diff --git a/build-scripts/assemble.sh b/build-scripts/assemble.sh index 154d12af1fa71..a699db4d86868 100644 --- a/build-scripts/assemble.sh +++ b/build-scripts/assemble.sh @@ -158,13 +158,14 @@ function parse_args() { # Set up configuration files # ==== function add_configuration_files() { - # swap configuration files - cp $PATH_CONF/security/* $PATH_CONF/opensearch-security/ - cp $PATH_CONF/jvm.prod.options $PATH_CONF/jvm.options - cp $PATH_CONF/opensearch.prod.yml $PATH_CONF/opensearch.yml + # Add our settings to the configuration files + cat "$PATH_CONF/security/roles.wazuh.yml" >> "$PATH_CONF/opensearch-security/roles.yml" + cat "$PATH_CONF/security/roles_mapping.wazuh.yml" >> "$PATH_CONF/opensearch-security/roles_mapping.yml" + + cp "$PATH_CONF/opensearch.prod.yml" "$PATH_CONF/opensearch.yml" - rm -r $PATH_CONF/security - rm $PATH_CONF/jvm.prod.options $PATH_CONF/opensearch.prod.yml + rm -r "$PATH_CONF/security" + rm "$PATH_CONF/opensearch.prod.yml" # Remove symbolic links and bat files find . -type l -exec rm -rf {} \; @@ -187,9 +188,9 @@ function add_wazuh_tools() { local download_url download_url="https://packages-dev.wazuh.com/${version}" - curl -sL "${download_url}/config.yml" -o $PATH_PLUGINS/opensearch-security/tools/config.yml - curl -sL "${download_url}/wazuh-passwords-tool.sh" -o $PATH_PLUGINS/opensearch-security/tools/wazuh-passwords-tool.sh - curl -sL "${download_url}/wazuh-certs-tool.sh" -o $PATH_PLUGINS/opensearch-security/tools/wazuh-certs-tool.sh + curl -sL "${download_url}/config.yml" -o "$PATH_PLUGINS/opensearch-security/tools/config.yml" + curl -sL "${download_url}/wazuh-passwords-tool.sh" -o "$PATH_PLUGINS/opensearch-security/tools/wazuh-passwords-tool.sh" + curl -sL "${download_url}/wazuh-certs-tool.sh" -o "$PATH_PLUGINS/opensearch-security/tools/wazuh-certs-tool.sh" } # ==== diff --git a/distribution/build.gradle b/distribution/build.gradle index 1210e5b131deb..d10c0042c5d42 100644 --- a/distribution/build.gradle 
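Review bot: The two `cat … >>` appends in add_configuration_files are neither idempotent nor checked: re-running the assembly step appends a second `manage_wazuh_index:` key to roles.yml and roles_mapping.yml, and if `$PATH_CONF/opensearch-security/roles.yml` is absent `>>` silently creates a roles file with no `_meta` block. Guard each append, e.g. `[[ -f "$PATH_CONF/opensearch-security/roles.yml" ]] || { echo "roles.yml missing" >&2; return 1; }` followed by `grep -q '^manage_wazuh_index:' "$PATH_CONF/opensearch-security/roles.yml" || cat … >>`. The `rm -r "$PATH_CONF/security"` would also be safer as `rm -r -- "${PATH_CONF:?}/security"`, so an unset PATH_CONF cannot turn it into `rm -r /security`. The function body continues past the hunk (the `find` cleanup is cut off).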
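Review bot: add_wazuh_tools downloads three scripts and a config that end up inside the package, yet `curl -sL` has no `-f`, so an HTTP error body (a 404 page, say) is written to wazuh-passwords-tool.sh and shipped as the tool operators later run as root, and nothing verifies what was fetched; the commit only adds quoting here. Use `curl -fsSL --retry 3` so a failed download aborts the build, and verify each artifact against a pinned digest (`sha256sum -c`) before it lands in the plugin tree. The source is the packages-dev host, which is presumably acceptable for development builds but should not feed release packages without that check.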
+++ b/distribution/build.gradle @@ -609,8 +609,8 @@ subprojects { ], 'error.file': [ - 'deb': "-XX:ErrorFile=/usr/share/wazuh-indexer/hs_err_pid%p.log", - 'rpm': "-XX:ErrorFile=/usr/share/wazuh-indexer/hs_err_pid%p.log", + 'deb': "-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log", + 'rpm': "-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log", 'def': "-XX:ErrorFile=logs/hs_err_pid%p.log" ], diff --git a/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service b/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service index c744071b958b3..a935ba21a3898 100644 --- a/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service +++ b/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service @@ -1,22 +1,15 @@ -# Copyright OpenSearch Contributors -# SPDX-License-Identifier: Apache-2.0 -# -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - [Unit] Description=OpenSearch Performance Analyzer +PartOf=wazuh-indexer.service [Service] -Type=simple ExecStart=/usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli Restart=on-failure User=wazuh-indexer Group=wazuh-indexer Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer -Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer/ +Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer WorkingDirectory=/usr/share/wazuh-indexer [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=wazuh-indexer.service \ No newline at end of file diff --git a/distribution/packages/src/deb/debian/postinst b/distribution/packages/src/deb/debian/postinst index c523ffa260091..b2288e99da164 100644 --- a/distribution/packages/src/deb/debian/postinst +++ b/distribution/packages/src/deb/debian/postinst 
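Review bot: The fatal-error log path now matches the `-XX:ErrorFile` line of the jvm.prod.options this commit deletes, but that file also pinned `-XX:HeapDumpPath=/var/lib/wazuh-indexer`, the GC log under /var/log/wazuh-indexer and `-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}`, none of which appear in this hunk, so confirm the rest of the gradle template emits equivalent entries. If it does not, heap dumps fall back to the JVM's working directory (/usr/share/wazuh-indexer, if the indexer unit uses the same WorkingDirectory as the performance-analyzer one), and a heap dump of the indexer can hold credentials and request data, so its location and permissions matter. A short comment next to `'error.file'` pointing at where the heap-dump and gc-log paths are set would make the move easier to audit.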
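Review bot: Removing the `SPDX-License-Identifier: Apache-2.0` block from a unit that is otherwise the OpenSearch one with renamed paths drops the notice Apache-2.0 asks downstream copies to retain; keep the header, or replace it with the project's own notice naming the origin. On ordering, `PartOf=` and `WantedBy=wazuh-indexer.service` bind the agent's lifecycle to the indexer but do not order the two, so add `After=wazuh-indexer.service` under `[Unit]`; otherwise the agent can start first and `Restart=on-failure` hides the race as restart churn. The unit also carries no sandboxing (`NoNewPrivileges=true`, `ProtectSystem=full`, `PrivateTmp=true`), worth considering while the file is being rewritten, since the agent runs as the same user that owns the indexer's data.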
@@ -32,6 +32,21 @@ chown -R wazuh-indexer:wazuh-indexer ${data_dir} chown -R wazuh-indexer:wazuh-indexer ${pid_dir} chown -R wazuh-indexer:wazuh-indexer ${tmp_dir} + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-${config_dir}} +# Apply Performance Analyzer settings, as per https://github.com/opensearch-project/opensearch-build/blob/2.18.0/scripts/pkg/build_templates/current/opensearch/deb/debian/postinst#L28-L37 +if ! grep -q '## OpenSearch Performance Analyzer' "$OPENSEARCH_PATH_CONF/jvm.options"; then + CLK_TCK=$(/usr/bin/getconf CLK_TCK) + { + echo + echo "## OpenSearch Performance Analyzer" + echo "-Dclk.tck=$CLK_TCK" + echo "-Djdk.attach.allowAttachSelf=true" + echo "-Djava.security.policy=file://$OPENSEARCH_PATH_CONF/opensearch-performance-analyzer/opensearch_security.policy" + echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" + } >> "$OPENSEARCH_PATH_CONF/jvm.options" +fi + # Reload systemctl daemon if command -v systemctl > /dev/null; then systemctl daemon-reload diff --git a/distribution/packages/src/deb/debmake_install.sh b/distribution/packages/src/deb/debmake_install.sh index 372b49d7da330..eaaa23c712701 100644 --- a/distribution/packages/src/deb/debmake_install.sh +++ b/distribution/packages/src/deb/debmake_install.sh @@ -45,7 +45,6 @@ find "${buildroot}" -type f -exec chmod 640 {} \; systemd_files=() systemd_files+=("${buildroot}/${service_dir}/${name}.service") systemd_files+=("${buildroot}/${service_dir}/${name}-performance-analyzer.service") -systemd_files+=("${buildroot}/${service_dir}/${name}-performance-analyzer.service") systemd_files+=("${buildroot}/etc/init.d/${name}") systemd_files+=("${buildroot}/usr/lib/sysctl.d/${name}.conf") systemd_files+=("${buildroot}/usr/lib/tmpfiles.d/${name}.conf") 
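Review bot: The guard `grep -q '## OpenSearch Performance Analyzer'` skips the block whenever the marker is already present, and the jvm.prod.options deleted in this commit carried that same marker with a hard-coded `-Dclk.tck=100`, so a host upgrading from a package that installed that file keeps the stale constant instead of the `getconf` value (assuming jvm.options is preserved across upgrades, which is likely for a file under /etc). Consider rewriting the block on upgrade instead of skipping it, or state in the comment that hosts upgraded from that package keep their existing values. `CLK_TCK=$(/usr/bin/getconf CLK_TCK)` is also unchecked and would emit `-Dclk.tck=` on failure; add `: "${CLK_TCK:?getconf CLK_TCK failed}"` after it. `-Djdk.attach.allowAttachSelf=true` together with the `--add-opens` on jdk.attach widens the JVM's attach surface; a one-line comment saying Performance Analyzer requires them would help the next reader.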
@@ -81,6 +80,7 @@ fi binary_files=() binary_files+=("${buildroot}${product_dir}"/bin/*) +binary_files+=("${buildroot}${product_dir}"/bin/opensearch-performance-analyzer/*) binary_files+=("${buildroot}${product_dir}"/jdk/bin/*) binary_files+=("${buildroot}${product_dir}"/jdk/lib/jspawnhelper) binary_files+=("${buildroot}${product_dir}"/jdk/lib/modules) diff --git a/distribution/packages/src/rpm/wazuh-indexer.rpm.spec b/distribution/packages/src/rpm/wazuh-indexer.rpm.spec index e9420754c1136..ce9ede8879523 100644 --- a/distribution/packages/src/rpm/wazuh-indexer.rpm.spec +++ b/distribution/packages/src/rpm/wazuh-indexer.rpm.spec 
@@ -180,18 +180,20 @@ set -e chown -R %{name}:%{name} %{config_dir} chown -R %{name}:%{name} %{log_dir} -# Apply PerformanceAnalyzer Settings -chmod a+rw /tmp -if ! grep -q '## OpenSearch Performance Analyzer' %{config_dir}/jvm.options; then - # Add Performance Analyzer settings in %{config_dir}/jvm.options - CLK_TCK=`/usr/bin/getconf CLK_TCK` - echo >> %{config_dir}/jvm.options - echo '## OpenSearch Performance Analyzer' >> %{config_dir}/jvm.options - echo "-Dclk.tck=$CLK_TCK" >> %{config_dir}/jvm.options - echo "-Djdk.attach.allowAttachSelf=true" >> %{config_dir}/jvm.options - echo "-Djava.security.policy=file://%{config_dir}/opensearch-performance-analyzer/opensearch_security.policy" >> %{config_dir}/jvm.options - echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" >> %{config_dir}/jvm.options +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{config_dir}} +# Apply Performance Analyzer settings, as per https://github.com/opensearch-project/opensearch-build/blob/2.18.0/scripts/pkg/build_templates/current/opensearch/deb/debian/postinst#L28-L37 +if ! grep -q '## OpenSearch Performance Analyzer' "$OPENSEARCH_PATH_CONF/jvm.options"; then + CLK_TCK=$(/usr/bin/getconf CLK_TCK) + { + echo + echo "## OpenSearch Performance Analyzer" + echo "-Dclk.tck=$CLK_TCK" + echo "-Djdk.attach.allowAttachSelf=true" + echo "-Djava.security.policy=file://$OPENSEARCH_PATH_CONF/opensearch-performance-analyzer/opensearch_security.policy" + echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" + } >> "$OPENSEARCH_PATH_CONF/jvm.options" fi + # Reload systemctl daemon if command -v systemctl > /dev/null; then systemctl daemon-reload diff --git a/distribution/src/config/jvm.prod.options b/distribution/src/config/jvm.prod.options deleted file mode 100644 index 9a116b52d314c..0000000000000 --- a/distribution/src/config/jvm.prod.options +++ /dev/null 
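Review bot: `export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{config_dir}}` makes %post honor a variable inherited from whoever runs rpm/yum, which the replaced lines did not: with it set, the flags and the `-Djava.security.policy=file://…` path are appended to a jvm.options outside `%{config_dir}`, the packaged file stays untouched, and the `chown -R` lines just above still act on `%{config_dir}`. If mirroring upstream is the intent, say so in the comment; otherwise use `%{config_dir}` directly as before. The comment's link targets the deb postinst rather than an rpm template. With `set -e` in effect a failing `getconf` aborts the scriptlet before `systemctl daemon-reload`, so either accept that explicitly or fall back with `CLK_TCK=$(/usr/bin/getconf CLK_TCK) || CLK_TCK=100`.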
@@ -1,93 +0,0 @@ -## JVM configuration - -################################################################ -## IMPORTANT: JVM heap size -################################################################ -## -## You should always set the min and max JVM heap -## size to the same value. For example, to set -## the heap to 4 GB, set: -## -## -Xms4g -## -Xmx4g -## -## See https://opensearch.org/docs/opensearch/install/important-settings/ -## for more information -## -################################################################ - -# Xms represents the initial size of total heap space -# Xmx represents the maximum size of total heap space - --Xms1g --Xmx1g - -################################################################ -## Expert settings -################################################################ -## -## All settings below this section are considered -## expert settings. Don't tamper with them unless -## you understand what you are doing -## -################################################################ - -## GC configuration -8-10:-XX:+UseConcMarkSweepGC -8-10:-XX:CMSInitiatingOccupancyFraction=75 -8-10:-XX:+UseCMSInitiatingOccupancyOnly - -## G1GC Configuration -# NOTE: G1 GC is only supported on JDK version 10 or later -# to use G1GC, uncomment the next two lines and update the version on the -# following three lines to your version of the JDK -# 10:-XX:-UseConcMarkSweepGC -# 10:-XX:-UseCMSInitiatingOccupancyOnly -11-:-XX:+UseG1GC -11-:-XX:G1ReservePercent=25 -11-:-XX:InitiatingHeapOccupancyPercent=30 - -## JVM temporary directory --Djava.io.tmpdir=${OPENSEARCH_TMPDIR} - -## heap dumps - -# generate a heap dump when an allocation from the Java heap fails -# heap dumps are created in the working directory of the JVM --XX:+HeapDumpOnOutOfMemoryError - -# specify an alternative path for heap dumps; ensure the directory exists and -# has sufficient space --XX:HeapDumpPath=/var/lib/wazuh-indexer - -# specify an alternative path for JVM fatal error logs 
--XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log - -## JDK 8 GC logging -8:-XX:+PrintGCDetails -8:-XX:+PrintGCDateStamps -8:-XX:+PrintTenuringDistribution -8:-XX:+PrintGCApplicationStoppedTime -8:-Xloggc:/var/log/wazuh-indexer/gc.log -8:-XX:+UseGCLogFileRotation -8:-XX:NumberOfGCLogFiles=32 -8:-XX:GCLogFileSize=64m - -# JDK 9+ GC logging -9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m - -# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380) -18-:-Djava.security.manager=allow - -# JDK 20+ Incubating Vector Module for SIMD optimizations; -# disabling may reduce performance on vector optimized lucene -20:--add-modules=jdk.incubator.vector - -# HDFS ForkJoinPool.common() support by SecurityManager --Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory - -## OpenSearch Performance Analyzer --Dclk.tck=100 --Djdk.attach.allowAttachSelf=true --Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy ---add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED \ No newline at end of file diff --git a/distribution/src/config/security/internal_users.yml b/distribution/src/config/security/internal_users.yml deleted file mode 100644 index 44ae613e8bb19..0000000000000 --- a/distribution/src/config/security/internal_users.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -# This is the internal user database -# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh - -_meta: - type: "internalusers" - config_version: 2 - -# Define your internal users here - -## Demo users - -admin: - hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" - reserved: true - backend_roles: - - "admin" - description: "Demo admin user" - -anomalyadmin: - hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3." - reserved: false - opendistro_security_roles: - - "anomaly_full_access" - description: "Demo anomaly admin user, using internal role" - -kibanaserver: - hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." - reserved: true - description: "Demo OpenSearch Dashboards user" - -kibanaro: - hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" - reserved: false - backend_roles: - - "kibanauser" - - "readall" - attributes: - attribute1: "value1" - attribute2: "value2" - attribute3: "value3" - description: "Demo read only user, using external role mapping" - -logstash: - hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" - reserved: false - backend_roles: - - "logstash" - description: "Demo logstash user, using external role mapping" - -readall: - hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" - reserved: false - backend_roles: - - "readall" - description: "Demo readall user, using external role mapping" - -snapshotrestore: - hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" - reserved: false - backend_roles: - - "snapshotrestore" - description: "Demo snapshotrestore user, using external role mapping" diff --git a/distribution/src/config/security/roles.wazuh.yml b/distribution/src/config/security/roles.wazuh.yml new file mode 100644 index 0000000000000..96399e0723193 --- /dev/null +++ b/distribution/src/config/security/roles.wazuh.yml 
@@ -0,0 +1,19 @@ + +# Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + cluster_permissions: [] + index_permissions: + - index_patterns: + - "wazuh-*" + dls: "" + fls: [] + masked_fields: [] + allowed_actions: + - "read" + - "delete" + - "manage" + - "index" + tenant_permissions: [] + static: false \ No newline at end of file diff --git a/distribution/src/config/security/roles.yml b/distribution/src/config/security/roles.yml deleted file mode 100644 index 20b372b778efb..0000000000000 --- a/distribution/src/config/security/roles.yml +++ /dev/null 
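Review bot: The comment says "monitoring and statistics index permissions" but `index_patterns` is `wazuh-*`, which covers every index whose name starts with `wazuh-`, and `allowed_actions` includes `delete` and `manage` (the security plugin's index-admin action group), so the mapped principal can delete or reconfigure any such index, not only the monitoring and statistics ones. Narrow the pattern to the indices this role is for (for example `wazuh-monitoring-*` and `wazuh-statistics-*`, if those are the names in use) or update the comment to state that the grant is deliberately over all of `wazuh-*`. The leading blank line is load-bearing because assemble.sh `cat`-appends this file to roles.yml and the file itself has no trailing newline; a comment saying so would stop someone from "cleaning" it.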
@@ -1,393 +0,0 @@ -_meta: - type: "roles" - config_version: 2 - -# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards -kibana_read_only: - reserved: true - -# The security REST API access role is used to assign specific users access to change the security settings through the REST API. -security_rest_api_access: - reserved: true - -security_rest_api_full_access: - reserved: true - cluster_permissions: - - 'restapi:admin/actiongroups' - - 'restapi:admin/allowlist' - - 'restapi:admin/config/update' - - 'restapi:admin/internalusers' - - 'restapi:admin/nodesdn' - - 'restapi:admin/roles' - - 'restapi:admin/rolesmapping' - - 'restapi:admin/ssl/certs/info' - - 'restapi:admin/ssl/certs/reload' - - 'restapi:admin/tenants' - -# Allows users to view monitors, destinations and alerts -alerting_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/alerting/alerts/get' - - 'cluster:admin/opendistro/alerting/destination/get' - - 'cluster:admin/opendistro/alerting/monitor/get' - - 'cluster:admin/opendistro/alerting/monitor/search' - - 'cluster:admin/opensearch/alerting/findings/get' - - 'cluster:admin/opensearch/alerting/workflow/get' - - 'cluster:admin/opensearch/alerting/workflow_alerts/get' - -# Allows users to view and acknowledge alerts -alerting_ack_alerts: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/alerting/alerts/*' - - 'cluster:admin/opendistro/alerting/chained_alerts/*' - - 'cluster:admin/opendistro/alerting/workflow_alerts/*' - -# Allows users to use all alerting functionality -alerting_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opendistro/alerting/*' - - 'cluster:admin/opensearch/alerting/*' - - 'cluster:admin/opensearch/notifications/feature/publish' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - - 'indices:admin/aliases/get' - - 'indices:admin/mappings/get' - -# Allow users to 
read Anomaly Detection detectors and results -anomaly_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/ad/detector/info' - - 'cluster:admin/opendistro/ad/detector/search' - - 'cluster:admin/opendistro/ad/detectors/get' - - 'cluster:admin/opendistro/ad/result/search' - - 'cluster:admin/opendistro/ad/tasks/search' - - 'cluster:admin/opendistro/ad/detector/validate' - - 'cluster:admin/opendistro/ad/result/topAnomalies' - -# Allows users to use all Anomaly Detection functionality -anomaly_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opendistro/ad/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - - 'indices:admin/aliases/get' - - 'indices:admin/mappings/get' - -# Allow users to execute read only k-NN actions -knn_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/knn_search_model_action' - - 'cluster:admin/knn_get_model_action' - - 'cluster:admin/knn_stats_action' - -# Allow users to use all k-NN functionality -knn_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/knn_training_model_action' - - 'cluster:admin/knn_training_job_router_action' - - 'cluster:admin/knn_training_job_route_decision_info_action' - - 'cluster:admin/knn_warmup_action' - - 'cluster:admin/knn_delete_model_action' - - 'cluster:admin/knn_remove_model_from_cache_action' - - 'cluster:admin/knn_update_model_graveyard_action' - - 'cluster:admin/knn_search_model_action' - - 'cluster:admin/knn_get_model_action' - - 'cluster:admin/knn_stats_action' - -# Allow users to execute read only ip2geo datasource action -ip2geo_datasource_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/geospatial/datasource/get' - -# Allow users to use all ip2geo datasource action -ip2geo_datasource_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/geospatial/datasource/*' - -# Allows users to read Notebooks 
-notebooks_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/notebooks/list' - - 'cluster:admin/opendistro/notebooks/get' - -# Allows users to all Notebooks functionality -notebooks_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/notebooks/create' - - 'cluster:admin/opendistro/notebooks/update' - - 'cluster:admin/opendistro/notebooks/delete' - - 'cluster:admin/opendistro/notebooks/get' - - 'cluster:admin/opendistro/notebooks/list' - -# Allows users to read observability objects -observability_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/observability/get' - -# Allows users to all Observability functionality -observability_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/observability/create' - - 'cluster:admin/opensearch/observability/update' - - 'cluster:admin/opensearch/observability/delete' - - 'cluster:admin/opensearch/observability/get' - -# Allows users to all PPL functionality -ppl_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/ppl' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:admin/mappings/get' - - 'indices:data/read/search*' - - 'indices:monitor/settings/get' - -# Allows users to read and download Reports -reports_instances_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to read and download Reports and Report-definitions -reports_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/definition/get' - - 'cluster:admin/opendistro/reports/definition/list' - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to all 
Reports functionality -reports_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/reports/definition/create' - - 'cluster:admin/opendistro/reports/definition/update' - - 'cluster:admin/opendistro/reports/definition/on_demand' - - 'cluster:admin/opendistro/reports/definition/delete' - - 'cluster:admin/opendistro/reports/definition/get' - - 'cluster:admin/opendistro/reports/definition/list' - - 'cluster:admin/opendistro/reports/instance/list' - - 'cluster:admin/opendistro/reports/instance/get' - - 'cluster:admin/opendistro/reports/menu/download' - -# Allows users to use all asynchronous-search functionality -asynchronous_search_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/asynchronous_search/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:data/read/search*' - -# Allows users to read stored asynchronous-search results -asynchronous_search_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opendistro/asynchronous_search/get' - -# Allows user to use all index_management actions - ism policies, rollups, transforms -index_management_full_access: - reserved: true - cluster_permissions: - - "cluster:admin/opendistro/ism/*" - - "cluster:admin/opendistro/rollup/*" - - "cluster:admin/opendistro/transform/*" - - "cluster:admin/opensearch/controlcenter/lron/*" - - "cluster:admin/opensearch/notifications/channels/get" - - "cluster:admin/opensearch/notifications/feature/publish" - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:admin/opensearch/ism/*' - -# Allows users to use all cross cluster replication functionality at leader cluster -cross_cluster_replication_leader_full_access: - reserved: true - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - "indices:admin/plugins/replication/index/setup/validate" - - "indices:data/read/plugins/replication/changes" - - 
"indices:data/read/plugins/replication/file_chunk" - -# Allows users to use all cross cluster replication functionality at follower cluster -cross_cluster_replication_follower_full_access: - reserved: true - cluster_permissions: - - "cluster:admin/plugins/replication/autofollow/update" - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - "indices:admin/plugins/replication/index/setup/validate" - - "indices:data/write/plugins/replication/changes" - - "indices:admin/plugins/replication/index/start" - - "indices:admin/plugins/replication/index/pause" - - "indices:admin/plugins/replication/index/resume" - - "indices:admin/plugins/replication/index/stop" - - "indices:admin/plugins/replication/index/update" - - "indices:admin/plugins/replication/index/status_check" - -# Allows users to use all cross cluster search functionality at remote cluster -cross_cluster_search_remote_full_access: - reserved: true - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:admin/shards/search_shards' - - 'indices:data/read/search' - -# Allow users to read ML stats/models/tasks -ml_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/ml/stats/nodes' - - 'cluster:admin/opensearch/ml/model_groups/search' - - 'cluster:admin/opensearch/ml/models/get' - - 'cluster:admin/opensearch/ml/models/search' - - 'cluster:admin/opensearch/ml/tasks/get' - - 'cluster:admin/opensearch/ml/tasks/search' - -# Allows users to use all ML functionality -ml_full_access: - reserved: true - cluster_permissions: - - 'cluster_monitor' - - 'cluster:admin/opensearch/ml/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices_monitor' - -# Allows users to use all Notifications functionality -notifications_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/notifications/*' - -# Allows users to read Notifications config/channels -notifications_read_access: - reserved: true - 
cluster_permissions: - - 'cluster:admin/opensearch/notifications/configs/get' - - 'cluster:admin/opensearch/notifications/features' - - 'cluster:admin/opensearch/notifications/channels/get' - -# Allows users to use all snapshot management functionality -snapshot_management_full_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/snapshot_management/*' - - 'cluster:admin/opensearch/notifications/feature/publish' - - 'cluster:admin/repository/*' - - 'cluster:admin/snapshot/*' - -# Allows users to see snapshots, repositories, and snapshot management policies -snapshot_management_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/snapshot_management/policy/get' - - 'cluster:admin/opensearch/snapshot_management/policy/search' - - 'cluster:admin/opensearch/snapshot_management/policy/explain' - - 'cluster:admin/repository/get' - - 'cluster:admin/snapshot/get' - -# Allows user to use point in time functionality -point_in_time_full_access: - reserved: true - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'manage_point_in_time' - -# Allows users to see security analytics detectors and others -security_analytics_read_access: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/get' - - 'cluster:admin/opensearch/securityanalytics/correlations/findings' - - 'cluster:admin/opensearch/securityanalytics/correlations/list' - - 'cluster:admin/opensearch/securityanalytics/detector/get' - - 'cluster:admin/opensearch/securityanalytics/detector/search' - - 'cluster:admin/opensearch/securityanalytics/findings/get' - - 'cluster:admin/opensearch/securityanalytics/mapping/get' - - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' - - 'cluster:admin/opensearch/securityanalytics/rule/get' - - 'cluster:admin/opensearch/securityanalytics/rule/search' - -# Allows users to use all security analytics functionality -security_analytics_full_access: - reserved: true - 
cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/*' - - 'cluster:admin/opensearch/securityanalytics/correlations/*' - - 'cluster:admin/opensearch/securityanalytics/detector/*' - - 'cluster:admin/opensearch/securityanalytics/findings/*' - - 'cluster:admin/opensearch/securityanalytics/mapping/*' - - 'cluster:admin/opensearch/securityanalytics/rule/*' - index_permissions: - - index_patterns: - - '*' - allowed_actions: - - 'indices:admin/mapping/put' - - 'indices:admin/mappings/get' - -# Allows users to view and acknowledge alerts -security_analytics_ack_alerts: - reserved: true - cluster_permissions: - - 'cluster:admin/opensearch/securityanalytics/alerts/*' - -# Wazuh monitoring and statistics index permissions -manage_wazuh_index: - reserved: true - hidden: false - cluster_permissions: [] - index_permissions: - - index_patterns: - - "wazuh-*" - dls: "" - fls: [] - masked_fields: [] - allowed_actions: - - "read" - - "delete" - - "manage" - - "index" - tenant_permissions: [] - static: false diff --git a/distribution/src/config/security/roles_mapping.wazuh.yml b/distribution/src/config/security/roles_mapping.wazuh.yml new file mode 100644 index 0000000000000..b7b1b65b8c700 --- /dev/null +++ b/distribution/src/config/security/roles_mapping.wazuh.yml @@ -0,0 +1,10 @@ + +# Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + backend_roles: [] + hosts: [] + users: + - "kibanaserver" + and_backend_roles: [] \ No newline at end of file diff --git a/distribution/src/config/security/roles_mapping.yml b/distribution/src/config/security/roles_mapping.yml deleted file mode 100644 index e4f7628780f68..0000000000000 --- a/distribution/src/config/security/roles_mapping.yml +++ /dev/null 
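Review bot: The mapping gives `manage_wazuh_index` (`delete` and `manage` on `wazuh-*` per roles.wazuh.yml) to the named user `kibanaserver`, the Dashboards server account whose credentials every Dashboards node holds, so a leak of that one password is enough to drop those indices; mapping through a dedicated backend role (`backend_roles: ["wazuh_index_manager"]` or similar) instead of `users:` keeps the service account on the upstream `kibana_server` role and lets operators assign the write role to a separate identity. Since internal_users.yml is deleted in this commit, `kibanaserver` must now be defined by the upstream security config that assemble.sh no longer overrides; a comment stating that dependency would help. The file is appended to roles_mapping.yml by `cat >>`, so the leading blank line and the missing trailing newline deserve a comment too.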
@@ -1,87 +0,0 @@ ---- -# In this file users, backendroles and hosts can be mapped to Open Distro Security roles. -# Permissions for Opendistro roles are configured in roles.yml - -_meta: - type: "rolesmapping" - config_version: 2 - -# Define your roles mapping here - -## Default roles mapping - -all_access: - reserved: true - hidden: false - backend_roles: - - "admin" - hosts: [] - users: [] - and_backend_roles: [] - description: "Maps admin to all_access" - -own_index: - reserved: false - hidden: false - backend_roles: [] - hosts: [] - users: - - "*" - and_backend_roles: [] - description: "Allow full access to an index named like the username" - -logstash: - reserved: false - hidden: false - backend_roles: - - "logstash" - hosts: [] - users: [] - and_backend_roles: [] - -readall: - reserved: true - hidden: false - backend_roles: - - "readall" - hosts: [] - users: [] - and_backend_roles: [] - -manage_snapshots: - reserved: true - hidden: false - backend_roles: - - "snapshotrestore" - hosts: [] - users: [] - and_backend_roles: [] - -kibana_server: - reserved: true - hidden: false - backend_roles: [] - hosts: [] - users: - - "kibanaserver" - and_backend_roles: [] - -kibana_user: - reserved: false - hidden: false - backend_roles: - - "kibanauser" - hosts: [] - users: [] - and_backend_roles: [] - description: "Maps kibanauser to kibana_user" - -# Wazuh monitoring and statistics index permissions -manage_wazuh_index: - reserved: true - hidden: false - backend_roles: [] - hosts: [] - users: - - "kibanaserver" - and_backend_roles: [] \ No newline at end of file