wazuh-kubernetes
wazuh-kubernetes copied to clipboard
Published
20 hours ago •
wazuh
wazuh
Dashboard OpenID support
Version: tested on 4.3.9 and 4.3.10
Issue: OpenID config based in Opensearch documentation does not work https://opensearch.org/docs/latest/security-plugin/configuration/openid-connect/ https://www.linkedin.com/pulse/integrate-opensearch-azure-active-directory-dimitris-p-/
"Too many redirects" wazuh redirect to OIDC but loops starting again
I tested with LoadBalancer, internally with proxy and without proxy...here dashboard logs...
{"type":"log","@timestamp":"2023-01-05T10:06:44Z","tags":["error","plugins","securityDashboards"],"pid":40,"message":"OpenId authentication failed: Error: Authentication Exception"}
{"type":"response","@timestamp":"2023-01-05T10:06:44Z","tags":[],"pid":40,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?state=u_tFN50YBxPo9GgY7N_y-m&session_state=b757e8ff-044f-486f-a640-0f076863322f&code=8378672d-be68-4dbb-a667-f2f8c0c4d712.b757e8ff-044f-486f-a640-0f076863322f.198fe1f9-9024-4abd-acc0-c347679e97a2","method":"get","headers":{"host":"wazuh.domain","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","cdn-loop":"cloudflare","cf-connecting-ip":"149.36.196.128","cf-ipcountry":"ES","cf-ray":"784b67284e653670-MAD","cf-visitor":"{\"scheme\":\"https\"}","sec-ch-ua":"\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","upgrade-insecure-requests":"1","x-forwarded-for":"10.144.219.179","x-forwarded-host":"wazuh.domain","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"x-traefik-ext-645d77dd4c-zl57n","x-real-ip":"10.144.219.179"},"remoteAddress":"172.30.234.146","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"},"res":{"statusCode":302,"responseTime":68,"contentLength":9},"message":"GET /auth/openid/login?state=u_tFN50YBxPo9GgY7N_y-m&session_state=b757e8ff-044f-486f-a640-0f076863322f&code=8378672d-be68-4dbb-a667-f2f8c0c4d712.b757e8ff-044f-486f-a640-0f076863322f.198fe1f9-9024-4abd-acc0-c347679e97a2 302 68ms - 9.0B"}
{"type":"response","@timestamp":"2023-01-05T10:06:44Z","tags":[],"pid":40,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login","method":"get","headers":{"host":"wazuh.domain","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","cdn-loop":"cloudflare","cf-connecting-ip":"149.36.196.128","cf-ipcountry":"ES","cf-ray":"784b67294ffc3670-MAD","cf-visitor":"{\"scheme\":\"https\"}","sec-ch-ua":"\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","upgrade-insecure-requests":"1","x-forwarded-for":"10.144.219.179","x-forwarded-host":"wazuh.domain","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"traefik-ext-645d77dd4c-zl57n","x-real-ip":"10.144.219.179"},"remoteAddress":"172.30.234.146","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"},"res":{"statusCode":302,"responseTime":5,"contentLength":9},"message":"GET /auth/openid/login 302 5ms - 9.0B"}
Configuration:
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://indexer:9200
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/config/certs/key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/config/certs/cert.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/config/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wazuh
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://keycloakurl/auth/realms/realm/.well-known/openid-configuration"
opensearch_security.openid.client_id: "client-siem"
opensearch_security.openid.client_secret: "clientpasword"
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch_security.openid.base_redirect_url: https://siemurl
Mount config.yaml as configmap does not overwrite order, they keep sticky of Wazuh Management
---
apiVersion: v1
kind: ConfigMap
metadata:
name: config-index
namespace: wazuh
data:
config.yml: |-
_meta:
type: "config"
config_version: 2
config:
dynamic:
# Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
# Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
# Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
#filtered_alias_mode: warn
#do_not_fail_on_forbidden: false
#kibana:
# Kibana multitenancy
#multitenancy_enabled: true
#server_username: kibanaserver
#index: '.kibana'
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
#internalProxies: '.*' # trust all internal proxies, regex pattern
#remoteIpHeader: 'x-forwarded-for'
###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
###### and here https://tools.ietf.org/html/rfc7239
###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
authc:
kerberos_auth_domain:
http_enabled: false
transport_enabled: false
order: 6
http_authenticator:
type: kerberos
challenge: true
config:
# If true a lot of kerberos/security related debugging output will be logged to standard out
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noop
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
description: "Authenticate keycloak openid"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: openid
challenge: true
config:
subject_key: preferred_username
roles_key: kibana_server
openid_connect_url: "https://keycloakurl/auth/realms/ibm/.well-known/openid-configuration"
authentication_backend:
Tested: Opensearch Doc for OpenID support overwritting config.yaml does not overwrite orders Reviw wazuh slack channels with some topics related
hi @andraspavelbaystream , i got mine working with this
type: "config"
config_version: 2
config:
dynamic:
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: '10\.\d{1-3}\.\d{1-3}\.\d{1-3}' # regex pattern
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal
openid_auth_domain:
http_enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: <redacted>
authentication_backend:
type: noop
