Create user to access only the Integrity monitoring Module


Nepolean

Jul 26, 2023, 2:47:18 AM
to Wazuh mailing list
Hi Team,

Is it possible to create a user who can check the integrity monitoring module of Wazuh? I tried creating a read-only user, but it was overwhelming creating roles, since I am new to user creation. Is it possible to meet my requirement?

Thanks
Nepolean

Antonio David Gutiérrez

Jul 26, 2023, 6:16:09 AM
to Wazuh mailing list
Hi Nepolean,

Yes, it is possible to create a user who can check the integrity monitoring module.

You should know the Wazuh plugin displays data that is stored in 2 different places:
- Wazuh API
- Wazuh alerts (indexed as documents in Wazuh indexer or Elasticsearch, depending on your stack)

Each of them needs to be configured to grant the permissions.

The Integrity monitoring module has 3 tabs:
- Inventory: display the inventory related to the files. The data is coming from Wazuh API.
- Dashboard: display the Wazuh alerts in visualizations. The data is stored in Wazuh indexer/Elasticsearch.
- Events: display the Wazuh alerts as a table. The data is stored in Wazuh indexer/Elasticsearch.

So, if you want the user to be able to see all the data of this module, then the user needs permissions for the Wazuh API (to see the Inventory tab) and Wazuh indexer/Elasticsearch (Dashboard and Events tabs).

Depending on your use case, you could restrict the user permissions to only see data related to the integrity monitoring module (in Wazuh API and Wazuh indexer) for the logged user or have a generic read-only user that can see data related to other modules.

Documentation to create a read-only user: https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#creating-and-setting-a-wazuh-read-only-user

Nepolean

Jul 29, 2023, 5:06:33 AM
to Wazuh mailing list

@Antonio Really thankful for your answer. What I meant to ask is, is it possible to create a user who can view ONLY the integrity monitoring module of Wazuh. Sorry for not clearly conveying. I tried creating roles for the user. Is my requirement possible by adjusting things at creating document level security while creating roles?

Antonio David Gutiérrez

Jul 31, 2023, 10:42:51 AM
to Wazuh mailing list
Hi @Nepolean,

If you are referring to restricting the user so that he can only see the Integrity monitoring module in the menu of the Wazuh plugin or the section, that is not possible. As a workaround, you can restrict the permissions using the document level security of the user so that he can only read the documents related to Wazuh alerts of the Integrity monitoring module. With this workaround, if the user enters another module, he could not get documents (alerts) for that module.

If you want to use the document level security, you could use it as a filter, the same filter used by the Wazuh plugin for the Integrity monitoring module where the "rule.group" field is (or contains) "syscheck". You can see the added filter under the search bar.

Nepolean

Aug 3, 2023, 5:09:40 AM
to Wazuh mailing list
Thanks a lot @Antonio. I tried the way you suggested. I tried creating a role with the permissions as in the screenshot. But when I log in to the dashboard with the mapped user, it says something went wrong. Is it the right way to do this?
Screenshot (98).png

Antonio David Gutiérrez

Aug 3, 2023, 10:39:30 AM
to Wazuh mailing list
Hi Nepolean,

What error are you getting? I guess the problem is caused because the user needs more permissions to work correctly.

What version of the Wazuh dashboard and Wazuh indexer are you using? I will try to create the user and see the permissions requirements.

Antonio David Gutiérrez

Aug 3, 2023, 11:38:32 AM
to Wazuh mailing list
Hi Nepolean,

I was testing the permissions configuration and I got it.

You could configure the permission based on the documentation to create a generic read-only user. See https://documentation.wazuh.com/4.4/user-manual/user-administration/rbac.html#creating-and-setting-a-wazuh-read-only-user.

According to this documentation, it adds some permissions that maybe could be missing in your configuration and causing the errors. They are:
- Cluster permissions: cluster_composite_ops_ro
- Tenant permissions: global_tenant and select the Read only option.

So, you should ensure the user has these permissions, which could be provided by the same role that defines the document level security or by another role that is mapped to the user too.

In my case, I did the following steps:

1. Create a new role with:
- Index permissions:
  - Index: wazuh-alerts-*
  - Index permissions: read
  - Document level security:
{
  "bool": {
    "must": {
      "match": {
        "rule.groups": "syscheck"
      }
    }
  }
}
2023-08-03_17-23.png
2. Map the created role to the user
2023-08-03_17-26.png
3. Map the kibana_user role to the user. This should give the cluster permissions (cluster_composite_ops_ro) and permissions in the indices related to the tenants that are explained in the example of the read-only user in the Wazuh documentation https://documentation.wazuh.com/4.4/user-manual/user-administration/rbac.html#creating-and-setting-a-wazuh-read-only-user.

> Tip: I mapped the user directly, but you could get this mapping through the backend role if the user is configured to have a backend role that is used in this mapping. For example, regarding the role mapping for the kibana_user role, if the user wazuh_user_fim_ro has the kibanauser backend role, it would not be necessary to map the user directly, so you could control the mapped role through the backend role instead of the specific user. Choose the approach you like.

2023-08-03_17-28.png
And the user should be able to log in without problems.

For example, if the user goes to the Modules > Security events section, he can only see the alerts related to integrity monitoring because these are tagged with the rule.groups: syscheck that I used in the document level security.
2023-08-03_17-33.png

I hope this can help you.
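
The role and role mappings from the steps in the message above, written as request bodies for the security REST API of the Wazuh indexer (OpenSearch security plugin), with a small emulation of the document level security filter over constructed alerts. This is an added example, not part of the original messages; the role name wazuh_fim_ro, the helper names and the sample alerts are assumptions, and the emulation assumes rule.groups is a keyword field.

```python
import json

# DLS query posted in the thread: keep only alerts tagged with the syscheck group.
DLS_QUERY = {"bool": {"must": {"match": {"rule.groups": "syscheck"}}}}
USER = "wazuh_user_fim_ro"   # user name from the thread's tip
ROLE = "wazuh_fim_ro"        # hypothetical role name

def build_role():
    """Body for PUT _plugins/_security/api/roles/<ROLE> (step 1)."""
    return {"index_permissions": [{
        "index_patterns": ["wazuh-alerts-*"],
        "allowed_actions": ["read"],
        # The API takes the DLS query as a JSON string, not a nested object.
        "dls": json.dumps(DLS_QUERY),
    }]}

def add_user(existing_mapping, user=USER):
    """Body for PUT _plugins/_security/api/rolesmapping/<role> (steps 2 and 3).
    PUT replaces the whole mapping, so merge into what is already there."""
    merged = {k: list(existing_mapping.get(k, []))
              for k in ("users", "backend_roles", "hosts")}
    if user not in merged["users"]:
        merged["users"].append(user)
    return merged

def dls_allows(alert, query=DLS_QUERY):
    """Emulate the filter, assuming rule.groups is a keyword field so that
    match means: some element of the array equals the value exactly."""
    field, wanted = next(iter(query["bool"]["must"]["match"].items()))
    value = alert
    for part in field.split("."):
        value = value.get(part, {}) if isinstance(value, dict) else {}
    return wanted in (value if isinstance(value, list) else [value])

# Constructed sample alerts (not taken from a real deployment).
SAMPLE_ALERTS = [
    {"id": "a1", "rule": {"groups": ["ossec", "syscheck", "syscheck_file"]}},
    {"id": "a2", "rule": {"groups": ["syslog", "sshd", "authentication_failed"]}},
    {"id": "a3", "rule": {"groups": ["rootcheck"]}},
    {"id": "a4", "rule": {}},
]

def visible_ids(alerts=SAMPLE_ALERTS):
    """Ids of the alerts the restricted user would get back."""
    return [a["id"] for a in alerts if dls_allows(a)]

if __name__ == "__main__":
    print(json.dumps(build_role(), indent=2))
    # Constructed stand-in for the current kibana_user mapping.
    print(add_user({"backend_roles": ["kibanauser"], "users": []}))
    print(visible_ids())
```

Fetch the current kibana_user mapping with a GET on the same rolesmapping path and pass it to add_user before sending the PUT, so an existing backend role mapping is not overwritten.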

Antonio David Gutiérrez

Aug 3, 2023, 11:43:18 AM
to Wazuh mailing list
The guide explained in the previous message only restricts the permissions to see the indexed data of Wazuh alerts.

But if you want to restrict the data that the user is able to see related to Wazuh API, for example, to only be able to see the Inventory tab of the Integrity monitoring module, then you will have to map the logged user with roles of the Wazuh API. You could create custom policies and roles in the Wazuh API to get this if you need it.