Skip to content

Latest commit

 

History

History
374 lines (231 loc) · 17.1 KB

rbac.rst

File metadata and controls

374 lines (231 loc) · 17.1 KB
Raw

Wazuh RBAC - How to create and map internal users

Wazuh RBAC allows access to Wazuh resources based on the roles and policies assigned to the users. It is an easy-to-use administration system that enables to manage users' or entities' permissions to the system resources. To learn more, see the Role-Based Access Control </user-manual/api/rbac/index> section.

The Wazuh platform includes an internal user database that can be used for authentication. It can also be used in addition to an external authentication system such as LDAP or Active Directory. Learn how to create users and map them with Wazuh in the below sections.

Creating and setting a Wazuh admin user

Follow these steps to create an internal user, create a new role mapping, and give administrator permissions to the user.

  1. Log into the Wazuh dashboard as administrator.

  2. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

    /images/manual/user-administration/rbac/internal-user.gif

  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to the admin role, follow these steps:

    1. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Roles to open the roles page.
    2. Search for the all_access role in the roles list and select it to open the details window.
    3. Click Duplicate role, assign a name to the new role, then click Create to confirm the action.
    4. Select the newly created role.
    5. Select the Mapped users tab and click Manage mapping.
    6. Add the user you created in the previous steps and click Map to confirm the action.

    Note

    Reserved roles are restricted for any permission customizations. You can create a custom role with the same permissions or duplicate a reserved role for further customization.

  5. To map the user with Wazuh, follow these steps:

    1. Click the upper-left menu icon to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

      /images/manual/user-administration/rbac/role-mapping.gif

    2. Click Create Role mapping and complete the empty fields with the following parameters:
      • Role mapping name: Assign a name to the role mapping.
      • Roles: Select administrator.
      • Internal users: Select the internal user created previously.
    3. Click Save role mapping to save and map the user with Wazuh as administrator.

    For the role mapping to take effect, make sure that Run as is set to true in the API host entry configuration on Dashboard management > Server APIs. Restart the Wazuh dashboard service and clear your browser cache and cookies.

    image

Creating and setting a Wazuh read-only user

Follow these steps to create an internal user, create a new role mapping, and give read-only permissions to the user.

  1. Log into the Wazuh dashboard as administrator.

  2. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

    /images/manual/user-administration/rbac/internal-user.gif

  3. Click Create internal user, provide a username and password, and click Create to complete the action.
  4. To map the user to the appropriate role, follow these steps:
    1. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Roles to open the roles page.
    2. Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.
      • Name: Assign a name to the role.
      • Cluster permissions: cluster_composite_ops_ro
      • Index: *
      • Index permissions: read
      • Tenant permissions: global_tenant and select the Read only option.
    3. Select the Mapped users tab and click Manage mapping.
    4. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

      /images/manual/user-administration/rbac/role-mapping.gif

    2. Click Create Role mapping and complete the empty fields with the following parameters:
      • Role mapping name: Assign a name to the role mapping.
      • Roles: Select readonly.
      • Internal users: Select the internal user created previously.
    3. Click Save role mapping to save and map the user with Wazuh as read-only.

    For the role mapping to take effect, make sure that Run as is set to true in the API host entry configuration on Dashboard management > Server APIs. Restart the Wazuh dashboard service and clear your browser cache and cookies.

    image

Creating an internal user and mapping it to Wazuh

Follow these steps to create an internal user and map it to a role of your choice.

  1. Log into the Wazuh dashboard as administrator.

  2. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

    /images/manual/user-administration/rbac/internal-user.gif

  3. Click Create internal user, provide a username and password, and click Create to complete the action.
  4. To map the user to a given role, follow these steps:
    1. Go to Security, select Roles to open the page, and click the name of the selected role to open the window. Alternatively, you can create a custom role by clicking Create role.
    2. Select the Mapped users tab and click Manage mapping.
    3. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click to open the menu on the Wazuh dashboard, go to Server management > Security, and then Roles mapping to open the page.

      /images/manual/user-administration/rbac/role-mapping.gif

    2. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.
      • Roles: Select the Wazuh roles that you want to map the user with.
      • Internal users: Select the internal user created previously.

      Wazuh includes an extensive list of default policies<api_rbac_reference_default_policies> and roles <api_rbac_reference_default_roles>. Additionally, you can create custom policies and roles to suit your needs. To see an example, check our Use case: Give a user permissions to manage a group of agents <wazuh-rbac-use-case-agents-group> below.

    3. Click Save role mapping to save and map the user with Wazuh.

    For the role mapping to take effect, make sure that Run as is set to true in the API host entry configuration on Dashboard management > Server APIs. Restart the Wazuh dashboard service and clear your browser cache and cookies.

    image

Use case: Give a user permissions to read and manage a group of agents

In this use case, we explore how to create an internal user and give it permissions to read and manage an agents group.

