update fixed version

2023-11-24 21:35:46 +01:00 · 2023-11-24 21:35:46 +01:00 · 060d818416
parent eaec953d40
commit 060d818416
1 changed files with 39 additions and 34 deletions
--- a/website/integrations/services/wazuh/index.md
+++ b/website/integrations/services/wazuh/index.md
@ -1,12 +1,12 @@
 ---
-title: wazuh. 
+title: wazuh.
 ---

 <span class="badge badge--secondary">Support level: Community</span>

 ## What is wazuh

-> wazuh is an open source Security Information and Event Management System that also has (extended) Endpoint Detection & Response (XDR) capabilities, as well as components of a Network Intrusion & Detection System (NIDS). 
+> wazuh is an open source Security Information and Event Management System that also has (extended) Endpoint Detection & Response (XDR) capabilities, as well as components of a Network Intrusion & Detection System (NIDS).
 >
 > -- https://wazuh.com

@ -21,7 +21,7 @@ The following placeholders will be used:
 -   `wazuh.company` is the FQDN of the wazuh server instance.
 -   `authentik.company` is the FQDN of the authentik install.

-While wazuh allows both LDAP and SAML integration, in this post we will only walk through the SAML integration. 
+While wazuh allows both LDAP and SAML integration, in this post we will only walk through the SAML integration.

 ### Step 1 - certificates

@ -29,7 +29,6 @@ The first step would be to add a certificate for wazuh.

 You can generate a new one under `System` -> `Certificates` -> `Generate`

-
 Add a name, set the validity period to 365 days and click `Generate`
 ![](./certificate.png)

@ -49,19 +48,19 @@ Add a descriptive name, select the appropriate Authentication/Authorization flow

 `https://<WAZUH_IP_OR_HOSTNAME>/_opendistro/_security/saml/acs`

-also make sure to give it an appropriate `EntityID` name (`issuer`), you will need that later and a valid option is e.g. `wazuh-saml` 
+also make sure to give it an appropriate `EntityID` name (`issuer`), you will need that later and a valid option is e.g. `wazuh-saml`

 Select `Post` as the `Service Provider Binding` and move on to the advanced protocol settings.
 ![](./provider2.png)

-The last step is to select the previously created `Signing Certificate` from the dropdown list and leave the rest of the configurations as default for now. 
+The last step is to select the previously created `Signing Certificate` from the dropdown list and leave the rest of the configurations as default for now.
 ![](./provider3.png)
 ![](./provider4.png)
 ![](./provider5.png)

 ### Step 3 - property mapping

-Time to create a Property Mapping - this is a custom function that takes group/user data from authentik and provides it to wazuh in a structured way. 
+Time to create a Property Mapping - this is a custom function that takes group/user data from authentik and provides it to wazuh in a structured way.

 We will map a group membership - `wazuh-admins` - as a backend role for RBAC in wazuh using Property Mapping - `Customization` -> `Property Mappings`

@ -89,13 +88,13 @@ Now create an application to use the newly created provider. `Applications` -> `
 `Provider: SAML`
 `Policy Engine: any`

-
 ![](./application.png)

-You can change the UI / upload a logo so that in the applications overview you have a nice layout and can easily identify the new wazuh app. 
+You can change the UI / upload a logo so that in the applications overview you have a nice layout and can easily identify the new wazuh app.
 ![](./applications_overview.png)

 ### Step 5 - metadata + wazuh opensearch-security configuration
+
 Now download the metadata file `saml_authentik_meta.xml` from the `Applications` -> `Provider` -> `Related Objects` -> `Download`

 and copy/save it on the wazuh server - ideally under `/etc/wazuh-indexer/opensearch-security/idp-metadata.xml`
@ -103,12 +102,12 @@ and copy/save it on the wazuh server - ideally under `/etc/wazuh-indexer/opensea

 Next up change the `/etc/wazuh-indexer/opensearch-security/config.yml` and make sure it looks like the one below

