From b12d4efa5e7620c6998e46bdaf074e5cafed3e48 Mon Sep 17 00:00:00 2001 From: Marcel Kemp Date: Fri, 13 May 2022 12:41:00 +0200 Subject: [PATCH 01/55] Add support for Amazon Linux 2022 in Vulnerability Detector --- .../wazuh-manager-class.rst | 126 +++++++++--------- source/learning-wazuh/vuln-detection.rst | 1 + .../compatibility-matrix.rst | 8 +- .../offline-update.rst | 18 ++- .../reference/ossec-conf/vuln-detector.rst | 7 +- 5 files changed, 84 insertions(+), 76 deletions(-) diff --git a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst index c7f553f8ec..6cb92c8bbc 100644 --- a/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst +++ b/source/deployment-options/deploying-with-puppet/wazuh-puppet-module/reference-wazuh-puppet/wazuh-manager-class.rst @@ -199,7 +199,7 @@ $ossec_smtp_server SMTP mail server. `Default smtp.example.wazuh.com` - + `Type String` Depends on **ossec_emailnotification** @@ -208,7 +208,7 @@ $ossec_emailfrom Email from address. `Default ossecm@example.wazuh.com` - + `Type String` Depends on **ossec_emailnotification** @@ -228,7 +228,7 @@ $ossec_email_log_source `Default 'alerts.log'` `Type String` - + Depends on **ossec_emailnotification** $ossec_email_idsname @@ -441,7 +441,7 @@ $ossec_syscheck_scan_on_start Specifies if syscheck scans immediately when started. `Default yes` - + `Type String` $ossec_syscheck_auto_ignore @@ -521,9 +521,9 @@ $ossec_syscheck_ignore_type_2 $ossec_syscheck_max_eps Sets the maximum event reporting throughput. Events are messages that will produce an alert. - + `Default 100` - + `Type String` $ossec_syscheck_process_priority 
@@ -585,38 +585,38 @@ $syslog_output_level The minimum level of the alerts to be forwarded. `Default 2` - + `Type Integer` - + Depends on **syslog_output** $syslog_output_port The port to forward alerts to. `Default 514` - + `Type Integer` - + Depends on **syslog_output** $syslog_output_server The IP address of the syslog server. `Default undef` - + `Type String` - + Depends on **syslog_output** - + Required if **syslog_output** is set to true $syslog_output_format Format of alert output. `Default undef` - + `Type String` - + Depends on **syslog_output** @@ -880,7 +880,7 @@ $vulnerability_detector_provider_alas_enabled $vulnerability_detector_provider_alas_os Feed to update. - `Default ['amazon-linux','amazon-linux-2']` + `Default ['amazon-linux','amazon-linux-2','amazon-linux-2022']` `Type List` @@ -939,7 +939,7 @@ $wazuh_api_port Port where the Wazuh API will listen. `Default 55000` - + `Type String` @@ -947,42 +947,42 @@ $wazuh_api_https_enabled Enable or disable SSL (https) in the Wazuh API. `Default true` - + `Type String` $wazuh_api_https_key File with the private key. `Default server.key (in api/configuration/ssl)` - + `Type String` $wazuh_api_https_cert File with the certificate. `Default server.crt (in api/configuration/ssl)` - + `Type String` $wazuh_api_https_use_ca Whether to use a certificate from a Certificate Authority. `Default false` - + `Type String` $wazuh_api_https_ca Certificate of the Certificate Authority (CA). `Default ca.crt (in api/configuration/ssl)` - + `Type String` $wazuh_api_logs_level Sets the verbosity level of the Wazuh API logs. `Default info` - + `Type String` $wazuh_api_logs_format 
@@ -994,84 +994,84 @@ $wazuh_api_cors_enabled Enable or disable the use of CORS in the Wazuh API. `Default false` - + `Type String` $wazuh_api_cors_source_route Sources for which the resources will be available. For example `http://client.example.org.` `Default "*"` - + `Type String` $wazuh_api_cors_expose_headers Specifies which headers can be exposed as part of the response. `Default "*"` - + `Type String` $wazuh_api_cors_allow_headers Specifies which HTTP headers can be used during the actual request. `Default "*"` - + `Type String` $wazuh_api_cors_allow_credentials Tells browsers whether to expose the response to frontend JavaScript. `Default false` - + `Type String` $wazuh_api_cache_enabled Enables or disables caching for certain API responses (currently, all `/rules` endpoints) `Default true` - + `Type String` $wazuh_api_cache_time Time in seconds that the cache lasts before expiring. `Default 0.75` - + `Type String` $wazuh_api_access_max_login_attempts Set a maximum number of login attempts during a specified block_time number of seconds. `Default 5` - + `Type Integer` $wazuh_api_access_block_time Established period of time (in seconds) to attempt login requests. If the established number of requests (`max_login_attempts`) is exceeded within this time limit, the IP address is blocked until the end of the block time period. `Default 300` - + `Type Integer` $wazuh_api_access_max_request_per_minute Establish a maximum number of requests the Wazuh API can handle per minute (does not include authentication requests). If the number of requests for a given minute is exceeded, all incoming requests (from any user) will be blocked. This feature can be disabled by setting its value to 0. `Default 300` - + `Type Integer` $wazuh_api_drop_privileges Run wazuh-api process as wazuh user `Default true` - + `Type String` $wazuh_api_experimental_features Enable features under development `Default false` - + `Type String` 
