query about security user option in wazuh 4.1


Daniel Hinojo

Mar 17, 2021, 12:44:34 AM
to Wazuh mailing list
Good afternoon, I would like to make the following query. I am currently entering the Wazuh portal with the admin user, but I would like to create another user with permissions, for example, to only view. I found in Wazuh the Security module, where it allows you to create users and associate roles. I created a user, but when trying to enter the web it does not allow me. I would like to know why, or is it not there where I should create a user? If so, what is this Security module for?

Thanks

Manuel Camona Perez

Mar 17, 2021, 3:59:12 AM
to Wazuh mailing list
Hi Daniel,

You have to differentiate between Wazuh API users and Elastic users.

To create Wazuh API users, you have to use the API itself or go to the Wazuh > Security section in Kibana. 

To create Elastic users, in Kibana, go to Security > Internal users. (users like the default admin user)

The RBAC feature can be applied to Wazuh API users. The Wazuh Security module is used for these features: Wazuh API users, policies, roles, etc.

What you want to do is create an Elastic user with RBAC permissions. This is possible using run_as.

Here you have a question I answered about RBAC. If you want to create an Elastic user with RBAC permissions, follow the steps detailed in that discussion.

Note that if you have already created an Elastic user (Security > internal users) and you have an error with a "Forbidden" message, you will have to add the role kibana_user to that user. Go to Security > Roles in order to do that. Afterwards, click on kibana_user > mapped users > manage mappings and add the user to internal users.
Note: these roles are not the same roles we have for the RBAC in the Wazuh API.

You will also need to add run_as: true to the API configuration of /usr/share/kibana/data/wazuh/config/wazuh.yml as now it is not enabled by default.

I hope this helps, don't hesitate to ask if you have more doubts about this process!

Daniel Hinojo

Mar 24, 2021, 6:40:20 PM
to Wazuh mailing list
Good afternoon, thanks for the support. I was able to create a user with the wazuh_user profile, but I have noticed that even so, with these roles the user can modify rules, restart the Wazuh manager through the web, and other things. In that case, how could I limit it so that the user I want is clearly read-only and can view certain modules or groups of agents? Please, if you could help me.

Matias Pereyra

Mar 25, 2021, 5:49:05 PM
to Wazuh mailing list

Hello Daniel!

I'm working on this, I'll come back as soon as possible.

Regards.

Matias Pereyra

Mar 26, 2021, 6:28:46 PM
to Wazuh mailing list
Sorry for the delay Daniel, we are going to check the whole process step by step until we find the problem.

I'm using Wazuh v4.1.3 for these tests.

  • First, log in as admin in the Wazuh UI. We are going to use the Dev tools to set the RBAC mode as white: everything is forbidden if we don't explicitly allow it.
    PUT /security/config {"rbac_mode": "white"}
  • Then, open /usr/share/kibana/data/wazuh/config/wazuh.yml and set the run_as field to true. Don't forget to restart all the services. You should see something like this:
    hosts: 
         - default:
             url: https://localhost
             port: 55000
             username: wazuh-wui
             password: wazuh-wui
             run_as: true

  • Now create a Kibana user from Security->Internal users.

  • We need to assign the kibana_user role to this user. Go to Security->Roles->kibana_user and use the Manage mapping button to assign it.
  • I'm using user1 for this test.

  • Now, log in with the new user you created, user1 in the example. If we go to Dev tools and run GET /security/users/me/policies, you should see that this user isn't able to do anything.

  • Come back to the admin account, we are going to give this user some permissions. In the Wazuh->Security section, go to the Roles mapping tab.
  • Click on Create Role mapping and assign the new user a role, for example, agents_read_only. You could later create more roles with the API and assign them too.

  • Come back to user1 and check its permissions. You should see the new role assigned.

    If you need to create new policies and roles, use the API and then assign them to the users. Here is an example related to restarting agents:

    POST /security/policies
    {
      "name": "allow_restart",
      "policy": {
         "actions": [
          "agent:restart"
        ],
        "resources": [
          "agent:id:*"
        ],
        "effect": "allow"
      }
    }

    POST /security/roles
    {
      "name": "team_restart"
    }
 
    Now, assuming that the policy and role ID are 100, you have to assign the allow_restart policy to the team_restart role.

    POST /security/roles/100/policies?policy_ids=100
  
    The last step would be to assign this new role to the user, the same way we did for the agents_read_only role.


    I hope this information is useful to you; write us again if you are still having trouble with this feature.
    Regards.
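A toy model of the white/black mode decision and the allow/deny policies described above, added here as an illustration rather than Wazuh's own code; the agents_read and deny_restart_007 policies are constructed, and the wildcard matching and deny-over-allow precedence are simplified assumptions:

```python
"""Simplified model of the Wazuh RBAC decision discussed in the thread.

Added example, not Wazuh's code. Assumptions: a policy has the shape posted
to POST /security/policies; "agent:id:*" is matched with shell wildcards;
an explicit deny beats any allow; rbac_mode "white" denies whatever no
policy allows, "black" allows whatever no policy denies.
"""
from fnmatch import fnmatchcase

# Policy taken from the thread: the role may restart any agent.
ALLOW_RESTART = {"name": "allow_restart", "policy": {
    "actions": ["agent:restart"], "resources": ["agent:id:*"], "effect": "allow"}}

# Constructed for this example: read access to all agents, and a deny that
# protects one agent from restarts even though allow_restart covers it.
AGENTS_READ = {"name": "agents_read", "policy": {
    "actions": ["agent:read"], "resources": ["agent:id:*"], "effect": "allow"}}
DENY_RESTART_007 = {"name": "deny_restart_007", "policy": {
    "actions": ["agent:restart"], "resources": ["agent:id:007"], "effect": "deny"}}

ROLE_POLICIES = [ALLOW_RESTART, AGENTS_READ, DENY_RESTART_007]


def evaluate(policies, action, resource, rbac_mode="white"):
    """Return True if `action` on `resource` is permitted under `policies`."""
    allowed = False
    for entry in policies:
        pol = entry["policy"]
        if action not in pol["actions"]:
            continue
        if not any(fnmatchcase(resource, pat) for pat in pol["resources"]):
            continue
        if pol["effect"] == "deny":
            return False  # deny is final, whatever else matched
        allowed = True
    if allowed:
        return True
    # Nothing matched: in white mode the default is deny, in black mode allow.
    return rbac_mode == "black"


def user1_checks(rbac_mode="white"):
    """Decisions for the example role set, keyed by (action, resource)."""
    probes = [("agent:restart", "agent:id:001"),   # allowed by allow_restart
              ("agent:restart", "agent:id:007"),   # blocked by the deny
              ("agent:read", "agent:id:007"),      # allowed by agents_read
              ("agent:delete", "agent:id:001")]    # no policy: mode decides
    return {p: evaluate(policies=ROLE_POLICIES, action=p[0], resource=p[1],
                        rbac_mode=rbac_mode) for p in probes}
```

Running user1_checks("white") and user1_checks("black") side by side shows that only the unmatched agent:delete probe changes with the mode; the explicit deny holds in both.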

Daniel Hinojo

Mar 29, 2021, 10:38:31 AM
to Wazuh mailing list

Matias Pereyra

Mar 30, 2021, 8:51:09 AM
to Wazuh mailing list
Hello Daniel!

If you are trying to see the Wazuh -> Modules -> Security events section and finding an error like this, you need to give the user the proper permissions to read the Wazuh indexes.


  • First, create a new Elastic role and give it read permissions to wazuh-* indexes.
  • I've created the read_index_role and it should look like this (confirm the read permissions).
  • Then, assign the user to the new role. In this example, I have used user1.
  • Finally, user1 should be able to open the dashboard.

Write us again if you have any problem during the process!
Regards.

Daniel Hinojo

Mar 30, 2021, 5:06:42 PM
to Wazuh mailing list
Thank you very much for your help.
I tested and everything is fine, but I have the following observation: in the Kibana Dashboard part, with my user that is in reading mode I can modify the dashboards that were created with the admin user. In that case, how can I restrict modifying a dashboard already made?

Matias Pereyra

Mar 31, 2021, 5:15:23 PM
to Wazuh mailing list
If you need to manage Dashboards and their permissions, you should consider Kibana multi-tenancy.

This feature of ODFE (Open Distro For Elasticsearch) has to be first enabled. Add the following lines to your kibana.yml and restart all services:

    opendistro_security.multitenancy.enabled: true
    opendistro_security.multitenancy.tenants.preferred: ["Global", "Private"]

Then, you can go to the same Security section and modify the roles to include different tenants and their corresponding permissions. Here I am assigning Read only to the test tenant.

Regards.
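The Elastic-side setup from the Mar 30 and Mar 31 replies (read access to the wazuh-* indexes, the user mapping, and a read-only tenant) expressed as Open Distro security plugin configuration, added here as an illustration and not taken from the thread; the read_index_role, user1 and test names come from the thread, the roles.yml / roles_mapping.yml / tenants.yml layout is the plugin's own, and kibana_all_read is the plugin's read-only tenant action:

```yaml
# roles.yml: one role that can read the Wazuh indexes (Mar 30 reply) and
# only read dashboards in the "test" tenant (Mar 31 reply).
_meta:
  type: "roles"
  config_version: 2

read_index_role:
  reserved: false
  cluster_permissions: []
  index_permissions:
    - index_patterns:
        - "wazuh-*"
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "test"
      allowed_actions:
        - "kibana_all_read"   # dashboards visible, not editable
---
# roles_mapping.yml: attach the role to the internal user created earlier.
_meta:
  type: "rolesmapping"
  config_version: 2

read_index_role:
  reserved: false
  users:
    - "user1"
---
# tenants.yml: the tenant referenced above must exist.
_meta:
  type: "tenants"
  config_version: 2

test:
  reserved: false
  description: "Read-only tenant for shared dashboards"
```

The same result can be reached through the Security UI screens the replies walk through; the YAML only makes the three pieces (index read, user mapping, tenant read) visible in one place.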