diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index fb080401f2..d97758accd 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,38 +1,23 @@ - ## Description - - ## Checks -- [ ] It compiles without warnings. -- [ ] Spelling and grammar. -- [ ] Used impersonal speech. -- [ ] Used uppercase only on nouns. -- [ ] Updated the `redirect.js` script if necessary (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)). - - - -## Note to the reviewer - -This PR includes changes to the `redirect.js` script that need to be included in all production branches. +- [ ] Compiles without warnings. +- [ ] Uses present tense, active voice, and semi-formal registry. +- [ ] Uses short, simple sentences. +- [ ] Uses **bold** for user interface elements, _italics_ for key terms or emphasis, and `code` font for Bash commands, file names, REST paths, and code. +- [ ] Uses three spaces indentation. +- [ ] Adds or updates meta descriptions accordingly. +- [ ] Updates the `redirects.js` script if necessary (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)). diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js index 8627d52ae4..fbaad5eac6 100644 --- a/source/_static/js/redirects.js +++ b/source/_static/js/redirects.js @@ -104,6 +104,8 @@ newUrls['4.4'] = [ '/amazon/services/supported-services/elastic-load-balancing/alb.html', '/amazon/services/supported-services/elastic-load-balancing/nlb.html', '/amazon/services/supported-services/elastic-load-balancing/clb.html', + '/development/rbac-database-integrity.html', + '/user-manual/reference/tools/rbac-control.html', '/user-manual/agents/key-request.html', '/user-manual/manager/manual-backup-restore.html', '/user-manual/reference/ossec-conf/wazuh-db-config.html', 
diff --git a/source/amazon/services/prerequisites/considerations.rst b/source/amazon/services/prerequisites/considerations.rst index e5ce8d5937..d63e551440 100644 --- a/source/amazon/services/prerequisites/considerations.rst +++ b/source/amazon/services/prerequisites/considerations.rst 
@@ -33,24 +33,23 @@ On the other hand, the ``CloudWatch Logs`` module can process logs older than th Reparse -~~~~~~~ - -.. note:: - Option not available for CloudWatch Logs. +------- .. warning:: - Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. + + Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. + +To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. -To process older logs, it's necessary to manually execute the module using the ``--reparse`` or ``-o`` option. Executing the module with this option will use the ``only_logs_after`` value provided to fetch and process every log from that date until the present. If no ``only_logs_after`` value was provided, it will use the date of the first file processed. +The ``only_logs_after`` value sets the time for the starting point. If you don't provide an ``only_logs_after`` value, the module uses the date of the first file processed. -Below there is an example of a manual execution of the module using the ``--reparse`` option on a manager, being ``/var/ossec`` the Wazuh installation path: +Find an example of running the module on a manager using the ``--reparse`` option. ``/var/ossec`` is the Wazuh installation path. .. code-block:: console - # cd /var/ossec/wodles/aws - # ./aws-s3 -b 'wazuh-example-bucket' --reparse --only_logs_after '2021-Jun-10' --debug 2 + # /var/ossec/wodles/aws/aws-s3 -b 'wazuh-example-bucket' --reparse --only_logs_after '2021-Jun-10' --debug 2 -The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. +The ``--debug 2`` parameter gets a verbose output. 
This is useful to show the script is working, specially when handling a large amount of data. Connection configuration for retries diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index fd2746b35a..4ab619a975 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst 
@@ -27,7 +27,148 @@ The following sections cover how to configure AWS to store the scan findings in AWS configuration ----------------- -AWS provides a `template `_ for creating a stack in CloudFormation that loads the image scan findings from Amazon ECR in CloudWatch using an AWS Lambda function. +AWS provides a `template `__ that logs to CloudWatch the findings of Amazon ECR scans of images. The template uses an AWS Lambda function to accomplish this. + +Uploading the template and creating a stack, uploading the images to Amazon ECR, scanning the images, and using the logger all require specific permissions. Because of this, you need to create a custom policy granting these permissions. + +.. include:: /_templates/cloud/amazon/create_policy.rst + +IAM permissions +^^^^^^^^^^^^^^^ + +You need the permissions listed below inside the sections for ``RoleCreator`` and ``PassRole`` to create and delete the stack based on the template. + +.. warning:: + + These permissions must be bound to the specific resources due to overly permissive actions. + +.. code-block:: json + + { + "Sid": "RoleCreator", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:PutRolePolicy", + "iam:AttachRolePolicy", + "iam:DeleteRolePolicy", + "iam:DeleteRole", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:PassRole" + ], + "Resource": "arn:aws:iam:::role/*" + }, + { + "Sid": "PassRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam:::role/*-LambdaExecutionRole*" + } + +CloudFormation stack permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You need the following permissions to create and delete any template-based CloudFormation stack. + +.. 
code-block:: json + + { + "Sid": "CloudFormationStackCreation", + "Effect": "Allow", + "Action": [ + "cloudformation:CreateStack", + "cloudformation:ValidateTemplate", + "cloudformation:CreateUploadBucket", + "cloudformation:GetTemplateSummary", + "cloudformation:DescribeStackEvents", + "cloudformation:DescribeStackResources", + "cloudformation:ListStacks", + "cloudformation:DeleteStack", + "s3:PutObject", + "s3:ListBucket", + "s3:GetObject", + "s3:CreateBucket" + ], + "Resource": "*" + } + +ECR registry and repository permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This `Amazon ECR `__ permission allows calls to the API through an IAM policy. + +.. note:: + + Before authenticating to a registry and pushing or pulling any images from any Amazon ECR repository, you need ``ecr:GetAuthorizationToken``. + +.. code-block:: json + + { + "Sid": "ECRUtilities", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:DescribeRepositories" + ], + "Resource": "*" + } + +Image pushing and scanning permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You need the following Amazon ECR permissions to `push images `__. They are scoped down to a specific repository. The steps to push Docker images are described in the `Amazon ECR - Pushing a Docker image `_ documentation. + +.. code-block:: json + + { + "Sid": "ScanPushImage", + "Effect": "Allow", + "Action": [ + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:ListImages", + "ecr:DescribeImages", + "ecr:DescribeImageScanFindings", + "ecr:StartImageScan" + ], + "Resource": "arn:aws:ecr:::repository/" + } + +Amazon Lambda and Amazon EventBridge permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You need the following permissions to create and delete the resources handled by the Scan Findings Logger template. + +.. 
code-block:: json + + { + "Sid": "TemplateRequired0", + "Effect": "Allow", + "Action": [ + "lambda:RemovePermission", + "lambda:DeleteFunction", + "lambda:GetFunction", + "lambda:CreateFunction", + "lambda:AddPermission" + ], + "Resource": "arn:aws:lambda:::*" + }, + { + "Sid": "TemplateRequired1", + "Effect": "Allow", + "Action": [ + "events:RemoveTargets", + "events:DeleteRule", + "events:PutRule", + "events:DescribeRule", + "events:PutTargets" + ], + "Resource": "arn:aws:events:::*" + } How to create the CloudFormation Stack ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/source/amazon/services/troubleshooting.rst b/source/amazon/services/troubleshooting.rst index a16e422a07..fc987fa3bf 100644 --- a/source/amazon/services/troubleshooting.rst +++ b/source/amazon/services/troubleshooting.rst @@ -2,7 +2,7 @@ .. meta:: :description: Frequently asked questions about the Wazuh module for Amazon. Learn more about it in this section of the documentation. - + .. _amazon_troubleshooting: Troubleshooting @@ -65,7 +65,7 @@ Follow these steps to enable debug mode: wazuh_modules.debug=2 -#. Restart the Wazuh service. +#. Restart the Wazuh service. .. include:: ../../_templates/common/restart_manager_or_agent.rst @@ -191,7 +191,7 @@ Take into account that Wazuh does not provide default rules for the different lo Interval overtaken message is present in the ossec.log ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The ``Interval overtaken`` message is present in the ``ossec.log`` file. +The ``Interval overtaken`` message is present in the ``ossec.log`` file. **Solution** 
@@ -211,7 +211,7 @@ Error codes reference | 1 | Unknown error | Programming error. Please, open an issue in the `Wazuh GitHub repository `_ with the trace of the | | | | error. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 2 | Error parsing configuration (bucket name, keys, etc.) | Check the wodle configuration in ``ossec.conf`` file. | + | 2 | SIGINT | The module stopped due to an interrupt signal. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 3 | Invalid credentials to access S3 bucket | Make sure that your credentials are OK. For more information, see the :ref:`Configuring AWS credentials ` section. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -225,11 +225,11 @@ Error codes reference +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 8 | Failed to decompress file | Only ``.gz`` and ``.zip`` compression formats are supported. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 9 | Failed to parse file | Check the type of the bucket. | + | 9 | Failed to parse file | Ensure that the log file contents have the expected structure. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 11 | Unable to connect to Wazuh | Ensure that Wazuh is running. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 12 | SIGINT | The module stopped due to an interrupt signal. | + | 12 | Invalid type of bucket | Check if the type of bucket is one of the :ref:`supported `. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 13 | Error sending message to Wazuh | Make sure that Wazuh is running. 
| +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -239,6 +239,9 @@ Error codes reference +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 16 | Throttling error | AWS is receiving more than 10 requests per second. Try to run the module again when the number of requests to AWS has decreased. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 17 | Invalid file key format | Ensure that the file path follows the format specified in the | - | | | `Wazuh documentation `_. | + | 17 | Invalid file key format | Ensure that the file path follows the format specified in the :ref:`Wazuh documentation `. | + +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + | 18 | Invalid prefix | Make sure that the indicated path exists in the S3 bucket. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + | 19 | The server datetime and datetime of the AWS environment differ | Make sure that the server datetime is correctly set. | + +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ \ No newline at end of file 
diff --git a/source/azure/activity-services/prerequisites/considerations.rst b/source/azure/activity-services/prerequisites/considerations.rst index 40fc8cc293..c99767d126 100644 --- a/source/azure/activity-services/prerequisites/considerations.rst +++ b/source/azure/activity-services/prerequisites/considerations.rst @@ -8,6 +8,26 @@ Considerations for configuration ================================ +Reparse +------- + +.. warning:: + + Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. + +To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. + +The ``la_time_offset`` value sets the time as an offset for the starting point. If you don't provide an ``la_time_offset`` value, the module goes back to the date of the first file processed. + +Find an example of running the module on a manager using the ``--reparse`` option. ``/var/ossec`` is the Wazuh installation path. + +.. code-block:: console + + # /var/ossec/wodles/azure/azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse + +The ``--debug 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data. + + Configuring multiple services ----------------------------- diff --git a/source/conf.py b/source/conf.py index a5520cb65d..8d0f55d3dd 100644 --- a/source/conf.py +++ b/source/conf.py 
@@ -37,13 +37,13 @@ copyright = u'© ' + str(datetime.datetime.now().year) + u' · Wazuh Inc.' # The short X.Y version -version = '4.4' +version = '4.5' is_latest_release = True # The full version, including alpha/beta/rc tags # Important: use a valid branch (4.0) or, preferably, tag name (v4.0.0) -release = '4.4.0' -api_tag = '4.4' +release = '4.5.0' +api_tag = 'master' apiURL = 'https://raw.githubusercontent.com/wazuh/wazuh/'+api_tag+'/api/api/spec/spec.yaml' # -- General configuration ------------------------------------------------ diff --git a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst index 7c39277de2..86e90afcd0 100644 --- a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst +++ b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst @@ -202,7 +202,7 @@ $ossec_smtp_server SMTP mail server. `Default smtp.example.wazuh.com` - + `Type String` Depends on **ossec_emailnotification** @@ -211,7 +211,7 @@ $ossec_emailfrom Email from address. `Default ossecm@example.wazuh.com` - + `Type String` Depends on **ossec_emailnotification** @@ -231,7 +231,7 @@ $ossec_email_log_source `Default 'alerts.log'` `Type String` - + Depends on **ossec_emailnotification** $ossec_email_idsname @@ -444,7 +444,7 @@ $ossec_syscheck_scan_on_start Specifies if syscheck scans immediately when started. `Default yes` - + `Type String` $ossec_syscheck_auto_ignore @@ -524,9 +524,9 @@ $ossec_syscheck_ignore_type_2 $ossec_syscheck_max_eps Sets the maximum event reporting throughput. Events are messages that will produce an alert. - + `Default 100` - + `Type String` $ossec_syscheck_process_priority 
@@ -588,38 +588,38 @@ $syslog_output_level The minimum level of the alerts to be forwarded. `Default 2` - + `Type Integer` - + Depends on **syslog_output** $syslog_output_port The port to forward alerts to. `Default 514` - + `Type Integer` - + Depends on **syslog_output** $syslog_output_server The IP address of the syslog server. `Default undef` - + `Type String` - + Depends on **syslog_output** - + Required if **syslog_output** is set to true $syslog_output_format Format of alert output. `Default undef` - + `Type String` - + Depends on **syslog_output** @@ -883,7 +883,7 @@ $vulnerability_detector_provider_alas_enabled $vulnerability_detector_provider_alas_os Feed to update. - `Default ['amazon-linux','amazon-linux-2']` + `Default ['amazon-linux','amazon-linux-2','amazon-linux-2022']` `Type List` @@ -942,7 +942,7 @@ $wazuh_api_port Port where the Wazuh API will listen. `Default 55000` - + `Type String` @@ -950,42 +950,42 @@ $wazuh_api_https_enabled Enable or disable SSL (https) in the Wazuh API. `Default true` - + `Type String` $wazuh_api_https_key File with the private key. `Default server.key (in api/configuration/ssl)` - + `Type String` $wazuh_api_https_cert File with the certificate. `Default server.crt (in api/configuration/ssl)` - + `Type String` $wazuh_api_https_use_ca Whether to use a certificate from a Certificate Authority. `Default false` - + `Type String` $wazuh_api_https_ca Certificate of the Certificate Authority (CA). `Default ca.crt (in api/configuration/ssl)` - + `Type String` $wazuh_api_logs_level Sets the verbosity level of the Wazuh API logs. `Default info` - + `Type String` $wazuh_api_logs_format 
@@ -997,84 +997,84 @@ $wazuh_api_cors_enabled Enable or disable the use of CORS in the Wazuh API. `Default false` - + `Type String` $wazuh_api_cors_source_route Sources for which the resources will be available. For example `http://client.example.org.` `Default "*"` - + `Type String` $wazuh_api_cors_expose_headers Specifies which headers can be exposed as part of the response. `Default "*"` - + `Type String` $wazuh_api_cors_allow_headers Specifies which HTTP headers can be used during the actual request. `Default "*"` - + `Type String` $wazuh_api_cors_allow_credentials Tells browsers whether to expose the response to frontend JavaScript. `Default false` - + `Type String` $wazuh_api_cache_enabled Enables or disables caching for certain API responses (currently, all `/rules` endpoints) `Default true` - + `Type String` $wazuh_api_cache_time Time in seconds that the cache lasts before expiring. `Default 0.75` - + `Type String` $wazuh_api_access_max_login_attempts Set a maximum number of login attempts during a specified block_time number of seconds. `Default 5` - + `Type Integer` $wazuh_api_access_block_time Established period of time (in seconds) to attempt login requests. If the established number of requests (`max_login_attempts`) is exceeded within this time limit, the IP address is blocked until the end of the block time period. `Default 300` - + `Type Integer` $wazuh_api_access_max_request_per_minute Establish a maximum number of requests the Wazuh API can handle per minute (does not include authentication requests). If the number of requests for a given minute is exceeded, all incoming requests (from any user) will be blocked. This feature can be disabled by setting its value to 0. `Default 300` - + `Type Integer` $wazuh_api_drop_privileges Run wazuh-api process as wazuh user `Default true` - + `Type String` $wazuh_api_experimental_features Enable features under development `Default false` - + `Type String` 
@@ -1087,14 +1087,14 @@ $configure_wodle_openscap Enables the Wodle OpenSCAP section rendering on this host. If this variable is not set to *true* the complete open-scap wodle tag will not be added to *ossec.conf*. `Default true` - + `Type boolean` $wodle_openscap_disabled Disables the OpenSCAP wodle. `Default yes` - + `Type String` Depends on **wodle_openscap_disabled** @@ -1103,7 +1103,7 @@ $wodle_openscap_timeout Timeout for each evaluation. `Default 1800` - + `Type String` Depends on **wodle_openscap_disabled** @@ -1112,7 +1112,7 @@ $wodle_openscap_interval The interval between OpenSCAP executions. `Default 1d` - + `Type String` Depends on **wodle_openscap_disabled** @@ -1121,11 +1121,11 @@ $wodle_openscap_scan_on_start Run evaluation immediately when service is started. `Default yes` - + `Type String` Depends on **wodle_openscap_disabled** - + .. _ref_server_vars_ciscat: @@ -1143,7 +1143,7 @@ $wodle_ciscat_disabled Disables the CIS-CAT wodle. `Default yes` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1152,7 +1152,7 @@ $wodle_ciscat_timeout Timeout for each evaluation. In case the execution takes longer than the specified timeout, it stops. `Default 1800` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1161,7 +1161,7 @@ $wodle_ciscat_interval The interval between CIS-CAT executions. `Default 1d` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1170,7 +1170,7 @@ $wodle_ciscat_scan_on_start Run evaluation immediately when service is started. `Default yes` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1179,7 +1179,7 @@ $wodle_ciscat_java_path Define where Java is located. If this parameter is not set, the wodle will search for the Java location in the default environment variable `$PATH`. `Default 'wodles/java'` - + `Type String` Depends on **configure_wodle_cis_cat** 
@@ -1188,7 +1188,7 @@ $wodle_ciscat_ciscat_path Define where CIS-CAT is located. `Default 'wodles/ciscat'` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1202,14 +1202,14 @@ $configure_wodle_osquery Enables the Wodle osquery section rendering on this host. If this variable is not set to *true*, the complete osquery wodle tag will not be added to *ossec.conf*. `Default true` - + `Type Boolean` $wodle_osquery_disabled Disable the osquery wodle. `Default yes` - + `Type String` Depends on **configure_wodle_osquery** @@ -1218,7 +1218,7 @@ $wodle_osquery_run_daemon Makes the module run osqueryd as a subprocess or lets the module monitor the results log without running Osquery. `Default yes` - + `Type String` Depends on **configure_wodle_osquery** @@ -1227,7 +1227,7 @@ $wodle_osquery_log_path Full path to the results log written by Osquery. `Default '/var/log/osquery/osqueryd.results.log'` - + `Type String` Depends on **configure_wodle_osquery** @@ -1236,7 +1236,7 @@ $wodle_osquery_config_path Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. `Default '/etc/osquery/osquery.conf'` - + `Type String` Depends on **configure_wodle_osquery** @@ -1245,12 +1245,12 @@ $wodle_osquery_add_labels Add the agent labels defined as decorators. `Default yes` - + `Type String` Depends on **configure_wodle_osquery** - + .. _ref_server_vars_wodle_syscollector: 
@@ -1266,56 +1266,56 @@ $wodle_syscollector_interval Time between system scans. `Default 1h` - + `Type String` $wodle_syscollector_scan_on_start Run a system scan immediately when service is started. `Default yes` - + `Type String` $wodle_syscollector_hardware Enables the hardware scan. `Default yes` - + `Type String` $wodle_syscollector_os Enables the OS scan. `Default yes` - + `Type String` $wodle_syscollector_network Enables the network scan. `Default yes` - + `Type String` $wodle_syscollector_packages Enables the scan of the packages. `Default yes` - + `Type String` $wodle_syscollector_ports Enables the ports scan. `Default yes` - + `Type String` $wodle_syscollector_processes Enables the scan of the processes. `Default yes` - + `Type String` @@ -1442,5 +1442,3 @@ $active_response_repeated_offenders `Default empty` .. _ref_server_addlog: - - diff --git a/source/development/index.rst b/source/development/index.rst index fd938f9042..614920a852 100644 --- a/source/development/index.rst +++ b/source/development/index.rst @@ -22,3 +22,4 @@ This section contains documentation for developers. Here developers can learn ab packaging/index wazuh-logtest selinux-wazuh-context + rbac-database-integrity diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst new file mode 100644 index 0000000000..ea4c5738e6 --- /dev/null +++ b/source/development/rbac-database-integrity.rst 
@@ -0,0 +1,122 @@ +.. Copyright (C) 2022 Wazuh, Inc. + +RBAC database integrity +======================= + +The integrity of the RBAC database is checked when the API starts. The result of this check determines whether the database needs an update or not. The integrity check allows us the following: + +- Upgrade to a Wazuh version when this version includes breaking changes in the RBAC database structure or new default resources. +- Restore the RBAC database with its default RBAC resources if it was manually deleted. This allows restoring the RBAC database to a fresh install state if needed. + + .. warning:: + + User-created resources are lost when the database is restored with default resources. + +How the database upgrade process works +-------------------------------------- + +During the RBAC database integrity check, Wazuh compares its RBAC database version with the installed one. If they don't match, the database upgrade process is triggered. + +Here is an abridged list of steps performed during the database upgrade process: + +#. A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it. + +#. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so forth. + +#. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resources: + + #. If the user-created *user* has the same *name* as a default user, the first one is renamed appending *‘_user’* to its name. + + #. If the user-created *role* has the same *name* as a default role, the first one is renamed appending *'_user'* to its name. + + #. If the user-created *rule* has the same *name* or *body* as a default rule, the relationships of the first one are migrated to the new default rule. + + #. If the user-created *policy* has the same *name* or *body* as a default policy, the relationships of the first one are migrated to the new default policy. + +#. 
Any relationships between RBAC user-created resources are added to the new database. + +#. Any relationships between RBAC user-created resources and default ones are updated: + + #. If the default resource does not exist in the new version, the relationships between user-created resources and the deleted resource are removed. + + #. If the default resource has a different ID in the new version, the relationships between user-created resources and the default resource are updated to match the new ID and keep the old functionality. + + #. In any other case, the relationships between user-created resources and the default resources are kept. + +#. The old RBAC database file is replaced by the new one. + +Migration examples +------------------ + +After upgrading from a Wazuh version with RBAC database version 0 to 1, ``WAZUH_PATH/logs/api.log``: + +.. code-block:: none + :class: output + + 2022/06/17 09:44:04 INFO: Checking RBAC database integrity... + 2022/06/17 09:44:04 INFO: /var/ossec/api/configuration/security/rbac.db file was detected + 2022/06/17 09:44:04 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1 + 2022/06/17 09:44:09 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully + 2022/06/17 09:44:09 INFO: RBAC database integrity check finished successfully + 2022/06/17 09:44:12 INFO: Listening on 0.0.0.0:55000.. + +After upgrading from a Wazuh version with RBAC database version 0 to 1, with the old DB having a user that is a default user in the new version: + +``WAZUH_PATH/logs/api.log``: + +.. code-block:: none + :class: output + + 2022/06/17 10:00:21 INFO: /var/ossec/api/configuration/security/rbac.db file was detected + 2022/06/17 10:00:21 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1 + 2022/06/17 10:00:25 WARNING: User 100 (example) is part of the new default users. 
Renaming it to 'example_user' + 2022/06/17 10:00:26 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully + 2022/06/17 10:00:26 INFO: RBAC database integrity check finished successfully + 2022/06/17 10:00:29 INFO: Listening on 0.0.0.0:55000.. + +``GET /security/users`` response: + +.. code-block:: json + :class: output + + { + "data": { + "affected_items": [ + { + "id": 1, + "username": "wazuh", + "allow_run_as": true, + "roles": [ + 1 + ] + }, + { + "id": 2, + "username": "wazuh-wui", + "allow_run_as": true, + "roles": [ + 1 + ] + }, + { + "id": 3, + "username": "example", + "allow_run_as": true, + "roles": [] + }, + { + "id": 100, + "username": "example_user", + "allow_run_as": false, + "roles": [ + 100 + ] + } + ], + "total_affected_items": 4, + "total_failed_items": 0, + "failed_items": [] + }, + "message": "All specified users were returned", + "error": 0 + } diff --git a/source/gcp/prerequisites/considerations.rst b/source/gcp/prerequisites/considerations.rst index 563c235fde..79b939897d 100644 --- a/source/gcp/prerequisites/considerations.rst +++ b/source/gcp/prerequisites/considerations.rst 
@@ -32,6 +32,26 @@ Logging level To switch between different logging levels for debugging and troubleshooting purposes, the Google Cloud integration uses the :ref:`wazuh_modules.debug ` level to set its verbosity level. +Reparse +------- + +.. warning:: + + Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. + +To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. + +The ``only_logs_after`` value sets the time for the starting point. If you don't provide an ``only_logs_after`` value, the module uses the date of the first file processed. + +Find an example of running the module on a manager using the ``--reparse`` option. ``/var/ossec`` is the Wazuh installation path. + +.. code-block:: console + + # /var/ossec/wodles/gcloud/gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' --debug 2 + +The ``--debug 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data. + + Configuring multiple Google Cloud Storage bucket ------------------------------------------------ diff --git a/source/learning-wazuh/vuln-detection.rst b/source/learning-wazuh/vuln-detection.rst index f4669f4bbd..1276de30ab 100644 --- a/source/learning-wazuh/vuln-detection.rst +++ b/source/learning-wazuh/vuln-detection.rst @@ -132,6 +132,7 @@ In the ``/var/ossec/etc/ossec.conf`` file of the Wazuh manager, scroll down to t no amazon-linux amazon-linux-2 + amazon-linux-2022 1h diff --git a/source/upgrade-guide/upgrading-central-components.rst b/source/upgrade-guide/upgrading-central-components.rst index 8ce887c836..baf20a34bf 100644 --- a/source/upgrade-guide/upgrading-central-components.rst +++ b/source/upgrade-guide/upgrading-central-components.rst 
@@ -12,6 +12,20 @@ This section guides through the upgrade process of the Wazuh indexer, the Wazuh Root user privileges are required to execute all the commands described below. +Upgrade with the Wazuh installation assistant ++++++++++++++++++++++++++++++++++++++++++++++ + +You can use the installation assistant to upgrade the Wazuh central components. The assistant will detect which components are installed and upgrade them if necessary. + +To upgrade execute the following command: + +.. code-block:: bash + + curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -up + +Step-by-step upgrade ++++++++++++++++++++++ + Preparing the upgrade --------------------- diff --git a/source/user-manual/api/configuration.rst b/source/user-manual/api/configuration.rst index 801c178cd7..54195e6d3e 100644 --- a/source/user-manual/api/configuration.rst +++ b/source/user-manual/api/configuration.rst @@ -44,6 +44,8 @@ Here are all the available settings for the ``api.yaml`` configuration file. For logs: level: "info" format: "plain" + max_size: + enabled: false cors: enabled: no 
@@ -233,6 +235,21 @@ logs | | | | Set the format of the Wazuh API logs. | +---------------------------+----------------------------------------------------------------------------------------+---------------+-------------------------------------------------+ +max_size +~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 4.5.0 + ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ +| Sub-fields | Allowed values | Default value | Description | ++============+===============================================+===============+===================================================================================================================+ +| enabled | yes, true, no, false | false | Enable or disable log file rotation based on file size. This option will disable log file rotation based on time. | ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ +| size | Any positive number followed by a valid unit. | 1M | Set a file size to trigger log rotation. | +| | K/k for kilobytes, M/m for megabytes. | | | ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ + + cors ^^^^^^^^^^^^^^^^^^^^^^ +-------------------+----------------------+---------------+-----------------------------------------------------------------------------------------------+ diff --git a/source/user-manual/api/rbac/how-it-works.rst b/source/user-manual/api/rbac/how-it-works.rst index 463340ba20..babeca4f6c 100644 --- a/source/user-manual/api/rbac/how-it-works.rst +++ b/source/user-manual/api/rbac/how-it-works.rst 
@@ -1,22 +1,22 @@ .. Copyright (C) 2015, Wazuh, Inc. .. meta:: - :description: The operation of RBAC is based on the relationship between three components: users, roles, and policies or permissions. Learn more here. + :description: The operation of RBAC is based on the relationship between four components: users, roles, rules, and policies. Learn more here. .. _api_rbac_how_it_works: How it works ============ -The operation of RBAC is based on the relationship between three components: **users**, **roles**, and **policies** or permissions. Policies are associated with roles, and each user can belong to one or more roles. +The operation of RBAC is based on the relationship between four components: **users**, **roles**, **rules**, and **policies**. Policies and rules are associated with roles, and each user can belong to one or more roles. Since the policies are not directly related to users, it is not necessary to assign them to each user. Simply assign the user to the appropriate role. The process of updating the permissions of an entire group of users is also made easier thanks to this structure. After configuring RBAC, there will be users that can only see and do certain actions on specified resources that have previously been established. For example, it can be ensured that members of a Security-team have 'read' access to all agents, while the Sales-team has 'read' and 'modify' permissions only to agents in their department (but not delete permissions). -Actions, resources, and effect ------------------------------- +RBAC Policies +------------- Policies control the Wazuh API permissions using three elements: actions, resources, and effect. diff --git a/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst b/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst index 61841a4eee..d79e06bcad 100644 --- a/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst 
+++ b/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst @@ -37,9 +37,11 @@ The following table shows the operating systems where the vulnerability detector | Debian +------------------------+ - Debian | | | bullseye / 11 | - National Vulnerability Database| +---------------+------------------------+----------------------------------+ -| | Amazon Linux 1 | - ALAS | -| Amazon Linux +------------------------+ - National Vulnerability Database| -| | Amazon Linux 2 | | +| | Amazon Linux 1 | | +| +------------------------+ | +| Amazon Linux | Amazon Linux 2 | - ALAS | +| +------------------------+ - National Vulnerability Database| +| | Amazon Linux 2022 | | +---------------+------------------------+----------------------------------+ | | | | | Arch Linux | Rolling release | - Arch | diff --git a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst index 6862c856b5..209e452df9 100644 --- a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst +++ b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst 
@@ -280,13 +280,15 @@ ALAS The vulnerability feeds for **Amazon Linux** systems are currently fetched from the Wazuh repository as ALAS feeds. To perform an offline update of these feeds, they first have to be downloaded from the corresponding Wazuh repository: -+----------------+------------------------------------------------------------------------------------------+ -| OS | Files | -+================+==========================================================================================+ -| Amazon Linux | `alas.json.gz `_ | -+----------------+------------------------------------------------------------------------------------------+ -| Amazon Linux 2 | `alas2.json.gz `_ | -+----------------+------------------------------------------------------------------------------------------+ ++-------------------+------------------------------------------------------------------------------------------------+ +| OS | Files | ++===================+================================================================================================+ +| Amazon Linux | `alas.json.gz `_ | ++-------------------+------------------------------------------------------------------------------------------------+ +| Amazon Linux 2 | `alas2.json.gz `_ | ++-------------------+------------------------------------------------------------------------------------------------+ +| Amazon Linux 2022 | `alas2022.json.gz `_ | ++-------------------+------------------------------------------------------------------------------------------------+ Then, they need to be placed accordingly in the custom location. @@ -296,6 +298,7 @@ Then, they need to be placed accordingly in the custom location. yes amazon-linux amazon-linux-2 + amazon-linux-2022 1h @@ -307,6 +310,7 @@ Alternatively, the feeds can be loaded from a local path with the ``path`` attri yes amazon-linux amazon-linux-2 + amazon-linux-2022 1h 
diff --git a/source/user-manual/reference/daemons/wazuh-authd.rst b/source/user-manual/reference/daemons/wazuh-authd.rst index 73a5fdc7d5..69ac3a9125 100644 --- a/source/user-manual/reference/daemons/wazuh-authd.rst +++ b/source/user-manual/reference/daemons/wazuh-authd.rst @@ -15,6 +15,17 @@ The ``wazuh-authd`` program can automatically add a Wazuh agent to a Wazuh manag .. warning:: By default, there is no authentication or authorization involved in this transaction, so it is recommended that this daemon only be run when a new agent is being added. + +``wazuh-authd`` is able to generate X.509 certificates used for manager verification. `OpenSSL` is not required. + +The certificate parameters are specified in the CLI: + + .. code-block:: console + + # wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/" + +If any of the parameters related to the certificate generation is missing, an error is triggered and the certificates are not generated. + +------------------+-------------------------------------------------------------------------------------------------------+ | **-V** | Version and license message. | +------------------+-------------------------------------------------------------------------------------------------------+ 
@@ -62,6 +73,16 @@ The ``wazuh-authd`` program can automatically add a Wazuh agent to a Wazuh manag +------------------+-------------+-----------------------------------------------------------------------------------------+ | **-L** | Force insertion even though agent limit has been reached. | +------------------+-------------------------------------------------------------------------------------------------------+ +| **-C** | Specify the number of days the certificate is valid for. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-B** | Set the X.509 certificate key size in bits. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-K** | Path to store the X.509 certificate key. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-X** | Path to store the X.509 certificate. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-S** | Subject of the X.509 certificate. The arg must be formatted as /type0=value0/type1=value1/type2=.. | ++------------------+-------------------------------------------------------------------------------------------------------+ .. note:: Paths can be referred to relative paths under the Wazuh installation directory, or full paths. diff --git a/source/user-manual/reference/daemons/wazuh-db.rst b/source/user-manual/reference/daemons/wazuh-db.rst index 4cef480567..c79ada5731 100644 --- a/source/user-manual/reference/daemons/wazuh-db.rst +++ b/source/user-manual/reference/daemons/wazuh-db.rst 
@@ -151,6 +151,14 @@ Data needed to upgrade the agent's database | **value** | Field value | 3 | +-----------------------+-----------------------------+-------------------------------------------+ +.. versionadded:: 4.5.0 + +The ``key`` field can also store the following values: + + - **last_vacuum_time**: its ``value`` field stores the last time the vacuum was performed. + + - **last_vacuum_value**: its ``value`` field stores the fragmentation value that the database was left with after the last vacuum was performed. + .. Uncomment when necessary .. .. ``pm_event`` diff --git a/source/user-manual/reference/internal-options.rst b/source/user-manual/reference/internal-options.rst index c11155cb0d..478cc9adf0 100644 --- a/source/user-manual/reference/internal-options.rst +++ b/source/user-manual/reference/internal-options.rst 
@@ -746,9 +746,15 @@ Remoted +-----------------------------------+---------------+--------------------------------------------------------------+ | **remoted.merge_shared** | Description | Merge shared configuration to be broadcast to agents. | + +---------------+--------------------------------------------------------------+ -| | Default Value | 1 ( Enabled ) | +| | Default Value | 1 (Enabled) | + +---------------+--------------------------------------------------------------+ -| | Allowed Value | 1 ( Enabled ) or 0 (Disabled) | +| | Allowed Value | 1 (Enabled), 0 (Disabled) | ++-----------------------------------+---------------+--------------------------------------------------------------+ +| **remoted.disk_storage** | Description | Store the temporary shared configuration file on disk. | ++ +---------------+--------------------------------------------------------------+ +| | Default Value | 0 (No, store in memory) | ++ +---------------+--------------------------------------------------------------+ +| | Allowed Value | 1 (Yes, store on disk), 0 (No, store in memory) | +-----------------------------------+---------------+--------------------------------------------------------------+ | **remoted.shared_reload** | Description | Number of seconds between reloading of shared files. | + +---------------+--------------------------------------------------------------+ 
@@ -1064,47 +1070,79 @@ Wazuh Command Wazuh-db -------- -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.worker_pool_size** | Description | Number of worker threads | -| +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 8 | -| +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 32 | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.open_db_limit** | Description | Maximum number of allowed open databases before closing | -| +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 64 | -| +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 4096 | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.rlimit_nofile** | Description | Maximum number of file descriptors that Wazuh-DB can open. | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 65536 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1024 and 1048576. | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.commit_time_min** | Description | Minimum time margin before committing. 
| -+ +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 10 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 3600. | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.commit_time_max** | Description | Maximum time margin before committing. | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 60 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 3600. | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.debug** | Description | Debug level | -| +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 0 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | 0: No debug output | -+ + +-------------------------------------------------------------------------------------+ -| | | 1: Standard debug output | -+ + +-------------------------------------------------------------------------------------+ -| | | 2: Verbose debug output | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.worker_pool_size** | Description | Number of worker threads | +| 
+---------------+-------------------------------------------------------------------------------------+ +| | Default value | 8 | +| +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 32 | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.open_db_limit** | Description | Maximum number of allowed open databases before closing | +| +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 64 | +| +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 4096 | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.rlimit_nofile** | Description | Maximum number of file descriptors that Wazuh-DB can open. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 65536 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1024 and 1048576. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.commit_time_min** | Description | Minimum time margin before committing. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 10 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 3600. 
| ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.commit_time_max** | Description | Maximum time margin before committing. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 60 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 3600. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.max_fragmentation** | Description | Maximum fragmentation allowed for a database. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 95 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 100. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.fragmentation_threshold** | Description | Indicates the allowed fragmentation threshold. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 80 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 100. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.fragmentation_delta** | Description | | Indicates the allowed fragmentation difference between the last time | +| | | | the vacuum was performed and the current measurement. 
| ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 5 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 100. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.free_pages_percentage** | Description | | Indicates the minimum percentage of free pages present in a database that | +| | | | can trigger a vacuum. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 5 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 99. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.check_fragmentation_interval** | Description | Interval for database fragmentation check, in seconds. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 43200 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 30758400. 
| ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.debug** | Description | Debug level | +| +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 0 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | 0: No debug output | ++ + +-------------------------------------------------------------------------------------+ +| | | 1: Standard debug output | ++ + +-------------------------------------------------------------------------------------+ +| | | 2: Verbose debug output | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ Wazuh-download -------------- diff --git a/source/user-manual/reference/ossec-conf/client.rst b/source/user-manual/reference/ossec-conf/client.rst index 571d344ca1..d1b1dd40a7 100644 --- a/source/user-manual/reference/ossec-conf/client.rst +++ b/source/user-manual/reference/ossec-conf/client.rst @@ -113,7 +113,6 @@ Options - `time-reconnect`_ - `force_reconnect_interval`_ - `ip_update_interval`_ -- `local_ip`_ - `auto_restart`_ - `crypto_method`_ 
@@ -200,17 +199,6 @@ Any value equal to or lower than the configured ``notify_time`` will cause the I .. note:: Most systems won't need to modify this value, but on systems with large routing tables this configuration can help lower CPU usage from wazuh-modulesd. -local_ip -^^^^^^^^ - -Specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces. - -+--------------------+----------------------------------+ -| **Default value** | n/a | -+--------------------+----------------------------------+ -| **Allowed values** | Any valid IP address is allowed. | -+--------------------+----------------------------------+ - auto_restart ^^^^^^^^^^^^ diff --git a/source/user-manual/reference/ossec-conf/vuln-detector.rst b/source/user-manual/reference/ossec-conf/vuln-detector.rst index 5570a3c7f4..50f58e5575 100644 --- a/source/user-manual/reference/ossec-conf/vuln-detector.rst +++ b/source/user-manual/reference/ossec-conf/vuln-detector.rst 
@@ -174,8 +174,10 @@ Configuration block to specify vulnerability updates. | | | | | bullseye / 11 | | | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | | | | amazon-linux / 1 | -| | | | alas +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| | | | | amazon-linux-2 / 2 | +| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | | | alas | amazon-linux-2 / 2 | +| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | | | | amazon-linux-2022 / 2022 | | | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | | | | 5 | | | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -350,6 +352,7 @@ The following configuration updates the vulnerability database for Ubuntu, Debia yes amazon-linux amazon-linux-2 + amazon-linux-2022 1h diff --git a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst index 9310820edf..0ffffe1aa2 100644 --- a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst +++ b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst @@ -138,6 +138,8 @@ Options +----------------------------------------+----------------------------------------------+ | `storage\\container\\time_offset`_ | A positive number + suffix | +----------------------------------------+----------------------------------------------+ +| `storage\\container\\path`_ | Any string | ++----------------------------------------+----------------------------------------------+ disabled @@ -682,6 +684,8 @@ storage\\container +-----------------------------------------+----------------------------------------------+ | `storage\\container\\time_offset`_ | A positive number + suffix | +-----------------------------------------+----------------------------------------------+ +| `storage\\container\\path`_ | Any string | ++-----------------------------------------+----------------------------------------------+ storage\\container name ^^^^^^^^^^^^^^^^^^^^^^^ @@ -697,7 +701,7 @@ Specifies the name of the container. Enter ``*`` to access all account container storage\\container\\blobs ^^^^^^^^^^^^^^^^^^^^^^^^^ -Specifies the extension of the blobs like ``.json``. Enter "*" to access all the containers' blobs. +Specifies the extension of the blobs like ``.json``. Enter "*" to access all the containers' blobs. .. note:: 
@@ -719,7 +723,7 @@ This parameter indicates the format of the blobs' content. The available values - **json_inline**. Each line is a log in json format. The format of logs stored in Azure accounts is **inline JSON**. - + .. note:: When the ``day`` option is set, the interval value must be a multiple of months. By default, the interval is set to a month. @@ -753,6 +757,18 @@ This option sets the time delay in which we will perform the query. For example, | **Allowed values** | A positive number that should contain a suffix character indicating a time unit, such as, m (minutes), h (hours), d (days) | +--------------------+----------------------------------------------------------------------------------------------------------------------------+ + +storage\\container\\path +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Defines, for the container, a path to search into. If it isn't present, the module retrieves all the blobs at the root level. + ++--------------------+----------------------------------------------------------------------------------------------------------------------------+ +| **Default value** | N/A | ++--------------------+----------------------------------------------------------------------------------------------------------------------------+ +| **Allowed values** | Valid path | ++--------------------+----------------------------------------------------------------------------------------------------------------------------+ + Example of storage configuration -------------------------------- diff --git a/source/user-manual/reference/tools/index.rst b/source/user-manual/reference/tools/index.rst index 9d95133137..acea297696 100644 --- a/source/user-manual/reference/tools/index.rst +++ b/source/user-manual/reference/tools/index.rst 
@@ -29,6 +29,8 @@ Tools +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+ | :doc:`wazuh-regex ` | Validates a regex expression | manager | +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+ +| :doc:`rbac_control ` | Manage API RBAC resources and reset RBAC DB | manager | ++---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+ | :doc:`update_ruleset ` | Update Decoders, Rules and Rootchecks | manager | | | | | | | .. deprecated:: 4.2 | | @@ -57,6 +59,7 @@ Tools wazuh-logtest clear-stats wazuh-regex + rbac-control update-ruleset verify-agent-conf agent-groups diff --git a/source/user-manual/reference/tools/rbac-control.rst b/source/user-manual/reference/tools/rbac-control.rst new file mode 100644 index 0000000000..53faa44fb6 --- /dev/null +++ b/source/user-manual/reference/tools/rbac-control.rst 
@@ -0,0 +1,99 @@ +.. Copyright (C) 2022 Wazuh, Inc. + +rbac_control +============ + +.. versionadded:: 4.5.0 + +The ``rbac_control`` tool allows managing resources from the Wazuh RBAC database and resetting the DB to its default state. For more information about the Wazuh RBAC resources and database, please visit the +:ref:`How it works ` section. + +Usage +----- + ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ +| Option name | Option description | ++=========================================+==========================================================================================================+ +| ``-h, --help`` | Display the help message. | ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ +| ``change-password`` | Change the password for each default user. | ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ +| ``factory-reset`` | Reset the RBAC database to its default state. Ask for confirmation unless the -f/--force flag is used. | ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ + +Examples +-------- + +``-h`` argument: + +.. code-block:: console + + # /var/ossec/bin/rbac_control -h + +.. code-block:: console + :class: output + + usage: rbac_control.py [-h] {change-password,factory-reset} ... + + Wazuh RBAC tool: manage resources from the Wazuh RBAC database + + Arguments: + {change-password,factory-reset} + change-password Change the password for each default user. Empty values will leave the password unchanged. + factory-reset Reset the RBAC database to its default state. This will completely wipe your custom RBAC information. 
+ + optional arguments: + -h, --help show this help message and exit + + +``factory-reset`` example: + +.. code-block:: console + + # /var/ossec/bin/rbac_control factory-reset + +.. code-block:: console + :class: output + + This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: RESET + Successfully reset RBAC database + +``factory-reset`` example (aborted): + +.. code-block:: console + + # /var/ossec/bin/rbac_control factory-reset + +.. code-block:: console + :class: output + + This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: aa + RBAC database reset aborted. + + +``change-password`` example with an insecure password: + +.. code-block:: console + + # /var/ossec/bin/rbac_control change-password + +.. code-block:: console + :class: output + + New password for 'wazuh' (skip): + New password for 'wazuh-wui' (skip): + wazuh: FAILED | Error 5007 - Insecure user password provided + + +``change-password`` example where the `wazuh` user password was changed successfully (to skip any of the user, leave the new password blank): + +.. code-block:: console + + # /var/ossec/bin/rbac_control change-password + +.. code-block:: console + :class: output + + New password for 'wazuh' (skip): + New password for 'wazuh-wui' (skip): + wazuh: UPDATED
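Review bot: In the new `Reparse` section of `source/gcp/prerequisites/considerations.rst`, "specially when handling a large amount of data" should read "especially". The warning would also be clearer if it tied the duplicate-alert risk to the start date: the reparse fetches everything from `only_logs_after` onward, and when that value is omitted the module falls back to the date of the first processed file, so an operator who runs `--reparse` without `--only_logs_after` may reprocess a much larger window than intended.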
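Review bot: The installation assistant command added to `source/upgrade-guide/upgrading-central-components.rst` fetches `wazuh-install.sh` from the `4.3` package path, while other files in this change (`api/configuration.rst`, `daemons/wazuh-db.rst`, `tools/rbac-control.rst`) carry `.. versionadded:: 4.5.0`; confirm the URL points at the release this branch documents. Also, `curl -sO ... && sudo bash ./wazuh-install.sh -up` executes a freshly downloaded script as root with no integrity check in between; consider adding a checksum or signature verification step for the script, or a pointer to where that verification is documented, before the execution line.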
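Review bot: In the `max_size` hunk of `source/user-manual/api/configuration.rst`, the new table documents two sub-fields (`enabled` and `size`, default `1M`), but the `api.yaml` example added earlier in the same file only shows `enabled: false` under `max_size`; add a `size` line to the example so the snippet and the table stay in sync. The `size` row lists only `K/k` and `M/m` as valid units; if larger units are rejected, say so explicitly so readers do not try `G`.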
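Review bot: In `source/user-manual/api/rbac/how-it-works.rst`, the change promotes rules to a fourth RBAC component and states that "Policies and rules are associated with roles", but the only structural change visible is renaming the policies heading to `RBAC Policies`; confirm that a matching rules section exists (or is added) so the new four-component description is actually covered on the page.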
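Review bot: In the certificate-generation hunk of `source/user-manual/reference/daemons/wazuh-authd.rst`, the example `# wazuh-authd -C 265 -B 2048 ...` sets a 265-day validity, which looks like a typo for 365; confirm the intended value. The `.. code-block:: console` directive is indented one level deeper than the paragraph introducing it, so reStructuredText will wrap it in a block quote; dedent it to match the surrounding text. `` `OpenSSL` `` in single backticks is interpreted text (rendered as a title reference), not a literal; use double backticks or plain text. Finally, "If any of the parameters related to the certificate generation is missing" would be more useful if it named the flags that must be given together (`-C`, `-B`, `-K`, `-X`, `-S`).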
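Review bot: In the options table of `source/user-manual/reference/daemons/wazuh-authd.rst`, the `-S` row reads "The arg must be formatted as /type0=value0/type1=value1/type2=..", which is informal against the semi-formal register the updated PR template asks for; suggest "The argument must follow the format `/type0=value0/type1=value1/...`", and since `-B` only says "key size in bits", state the minimum accepted size if one is enforced.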
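Review bot: In the `.. versionadded:: 4.5.0` hunk of `source/user-manual/reference/daemons/wazuh-db.rst`, the two new `key` values are described without their value format: `last_vacuum_time` "stores the last time the vacuum was performed" without saying how the timestamp is represented, and `last_vacuum_value` "stores the fragmentation value" without its unit (the internal-options table bounds fragmentation as a 0 to 100 percentage). State both so an operator reading the table can interpret the stored values. The bullet list is also indented under the preceding paragraph, which reStructuredText renders as a block quote; dedent it.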
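Review bot: In the Wazuh-db table of `source/user-manual/reference/internal-options.rst`, the descriptions of `wazuh_db.max_fragmentation` ("Maximum fragmentation allowed for a database.") and `wazuh_db.fragmentation_threshold` ("Indicates the allowed fragmentation threshold.") read as the same thing; state how each value is used in the vacuum decision so a reader can tell them apart. Also, the upper bound for `wazuh_db.check_fragmentation_interval`, 30758400 seconds, is exactly 356 days; if a one-year maximum was intended the value would be 31536000, so please confirm the number.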
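Review bot: In the `storage\\container\\path` hunk of `source/user-manual/reference/ossec-conf/wodle-azure-logs.rst`, "Defines, for the container, a path to search into." is awkward; suggest "Path inside the container where the module looks for blobs. If it is not set, the module retrieves all the blobs at the root level." The allowed value "Valid path" is also vague: say whether it is matched as a blob-name prefix and whether a trailing slash is significant.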
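Review bot: In the new `source/user-manual/reference/tools/rbac-control.rst`, the usage table says `factory-reset` asks for confirmation "unless the -f/--force flag is used", but the `-h` output shown under Examples lists only `-h, --help` under optional arguments; either add the flag to the table and the help output or drop the mention. The copyright line reads `Copyright (C) 2022 Wazuh, Inc.` while the other files in this change use `Copyright (C) 2015, Wazuh, Inc.`; align it. "to skip any of the user" should read "to skip any of the users", and "Ask for confirmation" should be "Asks for confirmation" to match the present-tense rule in the updated PR template. Since the `change-password` example ends in `Error 5007 - Insecure user password provided`, consider linking the password policy the API enforces so readers know what a valid password must contain.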