@@ -1084,14 +1084,14 @@ $configure_wodle_openscap Enables the Wodle OpenSCAP section rendering on this host. If this variable is not set to *true* the complete open-scap wodle tag will not be added to *ossec.conf*. `Default true` - + `Type boolean` $wodle_openscap_disabled Disables the OpenSCAP wodle. `Default yes` - + `Type String` Depends on **wodle_openscap_disabled** @@ -1100,7 +1100,7 @@ $wodle_openscap_timeout Timeout for each evaluation. `Default 1800` - + `Type String` Depends on **wodle_openscap_disabled** @@ -1109,7 +1109,7 @@ $wodle_openscap_interval Interval between OpenSCAP executions. `Default 1d` - + `Type String` Depends on **wodle_openscap_disabled** @@ -1118,11 +1118,11 @@ $wodle_openscap_scan_on_start Run evaluation immediately when service is started. `Default yes` - + `Type String` Depends on **wodle_openscap_disabled** - + .. _ref_server_vars_ciscat: @@ -1140,7 +1140,7 @@ $wodle_ciscat_disabled Disables the CIS-CAT wodle. `Default yes` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1149,7 +1149,7 @@ $wodle_ciscat_timeout Timeout for each evaluation. In case the execution takes longer than the specified timeout, it stops. `Default 1800` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1158,7 +1158,7 @@ $wodle_ciscat_interval Interval between CIS-CAT executions. `Default 1d` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1167,7 +1167,7 @@ $wodle_ciscat_scan_on_start Run evaluation immediately when service is started. `Default yes` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1176,7 +1176,7 @@ $wodle_ciscat_java_path Define where Java is located. If this parameter is not set, the wodle will search for the Java location in the default environment variable `$PATH`. `Default 'wodles/java'` - + `Type String` Depends on **configure_wodle_cis_cat** 
@@ -1185,7 +1185,7 @@ $wodle_ciscat_ciscat_path Define where CIS-CAT is located. `Default 'wodles/ciscat'` - + `Type String` Depends on **configure_wodle_cis_cat** @@ -1199,14 +1199,14 @@ $configure_wodle_osquery Enables the Wodle osquery section rendering on this host. If this variable is not set to *true*, the complete osquery wodle tag will not be added to *ossec.conf*. `Default true` - + `Type Boolean` $wodle_osquery_disabled Disable the osquery wodle. `Default yes` - + `Type String` Depends on **configure_wodle_osquery** @@ -1215,7 +1215,7 @@ $wodle_osquery_run_daemon Makes the module run osqueryd as a subprocess or lets the module monitor the results log without running Osquery. `Default yes` - + `Type String` Depends on **configure_wodle_osquery** @@ -1224,7 +1224,7 @@ $wodle_osquery_log_path Full path to the results log written by Osquery. `Default '/var/log/osquery/osqueryd.results.log'` - + `Type String` Depends on **configure_wodle_osquery** @@ -1233,7 +1233,7 @@ $wodle_osquery_config_path Path to the Osquery configuration file. This path can be relative to the folder where the Wazuh agent is running. `Default '/etc/osquery/osquery.conf'` - + `Type String` Depends on **configure_wodle_osquery** @@ -1242,12 +1242,12 @@ $wodle_osquery_add_labels Add the agent labels defined as decorators. `Default yes` - + `Type String` Depends on **configure_wodle_osquery** - + .. _ref_server_vars_wodle_syscollector: 
@@ -1263,56 +1263,56 @@ $wodle_syscollector_interval Time between system scans. `Default 1h` - + `Type String` $wodle_syscollector_scan_on_start Run a system scan immediately when service is started. `Default yes` - + `Type String` $wodle_syscollector_hardware Enables the hardware scan. `Default yes` - + `Type String` $wodle_syscollector_os Enables the OS scan. `Default yes` - + `Type String` $wodle_syscollector_network Enables the network scan. `Default yes` - + `Type String` $wodle_syscollector_packages Enables the packages scan. `Default yes` - + `Type String` $wodle_syscollector_ports Enables the ports scan. `Default yes` - + `Type String` $wodle_syscollector_processes Enables the processes scan. `Default yes` - + `Type String` @@ -1439,5 +1439,3 @@ $active_response_repeated_offenders `Default empty` .. _ref_server_addlog: - - diff --git a/source/learning-wazuh/vuln-detection.rst b/source/learning-wazuh/vuln-detection.rst index 4cd2fd3a02..84c317bfd3 100644 --- a/source/learning-wazuh/vuln-detection.rst +++ b/source/learning-wazuh/vuln-detection.rst @@ -122,6 +122,7 @@ In the ``/var/ossec/etc/ossec.conf`` file of the Wazuh manager, scroll down to t no amazon-linux amazon-linux-2 + amazon-linux-2022 1h diff --git a/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst b/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst index 7b782d2b7f..a420d54ede 100644 --- a/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst +++ b/source/user-manual/capabilities/vulnerability-detection/compatibility-matrix.rst 
@@ -37,9 +37,11 @@ The following table shows the operating systems where the vulnerability detector | +------------------------+ | | | bullseye / 11 | | +---------------+------------------------+----------------------------------+ -| | Amazon Linux 1 | - ALAS | -| Amazon Linux +------------------------+ - National Vulnerability Database| -| | Amazon Linux 2 | | +| | Amazon Linux 1 | | +| +------------------------+ | +| Amazon Linux | Amazon Linux 2 | - ALAS | +| +------------------------+ - National Vulnerability Database| +| | Amazon Linux 2022 | | +---------------+------------------------+----------------------------------+ | | | | | Arch Linux | Rolling release | - Arch | diff --git a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst index f4ef20191f..d110f19197 100644 --- a/source/user-manual/capabilities/vulnerability-detection/offline-update.rst +++ b/source/user-manual/capabilities/vulnerability-detection/offline-update.rst 
@@ -279,13 +279,15 @@ ALAS The vulnerability feeds for **Amazon Linux** systems are currently fetched from the Wazuh repository as ALAS feeds. To perform an offline update of these feeds, they first have to be downloaded from the corresponding Wazuh repository: -+----------------+------------------------------------------------------------------------------------------+ -| OS | Link | -+================+==========================================================================================+ -| Amazon Linux | ``_ | -+----------------+------------------------------------------------------------------------------------------+ -| Amazon Linux 2 | ``_ | -+----------------+------------------------------------------------------------------------------------------+ ++-------------------+------------------------------------------------------------------------------------------+ +| OS | Link | ++===================+==========================================================================================+ +| Amazon Linux | ``_ | ++-------------------+------------------------------------------------------------------------------------------+ +| Amazon Linux 2 | ``_ | ++-------------------+------------------------------------------------------------------------------------------+ +| Amazon Linux 2022 | ``_ | ++-------------------+------------------------------------------------------------------------------------------+ Then, they need to be placed accordingly in the custom location. @@ -295,6 +297,7 @@ Then, they need to be placed accordingly in the custom location. yes amazon-linux amazon-linux-2 + amazon-linux-2022 1h @@ -306,6 +309,7 @@ Alternatively, the feeds can be loaded from a local path with the ``path`` attri yes amazon-linux amazon-linux-2 + amazon-linux-2022 1h diff --git a/source/user-manual/reference/ossec-conf/vuln-detector.rst b/source/user-manual/reference/ossec-conf/vuln-detector.rst index 67a25685ee..baa3c72739 100644 
--- a/source/user-manual/reference/ossec-conf/vuln-detector.rst
+++ b/source/user-manual/reference/ossec-conf/vuln-detector.rst
@@ -172,8 +172,10 @@ Configuration block to specify vulnerability updates. | | | | | bullseye / 11 | | | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | | | | amazon-linux / 1 | -| | | | alas +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| | | | | amazon-linux-2 / 2 | +| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | | | alas | amazon-linux-2 / 2 | +| | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | | | | amazon-linux-2022 / 2022 | | | | +--------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | | | | | 5 | | | | | +---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -332,6 +334,7 @@ The following configuration will update the vulnerability database for Ubuntu, D no amazon-linux amazon-linux-2 + amazon-linux-2022 1h
From 960f5f65a10a4fa11b7cf384fe3c32d712a575c9 Mon Sep 17 00:00:00 2001
