[Backport 4.4] Add environment to wazuh 4.4

docker/wazuh-4.3-wz/config/wazuh_indexer/config-saml.yml

@@ -0,0 +1,40 @@
+---
+_meta:
+  type: "config"
+  config_version: 2
+
+config:
+  dynamic:
+    http:
+      anonymous_auth_enabled: false
+    authc:
+      internal_auth:
+        order: 0
+        description: "HTTP basic authentication using the internal user database"
+        http_enabled: true
+        transport_enabled: true
+        http_authenticator:
+          type: basic
+          challenge: false
+        authentication_backend:
+          type: internal
+      saml_auth:
+        order: 1
+        description: "Keycloack SAML provider"
+        http_enabled: true
+        transport_enabled: false
+        http_authenticator:
+          type: saml
+          challenge: true
+          config:
+            idp:
+              metadata_url: http://idp:8080/realms/wazuh/protocol/saml/descriptor
+              entity_id: http://idp:8080/realms/wazuh
+            sp:
+              entity_id: wazuh
+              signature_private_key_filepath: "certs/admin-key.pem"
+            kibana_url: https://localhost:5601
+            roles_key: Role
+            exchange_key: 1a2a3a4a5a6a7a8a9a0a1b2b3b4b5b6b
+        authentication_backend:
+          type: noop

docker/wazuh-4.3-wz/config/wazuh_indexer/roles.yml

@@ -0,0 +1,149 @@
+_meta:
+  type: "roles"
+  config_version: 2
+
+# Restrict users so they can only view visualization and dashboard on kibana
+kibana_read_only:
+  reserved: true
+
+# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
+security_rest_api_access:
+  reserved: true
+
+# Allows users to view monitors, destinations and alerts
+alerting_read_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/alerting/alerts/get"
+    - "cluster:admin/opendistro/alerting/destination/get"
+    - "cluster:admin/opendistro/alerting/monitor/get"
+    - "cluster:admin/opendistro/alerting/monitor/search"
+
+# Allows users to view and acknowledge alerts
+alerting_ack_alerts:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/alerting/alerts/*"
+
+# Allows users to use all alerting functionality
+alerting_full_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster_monitor"
+    - "cluster:admin/opendistro/alerting/*"
+  index_permissions:
+    - index_patterns:
+        - "*"
+      allowed_actions:
+        - "indices_monitor"
+        - "indices:admin/aliases/get"
+        - "indices:admin/mappings/get"
+
+# Allow users to read Anomaly Detection detectors and results
+anomaly_read_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/ad/detector/info"
+    - "cluster:admin/opendistro/ad/detector/search"
+    - "cluster:admin/opendistro/ad/detectors/get"
+    - "cluster:admin/opendistro/ad/result/search"
+    - "cluster:admin/opendistro/ad/tasks/search"
+
+# Allows users to use all Anomaly Detection functionality
+anomaly_full_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster_monitor"
+    - "cluster:admin/opendistro/ad/*"
+  index_permissions:
+    - index_patterns:
+        - "*"
+      allowed_actions:
+        - "indices_monitor"
+        - "indices:admin/aliases/get"
+        - "indices:admin/mappings/get"
+
+# Allows users to read Notebooks
+notebooks_read_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/notebooks/list"
+    - "cluster:admin/opendistro/notebooks/get"
+
+# Allows users to all Notebooks functionality
+notebooks_full_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/notebooks/create"
+    - "cluster:admin/opendistro/notebooks/update"
+    - "cluster:admin/opendistro/notebooks/delete"
+    - "cluster:admin/opendistro/notebooks/get"
+    - "cluster:admin/opendistro/notebooks/list"
+
+# Allows users to read and download Reports
+reports_instances_read_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/reports/instance/list"
+    - "cluster:admin/opendistro/reports/instance/get"
+    - "cluster:admin/opendistro/reports/menu/download"
+
+# Allows users to read and download Reports and Report-definitions
+reports_read_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/reports/definition/get"
+    - "cluster:admin/opendistro/reports/definition/list"
+    - "cluster:admin/opendistro/reports/instance/list"
+    - "cluster:admin/opendistro/reports/instance/get"
+    - "cluster:admin/opendistro/reports/menu/download"
+
+# Allows users to all Reports functionality
+reports_full_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/reports/definition/create"
+    - "cluster:admin/opendistro/reports/definition/update"
+    - "cluster:admin/opendistro/reports/definition/on_demand"
+    - "cluster:admin/opendistro/reports/definition/delete"
+    - "cluster:admin/opendistro/reports/definition/get"
+    - "cluster:admin/opendistro/reports/definition/list"
+    - "cluster:admin/opendistro/reports/instance/list"
+    - "cluster:admin/opendistro/reports/instance/get"
+    - "cluster:admin/opendistro/reports/menu/download"
+
+# Allows users to use all asynchronous-search functionality
+asynchronous_search_full_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/asynchronous_search/*"
+  index_permissions:
+    - index_patterns:
+        - "*"
+      allowed_actions:
+        - "indices:data/read/search*"
+
+# Allows users to read stored asynchronous-search results
+asynchronous_search_read_access:
+  reserved: true
+  cluster_permissions:
+    - "cluster:admin/opendistro/asynchronous_search/get"
+
+# Wazuh monitoring and statistics index permissions
+manage_wazuh_index:
+  reserved: true
+  hidden: false
+  cluster_permissions: []
+  index_permissions:
+    - index_patterns:
+        - "wazuh-*"
+      dls: ""
+      fls: []
+      masked_fields: []
+      allowed_actions:
+        - "read"
+        - "delete"
+        - "manage"
+        - "index"
+  tenant_permissions: []
+  static: false

docker/wazuh-4.3-wz/config/wazuh_indexer/roles_mapping.yml

@@ -0,0 +1,88 @@
+---
+# In this file users, backendroles and hosts can be mapped to Open Distro Security roles.
+# Permissions for Opendistro roles are configured in roles.yml
+
+_meta:
+  type: "rolesmapping"
+  config_version: 2
+
+# Define your roles mapping here
+
+## Default roles mapping
+
+all_access:
+  reserved: true
+  hidden: false
+  backend_roles:
+    - "admin"
+  hosts: []
+  users: []
+  and_backend_roles: []
+  description: "Maps admin to all_access"
+
+own_index:
+  reserved: false
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+    - "*"
+  and_backend_roles: []
+  description: "Allow full access to an index named like the username"
+
+logstash:
+  reserved: false
+  hidden: false
+  backend_roles:
+    - "logstash"
+  hosts: []
+  users: []
+  and_backend_roles: []
+
+readall:
+  reserved: true
+  hidden: false
+  backend_roles:
+    - "readall"
+  hosts: []
+  users: []
+  and_backend_roles: []
+
+manage_snapshots:
+  reserved: true
+  hidden: false
+  backend_roles:
+    - "snapshotrestore"
+  hosts: []
+  users: []
+  and_backend_roles: []
+
+kibana_server:
+  reserved: true
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+    - "kibanaserver"
+  and_backend_roles: []
+
+kibana_user:
+  reserved: false
+  hidden: false
+  backend_roles:
+    - "kibanauser"
+  hosts: []
+  users: []
+  and_backend_roles: []
+  description: "Maps kibanauser to kibana_user"
+
+  # Wazuh monitoring and statistics index permissions
+manage_wazuh_index:
+  reserved: true
+  hidden: false
+  backend_roles: []
+  hosts: []
+  users:
+    - "kibanaserver"
+    - "admin"
+  and_backend_roles: []

docker/wazuh-4.3-wz/enable_saml.sh

@@ -1,12 +1,6 @@
 #!/bin/bash
 
-if [[ $# -lt 1 ]]
-then
-  echo "Designed to be called only from rel.sh! do not exeute manually!"
-  exit
-fi
-
-# idp container launches and docker-compose returns too quickly, do not wait for container to 
+# idp container launches and docker-compose returns too quickly, do not wait for container to
 # be healthy as it has no dependencies, so we wait before continuing
 sleep 7
 
@@ -45,13 +39,13 @@ P='{
 curl -sS -L -X POST "${B}/admin/realms" "${H[@]}" -d "$P" | grep -v "Conflict detected"
 
 
-# Add admin certificates to keycloak as these are used by indexer to sign saml 
+# Add admin certificates to keycloak as these are used by indexer to sign saml
 # messages. These should be uploaded to keycloak if we want it to verify indexer messages.
-key=$(docker exec $indexer cat /usr/share/wazuh-indexer/config/certs/admin-key.pem | grep -v "PRIVATE KEY" | tr -d "\n")
-cert=$(docker exec $indexer cat /usr/share/wazuh-indexer/config/certs/admin.pem | grep -v CERTIFICATE| tr -d "\n")
+key=$(cat /certs/wi/admin-key.pem | grep -v "PRIVATE KEY" | tr -d "\n")
+cert=$(cat /certs/wi/admin.pem | grep -v CERTIFICATE | tr -d "\n")
 
 
-# Create client 
+# Create client
 # By default the client does not verify the client signature on saml messages
 # but it could be enabled for testing purposes
 PC="{
@@ -71,7 +65,7 @@ PC="{
     \"saml.signing.private.key\": \"$key\",
     \"saml.client.signature\": \"true\",
     \"saml_single_logout_service_url_redirect\": \"https://localhost:5601\",
-    \"post.logout.redirect.uris\": \"https://localhost:5601*\" 
+    \"post.logout.redirect.uris\": \"https://localhost:5601*\"
   }
 }"
 
@@ -80,7 +74,7 @@ curl -sS -L -X POST "${B}/admin/realms/${REALM}/clients" "${H[@]}" -d "$PC" | gr
 # Get a client json representation
 CLIENT=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/clients" "${H[@]}" -G -d 'clientId=wazuh' |jq '.[] | select(.clientId=="wazuh")')
 
-# Get client id 
+# Get client id
 CID=$(echo $CLIENT | jq -r '.id' )
 
 # Generate all-access and admin role for the realm
@@ -114,7 +108,7 @@ curl -sS -L -X POST "${B}/admin/realms/${REALM}/users" "${H[@]}" -d "$PU" | grep
 ## Get a user json representation
 USER=$(curl -sS -L -X GET "${B}/admin/realms/${REALM}/users" "${H[@]}" -G -d 'username=wazuh' |jq '.[] | select(.username=="wazuh")')
 
-### Get user id 
+### Get user id
 USERID=$(echo $USER | jq -r '.id' )
 
 # Get roles

docker/wazuh-4.3-wz/rel.sh

@@ -43,11 +43,13 @@ export COMPOSE_PROJECT_NAME=wz-rel-${WAZUH_STACK//./}
 
 profile="standard"
 export WAZUH_DASHBOARD_CONF=./config/wazuh_dashboard/wazuh_dashboard.yml
+export SEC_CONFIG_FILE=./config/wazuh_indexer/config.yml
 
 if [[ "$3" =~ "saml" ]]
 then
 	profile="saml"
 	export WAZUH_DASHBOARD_CONF=./config/wazuh_dashboard/wazuh_dashboard_saml.yml
+  export SEC_CONFIG_FILE=./config/wazuh_indexer/config-saml.yml
 fi
 
 case "$2" in