Question about RBAC


Ibrahim

Nov 4, 2020, 2:50:15 PM
to Wazuh mailing list
Hello,

First of all thank you so much for this great feature.
I followed all the steps in order to create custom policies and roles for specific users in Elastic, but unfortunately it didn't work. I describe here the deployment and the next steps.

1- Installing ELK basic license and Wazuh APP, both on the same node.
2- Enabling X-Pack security.
3- Set RBAC in Black mode.
4- Create a new Policy and a new Role (agent:read, Resource *, "Deny"), then assign the policy to the role.

Now I have 2 questions:

I should create a user and assign the Role to that user. Actually I did this phase and it succeeded, but I couldn't see any created users in the security section. (Does that user refer to the Wazuh API?)

So I believe that we can assign the Roles to Elastic users, as I could see those users in the Security section of Wazuh. I assigned that Role to a newly created user in Elastic, but that also didn't work for reducing the privileges.

I have several users in Elastic; I need to reduce and customize their privileges in the Wazuh APP, according to their own agents and activities.

Any help please?

Thanks.

Manuel Camona Perez

Nov 5, 2020, 5:14:12 AM
to Wazuh mailing list
Hi Ibrahim,

I am glad to know that you liked the new RBAC feature, thanks for getting interested in it!

When we talk about users in the RBAC section of the Wazuh API, we refer to users of the Wazuh API.
If you created users in the Wazuh API, it is normal that you do not see the created users in the Kibana security section; that is because, as I said, Elastic users are not these users.

In order to use RBAC features with the Kibana users, follow these steps:

- Create a new policy and a new role following this documentation: https://documentation.wazuh.com/4.0/user-manual/api/rbac/configuration.html. I think you followed this step properly. You could have done it using the security section in the Kibana APP, too.

- Create a Kibana user with X-Pack configured. In order to create it, go to security > internal users. When you create it, you will see it in the Wazuh security section. Omit this step if you already have users in Kibana.


- After having created the user, you have to add the role kibana_user to that user. Go to security > roles in order to do that. Afterwards, click on kibana_user > mapped users > manage mappings and add the user to internal users.
Note: these roles are not the same roles as we have for the RBAC in the Wazuh API.



- After that, go to Wazuh > Security > Users. Click on the user you created and you will see a roles section. Click on select roles and assign the RBAC role you created in the Wazuh API. You can see this step in the next photo. After that, log in with the new user and the new permissions must be working. You can go to dev_tools and execute GET /security/users/me/policies in order to check that you have the policies you assigned to the role.




I hope this helps, do not hesitate to ask if you have more questions!

Manuel Camona Perez

Nov 5, 2020, 5:24:07 AM
to Wazuh mailing list
Sorry but the photos were not sent.
In this reply you have them in the order they appear in the message above:

Attachments: 1.png, 2.png, 3.png, 4.png


Sorry for the inconvenience!

Ibrahim

Nov 5, 2020, 1:01:08 PM
to Wazuh mailing list
Hello Manuel,
Thanks for your help,

I believe that you are using elastic_opendistro; anyway, it's not a problem while X-Pack is enabled in the basic license.

I followed your instructions:
1- RBAC >> Black mode.
2- Elastic User created with a restricted Role at the level of APPS and Indices.
3- Policy and Role created in Wazuh-Security.
4- Link the Wazuh-Role to the Elastic user.

But actually, when I log in using the new user, I can see everything as normal: I can see all agents with their events, while I deny this in the Wazuh policy.

Attachments: 1.png, 2.png, 3.png

Is RBAC designed to be used with Elastic users or just the Wazuh API?

Regards.

Manuel Camona Perez

Nov 9, 2020, 2:41:03 AM
to Wazuh mailing list
Hi again Ibrahim,

Sorry for the late response. 

Yes, I was using opendistro but the process is the same for xpack.

Have you checked that you have the wazuh-wui user instead of wazuh in ./usr/share/kibana/optimize/wazuh/config/wazuh.yml? If not, add a host to the file so you have something similar to this example (the ID can be whatever):

hosts:
  ...
  - 1111111111111:
      url: https://wazuh
      port: 55000
      username: wazuh-wui
      password: wazuh-wui
After that, make sure you are using the API entry related to that host. In my example, the host added is selected in the next image (the API entry selector will appear only if you have more than one API host):


About your last question, RBAC can be used with both the Wazuh API users and with the Elastic users. In this context, we are trying to apply RBAC to the Elastic users you are using in your Kibana APP.

If you have more questions, do not hesitate to ask!

Manuel Camona Perez

Nov 9, 2020, 2:45:45 AM
to Wazuh mailing list
Attachment: Captura de pantalla de 2020-11-09 08-29-32.png

Ibrahim

Nov 9, 2020, 5:23:43 PM
to Wazuh mailing list
Hello Manuel,
Thank you, yes you are right: the user wasn't wazuh-wui but another one I had created. Now the policies and roles are working fine.

But I have noticed a problem:
The first test I did in White mode was using the role "agents_readonly", which belongs to two policies, "agents_read_agents" and "agents_read_groups".
It works fine, and everything was denied except what the Role allows.

I tried to make my own policy to allow specific agents for the user test in Kibana using:

curl -k -X POST "https://localhost:55000/security/policies?pretty=true" -H  "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"name\":\"agent_read_mine\",\"policy\":{\"actions\":[\"agent:read\"],\"resources\":[\"agent:group:test\"],\"effect\":\"allow\"}}"
 
But I saw that everything was denied. I did so many tests and nothing was accepted except "agent:group:*" or "agent:id:*".

So after so many tests I saw that in White mode, applying policies to specific agents (agent:id:any) or to agents belonging to a group (agent:group:any) will not be accepted.
___________________________________

When setting RBAC in Black mode and trying to restrict the privileges on some agents or groups, it was working fine: I did the same API request and, instead of allow, I put Deny.

I could see the correct number and names of the agents that are allowed, and the rest denied.

I thought to do the following:
1- Set RBAC in Black mode.
2- Create a policy (deny all) except agent:read.
3- Create another policy to Deny agent:read, and specify what I want for the Elastic user.
4- It went fine, but it's heavy work and more complicated; also, what I did is what RBAC in White mode does.


So what would you recommend me, Manuel?

Regards.

Manuel Camona Perez

Nov 10, 2020, 8:21:05 AM
to Wazuh mailing list
Hi again Ibrahim,

- About your first question:

The policy you created means that you will allow reading information from agents that belong to the specified group named "test". You said you wanted to allow specific agents information for the user "test", so you have probably misunderstood what the resource does. Here you will find info about the RBAC reference. 

After creating the policy, you have to create a role:
curl -k -X POST "https://localhost:55000/security/roles?pretty=true" -H  "accept: application/json" -H  "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"name\":\"role_read_mine\"}"
Assign the policy created to the role (104 is the role_id and 103 is the policy_id):
curl -k -X POST "https://localhost:55000/security/roles/104/policies?policy_ids=103&pretty=true" -H  "Authorization: Bearer $TOKEN"
After that, assign the role to the user where you want to have the restriction, as we have seen in my last responses. You can use the Kibana Wazuh security section or do it via the Wazuh API. Note that if you do it via the API, you cannot assign roles to Kibana users, only to Wazuh API users.
Ok, now we have a role with a policy that allows reading the agents that belong to the group "test". With the admin user, I have created the test group and I have assigned an agent to it in order to test what we have done. Now, if you log in as the user you assigned the role to, you will be able to read the information of agents from group "test".
- About your second question:

I recommend that you use the white mode in order to do it. Not only is doing it with the RBAC black mode more complicated, but it is also much worse if we talk about security. Note that if you are using the RBAC black mode, you could have security issues. For instance, if you upgrade to a new version with new resources, you will have to update the policies in order to deny these new resources; if not, you will have an important security breach.
Have a look at the RBAC documentation in order to understand all the RBAC concepts better.


If you are still having problems, let me know your specific use case so I can help you in a more specific way.
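To make the white-mode versus black-mode point above concrete, here is an added Python model (not code from the thread or from Wazuh) of how a request on an agent is checked against policies shaped like the ones posted in this thread. The agent inventory, the "deny beats allow, then the mode default" precedence and the `agent:id:*` wildcard matching are assumptions of this example, not a statement of Wazuh's internal algorithm.

```python
import fnmatch

# Constructed agent inventory for the example (agent id -> groups); not from the thread.
AGENTS = {
    "000": ["default"],            # the manager's own agent
    "001": ["default", "test"],    # the one agent Manuel put in group "test"
    "002": ["default"],
}

def agent_resources(agent_id, agents):
    """Resource strings a request about this agent can be matched against."""
    return {"agent:id:" + agent_id} | {"agent:group:" + g for g in agents[agent_id]}

def policy_matches(policy, action, resources):
    """A policy applies if it lists the action and one of its resource
    patterns (e.g. 'agent:group:test', 'agent:id:*', '*') matches."""
    if action not in policy["actions"]:
        return False
    return any(fnmatch.fnmatchcase(res, pat)
               for pat in policy["resources"] for res in resources)

def is_allowed(mode, policies, action, agent_id, agents=AGENTS):
    """Assumed precedence: an explicit deny wins, then an explicit allow,
    otherwise the mode default (white = deny, black = allow)."""
    resources = agent_resources(agent_id, agents)
    effects = {p["effect"] for p in policies if policy_matches(p, action, resources)}
    if "deny" in effects:
        return False
    if "allow" in effects:
        return True
    return mode == "black"

# The policy body from the thread: read only agents in group "test".
AGENT_READ_MINE = {"actions": ["agent:read"],
                   "resources": ["agent:group:test"], "effect": "allow"}
# The black-mode counterpart Ibrahim tried: deny the other agents one by one.
DENY_OTHERS = {"actions": ["agent:read"],
               "resources": ["agent:id:000", "agent:id:002"], "effect": "deny"}

def new_agent_leak(agents=AGENTS):
    """Register a new agent after the deny list was written: in black mode it
    becomes readable (nothing denies it), in white mode it stays unreadable."""
    later = dict(agents, **{"003": ["default"]})
    return (is_allowed("black", [DENY_OTHERS], "agent:read", "003", later),
            is_allowed("white", [AGENT_READ_MINE], "agent:read", "003", later))
```

`new_agent_leak()` returns `(True, False)`: the black-mode deny list silently stops covering anything registered after it was written, which is the upgrade risk Manuel describes.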

Ibrahim

Nov 10, 2020, 6:23:37 PM
to Wazuh mailing list
Hello Manuel,
Thanks for your explanation,
What you mentioned about what I am doing is correct: I need a role with a policy for a user that allows him to read only the agents from a specific group. I have already done all the previous steps, and I also attach screenshots here.

The problem is that when I log in using that user and go to the agents portal, I can't see any agent, while there is one agent belonging to the "test" group; you can see screenshot 5.

I did one more test: I registered another agent, and then the portal showed 1 active agent; I registered a third and then 2 active appeared, and so on.

thank you for your help Manuel.

Regards.

Attachments: 4.png, 5.png, 3.png


Manuel Camona Perez

Nov 11, 2020, 6:59:12 AM
to Wazuh mailing list
Ok, now I understand what is happening. I am afraid to say that this is a known error that makes an internal query not return the proper information when the user does not have agent 000 in its permissions (which I think is your case).
Here you can track the issue. In spite of this error, your RBAC permissions seem to be working properly.

Sorry for the inconveniences caused.
Do not hesitate to ask if you have more questions!

Ibrahim

Nov 11, 2020, 12:00:30 PM
to Wazuh mailing list
Exactly, Manuel, it is the same case I have.
I will be tracking that issue.

thank you again for your help.

Regards.
