Integrate with Wazuh

What is Wazuh

Wazuh is a security platform that aims to safeguard data assets across multiple environments including on-site, virtualized, containerized, and cloud-based.

-- https://wazuh.com

Preparation

The following placeholders are used in this guide:

• wazuh-dashboard.company is the FQDN of the Wazuh Dashboard installation.
• wazuh-indexer.company is the FQDN of the Wazuh Indexer installation
• authentik.company is the FQDN of the authentik installation.

:::info This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application. :::

authentik configuration

To support the integration of Wazuh with authentik, you need to create a group, a property mapping, and an application/provider pair in authentik.

Create a user group in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to Directory > Groups and click Create.
3. Set a name for the group (e.g. wazuh-administrators) and click Create.
4. Click the name of the newly created group and navigate to the Users tab.
5. Click Add existing user, select the user that needs Wazuh admin access and click Add.

Create a property mapping in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.

2. Navigate to Customization > Property Mappings and click Create. Create a SAML Provider Property Mapping with the following settings:

   • Name: Choose a descriptive name
   • SAML Attribute Name: Roles
   • Friendly Name: Leave blank
   • Expression: wazuh-administrators is used as a placeholder for the group name.
   pythonCopy

   if ak_is_group_member(request.user, name="wazuh-administrators"):
      yield "wazuh-admin"
   

3. Click Finish.

Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to Applications > Applications and click Create with Provider to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)

• Application: provide a descriptive name (e.g., Wazuh), an optional group for the type of application, the policy engine mode, and optional UI settings.
• Choose a Provider type: Select SAML Provider as the provider type.
• Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
  • ACS URL: https://wazuh-dashboard.company/_opendistro/_security/saml/acs
  • Issuer: wazuh-saml
  • Service Provider Binding: Post
  • Under Advanced protocol settings:
    • Property Mappings: add the Property Mapping you created in the previous section.
    • NameID Property Mapping: select a property mapping that will be used for Wazuh usernames (e.g. authentik default SAML Mapping: Name or authentik default SAML Mapping: Email)
  • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's My applications page.

3. Click Submit to save the new application and provider.

Download metadata file

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to Applications > Providers and click on the name of the provider that you created in the previous section (e.g. Provider for wazuh).
3. Under Related objects > Metadata, click on Download. This downloaded file is your SAML Metadata file and it will be required in the next section.

Wazuh configuration

To support the integration of authentik with Wazuh, you will need to configure SAML authentication on the Wazuh Indexer server and create role mappings on the Wazuh Dashboard server.

Wazuh Indexer SAML configuration

:::info The file wazuh_authentik_meta.xml serves as a placeholder for your SAML Metadata file. Ensure that the filename used in this context matches the name of your SAML Metadata file. :::

1. For the next step, you will need an exchange key. To generate this key, use the following command:

   bashCopy

   openssl rand -hex 32
   

2. Copy the downloaded metadata file to the /etc/wazuh-indexer/opensearch-security/ directory on your Wazuh Indexer server.

3. Change the ownership of the wazuh_authentik_meta.xml file to the wazuh-indexer user using the following command:

   bashCopy

   chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml
   

4. Edit the /etc/wazuh-indexer/opensearch-security/config.yml on your Wazuh Indexer server.

   Add a saml_auth_domain section after the basic_internal_auth_domain section. For example:

   yamlCopy

   ---
   authc:
       basic_internal_auth_domain:
           description: "Authenticate SAML against internal users database"
           http_enabled: true
           transport_enabled: true
           order: 0
           http_authenticator:
               type: basic
               challenge: false
           authentication_backend:
               type: intern
       saml_auth_domain:
           http_enabled: true
           transport_enabled: false
           order: 1
           http_authenticator:
               type: saml
               challenge: true
               config:
                   idp:
                       metadata_file: "/etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml"
                       entity_id: "wazuh-saml"
                   sp:
                       entity_id: "wazuh-saml"
                   kibana_url: "https://wazuh-dashboard.company/"
                   roles_key: Roles
                   exchange_key: "<exchange key generated in step 1>"
           authentication_backend:
               type: noop
   

:::info Ensure that you set the following parameters in the basic_internal_auth_domain section: order: 0 and challenge: false

And the metadata_file, kibana_url, and exchange_key parameters in the saml_auth_domain section. :::

5. Run the securityadmin.sh script to load the configuration changes made in the /etc/wazuh-indexer/opensearch-security/config.yml file, ensure that you update the -h flag to your Wazuh Indexer FQDN:

   bashCopy

   export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h wazuh-indexer.company -nhnv
   

6. Edit the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml file and include wazuh_admin as a backend_role in the appropriate section. The following example adds the role to the all_access section:

   yamlCopy

   all_access:
   reserved: true
   hidden: false
   backend_roles:
   // highlight-next-line
       - "wazuh-admin"
       - "admin"
   hosts: []
   users: []
   and_backend_roles: []
   description: "Maps admin to all_access"
   

7. Run the securityadmin.sh script again but with the -f flag set to /etc/wazuh-indexer/opensearch-security/roles_mapping.yml, ensure that you update the -h flag to your Wazuh Indexer FQDN:

   bashCopy

   export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h wazuh-indexer.company -nhnv
   

Wazuh dashboard configuration

1. On the Wazuh Dashboard server, check the value of run_as in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file:

   yamlCopy

   hosts:
       - default:
               url: https://127.0.0.1
               port: 55000
               username: wazuh-wui
               password: "<WAZUH_WUI_PASSWORD>"
               // highlight-next-line
               run_as: false
   

   The run_as parameter, when set to true, enables the assignment of roles to users based on authorization context information. See the Wazuh Authorization Context documentation for more information.

   If run_as is set to false, proceed to step 4. If run_as is set to true, proceed with the following steps to add a role mapping on the Wazuh dashboard.

2. On the Wazuh dashboard, click the upper-left menu icon ☰ to open the menu, then go to Server management > Security > Roles mapping.

3. Click Create Role mapping and configure the following parameters:

   • Role Name: set a name for the role mapping (e.g. authentik_admins)
   • Roles: select a role (e.g.administrator)
   • Custom rules: Click Add new rule and set:
     • User field: backend_roles
     • Search operation: FIND
     • Value: wazuh-admin

   Click Save role mapping

4. On the Wazuh Dashboard server, add these lines to the /etc/wazuh-dashboard/opensearch_dashboards.yml file:

   yamlCopy

   opensearch_security.auth.type: "saml"
   server.xsrf.allowlist:
       [
           "/_opendistro/_security/saml/acs",
           "/_opendistro/_security/saml/logout",
           "/_opendistro/_security/saml/acs/idpinitiated",
       ]
   opensearch_security.session.keepalive: false
   

5. Restart the Wazuh dashboard service using the following command:

   bashCopy

   sudo systemctl restart wazuh-dashboard
   

Configuration verification

To confirm that authentik is properly configured with Wazuh, log out and log back in using an account that is a member of the appropriate authentik group (e.g. wazuh-administrators).