Vulnerability scan access for RBAC user


Anmol Moudgil

Jan 27, 2025, 12:41:07 AM
to Wazuh | Mailing List
Hello Team,

I have set up a few RBAC users (using this guide) and enabled Vulnerability scan on the Wazuh manager. When I try to view the Vulnerability scan report as the user, I am able to view the report for all the groups, not just the one for which I've logged in. How can I limit a user to viewing the vulnerability scan for the agents enrolled in the user's group alone?

I have attached the Security Policy and Rolemapping screenshot for the user below. Let me know if any more information is required from my end.
wazuh-policy.png
wazuh-rolemappint.png

Abdullah Al Rafi Fahim

Jan 27, 2025, 2:28:56 AM
to Wazuh | Mailing List
Hello Anmol,

In the recent versions of Wazuh (since 4.8.0), the vulnerability detection module and its way of indexing the vulnerability states have been redesigned. Currently, the vulnerability states for the active vulnerabilities across your endpoints are indexed in a separate index pattern (wazuh-states-vulnerabilities-*). As you are setting document-level security for wazuh-alerts* and wazuh-monitoring* to include only the documents matching the label or group name, you can see the alerts and endpoint summary only for the agents relevant to that group. However, since you did not set any document-level security for the wazuh-states-vulnerabilities-* index to allow showing the vulnerability states only for a group of agents, it is showing vulnerabilities for all the agents.

As of now, the vulnerability states in the wazuh-states-vulnerabilities-* index do not include the agent.group or agent.labels info. However, they have agent-specific fields like agent.id or agent.name in the documents. Therefore, a workaround can be to add another index permission in step 3 of Creating and mapping an internal user as below:

Index:  wazuh-states-vulnerabilities-*

Index permissions: read

Document level security:

{
  "bool": {
    "must": {
      "terms": {
        "agent.id": ["028", "029"]
      }
    }
  }
}


You need to replace ["028", "029"] with the list of agent.id values that you have in this group of agents. It will exclude the vulnerability states for other agents and show only the vulnerabilities relevant to these agents when a user mapped to this role logs in.
Screenshot_1.jpg

Anmol Moudgil

Jan 27, 2025, 7:21:25 AM
to Wazuh | Mailing List
Hi Abdullah,

Thank you for your prompt response. The solution you provided addresses the issue effectively; however, given the large number of groups and the multiple agents enrolled in each, it would be impractical to manually add the agent.id for each agent within a group to every corresponding user group's role.

Could you kindly provide any insight into whether there are plans or a roadmap to incorporate agent.labels information into the wazuh-states-vulnerabilities-* index?


Thanks

Abdullah Al Rafi Fahim

Jan 27, 2025, 11:06:11 PM
to Wazuh | Mailing List
Hello Anmol,

Yes, the problem has already been noticed by the Wazuh team and we are already working on fixing this with a more efficient approach. You can review this GitHub issue to follow the updates on this topic: https://github.com/wazuh/wazuh/issues/24118

Anmol Moudgil

Jan 28, 2025, 12:31:40 AM
to Wazuh | Mailing List
Hello Abdullah,

Until this issue is resolved we would like to deactivate the Vulnerability Detection section. I tried adding this config to the server config; now when I try to access the Vulnerability Detection section, I get a prompt telling me that this section is currently disabled, but all the dashboards and data are still accessible. Is there any config part that I can add so that no vulnerability data is collected or is visible to the user?

<vulnerability-detection>
  <enabled>no</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
  <enabled>no</enabled>
  <hosts>
    <host>https://wazuh.indexer:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/ssl/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/ssl/filebeat.pem</certificate>
    <key>/etc/ssl/filebeat.key</key>
  </ssl>
</indexer>

Thanks

Abdullah Al Rafi Fahim

Jan 29, 2025, 12:00:14 AM
to Wazuh | Mailing List
Hello Anmol,

I would suggest a way to restrict this vulnerability states data for the custom read-only users while keeping it available for your admin user, instead of deactivating the vulnerability detection module entirely. As I already mentioned, the vulnerability states for the active vulnerabilities across your endpoints are indexed in a separate index pattern (wazuh-states-vulnerabilities-*) in your indexer. Now, for the custom RBAC users to whom you do not want to give access to this index and the relevant visualizations, you can restrict that with document-level security.

You can add another index permission in step 3 of Creating and mapping an internal user as below:

Index:  wazuh-states-vulnerabilities-*

Index permissions: read

Document level security:

{
  "bool": {
    "must": {
      "exists": {
        "field": "agent.group"
      }
    }
  }
}

Screenshot_2.jpg

This would be a trick to restrict the wazuh-states-vulnerabilities-* index entirely for the users mapped to this role, as there is no field named agent.group available in those vulnerability states. However, you can still see the vulnerability detection dashboard and inventory with your admin users.
Screenshot_3.jpg


Screenshot_4.jpg
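The two document-level security (DLS) filters in this thread, the `terms` filter on `agent.id` from the first reply and the `exists` filter on `agent.group` from the last one, can be generated and sanity-checked before being pasted into the role. The script below is an added example, not code from the thread or from Wazuh. It assumes the Wazuh API endpoint `GET /groups/{group_id}/agents` (a real endpoint, used only in a helper that is not run offline; the `select`/`limit` parameters are an assumption about the call shape) and a constructed sample reply of that shape, plus constructed vulnerability-state documents that, as the thread states, carry `agent.id` and `agent.name` but no `agent.group`. The `matches` evaluator is a hypothetical mini-interpreter for just the `bool`/`must` + `terms`/`exists` subset used here; it is not OpenSearch.

```python
"""Build and check the Wazuh indexer DLS filters discussed in the thread.

Added example (not the thread's or Wazuh's own code). Assumptions:
  * group membership comes from GET /groups/{group_id}/agents on the Wazuh API
    (call shape assumed; the helper is not executed offline);
  * documents in wazuh-states-vulnerabilities-* have agent.id / agent.name
    but no agent.group, so an `exists` filter on agent.group matches nothing.
"""
import json
import urllib.request
from typing import Any

# Constructed sample: the shape of a Wazuh API reply listing a group's agents.
SAMPLE_GROUP_AGENTS = {
    "data": {
        "affected_items": [
            {"id": "028", "name": "web-01"},
            {"id": "029", "name": "web-02"},
        ],
        "total_affected_items": 2,
    },
    "error": 0,
}

# Constructed sample documents from wazuh-states-vulnerabilities-* (no agent.group).
SAMPLE_STATE_DOCS = [
    {"agent": {"id": "028", "name": "web-01"}, "vulnerability": {"id": "CVE-PLACEHOLDER-1"}},
    {"agent": {"id": "029", "name": "web-02"}, "vulnerability": {"id": "CVE-PLACEHOLDER-2"}},
    {"agent": {"id": "030", "name": "db-01"}, "vulnerability": {"id": "CVE-PLACEHOLDER-3"}},
]


def agent_ids_from_api_reply(reply: dict) -> list[str]:
    """Pull the agent ids out of a /groups/{group_id}/agents reply."""
    return [item["id"] for item in reply["data"]["affected_items"]]


def fetch_group_agent_ids(base_url: str, group: str, token: str) -> list[str]:
    """Live helper (assumed call shape): list the agent ids of one group via the API."""
    req = urllib.request.Request(
        f"{base_url}/groups/{group}/agents?select=id&limit=500",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return agent_ids_from_api_reply(json.load(resp))


def terms_dls(agent_ids: list[str]) -> dict:
    """DLS that keeps only the listed agents' documents (first workaround in the thread)."""
    return {"bool": {"must": {"terms": {"agent.id": sorted(set(agent_ids))}}}}


def exists_dls(field: str = "agent.group") -> dict:
    """DLS that keeps only documents where `field` exists (second workaround in the thread)."""
    return {"bool": {"must": {"exists": {"field": field}}}}


def _lookup(doc: dict, dotted: str) -> Any:
    """Resolve a dotted path such as 'agent.id' inside a nested dict; None if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(doc: dict, dls: dict) -> bool:
    """Hypothetical mini-evaluator for bool/must with terms or exists clauses only."""
    must = dls["bool"]["must"]
    clauses = must if isinstance(must, list) else [must]
    for clause in clauses:
        if "terms" in clause:
            (field, values), = clause["terms"].items()
            if _lookup(doc, field) not in values:
                return False
        elif "exists" in clause:
            if _lookup(doc, clause["exists"]["field"]) is None:
                return False
        else:
            raise ValueError(f"unsupported DLS clause: {clause}")
    return True


def visible_agent_ids(docs: list[dict], dls: dict) -> list[str]:
    """Agent ids of the documents a user mapped to this DLS would still see."""
    return [_lookup(d, "agent.id") for d in docs if matches(d, dls)]


if __name__ == "__main__":
    ids = agent_ids_from_api_reply(SAMPLE_GROUP_AGENTS)
    print(json.dumps(terms_dls(ids), indent=2))          # paste into the role's DLS box
    print("terms DLS shows:", visible_agent_ids(SAMPLE_STATE_DOCS, terms_dls(ids)))
    print("exists DLS shows:", visible_agent_ids(SAMPLE_STATE_DOCS, exists_dls()))
```

Running it prints the `terms` filter for the sampled group and shows that the filter leaves agents 028 and 029 visible while hiding 030, whereas the `exists` filter on `agent.group` hides every document, which is exactly why the last reply describes it as a way to blank the index for the mapped users while admins keep full access. The `fetch_group_agent_ids` helper is what would replace the constructed sample when regenerating the `terms` list for each group after agents are enrolled or removed.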