Updated security config files

2025-11-03 21:43:17 +00:00 · 2023-11-09 09:09:08 -03:00
parent 4863d54c99
commit 486c41e3f9
6 changed files with 35 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -101,6 +101,7 @@ WAZUH_MONITORING_REPLICAS=0         ##
    │   │   └── Dockerfile
    │   ├── wazuh-indexer
    │   │   ├── config
+    │   │   │   ├── action_groups.yml
    │   │   │   ├── config.sh
    │   │   │   ├── config.yml
    │   │   │   ├── entrypoint.sh
--- a/build-docker-images/wazuh-indexer/Dockerfile
+++ b/build-docker-images/wazuh-indexer/Dockerfile
@@ -12,6 +12,8 @@ COPY config/config.sh .

 COPY config/config.yml /

+COPY config/action_groups.yml /
+
 COPY config/internal_users.yml /

 COPY config/roles_mapping.yml /
--- a/build-docker-images/wazuh-indexer/config/action_groups.yml
+++ b/build-docker-images/wazuh-indexer/config/action_groups.yml
@@ -0,0 +1,12 @@
+---
+_meta:
+  type: "actiongroups"
+  config_version: 2
+
+# ISM API permissions group
+manage_ism:
+  reserved: true
+  hidden: false
+  allowed_actions:
+  - "cluster:admin/opendistro/ism/*"
+  static: false
--- a/build-docker-images/wazuh-indexer/config/config.sh
+++ b/build-docker-images/wazuh-indexer/config/config.sh
@@ -120,6 +120,7 @@ cp /$PASSWORD_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/
 # Copy Wazuh's config files for the security plugin
 cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
 cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
+cp -pr /action_groups.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
 cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/
 cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR}
 # Copy Wazuh indexer's certificates
--- a/build-docker-images/wazuh-indexer/config/roles.yml
+++ b/build-docker-images/wazuh-indexer/config/roles.yml
@@ -142,7 +142,7 @@ wazuh_ui_user:
    allowed_actions:
    - "read"
  tenant_permissions: []
-  static: false        
+  static: false

 wazuh_ui_admin:
  reserved: true
@@ -160,4 +160,12 @@ wazuh_ui_admin:
    - "manage"
    - "index"
  tenant_permissions: []
-  static: false  
+  static: false
+
+# ISM API permissions role
+manage_ism:
+  reserved: true
+  hidden: false
+  cluster_permissions:
+  - "manage_ism"
+  static: false
--- a/build-docker-images/wazuh-indexer/config/roles_mapping.yml
+++ b/build-docker-images/wazuh-indexer/config/roles_mapping.yml
@@ -33,7 +33,7 @@ kibana_user:
  - "kibanauser"
  users:
  - "wazuh_user"
-  - "wazuh_admin"    
+  - "wazuh_admin"
  description: "Maps kibanauser to kibana_user"

 readall:
@@ -68,4 +68,11 @@ wazuh_ui_user:
  hosts: []
  users:
  - "wazuh_user"
-  and_backend_roles: []
+  and_backend_roles: []
+
+# ISM API permissions role mapping
+manage_ism:
+  reserved: true
+  hidden: false
+  users:
+  - "kibanaserver"