WAZUH RBAC being wrongly mapped


Guilherme Cardoso

Sep 17, 2024, 7:23:32 AM
to Wazuh | Mailing List
Hi

I have deployed Wazuh with SSO as backend authentication for the dashboard. In the recent version 4.9.0 the role mappings seem to be broken at the Wazuh plugin level.

I am correctly mapped for the OpenSearch role, as you can see in the screenshot.

1.png

In Wazuh Server Management Security I have a Role mapping giving that specific and restricted role to my user as you can see.

2.png

I have Wazuh-Wui with allow_run_as as well.
For some reason, sometimes when I log in I end up with the Administrator Policies, as you can see.

5.png

If I clean the cookies and log in again through SSO I am correctly mapped to my user role.
What am I doing wrong?



John E

Sep 17, 2024, 7:47:57 AM
to Wazuh | Mailing List
Hello Guilherme,

I am currently looking into this.

Regards

John E

Sep 17, 2024, 7:25:03 PM
to Wazuh | Mailing List
Hello Guilherme,
Sorry for the late response.

Please note that it is necessary to have different usernames between the SSO users and the internal user.

Regards.

Guilherme Cardoso

Sep 18, 2024, 5:39:53 AM
to Wazuh | Mailing List
Hi,
The user is provisioned by the IdP, in this case, Authentik.

For example, my user "cardoso" does not exist in the internal Wazuh directory.

At index level, the user is mapped to this OPENID_Cardoso Role
1.png
2.png

We followed the documentation in the "Create and setting a Wazuh read-only user" section.

The problem seems to be in Server Management at the opensearch plugin I have an Internal Mapping
3.png

Both of the policies are restricted to only see one agent, but for some reason login and logout, clean the cookies, I end up in the Administrator Role.

Is there some default role applying administrator to a session cookie?

John E

Sep 18, 2024, 9:09:20 AM
to Wazuh | Mailing List
Dear Guilherme,

The roles "cluster readonly" and "Role Cardoso" you assigned to your user are where the issue is; the "cluster read-only" role cannot be restricted to see only one resource.
"cluster read-only" is a default policy, and it has wildcard view access to all resources.

I would suggest not using that role if you intend to restrict the users to only one agent.
Also, your custom role "Role Cardoso" should be assigned the appropriate restrictive policy.

Regards.



Guilherme Cardoso

Sep 19, 2024, 3:59:23 AM
to Wazuh | Mailing List
Hi,

So that you know, I changed it as suggested.
The policy for the "Role Cardoso" only allows "agent:read, sca:read" in the resource agent:id33

But I continue to see every agent on the dashboard. The RBAC MODE is configured to whitelist mode, so by default, it forbids all actions.

If I go to Server Management > Dev Tools and execute "GET /security/users/me" I still get the Role Administrator.

Guilherme Cardoso

Sep 19, 2024, 9:15:44 AM
to Wazuh | Mailing List
Hi,

Some more details: in the Wazuh Manager API logs, what I see is the following.

# When I am logged in as cardoso but have the Administrator Role assigned for some reason.
2024/09/19 15:00:18 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.261s: 401
2024/09/19 15:00:18 INFO: wazuh-wui 10.27.10.6 "GET /agents/summary/status" with parameters {} and body {} done in 0.264s: 401
2024/09/19 15:00:18 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.570s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.938s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.876s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.633s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.092s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.072s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.032s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.055s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.059s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.032s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.064s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.074s: 200
2024/09/19 15:00:19 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.097s: 200
2024/09/19 15:00:20 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.083s: 200
2024/09/19 15:00:20 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.052s: 200
2024/09/19 15:00:21 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.877s: 200
2024/09/19 15:00:21 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.876s: 200
2024/09/19 15:00:21 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.099s: 200
2024/09/19 15:00:21 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.099s: 200
2024/09/19 15:00:21 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.046s: 200
2024/09/19 15:00:21 INFO: wazuh-wui 10.27.10.6 "GET /agents/summary/status" with parameters {} and body {} done in 0.080s: 200

# Correct flow grant correct policies and roles
2024/09/19 15:12:25 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.290s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.739s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.478s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.590s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "GET /manager/version/check" with parameters {"force_query": "false"} and body {} done in 0.279s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me" with parameters {} and body {} done in 0.529s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.253s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.059s: 200
2024/09/19 15:12:26 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.031s: 200
2024/09/19 15:12:27 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me" with parameters {} and body {} done in 0.223s: 200
2024/09/19 15:12:27 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.230s: 200
2024/09/19 15:12:27 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.040s: 200
2024/09/19 15:12:27 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.042s: 200
2024/09/19 15:12:28 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 1.159s: 200
2024/09/19 15:12:28 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782) 10.27.10.6 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "cardoso", "is_reserved": false, "is_hidden": false, "is_internal_user": false, "user_requested_tenant": "", "backend_roles": [], "custom_attribute_names": ["attr.jwt.iss", "attr.jwt.auth_time", "attr.jwt.preferred_username", "attr.jwt.given_name", "attr.jwt.sub", "attr.jwt.aud", "attr.jwt.acr", "attr.jwt.name", "attr.jwt.nickname", "attr.jwt.groups", "attr.jwt.exp", "attr.jwt.iat"], "tenants": {"global_tenant": false, "cardoso": true}, "roles": ["OPENID_ROLE_Cardoso"]} done in 1.637s: 200
2024/09/19 15:12:28 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782) 10.27.10.6 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "cardoso", "is_reserved": false, "is_hidden": false, "is_internal_user": false, "user_requested_tenant": "", "backend_roles": [], "custom_attribute_names": ["attr.jwt.iss", "attr.jwt.auth_time", "attr.jwt.preferred_username", "attr.jwt.given_name", "attr.jwt.sub", "attr.jwt.aud", "attr.jwt.acr", "attr.jwt.name", "attr.jwt.nickname", "attr.jwt.groups", "attr.jwt.exp", "attr.jwt.iat"], "tenants": {"global_tenant": false, "cardoso": true}, "roles": ["OPENID_ROLE_Cardoso"]} done in 1.635s: 200
2024/09/19 15:12:28 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782) 10.27.10.6 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "cardoso", "is_reserved": false, "is_hidden": false, "is_internal_user": false, "user_requested_tenant": "", "backend_roles": [], "custom_attribute_names": ["attr.jwt.iss", "attr.jwt.auth_time", "attr.jwt.preferred_username", "attr.jwt.given_name", "attr.jwt.sub", "attr.jwt.aud", "attr.jwt.acr", "attr.jwt.name", "attr.jwt.nickname", "attr.jwt.groups", "attr.jwt.exp", "attr.jwt.iat"], "tenants": {"global_tenant": false, "cardoso": true}, "roles": ["OPENID_ROLE_Cardoso"]} done in 1.168s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.240s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.109s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.112s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.114s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.044s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.110s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {} and body {} done in 0.070s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {} and body {} done in 0.109s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {} and body {} done in 0.120s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.051s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /" with parameters {} and body {} done in 0.030s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.027s: 200
2024/09/19 15:12:29 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {} and body {} done in 0.046s: 200
2024/09/19 15:12:30 INFO: wazuh-wui 10.27.10.6 "GET /agents/summary/status" with parameters {} and body {} done in 0.038s: 200

Somehow it seems the Wazuh dashboard is mixing the cookies when the OIDC cookie/session is still valid and grants the Administrator Role to the user, and doesn't execute the calls with that prefix: 15:12:28 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782)

Guilherme Cardoso

Sep 19, 2024, 10:44:08 AM
to Wazuh | Mailing List
Hi,
This is my configuration in /etc/wazuh-dashboard/opensearch_dashboards.yml:
server.host: 10.27.10.6
server.port: 443
opensearch.hosts: "https://10.27.10.6:9200"
opensearch.ssl.verificationMode: certificate
#opensearch.username: "kibanaserver"
#opensearch.password: "-------------------------------"
opensearch.requestHeadersAllowlist: ["securitytenant","Authorization"]

opensearch_security.multitenancy.enabled: True
#opensearch_security.readonly_mode.roles: ["kibana_read_only","readall"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/dashboard-key.pem"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/dashboard.pem"
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home


  #opensearch_security.session.ttl: 480000
  #opensearch_security.cookie.ttl: 480000
  #opensearch_security.cookie.secure: True

# Enable OpenID authentication ~
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.session.keepalive: false

opensearch_security.auth.multiple_auth_enabled: true
# The IdP metadata endpoint
opensearch_security.openid.connect_url: "https://---------------------/application/o/wazuh-internal/.well-known/openid-configuration"
# The ID of the OpenID Connect client in your IdP
opensearch_security.openid.client_id: "--------------------------------"
opensearch_security.openid.scope: "openid profile email"

# The client secret of the OpenID Connect client
opensearch_security.openid.client_secret: "----------------------------------"

# mTLS Options for obtaining endpoints from IdP
#opensearch_security.openid.root_ca: /usr/share/opensearch-dashboards/config/certs/ca.pem
#opensearch_security.openid.certificate: /usr/share/opensearch-dashboards/config/certs/cert.pem
#opensearch_security.openid.private_key: /usr/share/opensearch-dashboards/config/certs/key.pem
opensearch_security.openid.header: "Authorization"

And this in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
hosts:
  - default:
      url: https://10.27.10.5
      port: 55000
      username: wazuh-wui
      password: --------------------------
      run_as: true

customization.reports.footer: "--------- SIEM"
customization.reports.header: "--------- SIEM"
customization.logo.app: "custom/images/customization.logo.app.jpg?v=1704276894913"
customization.logo.healthcheck: "custom/images/customization.logo.healthcheck.png?v=1704276894942"
customization.logo.reports: "custom/images/customization.logo.reports.png"
customization.logo.sidebar: "custom/images/customization.logo.sidebar.jpg?v=1704276894962"
cron.statistics.index.creation: "w"
wazuh.monitoring.replicas: 0
cron.statistics.index.replicas: 0

John E

Sep 19, 2024, 10:21:43 PM
to Wazuh | Mailing List
Hello Guilherme,

I had to create an environment to test your scenario, and yes, I experienced your concern. But there is an explanation for it.

Doing the below will not restrict the user to only the specified agent.
image (1).png
That is a wrong approach to agent segregation. Doing this will have no effect on the user's roles and permissions and the user will remain an administrator.

The right way to do this is by first grouping the agents, and then setting a document-level restriction when creating roles in the Index manager; the guide shared earlier contains instructions on how to do this.

Also, this scenario was tested during an end-to-end test. Here is the testing report that covered the same scenario, for your reference: https://github.com/wazuh/wazuh/issues/24857

Regards

Guilherme Cardoso

Sep 20, 2024, 3:33:21 AM
to Wazuh | Mailing List
Hi,

Thanks for your feedback.

I am doing exactly that, but restricted not by agent group but by agent ID at index level.


Wazuh-alerts*
{
  "bool": {
    "must": {
      "match": {
        "agent.id": "033"
      }
    }
  }
}
Wazuh-monitoring*
{
  "bool": {
    "must": {
      "match": {
        "id": "033"
      }
    }
  }
}
wazuh-states*
{
  "bool": {
    "must": {
      "match": {
        "agent.id": "033"
      }
    }
  }
}

22.png


The problem seems to be something related to session cookies from OpenID. When I log in as cardoso with OpenID as authentication backend, until the session expires in the IdP and cookies are still valid, I can refresh the page and elevate my privileges to the Administrator Role. In a fresh browser, without cookies or a session in the IdP, I end up in the ROLE_Cardoso correctly mapped, but if I had my session already initialized in the IdP, the Wazuh Dashboard doesn't do the query to the API correctly.

Wrong Query being made to the Wazuh API
2024/09/20 09:26:31 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.888s: 200
2024/09/20 09:26:31 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 1.155s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.978s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.747s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.092s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.165s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /manager/version/check" with parameters {"force_query": "false"} and body {} done in 0.170s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.087s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.077s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.043s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.055s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.035s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.036s: 200
2024/09/20 09:26:32 INFO: wazuh-wui 10.27.10.6 "GET /" with parameters {} and body {} done in 0.034s: 200
2024/09/20 09:26:33 INFO: wazuh-wui 10.27.10.6 "GET /agents/summary/status" with parameters {} and body {} done in 0.048s: 200


Correct Query being made to the Wazuh API
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.750s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.453s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "POST /security/user/authenticate" with parameters {} and body {} done in 0.546s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /manager/version/check" with parameters {"force_query": "false"} and body {} done in 0.291s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me" with parameters {} and body {} done in 0.445s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /manager/info" with parameters {} and body {} done in 0.150s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.077s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /agents" with parameters {"agents_list": "000"} and body {} done in 0.099s: 200
2024/09/20 09:30:55 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.053s: 200
2024/09/20 09:30:56 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me" with parameters {} and body {} done in 0.831s: 200
2024/09/20 09:30:57 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782) 10.27.10.6 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "cardoso", "is_reserved": false, "is_hidden": false, "is_internal_user": false, "user_requested_tenant": "", "backend_roles": [], "custom_attribute_names": ["attr.jwt.iss", "attr.jwt.auth_time", "attr.jwt.preferred_username", "attr.jwt.given_name", "attr.jwt.sub", "attr.jwt.aud", "attr.jwt.acr", "attr.jwt.name", "attr.jwt.nickname", "attr.jwt.groups", "attr.jwt.exp", "attr.jwt.iat"], "tenants": {"global_tenant": false, "cardoso": true}, "roles": ["OPENID_ROLE_Cardoso"]} done in 1.205s: 200
2024/09/20 09:30:57 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782) 10.27.10.6 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "cardoso", "is_reserved": false, "is_hidden": false, "is_internal_user": false, "user_requested_tenant": "", "backend_roles": [], "custom_attribute_names": ["attr.jwt.iss", "attr.jwt.auth_time", "attr.jwt.preferred_username", "attr.jwt.given_name", "attr.jwt.sub", "attr.jwt.aud", "attr.jwt.acr", "attr.jwt.name", "attr.jwt.nickname", "attr.jwt.groups", "attr.jwt.exp", "attr.jwt.iat"], "tenants": {"global_tenant": false, "cardoso": true}, "roles": ["OPENID_ROLE_Cardoso"]} done in 1.201s: 200
2024/09/20 09:30:57 INFO: wazuh-wui (83499f233a5739edfd60e4a2c0952782) 10.27.10.6 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "cardoso", "is_reserved": false, "is_hidden": false, "is_internal_user": false, "user_requested_tenant": "", "backend_roles": [], "custom_attribute_names": ["attr.jwt.iss", "attr.jwt.auth_time", "attr.jwt.preferred_username", "attr.jwt.given_name", "attr.jwt.sub", "attr.jwt.aud", "attr.jwt.acr", "attr.jwt.name", "attr.jwt.nickname", "attr.jwt.groups", "attr.jwt.exp", "attr.jwt.iat"], "tenants": {"global_tenant": false, "cardoso": true}, "roles": ["OPENID_ROLE_Cardoso"]} done in 0.781s: 200
2024/09/20 09:30:57 INFO: wazuh-wui 10.27.10.6 "GET /cluster/status" with parameters {} and body {} done in 0.537s: 200
2024/09/20 09:30:57 INFO: wazuh-wui 10.27.10.6 "GET /cluster/local/info" with parameters {} and body {} done in 0.028s: 200
2024/09/20 09:30:57 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.367s: 200
2024/09/20 09:30:57 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.370s: 200
2024/09/20 09:30:57 INFO: wazuh-wui 10.27.10.6 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.371s: 200

John E

Sep 20, 2024, 6:48:01 AM
to Wazuh | Mailing List
Hello Guilherme,

I have not tested this using external authentication backends.

Can you confirm whether the same issue is experienced with internal users?

I did my tests with internal users; I want to be able to tell if the issue occurs only when an external auth backend is used.

Regards.

Guilherme Cardoso

Sep 20, 2024, 8:23:13 AM
to Wazuh | Mailing List
Hi,

With internal users this doesn't happen.

Only the ones with an external authentication backend.

John E

Sep 20, 2024, 9:05:28 AM
to Wazuh | Mailing List
Thank you Guilherme,

I will send this to the responsible team to look into it, will let you know what they discover.

Regards.

John E

Sep 25, 2024, 2:19:53 AM
to Wazuh | Mailing List
Hello Guilherme,

It appears this is a known issue that has been fixed in 4.9.1 with this pull request.

This problem was caused by the endpoint api/check-stored-api. This endpoint was not retrieving the run_as setting and it was overwriting the previously loaded configuration.

Regards.
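
An added example, not part of the original thread and not Wazuh's own code: a heuristic audit over Wazuh API log lines in the format posted above. It flags bursts of dashboard activity in which `GET /security/users/me/policies` succeeded for the service account without any `POST /security/user/authenticate/run_as` in the same burst, which is the pattern the thread associates with the wrong role. The sample lines, the 30-second burst gap and the function names are constructed assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Line layout taken from the API log excerpts quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) INFO: (?P<user>\S+)'
    r'(?: \((?P<hash>[0-9a-f]+)\))? (?P<ip>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" with parameters (?P<params>\{.*?\}) '
    r'and body (?P<body>\{.*\}) done in [\d.]+s: (?P<status>\d{3})$'
)
RUN_AS = "/security/user/authenticate/run_as"
POLICIES = "/security/users/me/policies"

def parse(line):
    """Return a dict for one API log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    try:
        rec["body"] = json.loads(rec["body"])
    except ValueError:
        rec["body"] = {}  # body was not valid JSON; keep the record anyway
    return rec

def bursts(records, gap):
    """Split time-ordered records into groups separated by more than `gap`."""
    group = []
    for rec in records:
        if group and rec["ts"] - group[-1]["ts"] > gap:
            yield group
            group = []
        group.append(rec)
    if group:
        yield group

def audit(lines, service_user="wazuh-wui", gap_seconds=30):
    """Report each burst that read policies; suspect=True means no run_as seen."""
    records = [r for r in map(parse, lines) if r and r["user"] == service_user]
    records.sort(key=lambda r: r["ts"])  # stable: same-second order is kept
    findings = []
    for group in bursts(records, timedelta(seconds=gap_seconds)):
        ok = [r for r in group if r["status"] == 200]
        run_as = [r for r in ok if r["path"] == RUN_AS]
        if not any(r["path"] == POLICIES for r in ok):
            continue
        findings.append({
            "start": group[0]["ts"].isoformat(sep=" "),
            "impersonated": sorted({r["body"].get("user_name", "?") for r in run_as}),
            "roles": sorted({x for r in run_as for x in r["body"].get("roles", [])}),
            "suspect": not run_as,
        })
    return findings

# Constructed sample lines (not from the thread): one burst without run_as, one with.
SAMPLE = """\
2024/01/01 10:00:00 INFO: wazuh-wui 192.0.2.10 "POST /security/user/authenticate" with parameters {} and body {} done in 0.570s: 200
2024/01/01 10:00:01 INFO: wazuh-wui 192.0.2.10 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.099s: 200
2024/01/01 10:12:00 INFO: wazuh-wui 192.0.2.10 "POST /security/user/authenticate" with parameters {} and body {} done in 0.739s: 200
2024/01/01 10:12:01 INFO: wazuh-wui (0123456789abcdef0123456789abcdef) 192.0.2.10 "POST /security/user/authenticate/run_as" with parameters {} and body {"user_name": "alice", "is_internal_user": false, "backend_roles": [], "roles": ["OPENID_ROLE_Alice"]} done in 1.637s: 200
2024/01/01 10:12:02 INFO: wazuh-wui 192.0.2.10 "GET /security/users/me/policies" with parameters {} and body {"idHost": "default"} done in 0.109s: 200
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A burst flagged as suspect is a lead to check against the dashboard session, not proof: a long-lived session can read policies again later without a fresh `run_as` call.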
