Anonymous Authentication Wazuh


USE CASE:

Allow a team to access your Wazuh SIEM with read-only privileges and without providing credentials.

Wazuh Dashboard Configuration:

Navigate to Server management > Security, then Roles mapping. Click Create Role mapping and complete the empty fields with the following parameters:

  • Role mapping name: Assign a name to the role mapping.
  • Roles: Select readonly.
  • Custom rules: Click Add new rule to expand this field.
  • User field: backend_roles
  • Search operation: FIND
  • Value: opendistro_security_anonymous_backendrole

Then save the role mapping.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies.

Wazuh Indexer Configuration:

Access the Wazuh indexer server and perform the following:

  • Set anonymous_auth_enabled to true in /etc/wazuh-indexer/opensearch-security/config.yml. Then apply the change:

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv

  • Add opensearch_security.auth.anonymous_auth_enabled: true to /etc/wazuh-dashboard/opensearch_dashboards.yml, then restart the Wazuh dashboard:

systemctl restart wazuh-dashboard.service

  • In /etc/wazuh-indexer/opensearch-security/roles.yml, set the following role:
wazuh_read_anonymous:
  cluster_permissions:
  - "cluster_composite_ops_ro"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "read"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_read"

Applying the change:

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
  • In /etc/wazuh-indexer/opensearch-security/roles_mapping.yml, configure the mapping of the anonymous backend role:
wazuh_read_anonymous:
  backend_roles:
  - "opendistro_security_anonymous_backendrole"

Applying the change:

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
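
The procedure spreads its settings over five files, and an extra allowed action on the anonymous role would make it more than read-only. The following preflight is an added example, not part of the original post or of Wazuh's tooling; the function names and the ROOT path prefix are assumptions, and make_sample writes constructed stand-in files for a dry run.

```shell
#!/bin/sh
# Added example: offline preflight for the anonymous read-only setup above.
# ROOT is an assumed path prefix ("" on a live host, a directory for a copy).

# has_true FILE KEY: succeeds if FILE has an uncommented "KEY: true" line.
has_true() {
  grep -Eq "^[[:space:]]*$2:[[:space:]]*true[[:space:]]*(#.*)?\$" "$1" 2>/dev/null
}

# role_actions FILE ROLE: print each allowed_actions entry of top-level ROLE.
role_actions() {
  awk -v role="$2" '
    /^[^ \t#]/ { in_role = (index($0, role ":") == 1); in_act = 0; next }
    in_role && /allowed_actions:/ { in_act = 1; next }
    in_role && in_act && /^[ \t]*-[ \t]/ && !/:[ \t]*$/ {
      sub(/^[ \t]*-[ \t]*/, ""); gsub(/[" \t]/, ""); print; next }
    { in_act = 0 }' "$1" 2>/dev/null
}

# check_anon_config ROOT: report each step of the procedure that is missing.
check_anon_config() {
  root="$1"; rc=0; sec="$root/etc/wazuh-indexer/opensearch-security"
  has_true "$root/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml" run_as ||
    { echo "MISSING: run_as: true (wazuh.yml)"; rc=1; }
  has_true "$sec/config.yml" anonymous_auth_enabled ||
    { echo "MISSING: anonymous_auth_enabled: true (config.yml)"; rc=1; }
  has_true "$root/etc/wazuh-dashboard/opensearch_dashboards.yml" \
    'opensearch_security\.auth\.anonymous_auth_enabled' ||
    { echo "MISSING: anonymous_auth_enabled (opensearch_dashboards.yml)"; rc=1; }
  grep -q opendistro_security_anonymous_backendrole "$sec/roles_mapping.yml" \
    2>/dev/null || { echo "MISSING: anonymous backend role mapping"; rc=1; }
  acts=$(role_actions "$sec/roles.yml" wazuh_read_anonymous)
  [ -n "$acts" ] || { echo "MISSING: wazuh_read_anonymous (roles.yml)"; rc=1; }
  # Flag anything beyond the two read-only actions the page grants.
  extra=$(printf '%s\n' "$acts" | grep -vxE 'read|kibana_all_read' || true)
  [ -z "$extra" ] || { echo "UNEXPECTED anonymous action: $extra"; rc=1; }
  return "$rc"
}

# make_sample DIR: constructed minimal copies of the five files, for a dry run.
make_sample() {
  s="$1/etc/wazuh-indexer/opensearch-security"; dash="$1/etc/wazuh-dashboard"
  w="$1/usr/share/wazuh-dashboard/data/wazuh/config"; mkdir -p "$s" "$dash" "$w"
  echo '      run_as: true' > "$w/wazuh.yml"
  echo '      anonymous_auth_enabled: true' > "$s/config.yml"
  echo 'opensearch_security.auth.anonymous_auth_enabled: true' > "$dash/opensearch_dashboards.yml"
  printf 'wazuh_read_anonymous:\n  backend_roles:\n  - "opendistro_security_anonymous_backendrole"\n' > "$s/roles_mapping.yml"
  printf 'wazuh_read_anonymous:\n  index_permissions:\n  - index_patterns:\n    - "*"\n    allowed_actions:\n    - "read"\n' > "$s/roles.yml"
}
```

On a live host, run check_anon_config "" as a user that can read the files. It inspects only what is on disk and cannot tell whether securityadmin.sh has already pushed the files to the indexer.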