From: Manuel
Date: Wed, 25 May 2022 09:54:21 +0200
Subject: [PATCH 02/55] Add RBAC database migration documentation
---
source/development/index.rst | 1 +
.../development/rbac-database-integrity.rst | 28 +++++++++++++++++++
source/user-manual/api/rbac/how-it-works.rst | 8 +++---
3 files changed, 33 insertions(+), 4 deletions(-)
create mode 100644 source/development/rbac-database-integrity.rst
diff --git a/source/development/index.rst b/source/development/index.rst
index 8431399d06..33e785f61f 100644
--- a/source/development/index.rst
+++ b/source/development/index.rst
@@ -22,3 +22,4 @@ This section contains technical documentation for developers. packaging/index wazuh-logtest selinux-wazuh-context + rbac-database-integrity
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
new file mode 100644
index 0000000000..8bcf683159
--- /dev/null
+++ b/source/development/rbac-database-integrity.rst
@@ -0,0 +1,28 @@
+.. Copyright (C) 2022 Wazuh, Inc.
+
+.. _rbac_database_integrity:
+
+RBAC database integrity
+=======================
+
+The RBAC database integrity will be checked every time the wazuh-manager service starts to determine if the database should be updated. The integrity check allows us to cover the following cases:
+
+- Allow the introduction of breaking changes in the RBAC database structure or its default resources in future releases.
+- Restore the RBAC database with its default RBAC resources if it was manually deleted, being able to restore the RBAC database to a fresh install state if needed.
+
+.. warning::
+ If the RBAC database is manually deleted it will be restored with the default resources, but any user-created resources will be lost.
+
+
+How the database upgrade process works
+--------------------------------------
+
+During the RBAC database integrity check, Wazuh compares the RBAC database version with the current Wazuh version installed. If they don't match, the database upgrade process is triggered.
+
+Here is an abridged list of steps performed during the database upgrade process:
+
+1. A new RBAC database file is created and the current default Wazuh RBAC resources for the installed version are added to it.
+2. Any user-created RBAC resources are migrated from the old database to the new one, maintaining their IDs, names and so on.
+3. In case a user-created RBAC resource has the same name as a default Wazuh RBAC resource, the default one is kept and the user-created one is not added to the new RBAC database file. For the RBAC Policies the same applies to their policy body (compose of its actions, resources and effects), as they must be unique.
+4. Any relationships between user-created resources and default ones, such as relationships between roles and policies or roles and users, are updated to use the default resource instead, so the functionality is kept.
+5. The old RBAC database file is replaced by the new one.
diff --git a/source/user-manual/api/rbac/how-it-works.rst b/source/user-manual/api/rbac/how-it-works.rst
index 198db3d7a6..e4b20d04b1 100644
--- a/source/user-manual/api/rbac/how-it-works.rst
+++ b/source/user-manual/api/rbac/how-it-works.rst
@@ -1,22 +1,22 @@
 .. Copyright (C) 2022 Wazuh, Inc.
 .. meta::
- :description: The operation of RBAC is based on the relationship between three components: users, roles, and policies or permissions. Learn more here.
+ :description: The operation of RBAC is based on the relationship between four components: users, roles, rules and policies. Learn more here.
 .. _api_rbac_how_it_works:
 How it works
 ============
-The operation of RBAC is based on the relationship between three components: **users**, **roles**, and **policies** or permissions. Policies are associated with roles, and each user can belong to one or more roles.
+The operation of RBAC is based on the relationship between four components: **users**, **roles**, **rules** and **policies**. Policies and rules are associated with roles, and each user can belong to one or more roles.
 Since the policies are not directly related to users, it is not necessary to assign them to each user. Simply assign the user to the appropriate role. The process of updating the permissions of an entire group of users is also made easier thanks to this structure.
 After configuring RBAC, there will be users that can only see and do certain actions on specified resources that have previously been established. For example, it can be ensured that members of a Security-team have 'read' access to all agents, while the Sales-team has 'read' and 'modify' permissions only to agents in their department (but not delete permissions).
