How to create a "readonly" user for Kibana GUI and Wazuh GUI


mauro....@cmcc.it

May 14, 2021, 2:53:58 PM
to Wazuh mailing list

Hi All,

I would like to create a "readonly" user for both Kibana and Wazuh web interface (with the same username).
I need to provide this user credentials to the IT team that should check what is happening without the admin permissions.

How can I create it?

Thank you,
Mauro


Rafael Antonio Rodriguez Otero

May 14, 2021, 3:15:33 PM
to mauro....@cmcc.it, Wazuh mailing list
Hi Mauro. Jejeje, again.

Try this first please.


When you finish that, you can try to create the user from the administrator Kibana manager.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/9f2f1c9c-36e2-4190-b45f-84b02c1171ffn%40googlegroups.com.

mauro....@cmcc.it

May 14, 2021, 3:33:53 PM
to Wazuh mailing list
Hi Rafael :)

in the end, I decided to complete this first configuration of Wazuh and let it run.
I checked your link and I read the first line of the document: "Since your Wazuh Server and Elastic Server instances are located on separate instances"...
In my case, everything is on the same server (all-in-one installation). Is there a dedicated guide for my case?

Thank you.
I know I'm your nightmare ahahahahaha

Rafael Antonio Rodriguez Otero

May 14, 2021, 4:09:12 PM
to mauro....@cmcc.it, Wazuh mailing list
Hehehe friend, calm, we are here to help. You really shouldn't have any problems with the configuration; what you should do is use a single certificate for everything. Basically with this:

[root@elastic-server ~]# cat > /usr/share/elasticsearch/instances.yml << EOF
instances:
    - name: "wazuh-manager"
      ip:
        - "172.30.0.10"
EOF

You put the same certificate for everything.

mauro....@cmcc.it

May 14, 2021, 5:06:42 PM
to Wazuh mailing list
Thank you, but /usr/share/elasticsearch/bin/elasticsearch-certutil is not available on my Wazuh instance.
It seems it is a part of x-pack and it is not free ... what am I doing wrong again? :-D

Rafael Antonio Rodriguez Otero

May 14, 2021, 6:06:19 PM
to mauro....@cmcc.it, Wazuh mailing list
Jejeje, it is possible that your operating system distribution puts the installation in another location. Try this:

find / -iname "elasticsearch-certutil"

This command finds the binary across the whole system.

mauro....@cmcc.it

May 14, 2021, 6:17:18 PM
to Wazuh mailing list
file not found :-D

ok, never give up! I still have about 3 minutes of patience :-P

I can't do the work using GUI, right?

Juan Pablo Soliani

May 14, 2021, 6:22:09 PM
to Wazuh mailing list
Hi Mauro,

Thank you for using Wazuh!

You can grant read-only access to a specific user by configuring both Wazuh and Elastic with read-only attributes. Hope the following guide fits your needs.

First of all, with the admin account, we'll create a new user. Go to:

  Menu >> Security >> Internal Users: and create a new user with a password, then go to:
  Menu >> Security >> Roles: open Kibana_user role and duplicate it, edit the duplicate and set these options:
  Cluster permissions:
    add 'kibana_all_read'
  Index permissions - Index:
    add 'wazuh-*'
  In permissions leave only 'read' and save the role.

  Open the role again and go to 'Mapped users' tab and add the user you've created before.

Then, we also need to give permissions to the WazuhApp, do the following:

Set the parameter run_as to true in the /usr/share/kibana/data/wazuh/config/wazuh.yml file and save it. Like this:

hosts:
  - default:
      url: https://localhost
      port: 55000
      username: wazuh
      password: wazuh
      run_as: true

Then, restart kibana service with: systemctl restart kibana

In the UI, go to Wazuh menu >> Security >> Roles mapping, and create a new map, set the name for it, in Roles add 'readonly' role and in Internal users, add the user you want.

Test it in another browser, clean cache or open a new Private/Incognito browser window.

That's all.
John.-

Rafael Antonio Rodriguez Otero

May 14, 2021, 6:31:24 PM
to mauro....@cmcc.it, Wazuh mailing list
hehehe you really can't.
That is the binary to create the certificate, you are supposed to create this where elasticsearch is installed.

What distribution do you have?

mauro....@cmcc.it

May 14, 2021, 6:45:10 PM
to Wazuh mailing list
Thank you, John. I followed your instructions but this is the message I received trying to log in as the "viewer" user

mauro....@cmcc.it

May 14, 2021, 6:46:44 PM
to Wazuh mailing list
I'm using ubuntu 20.04 x86_64

Thank you, Rafael :)

Rafael Antonio Rodriguez Otero

May 14, 2021, 7:14:22 PM
to mauro....@cmcc.it, Wazuh mailing list
Oh sorry, your installation is all-in-one, is that correct?

In this case you have Kibana with https, is this correct?

mauro....@cmcc.it

May 14, 2021, 7:15:59 PM
to Wazuh mailing list
Yes, Rafael. It is correct: all-in-one with https

Rafael Antonio Rodriguez Otero

May 14, 2021, 7:47:36 PM
to mauro....@cmcc.it, Wazuh mailing list
Well, try this:

1. Go to the Kibana administrator, in Roles:

Captura de pantalla_2021-05-14_19-32-49.png

In this section create a role with this configuration.

Captura de pantalla_2021-05-14_19-37-20.png

But in the Kibana space privileges configure this:

Captura de pantalla_2021-05-14_19-37-58.png

So, finally, you can create the user with this role.

Captura de pantalla_2021-05-14_19-46-44.png

Mauro Tridici

May 15, 2021, 5:34:53 AM
to Rafael Antonio Rodriguez Otero, Wazuh mailing list
Good morning Rafael,

thank you for your input.

I created a new role with the following properties:

Name: viewer_role
Cluster Permissions: none
Index: .kibana, .kibana-6, .kibana_*, wazuh-* (kibana indexes seem to be needed to navigate the dashboards; if they are missing, an "Elasticsearch Forbidden" page appears after login)
Index permissions: read
Tenant permission: global_tenant (read only)

I created viewer user and I added it to viewer_role.
Now, I'm able to log into the GUI with viewer user, but I noticed that the viewer user can create wazuh agent groups and so on...
In other words, administrative tasks are still possible.

Where is my error?

Thank you in advance,
Mauro




Rafael Antonio Rodriguez Otero

May 15, 2021, 10:36:44 PM
to Mauro Tridici, Wazuh mailing list
Hello

Friend, excuse me for not answering you quickly. I've had a lot of trouble lately. Hahaha

Well, it would be good if you showed me images of the configuration. The truth is, it seems super weird.

In theory, when you create this data, do it from the elasticsearch user or the user who has permissions on the wazuh app in kibana. But I'm not sure if the permissions are set from wazuh admin. When I can, I'll do a lab and let you know.

Mauro Tridici

May 16, 2021, 5:09:27 AM
to Rafael Antonio Rodriguez Otero, Wazuh mailing list
Hello Rafael,

please, take your time 😊
I just created a PDF file with the steps I have done; you can find it in the attachment.
My Wazuh GUI seems to be a little different from yours.

Maybe we are using a different version of Wazuh (my version is 4.1.4 - all-in-one unattended installation).

Thank you for your help.
Have a great day.
Mauro

config.pdf

mauro....@cmcc.it

May 23, 2021, 4:58:26 PM
to Wazuh mailing list
Hi all,

has any of you solved this issue?
I would like to create a "read only user" that should be able to navigate in Wazuh and Kibana dashboards without admin permissions.

I'm using the last version of Wazuh.

Thank you,
Mauro

Juan Carlos Tello

Jul 5, 2021, 10:56:24 AM
to mauro....@cmcc.it, Wazuh mailing list
Hello Mauro,

You're almost there. You only need to map that internal user to the readonly rule within the Wazuh application.
Bear in mind that since this option affects the Wazuh API, which is separate from Elasticsearch, this step is done separately from the rest of the configuration of the account.

I agree a proper guide should be available, so for future reference I'll start from a clean installation while simplifying some of the steps you have already taken, but feel free to jump to the last three images.

First, select from the top left menu Security, then Internal users and Create internal user:
image.png

Provide the username and credentials, I have chosen readonly as an example:
image.png
Then select Roles and Create Role, provide a name for the role (I have chosen readonly as an example) and give it cluster_composite_ops_ro and kibana_all_read Cluster permissions, then type into "Index" wazuh* and .kibana* and select read as the permissions given to these indices and click Create:
image.png
Then select Mapped users and click on Map users:
image.png
Select the user and click on Map:
image.png
Then repeat this process but for the built-in kibana_user role:

image.png
Finally, go back into the Wazuh application, then select Security and Roles mapping and click on Create Role mapping:
image.png
Give it a name, assign the built-in readonly Role and select the internal user you previously created before clicking Save role mapping:
image.png
It's important, as mentioned by John previously, to modify the run_as setting in /usr/share/kibana/data/wazuh/config/wazuh.yml and set it to true before restarting the Kibana service, and to ensure that there aren't any pre-existing cookies when testing the new user's role.

This user will be able to see but not modify the groups; write options will be greyed out and hovering over them will specify the missing permissions:
image.png
For reference, I created this guide using Wazuh 4.1.5 and Open Distro 1.13.2 (which is equivalent to Elastic v7.10.2) from a newly imported Wazuh OVA.

Please let me know if you have any questions.
Best Regards,
Juan Carlos Tello


Mauro Tridici

Jul 5, 2021, 2:21:39 PM
to Juan Carlos Tello, Wazuh mailing list
Hello Juan Carlos,

thank you very much for the detailed instructions.
I really appreciated it.

I think that your answer will be useful also for other guys.

Have a nice day!
Kind Regards,
Mauro


Flek Kontrec

Mar 23, 2022, 6:24:13 AM
to Wazuh mailing list
Hi,

I know it's an old thread but maybe it can be reactivated.

I've followed these instructions to create readonly user for Kibana and Wazuh but my user is able to do some things which are not exactly read only. For example, it can create/delete visualizations, delete/create/edit dashboards, create policy under index mgmt, remove/create index pattern under stack mgmt, delete/export/import saved objects under stack mgmt,...

Is there a way to remove these permissions? I'd like my read only user to be able to see data under Discover/Dashboard, Wazuh - Modules, and Wazuh list of agents.

User which logs into Wazuh is authenticated via LDAP, where backend roles are provided. Backend role is then mapped to a kibana_user role and to custom readonly role. Custom readonly role has got cluster permissions for cluster_composite_ops_ro and kibana_all_read. Its index permissions are wazuh* and .kibana*.

Regards

Flek Kontrec

Mar 23, 2022, 7:26:46 AM
to Wazuh mailing list
Nevermind, I've found a way how to do it. When a custom readonly role is created, under Tenant permissions, tenant global_tenant should be added, with Read only rights.
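
Added example, not part of any post in this thread: a Python check that compares a custom role definition with the read-only settings the thread arrives at (the two cluster permissions, read on the indices, global_tenant with read-only rights). The dictionaries are constructed samples in the role layout of the Open Distro security plugin, the function name is hypothetical, and treating the GUI's "Read only" tenant right as the kibana_all_read action is an assumption.

```python
# Added example (not from the thread): audit a custom role definition against
# the read-only settings described above. Assumption: "Read only" on a tenant
# is stored as the kibana_all_read action.
ALLOWED_CLUSTER = {"cluster_composite_ops_ro", "kibana_all_read"}
ALLOWED_INDEX = {"read"}
ALLOWED_TENANT = {"kibana_all_read"}


def audit_readonly_role(name, role):
    """Return findings (strings) for one role; an empty list means read-only."""
    findings = []
    extra = set(role.get("cluster_permissions", [])) - ALLOWED_CLUSTER
    if extra:
        findings.append(f"{name}: cluster permissions {sorted(extra)}")
    for perm in role.get("index_permissions", []):
        extra = set(perm.get("allowed_actions", [])) - ALLOWED_INDEX
        if extra:
            patterns = ",".join(perm.get("index_patterns", []))
            findings.append(f"{name}: index {patterns} allows {sorted(extra)}")
    global_read_only = False
    for perm in role.get("tenant_permissions", []):
        actions = set(perm.get("allowed_actions", []))
        tenants = perm.get("tenant_patterns", [])
        if actions - ALLOWED_TENANT:
            findings.append(f"{name}: tenant {','.join(tenants)} allows "
                            f"{sorted(actions - ALLOWED_TENANT)}")
        elif "global_tenant" in tenants and actions:
            global_read_only = True
    if not global_read_only:
        findings.append(f"{name}: no read-only permission on global_tenant")
    return findings


# Constructed sample: the role as configured in the July 2021 walkthrough.
ROLE_WITHOUT_TENANT = {
    "cluster_permissions": ["cluster_composite_ops_ro", "kibana_all_read"],
    "index_permissions": [
        {"index_patterns": ["wazuh*", ".kibana*"], "allowed_actions": ["read"]}
    ],
}
# Constructed sample: the same role plus the tenant permission from the last post.
ROLE_WITH_TENANT = dict(ROLE_WITHOUT_TENANT, tenant_permissions=[
    {"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}
])

if __name__ == "__main__":
    for label, role in (("without tenant", ROLE_WITHOUT_TENANT),
                        ("with tenant", ROLE_WITH_TENANT)):
        print(label, audit_readonly_role("readonly", role) or "read-only")
```

The check covers one role at a time; a user mapped to several roles needs each mapped role reviewed.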