wazuh-dashboard-plugins
Sample data warning does not appear for readonly users
| Wazuh | Elastic | Rev | Security |
|---|---|---|---|
| 4.2 | 7.10.2/7.11.2 | 4xxx | Basic, ODFE, Xpack |

| Browser |
|---|
| Chrome, Firefox, Safari, etc. |
Description
The warning saying that there is sample data in a dashboard does not appear if we access the app with a user that only has read permissions.
Preconditions
- A user with only read permissions.
Steps to reproduce
- Add sample data
- Login with a user with only read permissions for Wazuh indices.
- Go to Security events
Expected Result
- The warning always appears.
Actual Result
- The warning does not appear for readonly users.
Screenshots
https://user-images.githubusercontent.com/19505384/134375184-159148f4-9531-4338-bf43-f6106047fb81.mp4
Related issue #3611
Now, all the requests to check if sample alerts exist will be done with the `internalUser`.
It is necessary to check the existence of sample alerts without permissions errors.
Fixed
https://user-images.githubusercontent.com/6089438/157096747-cceaf3e3-41ee-4bf1-9771-1a49b814d040.mov
The callout with the warning about the existence of sample data for Wazuh alerts depends on a request made by the logged-in/current user to check whether any indices exist whose names match the composed name of the sample data indices. If the user does not have the required permission, the request should fail and the callout is not displayed.
The name of the sample data indices is defined by:
`<WAZUH_SAMPLE_ALERTS_PREFIX>sample-<SAMPLE_ALERTS_CATEGORY>`
where:
- `<WAZUH_SAMPLE_ALERTS_PREFIX>`: is defined in the plugin setting `alerts.sample.prefix`
- `<SAMPLE_ALERTS_CATEGORY>`: is a fixed string that depends on the current categories of sample alerts
The problem should be related to missing permissions in the current/logged-in user. Giving it the required permissions should make the toast appear.
Wazuh installation
I was reviewing the default configurations for new installations explained in the Wazuh documentation.
Kibana - Open Distro for Elasticsearch
Documentation: https://documentation.wazuh.com/4.2/installation-guide/open-distro/all-in-one-deployment/all-in-one.html#elasticsearch-users-and-roles
The configuration files for Elasticsearch define:
- Role: `wazuh_ui_user` with the `read` permission group. This group gives the permissions:
  - `indices:data/read*`
  - `indices:admin/mappings/fields/get*`
  and does not include the permission to check whether the sample data indices exist.
- User: `wazuh_user` with the `wazuh_ui_user` role.
This configuration means this user can't check the existence of sample data indices. As a result, the mentioned callout is not displayed when there are sample data indices, and the Settings/Sample data section shows a toast displaying an error related to permissions:
It would be recommended to add the required permission to the predefined `wazuh_user` user. I was testing and the required permission is `indices:admin/get`.
When the user tries to check the existence of a sample data index:
`HEAD <index_name>`
The Elasticsearch logs display:
```
[2022-04-07T11:36:45,767][INFO ][c.a.o.s.p.PrivilegesEvaluator] [elasticsearch] No index-level perm match for User [name=wazuh_user, backend_roles=[], requestedTenant=__user__] Resolved [aliases=[], allIndices=[wazuh-alerts-4.x-sample-auditing-policy-monitoring], types=[*], originalRequested=[wazuh-alerts-4.x-sample-auditing-policy-monitoring], remoteIndices=[]] [Action [indices:admin/get]] [RolesChecked [wazuh_ui_user, wazuh_index_exists, own_index, kibana_user]]
```
where we can see that the `indices:admin/get` permission is required to perform the action on the related index.
This requirement should be included in the documentation for creating a read-only user and in the unattended installation scripts: https://documentation.wazuh.com/4.2/user-manual/kibana-app/wazuh-rbac.html#creating-and-setting-a-wazuh-read-only-user
Another interesting thing would be to add a permission/action group that contains the `read` permission group plus the permission required to check the existence of sample data indices. This action group could be used by users to configure custom roles that work with the Wazuh plugin. To create an action group we could use the UI, or, if we want a customized installation, we could define it in the `action_groups.yml` file, using this as an example: https://opendistro.github.io/for-elasticsearch-docs/docs/security/configuration/yaml/#action_groupsyml.
Kibana - Elastic license
The current guide doesn't configure any new users beyond the ones built into the installation.
Documentation: https://documentation.wazuh.com/4.2/installation-guide/more-installation-alternatives/elastic-stack/all-in-one-deployment/all-in-one.html
Blocked by https://github.com/wazuh/wazuh-packages/issues/1446
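As an added example (not from this issue or the Wazuh project), this is what the action group proposed above could look like in the Open Distro Security `action_groups.yml`: it bundles the built-in `read` group with `indices:admin/get`, the action the log above shows being denied. The group name `wazuh_ui_read` and the index pattern mentioned in the comment are assumptions.

```yaml
# action_groups.yml (Open Distro Security plugin). The _meta header is
# required by the security plugin when loading this file with securityadmin.
_meta:
  type: "actiongroups"
  config_version: 2

# "wazuh_ui_read" is an assumed name for this example, not a Wazuh default.
wazuh_ui_read:
  reserved: false
  hidden: false
  type: "index"
  description: "Read access plus index existence checks for the Wazuh plugin"
  allowed_actions:
    # Built-in group: indices:data/read* and indices:admin/mappings/fields/get*
    - "read"
    # Lets HEAD <index_name> on the sample-data indices succeed instead of
    # failing with a permissions error, so the sample-data callout can appear.
    - "indices:admin/get"
```

A read-only role would then list `wazuh_ui_read` instead of `read` under `allowed_actions` in its `index_permissions` entry for the alerts index pattern (e.g. `wazuh-alerts-*`), and the existing `wazuh_ui_user` role would be left unchanged.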
I'm working with the new configuration of `roles`, `roles_mapping`, and `internal_users` to see how Sample data behaves without the removed `wazuh_ui_user`.
Initially, this issue was created because the prompt shown when there is sample data didn't appear when the user had `read_only` permissions. But in newer versions this role no longer exists by default in the Wazuh installation (version 4.4). In conclusion, with the new configuration, this issue will not happen anymore in version 4.4 because we don't have a read-only user by default.
Next step:
- [x] Check the entire app behavior with the new default configurations (roles, roles_mapping, and internal_users). Check if the application works as we expected.
Conclusion
Tested in an OpenSearch 1.2.0-1.24 (Wazuh Dashboard) environment without problems, applying the new configuration for version 4.4.
P.S.: For the case described in the issue, the user with `read-only` permissions cannot see the Sample data warning because the UI makes a request to `/elastic/samplealerts`, and if the user doesn't have permissions the alert prompt will not show.
Superseded by https://github.com/wazuh/wazuh-kibana-app/issues/4584