Anonymous Authentication Wazuh

USE CASE:

Allow a team to access your Wazuh SIEM with read only privileges and without providing credentials.

Wazuh Dashboard Configuration:

Navigate to Server management > Security, and then Roles mapping, then create a Create Role mapping and complete the empty fields with the following parameters:

• Role mapping name: Assign a name to the role mapping.

• Roles: Select readonly.

• Custom rules: Click Add new rule to expand this field.

• User field: backend_roles

• Search operation: FIND

• Value: opendistro_security_anonymous_backendrole . then save the role mapping

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh dashboard service and clear your browser cache and cookies.

Wazuh Indexer Configuration:

Access the Wazuh indexer server and perform the following:

• Set “anonymous_auth_enabled” to true in /etc/wazuh-indexer/opensearch-security/config.yml. Then apply the change:

   export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv
  

• Add opensearch_security.auth.anonymous_auth_enabled: true to /etc/wazuh-dashboard/opensearch_dashboards.yml then restart the Wazuh dashboard systemctl restart wazuh-dashboard.service

• In the /etc/wazuh-indexer/opensearch-security/roles.yml set the following role:

wazuh_read_anonymous:
  cluster_permissions:
  - "cluster_composite_ops_ro"
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - "read"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_read"

Applying the change:

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv

• Within the /etc/wazuh-indexer/opensearch-security/roles_mapping.yml configure the mapping of the anonymous backend role:

wazuh_read_anonymous:
  backend_roles:
  - "opendistro_security_anonymous_backendrole"

• Apply the change:

export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 127.0.0.1 -nhnv

Demo: