RBAC adent:id issue

81 views
Skip to first unread message

Gal Akavia

unread,
Sep 22, 2021, 2:54:01 PMSep 22
to Wazuh mailing list
Hi,

Great RBAC!
Im using wazuh version 4.1.5
I will be thankfull for a little help hehe..
Im try to configue in the WUI readonly access for a user to spesific agent (Don't want him to see all the agents security events - only for a spesific one).
I did does steps in Kibana & Wazuh but still that privilegless user  keep see all the agents i have on the Wazuh > Modules> security events.

Kibana:
1. I created internal user (in WUI user-Run_as allow & /usr/share/kibana/data/wazuh/config/wazuh.yml)
C1.PNG
2. I created new role and assign it the following:

C1.PNGC2.PNGC3.PNG

3. Mapped my user to that role.

Wazuh WUI:
1. 
C1.PNG

2. I created 2 policies and then apply them to a role, first allow the following Allow(G_testt) to spesific\all agents and the disallow permissions to thoes spesific agents;
(tried alot of variations with that policies, with the Allow & Disallow together\seperate, and diffrent order of priority)

G_testt = allow
C1.PNG

G_test_DisallowPolicy
C2.PNG
above Resources I wanna DENY read\watching access to does praticular agents (006 for example) for that test user but still seeing them in the security events!!

3. Roles (As above i tried many variations like with\without the allow policy(G_test) and i changed the roles & policies assign to it, it is the main one i stay with now)
C1.PNG

C2.PNG
4. Roles mapping (few variations that i tried  at Roles);

C1.PNG

*** inside look ***
C1.PNG


All thoes steps but still that permissionsless-user keep seeing all the agents at my Wazuh security events 

Please help :)

I know thats alot to read and yet, Its the fully steps to made RBAC with Wazuh-Kibaba WUI 4.1.5 after i combined all the guides i saw so.. thats still nice for anybudy who want to create it . . .    ;)



Gal Akavia

unread,
Sep 22, 2021, 3:06:12 PMSep 22
to Wazuh mailing list
To be more clear, at Kibana step 3 thats the screen i mapped the internal user (Gal_test)
C1.PNG

About step 2 in Wazuh, the priority order i tooked from here, Last-in is the High priority >

step 2 in my main post there is some writing errors so, forgive me =P

carlos...@wazuh.com

unread,
Sep 23, 2021, 5:22:56 AMSep 23
to Wazuh mailing list
Hi,

Let me answer you with a guide of the exact steps you should follow in order to achieve this goal, so it can be useful both for you, who already have most of it done, and for the rest of the community that may want to do it from scratch.

These would be the steps:


STEP 1: CREATE A GROUP FOR YOUR AGENTS

This is a very important step I think you are missing. The idea is to add to this group every Agent you want your user to be able to see.

Create the group by accessing Wazuh > Management > Groups > Add new group

step1-1.png
step1-2.png

It is important to save the name of the group as we will need it. In this example I'm creating a new group called "community".


STEP 2: CREATE AN INTERNAL USER

Note: If you have already created the user you can skip this step.

Go to Security > Internal users and create a new user.

step2-1.png

STEP 3: CREATE A KIBANA ROLE

Go to Security > Roles and create a new one with the following permissions:

step3-1.png

Then add the following Document level security, replacing the agent.labels value with the name of the group created at step 2 as the label name in the "match_phrase":

{
  "bool": {
    "must": [],
    "filter": [
      {
        "match_all": {}
      },
      {
        "match_phrase": {
          "agent.labels.community": "yes"
        }
      }
    ],
    "should": [],
    "must_not": []
  }
}

STEP 4: CREATE A RBAC POLICY

Go to Wazuh > Security > Policies and create a new one. 
step4-1.png

You should include the desired allowed actions for that particular user. You will need to specify the agent group name as the Resource Identifier. Take a look at the following example:
step4-2.png

STEP 5: CREATE A RBAC ROLE

Go to Wazuh > Security > Roles and create a new role assigning to it the new Policy we created

step5-1.png

STEP 6: CONFIGURE WAZUH RBAC IN KIBANA

For the next step you will need to use the wazuh-wui user with run_as enabled. To enable this, access your Kibana host and set the run_as parameter to true in the /usr/share/kibana/data/wazuh/config/wazuh.yml configuration file. Save it and restart the Kibana service. Here is an example of how the configuration file should look after applying this change:

hosts:
 - default:
    port: 55000
    username: wazuh-wui
    password: wazuh-wui
    run_as: true   

Also make sure you are using RBAC white mode. You can find more information about the white mode and how check if it is enabled here


STEP 7: ADD THE ROLE MAPPING

Finally go to Wazuh > Security > Roles mapping and save a new role mapping using the internal user we created in Step 2 and the role name of the Step 5.
step6-1.png


HOW TO TEST THIS

Now it should work as expected. Keep in mind that you probably need to clear your browser cache. Try using incognito mode to see that everything works as you expect.

Here is an example of the results after configuring this to make the agent 002 the only one available for my example user:
results.png
As you can see, even I have more agents registered only the 002 is visible for my current user. The same applies to the Wazuh agents alerts.

I hope this helps. Let me know if you have further questions regarding this topic.