This process involves adding a label in the agent group's centralized configuration to identify the Wazuh alerts coming from this group of agents, creating an internal user, and giving it reading permission only for those documents that correspond to the group of authorized agents.

It also involves mapping this user with the Wazuh API, creating a custom policy that includes permissions to read, restart, upgrade, among other actions over a group of agents, and finally creating a custom role and mapping it to our internal user.

As a final result, we will have a new user with permission to manage a group of agents and read the documents regarding the said group.

In this example, we have an environment with five agents. Agents 001, 002, and 005 belong to the Team_A group whereas agents 003, 004, and 005 belong to the Team_B group. To learn more about creating agents' groups, see Grouping agents <grouping-agents>. We will describe how to create a new user and give it permission to manage agents from Team_A.

/images/manual/user-administration/rbac/environment.png

Adding an agents group label

To prepare the environment, add a label in the Team_A centralized configuration agent.conf. To learn more, see Agent labels </user-manual/agents/labels>.

  1. Log into the Wazuh dashboard as administrator.
  2. Select Server management > Endpoint Groups to open the page.
  3. Select your group, for example, Team_A.
  4. Select Files and click Edit group configuration.

  5. Add a label to identify the group, for example:

    <agent_config>
   <labels>
       <label key="group">Team_A</label>
   </labels>
</agent_config>
  6. Click Save to complete the action.

You have now added a group label that allows us to identify all the Wazuh alerts coming from this group of agents. Note that only new alerts will include this group label.

Creating and mapping an internal user

Follow these steps to create an internal user, create a custom role and map it to the new user.

  1. Click the upper-left menu icon to open the available options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.
  2. Click Create internal user, provide a username and password, and click Create to complete the action.
  3. To create a custom role and map the user to it, follow these steps:
    1. Go to Security, select Roles to open the page.
    2. Click Create role, complete the empty fields with the following parameters:
      • Name: Assign a name to the role.
      • Cluster permissions: cluster_composite_ops_ro
      • Index: *
      • Index permissions: read
    3. Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters and make sure to replace your group name accordingly:
      • Index: wazuh-alerts*
      • Index permissions: read

      • Document level security:

        {
  "bool": {
    "must": {
      "match": {
        "agent.labels.group": "Team_A"
      }
    }
  }
}
    4. Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters and make sure to replace your group name accordingly:
      • Index: wazuh-monitoring*
      • Index permissions: read

      • Document level security:

        {
  "bool": {
    "must": {
      "match": {
        "group": "Team_A"
      }
    }
  }
}
    5. Under Tenant permissions, select Tenant: global_tenant and the Read only option.
    6. Click Create to complete the task.
    7. Select the Mapped users tab and click Manage mapping.
    8. Add the user you created in the previous steps and click Map to confirm the action.

You have now created an internal user and assigned it reading permissions over the Wazuh alerts and Wazuh monitoring documents from the authorized agents group.

Mapping with Wazuh

To map the user with Wazuh, follow these steps:

  1. Click to open the menu on the Wazuh dashboard, go to Server management > Security, and then Policies to open the policies page.

  2. Click Create policy and complete the empty fields with the requested information.

    • Policy name: Assign a name to the new policy.
    • Action: Select the actions that the user is allowed to perform, for example, agent:read, and click Add. Select as many actions as needed.
    • Resource: Select agent:group.
    • Resource identifier: Write the name of the agents' group, for example, Team_A, and click Add. You can add as many resources as needed.
    • Select an effect: Select Allow.

    /images/manual/user-administration/rbac/create-policy.png

  3. Click Create policy to complete the action.

  4. Click Roles to open the tab, click Create Role, and fill in the empty fields with the requested information.

    • Role name: Assign a name to the new role.
    • Policies: Select the policy created previously.

    /images/manual/user-administration/rbac/create-role.png

  5. Click Create role to confirm the action.

  6. Click Create Role mapping and complete the empty fields with the requested information.

    • Role mapping name: Assign a name to the role mapping.
    • Roles: Select the role created previously and the cluster_readonly role. This role assigns the user basic configuration reading permissions.
    • Internal users: Select the internal user created previously.

    /images/manual/user-administration/rbac/create-new-role-mapping.png

  7. Click Save role mapping to finish the action.

    For the role mapping to take effect, make sure that Run as is set to true in the API host entry configuration on Dashboard management > Server APIs. Restart the Wazuh dashboard service and clear your browser cache and cookies.

    image

You have now created a new internal user and mapped it to manage a Wazuh agents' group. Authenticate with the new user and open the Wazuh dashboard, see that only Team_A agents' alerts and information are displayed.

/images/manual/user-administration/rbac/team_A-agents.png