Account deletion question (internal users)


Ethan Thompson

Jul 3, 2023, 7:33:34 PM
to Wazuh mailing list
Hello Team,

I would like to delete the account below.
However, it is not deleted from the Web UI.
Is this account essential to Wazuh operation?
So what is the account used for?
Account deletion or a good reason is required for the security certification review.

delete: wazuh_admin, wazuh_user, admin
maintain: wazuh, kibanaserver


Jorge Alberto Marino

Jul 4, 2023, 8:14:17 AM
to Wazuh mailing list
Hello Ethan,

Just to let you know I'll be taking a look at this and will reply asap.

Thank you!

Jorge Alberto Marino

Jul 5, 2023, 7:19:44 PM
to Wazuh mailing list
Hello Ethan, just to clarify about these user accounts.

The wazuh_admin and wazuh_user are internal users that were added to interact with Wazuh.
Are you using Elasticsearch with Open Distro for Elasticsearch? 
I found this about those users and what they contribute to the system: LINK 

On the other hand, the admin user is a default user that came in the OpenDistro for Elasticsearch distribution and comes in OpenSearch (and by extension in Wazuh indexer).
This user is assigned the role of all_access which gives him all permissions.

You can check about admin internal user in the different Indexer versions below:

OpenDistro for Elasticsearch: https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/yaml/#internal_usersyml
OpenSearch 1.2 (Wazuh indexer 4.3.x): https://opensearch.org/docs/1.2/security-plugin/configuration/yaml#internal_usersyml
OpenSearch 2.4 (Wazuh indexer 4.4.0): https://opensearch.org/docs/2.4/security/configuration/yaml/#internal_usersyml


Depending on your security settings, these users may be reserved, making it impossible for you to edit or delete them. In case you want to delete them, you could probably modify the security settings, and apply the changes as explained in the corresponding documentation.

Since the original Wazuh setup is conceived to work with its underlying components, I'm not completely sure if it will keep working as expected after manually removing these users and roles.
But at the same time, Wazuh relies on Open Distro, so you can try that out after checking the official documentation. Not sure if running the security scripts that created these users will remove the ones you do not define in the new files. Please be careful if you decide to give it a try. Check the previous links and proceed with caution when trying to remove them.

Back to the original question, in terms of a security audit, these users and roles can be thought of as mandatory, and keeping the credentials safe will be enough, just like any other admin accounts in the system.

In case I get any new information about this I'll definitely let you know, but as for now, you can consider these users mandatory.

Thank you.
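The reply above points at the `reserved` setting in the Security plugin's `internal_users.yml` as the reason the Dashboards UI refuses to delete some accounts. The following script is an added example for readers of this thread, not code from Wazuh or from either poster: it parses a constructed `internal_users.yml` fragment (placeholder hashes, made-up descriptions; only the file layout follows the OpenSearch Security format linked above) with a small line-based parser so it runs without PyYAML, and then reports, for each account an auditor wants removed, whether it is `reserved` and whether it carries the `admin` backend role. The user names match the thread; the `reserved` values and roles assigned to them are assumptions for the demonstration, not a statement about any real deployment.

```python
"""Audit OpenSearch Security internal users before an account-deletion request.

Added example, not part of the thread.  The YAML below is constructed: the
hashes are placeholders and the reserved/role values are assumptions chosen
to show both outcomes of the check.
"""

SAMPLE_INTERNAL_USERS_YML = """\
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$PLACEHOLDER_HASH"
  reserved: true
  backend_roles:
  - "admin"
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$PLACEHOLDER_HASH"
  reserved: true
  description: "Demo OpenSearch Dashboards user"

wazuh_admin:
  hash: "$2y$12$PLACEHOLDER_HASH"
  reserved: false
  backend_roles:
  - "admin"
  description: "Constructed example user"

wazuh_user:
  hash: "$2y$12$PLACEHOLDER_HASH"
  reserved: false
  description: "Constructed example user"
"""


def _scalar(raw):
    """Convert a YAML scalar token (quoted string, bool, int) to a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if raw.lstrip("-").isdigit():
        return int(raw)
    return raw


def parse_internal_users(text):
    """Parse the two-level internal_users.yml layout into {user: {key: value}}.

    Handles top-level user blocks, "key: value" entries indented by two spaces
    and "- item" list entries.  The _meta block is dropped.  This is a minimal
    reader for the sample above, not a general YAML parser.
    """
    users, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.strip()
        if indent == 0:                      # start of a new user block
            current = users.setdefault(body.rstrip(":"), {})
            last_key = None
        elif body.startswith("- "):          # list item under the last key
            current.setdefault(last_key, []).append(_scalar(body[2:]))
        else:                                # "key: value" or "key:" (list follows)
            key, _, value = body.partition(":")
            last_key = key.strip()
            current[last_key] = _scalar(value) if value.strip() else []
    users.pop("_meta", None)
    return users


def audit_deletion(users, candidates):
    """Return one finding per candidate: reserved accounts cannot be removed from
    the UI/REST API and need a YAML edit plus securityadmin run instead."""
    findings = []
    for name in candidates:
        user = users.get(name)
        if user is None:
            findings.append({"user": name, "status": "absent"})
            continue
        roles = list(user.get("backend_roles", []))
        findings.append({
            "user": name,
            "status": "reserved" if user.get("reserved", False) else "deletable",
            "backend_roles": roles,
            "privileged": "admin" in roles,
        })
    return findings


if __name__ == "__main__":
    parsed = parse_internal_users(SAMPLE_INTERNAL_USERS_YML)
    for finding in audit_deletion(parsed, ["wazuh_admin", "wazuh_user", "admin"]):
        print(finding)
```

Run against a real `internal_users.yml`, the "reserved" status explains the UI behaviour Ethan saw, while the `privileged` flag marks the accounts whose credentials the audit answer above says must be kept safe if they are retained.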