- you need to adjust the `metadata_file` if your name differs from the one shown above/below
- `entity_id` needs to change twice, once in the `idp` section and once in the `sp` section - you can look it up in the metadata xml file - search for `entityID`
-![Alt text](entityid.png)
- adapt the `kibana_url` to match your wazuh dashboard url - e.g. `https://wazuh.myhomelab.com/`
- copy/paste the `exchange_key`, you can get it from the metadata file (find the key between the `<ds:X509Certificate></ds:X509Certificate>` tags, it usually starts with MII...) - DO NOT FORGET TO PUT QUOTES AROUND THE CERTIFICATE
- make sure to adjust the ownership and access rights via the following commands:
+-   you need to adjust the `metadata_file` if your name differs from the one shown above/below
+-   `entity_id` needs to change twice, once in the `idp` section and once in the `sp` section - you can look it up in the metadata xml file - search for `entityID`
+    ![Alt text](entityid.png)
+-   adapt the `kibana_url` to match your wazuh dashboard url - e.g. `https://wazuh.myhomelab.com/`
+-   copy/paste the `exchange_key`, you can get it from the metadata file (find the key between the `<ds:X509Certificate></ds:X509Certificate>` tags, it usually starts with MII...) - DO NOT FORGET TO PUT QUOTES AROUND THE CERTIFICATE
+-   make sure to adjust the ownership and access rights via the following commands:

 ```bash
 sudo chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/idp-metadata.xml
@ -124,21 +123,21 @@ authc:
    transport_enabled: true b
    order: 0
    http_authenticator:
-      type: basic 
+      type: basic
      challenge: false
    authentication_backend:
-      type: intern 
+      type: intern
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
-      type: saml 
+      type: saml
      challenge: true
-      config: 
+      config:
        idp:
          metadata_file: "/etc/wazuh-indexer/opensearch-security/idp-metadata.xml"
-          entity_id: "wazuh-saml" 
+          entity_id: "wazuh-saml"
        sp:
          entity_id: "wazuh-saml"
        kibana_url: "https://<YOUR_WAZUH_IP_OR_HOSTNAME>"
@ -169,51 +168,57 @@ under `backend_roles` add `wazuh-admin` and check that reserved is `false` + the

 ```yml
 all_access:
-  reserved: false
-  hidden: false
-  backend_roles:
-  - "wazuh-admin"
-  - "admin"
-  hosts: []
-  users: []
-  and_backend_roles: []
-  description: "Maps admin to all_access"
+    reserved: false
+    hidden: false
+    backend_roles:
+        - "wazuh-admin"
+        - "admin"
+    hosts: []
+    users: []
+    and_backend_roles: []
+    description: "Maps admin to all_access"
 ```

 save the file and use the securityadmin.sh with the following command to load the adjusted `roles_mapping.yml`:
+
 ```bash
 export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
 ```

 If all goes well this shows `Done with success` in the end

-
 ### Step 8 - wazuh.yml
+
 Check `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` and make sure that `run_as` is set to `false`.
 ![](wazuhyml.png)

 ### Step 9 - security role mapping
+
 open the wazuh dashboard - click on the downward pointing triangle next to the wazuh logo then on `Security` and `Roles mapping`.
 ![](roles_mapping1.png)
 We will now add a new role mapping - add any name + the respective Roles -> in this case administrator and add a new custom rule at the bottom that matches (`FIND`) the `user_name` to `wazuh-admin`.
 ![](saml-admin.png)

-
 ### Step 10 - final step - opensearch_dashboards.yml

 The last step is to adapt the `/etc/wazuh-dashboard/opensearch_dashboards.yml` and add three lines to the bottom of the file:

 ```yml
 opensearch_security.auth.type: "saml"
-server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
+server.xsrf.allowlist:
+    [
+        "/_opendistro/_security/saml/acs",
+        "/_opendistro/_security/saml/logout",
+        "/_opendistro/_security/saml/acs/idpinitiated",
+    ]
 opensearch_security.session.keepalive: false
 ```

 ![](dashboardsyml.png)

-If all went well you should now only have to restart the wazuh dashboard 
+If all went well you should now only have to restart the wazuh dashboard

 `systemctl restart wazuh-dashboard`

 and then you should be greeted by the authentik login screen when you try to connect to the dashboard
-![](login.png)
+![](login.png)