trustchain-oc1-orchestral/authentik
Archived
10
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

update fixed version

Browse source
This commit is contained in:
Maik Ro 2023-11-24 21:35:46 +01:00
parent eaec953d40
commit 060d818416
1 changed files with 39 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
website/integrations/services/wazuh/index.md
View file

@ -1,12 +1,12 @@
--- ---
title: wazuh. title: wazuh.
--- ---
<span class="badge badge--secondary">Support level: Community</span> <span class="badge badge--secondary">Support level: Community</span>
## What is wazuh ## What is wazuh
> wazuh is an open source Security Information and Event Management System that also has (extended) Endpoint Detection & Response (XDR) capabilities, as well as components of a Network Intrusion & Detection System (NIDS). > wazuh is an open source Security Information and Event Management System that also has (extended) Endpoint Detection & Response (XDR) capabilities, as well as components of a Network Intrusion & Detection System (NIDS).
> >
> -- https://wazuh.com > -- https://wazuh.com
@ -21,7 +21,7 @@ The following placeholders will be used:
- `wazuh.company` is the FQDN of the wazuh server instance. - `wazuh.company` is the FQDN of the wazuh server instance.
- `authentik.company` is the FQDN of the authentik install. - `authentik.company` is the FQDN of the authentik install.
While wazuh allows both LDAP and SAML integration, in this post we will only walk through the SAML integration. While wazuh allows both LDAP and SAML integration, in this post we will only walk through the SAML integration.
### Step 1 - certificates ### Step 1 - certificates
@ -29,7 +29,6 @@ The first step would be to add a certificate for wazuh.
You can generate a new one under `System` -> `Certificates` -> `Generate` You can generate a new one under `System` -> `Certificates` -> `Generate`
Add a name, set the validity period to 365 days and click `Generate` Add a name, set the validity period to 365 days and click `Generate`
![](./certificate.png) ![](./certificate.png)
@ -49,19 +48,19 @@ Add a descriptive name, select the appropriate Authentication/Authorization flow
`https://<WAZUH_IP_OR_HOSTNAME>/_opendistro/_security/saml/acs` `https://<WAZUH_IP_OR_HOSTNAME>/_opendistro/_security/saml/acs`
also make sure to give it an appropriate `EntityID` name (`issuer`), you will need that later and a valid option is e.g. `wazuh-saml` also make sure to give it an appropriate `EntityID` name (`issuer`), you will need that later and a valid option is e.g. `wazuh-saml`
Select `Post` as the `Service Provider Binding` and move on to the advanced protocol settings. Select `Post` as the `Service Provider Binding` and move on to the advanced protocol settings.
![](./provider2.png) ![](./provider2.png)
The last step is to select the previously created `Signing Certificate` from the dropdown list and leave the rest of the configurations as default for now. The last step is to select the previously created `Signing Certificate` from the dropdown list and leave the rest of the configurations as default for now.
![](./provider3.png) ![](./provider3.png)
![](./provider4.png) ![](./provider4.png)
![](./provider5.png) ![](./provider5.png)
### Step 3 - property mapping ### Step 3 - property mapping
Time to create a Property Mapping - this is a custom function that takes group/user data from authentik and provides it to wazuh in a structured way. Time to create a Property Mapping - this is a custom function that takes group/user data from authentik and provides it to wazuh in a structured way.
We will map a group membership - `wazuh-admins` - as a backend role for RBAC in wazuh using Property Mapping - `Customization` -> `Property Mappings` We will map a group membership - `wazuh-admins` - as a backend role for RBAC in wazuh using Property Mapping - `Customization` -> `Property Mappings`
@ -89,13 +88,13 @@ Now create an application to use the newly created provider. `Applications` -> `
`Provider: SAML` `Provider: SAML`
`Policy Engine: any` `Policy Engine: any`
![](./application.png) ![](./application.png)
You can change the UI / upload a logo so that in the applications overview you have a nice layout and can easily identify the new wazuh app. You can change the UI / upload a logo so that in the applications overview you have a nice layout and can easily identify the new wazuh app.
![](./applications_overview.png) ![](./applications_overview.png)
### Step 5 - metadata + wazuh opensearch-security configuration ### Step 5 - metadata + wazuh opensearch-security configuration
Now download the metadata file `saml_authentik_meta.xml` from the `Applications` -> `Provider` -> `Related Objects` -> `Download` Now download the metadata file `saml_authentik_meta.xml` from the `Applications` -> `Provider` -> `Related Objects` -> `Download`
and copy/save it on the wazuh server - ideally under `/etc/wazuh-indexer/opensearch-security/idp-metadata.xml` and copy/save it on the wazuh server - ideally under `/etc/wazuh-indexer/opensearch-security/idp-metadata.xml`
@ -103,12 +102,12 @@ and copy/save it on the wazuh server - ideally under `/etc/wazuh-indexer/opensea
Next up change the `/etc/wazuh-indexer/opensearch-security/config.yml` and make sure it looks like the one below Next up change the `/etc/wazuh-indexer/opensearch-security/config.yml` and make sure it looks like the one below
- you need to adjust the `metadata_file` if your name differs from the one shown above/below - you need to adjust the `metadata_file` if your name differs from the one shown above/below