Gal Akavia

unread,
Sep 23, 2021, 6:28:49 AMSep 23
to Wazuh mailing list
Hello Carlos! tnx for replay, according to your instractions i created a group and assign to it the spesific agent,
2 silly quetions, 
1. where does configuration are located?
C1.PNG



2. RBAC white or black mode (-), i saw that but im using WUI and im not sure how to set is with cURL, is there another option trough the WUI or strate trough my host machine?

Gal Akavia

unread,
Sep 23, 2021, 10:05:09 AMSep 23
to Wazuh mailing list
OK after checked im on RBAC white mode, 
I just need to specift that group name as u suggested but where\how am i doing that ?    "/

carlos...@wazuh.com

unread,
Sep 23, 2021, 10:07:16 AMSep 23
to Wazuh mailing list
Hi again,

Don't worry about the questions. Ask whatever you need. We are glad to help the community.

The Document level security configuration must be specified when creating the Kibana Role and can be found here:
Selección_467.png
Just type the configuration I shared with you, replacing "community" with the name of your agent's group and you are good to go.

Regarding the RBAC white or black mode, you can easily check this by using the Wazuh API. The Wazuh UI provides a useful tool called API Console that allow you to run API commands without needing to access your manager by console. You can find the API console here:
api1.png
With this consule just run the following API endpoint:
api2.png
You can change the rbac mode by using this other endpoint, if needed. Finally, you can find more information about the different RBAC modes here.

Let me know if you need further assistance.

Gal Akavia

unread,
Sep 23, 2021, 12:07:59 PMSep 23
to Wazuh mailing list
After i added it i got the following errors;

C1.PNG

index permissions:
C2.PNG

I removed Document level security and its working.
Even if i use the private tenant i got does errors.

Any suggets friend?

Gal Akavia

unread,
Sep 23, 2021, 1:33:45 PMSep 23
to Wazuh mailing list
C1.PNG

Gal Akavia

unread,
Sep 24, 2021, 6:48:59 AMSep 24
to Wazuh mailing list
I checked the test user policies, seems i did all by the book cut still it enable to see all agents events,
Dev Toold > 
GET /security/users/me

OUTPUT:
{
  "data": {
    "affected_items": [
      {
        "id": 2,
        "username": "wazuh-wui",
        "allow_run_as": true,
        "roles": [
          {
            "id": 100,
            "name": "G_test",
            "policies": [
              {
                "id": 100,
                "name": "G_testt",
                "policy": {
                  "actions": [
                    "ciscat:read",
                    "mitre:read",
                    "rootcheck:read",
                    "syscheck:read",
                    "sca:read",
                    "syscollector:read",
                    "agent:read"
                  ],
                  "resources": [
                    "agent:group:agents_4-5",
                    "agent:id:004",
                    "agent:id:005"
                  ],
                  "effect": "allow"
                }
              }
            ],
            "rules": [
              {
                "id": 100,
                "name": "G_test_RoleMap",
                "rule": {
                  "FIND": {
                    "user_name": "Gal_test"
                  }
                }
              }
            ]
          }
        ]
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Current user information was returned",
  "error": 0
}


 in the other hand that user can see in the Agents dashbord only agents 004 & 005 as config it to see.

is that a bug ? 

carlos...@wazuh.com

unread,
Sep 27, 2021, 11:28:12 AMSep 27
to Wazuh mailing list
 
Hi,

First of all, let me clarify the differences between Wazuh's RBAC and OpenDistro's RBAC, as there seems to be some confusion about it.
  • OpenDistro RBAC allows you to restrict a user's access to Kibana alerts and other actions.
  • Wazuh API RBAC allows you to restrict user access to different resources and actions that affect the operation of Wazuh itself, such as managing agents, modifying configurations, restarting Wazuh, etc.
It is possible to combine them, to take advantage of the capabilities that both offer.

That said, events are not managed by Wazuh's RBAC, but by OpenDistro's RBAC. That's why if you want a Wazuh policy to limit the display of some element, such as alerts, it has to be using the Document Level Security field. That's why you need to configure the Document Level Security as I specified before.


Regarding the issue of not seeing the alerts, have you made sure you are using a date filter in which there are events available? For example, in my example below I have no alerts for today, so I see this.

alerts1.png


However, if I select a wider filter (the last 7 days), I see that it works perfectly with the configuration I have given you:

alerts2.png
Please make sure your agent has events available for the time range specified.

Gal Akavia

unread,
Sep 28, 2021, 10:56:56 AMSep 28
to Wazuh mailing list
Hi carlos, tnx for replay.
I will explain my errors and targets.
1. I successfully configured to made that user to see wazuh spesific info for 2 agents and not all.
2. As you explain above, I used document level as you said because i want that user to see only thoes 2 agents alerts,
 i just changed the ".community" with my group as you can see:
‏‏לכידה.PNG

But,
After i configure it as above i got the following errors, i cannot signin to wazuh web interfaces:
‏‏לכידה.PNG

So document level give me those errors, you can see my index-pattern for that user
‏‏לכידה.PNG


After i remove document level as mention above the errors is fixed..

What am i missing?



Gal Akavia

unread,
Sep 29, 2021, 12:34:58 PMSep 29
to Wazuh mailing list
Carlos thank for all,
i success to do it even without the document level security.
tnx man

Reply all
Reply to author
Forward
0 new messages