Alternative to X-Pack


C. L. Martinez

Jun 11, 2018, 8:41:18 AM
to wa...@googlegroups.com
Hi all,

If I am not wrong, Wazuh does not yet have X-Pack support, right? Is there some alternative to control access to Wazuh's dashboards?

Thanks.

jesus.g...@wazuh.com

Jun 11, 2018, 8:47:40 AM
to Wazuh mailing list
Hi C.L. Martínez, we haven't got well-formatted documentation for X-Pack, but currently we are supporting X-Pack and we
are managing roles from Elasticsearch to keep your Wazuh App limited by user role. Regarding the documentation,
we are working on it and it's going to be published soon.

For now I can help you achieve this task. Let me know a bit more about your environment and your requirements;
that way I can guide you to the solution that matches your situation.

Regards,
Jesús

C. L. Martinez

Jun 11, 2018, 9:10:07 AM
to jesus.g...@wazuh.com, Wazuh mailing list
Many thanks Jesus.

I have three Wazuh managers configured as a cluster (one master and two clients) and one server with ELK installed. I need to control who accesses this ELK server (restricting by an AD group) and who can view Wazuh's dashboards. Is it possible?


jesus.g...@wazuh.com

Jun 11, 2018, 10:02:24 AM
to Wazuh mailing list
Ok Martinez,

The RBAC from X-Pack applies to the Elasticsearch indices, so if you have X-Pack installed you can create multiple users and assign them
to certain roles.

The Wazuh App mainly uses four indices:

.wazuh (one index)
.wazuh-version (one index)
wazuh-monitoring-3.x-* (more than one index using that prefix)
wazuh-alerts-3.x-* (more than one index using that prefix)

If you create the proper roles to control the access to these indices you can have a secured environment regardless of the number of Wazuh managers
and regardless of AD.

In the .wazuh index we store the Wazuh API credentials, URL, port, etc. Each document from that index is a Wazuh API entry.
In the .wazuh-version index we store only a single document with information that is useless for the user, only for internal purposes.
In the wazuh-alerts-3.x-* indices we store alerts from the Wazuh manager(s).
In the wazuh-monitoring-3.x-* indices we store agent statuses to build the visualization known as Agents status in Overview.

What can we help you configure right now?

- Limit who can add/edit/remove a Wazuh API entry using the Wazuh App.
- Limit who can see alerts from certain indices --> Limit who can see alerts in the dashboards
- Limit who can see agents statuses

These features are supported now. If you want help achieving that, let me know which kinds of users would match the above features.

Regards,
Jesús

C. L. Martinez

Jun 11, 2018, 10:13:14 AM
to jesus.g...@wazuh.com, Wazuh mailing list
Many thanks Jesus. I am interested in the following points:

- Limit who can add/edit/remove a Wazuh API entry using the Wazuh App.
- Limit who can see alerts from certain indices --> Limit who can see alerts in the dashboards

Elasticsearch's and Logstash's ports are only allowed for the master server ...

jesus.g...@wazuh.com

Jun 11, 2018, 10:49:05 AM
to Wazuh mailing list
Ok, I'm going to explain a few things about Kibana, RBAC and Elasticsearch and how to achieve your target.

  • Kibana uses an X-Pack user to start the server; this user is set in the kibana.yml configuration file
  • Once Kibana is running, the user logs in using a different user or the same user as in the kibana.yml file

Installing X-Pack

1. Install X-Pack plugin for Elasticsearch:

# /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
   
2. Restart Elasticsearch:

# systemctl restart elasticsearch
    
It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the one shown below:

# curl localhost:9200/?pretty -u elastic:elastic_password

{
  "name" : "5urh-FJ",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "B5rXKBg2Tr-KWwFdbDHJQg",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "7299dc3",
    "build_date" : "2018-02-07T19:34:26.990113Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}


3. Generate the credentials and note them down:

# /usr/share/elasticsearch/bin/x-pack/setup-passwords auto

4. Install X-Pack plugin for Kibana:

# /usr/share/kibana/bin/kibana-plugin install x-pack

5. Temporarily set the elastic user for Kibana by editing /etc/kibana/kibana.yml as follows:

elasticsearch.username: "elastic"
elasticsearch.password: "elastic_password_from_step3"

6. Restart Kibana:

# systemctl restart kibana

Now it's time to configure RBAC:

1. Creating the wazuh-admin role:

# curl -XPOST "http://localhost:9200/_xpack/security/role/wazuh-admin" -H 'Content-Type: application/json' -d'
{
  "cluster": [ "manage", "manage_index_templates" ],
  "indices": [
    {
      "names": [ ".old-wazuh", ".wazuh", ".wazuh-version", "wazuh-*" ],
      "privileges": ["all"]
    }
  ]
}' -u elastic:elastic_password

2. Creating the wazuh-basic role:

# curl -XPOST "http://localhost:9200/_xpack/security/role/wazuh-basic" -H 'Content-Type: application/json' -d'
{
  "cluster": [],
  "indices": [
    {
      "names": [ ".kibana", ".wazuh", ".wazuh-version", "wazuh-alerts-3.x-*", "wazuh-monitoring-3.x-*" ],
      "privileges": ["read"]
    }
  ]
}' -u elastic:elastic_password

3. Creating the wazuh-api-admin role:

# curl -XPOST "http://localhost:9200/_xpack/security/role/wazuh-api-admin" -H 'Content-Type: application/json' -d'
{
  "cluster": [],
  "indices": [
    {
      "names": [ ".wazuh" ],
      "privileges": ["all"]
    }
  ]
}' -u elastic:elastic_password

4. Creating the Kibana system user (ensure the password is strong enough; it will be the superuser for your environment):

# curl -XPOST "http://localhost:9200/_xpack/security/user/wazuhsystem" -H 'Content-Type: application/json' -d'
{
  "password": "wazuhsystem",
  "roles": ["wazuh-admin", "kibana_system"],
  "full_name": "Wazuh System",
  "email": "wazuh...@wazuh.com"
}' -u elastic:elastic_password


5. Creating the Wazuh admin user:

# curl -XPOST "http://localhost:9200/_xpack/security/user/jack" -H 'Content-Type: application/json' -d'
{
  "password": "jackjack",
  "roles": ["wazuh-basic", "wazuh-api-admin"],
  "full_name": "Jack",
  "email": "ja...@wazuh.com"
}' -u elastic:elastic_password


6. Creating a standard user (this user is not able to add/remove/edit a Wazuh API entry; use the Wazuh admin user from step 5 instead):

# curl -XPOST "http://localhost:9200/_xpack/security/user/john" -H 'Content-Type: application/json' -d'
{
  "password": "johnjohn",
  "roles": ["wazuh-basic"],
  "full_name": "John",
  "email": "jo...@wazuh.com"
}' -u elastic:elastic_password


7. Set the right user in the kibana.yml file:

elasticsearch.username: "wazuhsystem"
elasticsearch.password: "wazuhsystem"

8. Restart Kibana:

# systemctl restart kibana

Right now, you have a secured environment. The users could be different and you must replace their names to fit your requirements, and you could create more complex
roles; this is the standard guide. Let me know if you need any kind of help.

Regards,
Jesús
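The index list and the role/user definitions from the two replies above can be checked offline before any curl request is sent: X-Pack matches the "names" of an index grant against concrete index names with * wildcards, and a user's privileges are the union over all of their roles, so it is easy to end up granting more than intended (for example, "wazuh-*" in wazuh-admin also covers every alerts and monitoring index). The following is an added example, not code from the thread or from Wazuh/Elastic; it copies the three roles and three users from the steps above into a small privilege-matrix checker. It assumes a simplified privilege hierarchy ("all" implies read, write and manage; "read" implies only read) and models only the custom roles (the built-in kibana_system role is ignored); the concrete index names are constructed samples.

```python
"""Offline privilege-matrix check for the X-Pack roles and users in the thread.

Added example (not from the original post or from Wazuh/Elastic). Assumptions:
- index grants match concrete index names with shell-style `*` wildcards;
- "all" implies read, write and manage, "read" implies only read (simplified);
- built-in roles such as kibana_system are not modelled and grant nothing here.
"""
import json
from fnmatch import fnmatchcase

# Role definitions copied from the request bodies of RBAC steps 1-3.
ROLES = {
    "wazuh-admin": {
        "cluster": ["manage", "manage_index_templates"],
        "indices": [{"names": [".old-wazuh", ".wazuh", ".wazuh-version", "wazuh-*"],
                     "privileges": ["all"]}],
    },
    "wazuh-basic": {
        "cluster": [],
        "indices": [{"names": [".kibana", ".wazuh", ".wazuh-version",
                               "wazuh-alerts-3.x-*", "wazuh-monitoring-3.x-*"],
                     "privileges": ["read"]}],
    },
    "wazuh-api-admin": {
        "cluster": [],
        "indices": [{"names": [".wazuh"], "privileges": ["all"]}],
    },
}

# Users from RBAC steps 4-6 with their role assignments (passwords omitted on purpose).
USERS = {
    "wazuhsystem": ["wazuh-admin", "kibana_system"],
    "jack": ["wazuh-basic", "wazuh-api-admin"],
    "john": ["wazuh-basic"],
}

# Simplified expansion of X-Pack index privilege names into actions (assumption).
PRIVILEGE_ACTIONS = {
    "all": {"read", "write", "manage"},
    "read": {"read"},
    "write": {"write"},
    "manage": {"manage"},
}

# Constructed sample of concrete index names in the shape the Wazuh App creates.
SAMPLE_INDICES = [
    ".wazuh",
    ".wazuh-version",
    "wazuh-alerts-3.x-2018.06.11",
    "wazuh-monitoring-3.x-2018.06.11",
    ".kibana",
]


def index_actions(role_names, index):
    """Union of actions granted on `index` by every grant of every listed role."""
    actions = set()
    for role in role_names:
        # Unknown (built-in) roles contribute nothing in this offline model.
        for grant in ROLES.get(role, {}).get("indices", []):
            if any(fnmatchcase(index, pattern) for pattern in grant["names"]):
                for privilege in grant["privileges"]:
                    actions |= PRIVILEGE_ACTIONS[privilege]
    return actions


def access_matrix(user):
    """Map each sample index to the sorted list of actions `user` has on it."""
    return {index: sorted(index_actions(USERS[user], index)) for index in SAMPLE_INDICES}


def can_manage_api_entries(user):
    """Adding/editing/removing a Wazuh API entry means writing to the .wazuh index."""
    return "write" in index_actions(USERS[user], ".wazuh")


def role_request(name):
    """Render (method, path, JSON body) for a role as the thread's curl commands send it."""
    return ("POST", "/_xpack/security/role/%s" % name, json.dumps(ROLES[name], indent=2))


if __name__ == "__main__":
    for user in USERS:
        print(user, json.dumps(access_matrix(user), indent=2))
        print("  can manage Wazuh API entries:", can_manage_api_entries(user))
```

Running it shows the split the thread is after: john (wazuh-basic only) can read the alerts, monitoring and .wazuh indices but cannot write to .wazuh, so he cannot add or remove API entries, while jack gains write on .wazuh through wazuh-api-admin and nothing else. It also makes visible that wazuhsystem's "wazuh-*" grant covers every alerts and monitoring index with full privileges, which is why the thread keeps that user for Kibana's own use rather than for people logging in.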