3. Update wazuh.yml for dashboard authentication settings

Backup Strategies

Implement a backup strategy for Wazuh Docker deployments:

  1. Data volumes backup:
docker run --rm -v wazuh-indexer-data:/source:ro -v /backup:/backup \
   busybox tar -czf /backup/wazuh-data-$(date +%Y%m%d).tar.gz /source
  2. Configuration backup:
tar -czf wazuh-config-$(date +%Y%m%d).tar.gz single-node/config/
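A backup is only useful if it can be trusted later. The following is an added example, not part of the TridentStack scripts, that carries the configuration backup step through with an integrity record and simple retention: it archives a directory such as single-node/config/, stores a SHA-256 checksum beside the archive, verifies the archive is readable, and prunes old archives. The source and destination paths are parameters; nothing is assumed about your layout.

```shell
#!/usr/bin/env bash
# Added example (not part of the TridentStack scripts): configuration backup
# with checksum, verification and retention.

# Usage: backup_with_checksum SRC_DIR DEST_DIR [RETENTION_DAYS]
# Creates DEST_DIR/wazuh-config-YYYYmmdd-HHMMSS.tar.gz and a matching .sha256
# file, verifies the archive lists cleanly, removes archives older than
# RETENTION_DAYS (default 30), and prints the archive path on success.
backup_with_checksum() {
    local src="$1" dest="$2" keep_days="${3:-30}"
    local stamp archive
    [ -d "$src" ] || { echo "source directory not found: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/wazuh-config-$stamp.tar.gz"
    # -C keeps paths relative, so the archive restores into any directory
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # Checksum stored beside the archive makes corruption or tampering detectable
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    # Never trust a backup that cannot at least be listed
    tar -tzf "$archive" > /dev/null || { echo "archive verification failed: $archive" >&2; return 1; }
    # Retention: drop archives and their checksum files older than keep_days
    find "$dest" -name 'wazuh-config-*.tar.gz*' -mtime +"$keep_days" -exec rm -f {} +
    echo "$archive"
}

# Usage: verify_backup ARCHIVE   -- re-checks the archive against its stored checksum
verify_backup() {
    local archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256" )
}
```

Pair this with the data-volume step above by mounting the volume read-only into a helper container and pointing the function at the mount path, or by running the same function inside the container.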

Conclusion

A secure Wazuh deployment is essential for maintaining the integrity of your security monitoring platform. Our automation scripts enable:

  • Rapid deployment with security best practices
  • Complex password management without manual intervention
  • Consistent configuration across environments
  • Simple password management for administrator turnover

By implementing these scripts, you can ensure your Wazuh deployment meets security requirements while minimizing the operational overhead of manual configuration.

For more details and access to the scripts, visit our GitHub repository.

For questions or assistance with secure Wazuh deployments, contact us at security@tridentstack.com or visit TridentStack.com.