- `entity_id` needs to change twice, once in the `idp` section and once in the `sp` section - you can look it up in the metadata xml file - search for `entityID` - `entity_id` needs to change twice, once in the `idp` section and once in the `sp` section - you can look it up in the metadata xml file - search for `entityID`
![Alt text](entityid.png) ![Alt text](entityid.png)
- adapt the `kibana_url` to match your wazuh dashboard url - e.g. `https://wazuh.myhomelab.com/` - adapt the `kibana_url` to match your wazuh dashboard url - e.g. `https://wazuh.myhomelab.com/`
- copy/paste the `exchange_key`, you can get it from the metadata file (find the key between the `<ds:X509Certificate></ds:X509Certificate>` tags, it usually starts with MII...) - DO NOT FORGET TO PUT QUOTES AROUND THE CERTIFICATE - copy/paste the `exchange_key`, you can get it from the metadata file (find the key between the `<ds:X509Certificate></ds:X509Certificate>` tags, it usually starts with MII...) - DO NOT FORGET TO PUT QUOTES AROUND THE CERTIFICATE
- make sure to adjust the ownership and access rights via the following commands: - make sure to adjust the ownership and access rights via the following commands:
```bash ```bash
sudo chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/idp-metadata.xml sudo chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/idp-metadata.xml
@ -124,21 +123,21 @@ authc:
transport_enabled: true b transport_enabled: true b
order: 0 order: 0
http_authenticator: http_authenticator:
type: basic type: basic
challenge: false challenge: false
authentication_backend: authentication_backend:
type: intern type: intern
saml_auth_domain: saml_auth_domain:
http_enabled: true http_enabled: true
transport_enabled: false transport_enabled: false
order: 1 order: 1
http_authenticator: http_authenticator:
type: saml type: saml
challenge: true challenge: true
config: config:
idp: idp:
metadata_file: "/etc/wazuh-indexer/opensearch-security/idp-metadata.xml" metadata_file: "/etc/wazuh-indexer/opensearch-security/idp-metadata.xml"
entity_id: "wazuh-saml" entity_id: "wazuh-saml"
sp: sp:
entity_id: "wazuh-saml" entity_id: "wazuh-saml"
kibana_url: "https://<YOUR_WAZUH_IP_OR_HOSTNAME>" kibana_url: "https://<YOUR_WAZUH_IP_OR_HOSTNAME>"
@ -169,51 +168,57 @@ under `backend_roles` add `wazuh-admin` and check that reserved is `false` + the
```yml ```yml
all_access: all_access:
reserved: false reserved: false
hidden: false hidden: false
backend_roles: backend_roles:
- "wazuh-admin" - "wazuh-admin"
- "admin" - "admin"
hosts: [] hosts: []
users: [] users: []
and_backend_roles: [] and_backend_roles: []
description: "Maps admin to all_access" description: "Maps admin to all_access"
``` ```
save the file and use the securityadmin.sh with the following command to load the adjusted `roles_mapping.yml`: save the file and use the securityadmin.sh with the following command to load the adjusted `roles_mapping.yml`:
```bash ```bash
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
``` ```
If all goes well this shows `Done with success` in the end If all goes well this shows `Done with success` in the end
### Step 8 - wazuh.yml ### Step 8 - wazuh.yml
Check `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` and make sure that `run_as` is set to `false`. Check `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` and make sure that `run_as` is set to `false`.
![](wazuhyml.png) ![](wazuhyml.png)
### Step 9 - security role mapping ### Step 9 - security role mapping
open the wazuh dashboard - click on the downward pointing triangle next to the wazuh logo then on `Security` and `Roles mapping`. open the wazuh dashboard - click on the downward pointing triangle next to the wazuh logo then on `Security` and `Roles mapping`.
![](roles_mapping1.png) ![](roles_mapping1.png)
We will now add a new role mapping - add any name + the respective Roles -> in this case administrator and add a new custom rule at the bottom that matches (`FIND`) the `user_name` to `wazuh-admin`. We will now add a new role mapping - add any name + the respective Roles -> in this case administrator and add a new custom rule at the bottom that matches (`FIND`) the `user_name` to `wazuh-admin`.
![](saml-admin.png) ![](saml-admin.png)
### Step 10 - final step - opensearch_dashboards.yml ### Step 10 - final step - opensearch_dashboards.yml
The last step is to adapt the `/etc/wazuh-dashboard/opensearch_dashboards.yml` and add three lines to the bottom of the file: The last step is to adapt the `/etc/wazuh-dashboard/opensearch_dashboards.yml` and add three lines to the bottom of the file:
```yml ```yml
opensearch_security.auth.type: "saml" opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"] server.xsrf.allowlist:
[
"/_opendistro/_security/saml/acs",
"/_opendistro/_security/saml/logout",
"/_opendistro/_security/saml/acs/idpinitiated",
]
opensearch_security.session.keepalive: false opensearch_security.session.keepalive: false
``` ```
![](dashboardsyml.png) ![](dashboardsyml.png)
If all went well you should now only have to restart the wazuh dashboard If all went well you should now only have to restart the wazuh dashboard
`systemctl restart wazuh-dashboard` `systemctl restart wazuh-dashboard`
and then you should be greeted by the authentik login screen when you try to connect to the dashboard and then you should be greeted by the authentik login screen when you try to connect to the dashboard
![](login.png) ![](login.png)