-Actions, resources, and effect
-------------------------------
+RBAC Policies
+-------------
 Policies control the Wazuh API permissions using three elements: actions, resources, and effect.
From 164d252dca7d6dcb01b3b78162fb80cd00898d12 Mon Sep 17 00:00:00 2001
From: Manuel
Date: Wed, 25 May 2022 10:07:35 +0200
Subject: [PATCH 03/55] Add minor changes to RBAC database integrity documentation
---
source/development/rbac-database-integrity.rst | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
index 8bcf683159..91f4eaaecf 100644
--- a/source/development/rbac-database-integrity.rst
+++ b/source/development/rbac-database-integrity.rst
@@ -5,13 +5,13 @@
 RBAC database integrity
 =======================
-The RBAC database integrity will be checked every time the wazuh-manager service starts to determine if the database should be updated. The integrity check allows us to cover the following cases:
+The RBAC database integrity is checked every time the wazuh-manager service starts to determine if the database should be updated. The integrity check allows us to cover the following cases:
 - Allow the introduction of breaking changes in the RBAC database structure or its default resources in future releases.
 - Restore the RBAC database with its default RBAC resources if it was manually deleted, being able to restore the RBAC database to a fresh install state if needed.
 .. warning::
- If the RBAC database is manually deleted it will be restored with the default resources, but any user-created resources will be lost.
+ If the RBAC database is manually deleted, it is restored with the default resources. Other resources created by the user are, therefore, lost.
 How the database upgrade process works
@@ -21,8 +21,8 @@ During the RBAC database integrity check, Wazuh compares the RBAC database versi
 Here is an abridged list of steps performed during the database upgrade process:
-1. A new RBAC database file is created and the current default Wazuh RBAC resources for the installed version are added to it.
-2. Any user-created RBAC resources are migrated from the old database to the new one, maintaining their IDs, names and so on.
+1. A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it.
+2. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so on.
 3. In case a user-created RBAC resource has the same name as a default Wazuh RBAC resource, the default one is kept and the user-created one is not added to the new RBAC database file. For the RBAC Policies the same applies to their policy body (compose of its actions, resources and effects), as they must be unique.
 4. Any relationships between user-created resources and default ones, such as relationships between roles and policies or roles and users, are updated to use the default resource instead, so the functionality is kept.
 5. The old RBAC database file is replaced by the new one.
From 7051eef4e54f0e2960edac3dcaa26351fd65f8b2 Mon Sep 17 00:00:00 2001
From: Sandra Ocando
Date: Wed, 1 Jun 2022 09:58:02 +0200
Subject: [PATCH 04/55] Update release and API tag
---
source/conf.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/conf.py b/source/conf.py
index 4e25a7c0b3..d8a8d57c3c 100644
--- a/source/conf.py
+++ b/source/conf.py
@@ -42,8 +42,8 @@
 # The full version, including alpha/beta/rc tags
 # Important: use a valid branch (4.0) or, preferably, tag name (v4.0.0)
-release = '4.4'
-api_tag = '4.4'
+release = '4.5'
+api_tag = 'master'
 apiURL = 'https://raw.githubusercontent.com/wazuh/wazuh/'+api_tag+'/api/api/spec/spec.yaml'
 # -- General configuration ------------------------------------------------
From a7292319007eda37f5fbc14f3542ab1edc5f8be5 Mon Sep 17 00:00:00 2001
From: Manuel
Date: Thu, 2 Jun 2022 12:17:41 +0200
Subject: [PATCH 05/55] Update rbac-database-integrity.rst after the RBAC migration changes
---
source/development/rbac-database-integrity.rst | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
index 91f4eaaecf..f90d211b20 100644
--- a/source/development/rbac-database-integrity.rst
+++ b/source/development/rbac-database-integrity.rst
@@ -23,6 +23,14 @@ Here is an abridged list of steps performed during the database upgrade process: 1. A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it. 2. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so on. -3. In case a user-created RBAC resource has the same name as a default Wazuh RBAC resource, the default one is kept and the user-created one is not added to the new RBAC database file. For the RBAC Policies the same applies to their policy body (compose of its actions, resources and effects), as they must be unique. -4. Any relationships between user-created resources and default ones, such as relationships between roles and policies or roles and users, are updated to use the default resource instead, so the functionality is kept. +3. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resources: + 3.1. If a user-created **user** has the same **name** as a default user, both are considered the same. The user-created user is renamed to its name + '_user'. + 3.2. If a user-created **role** has the same **name** as a default role, both are considered the same. The user-created role is renamed to its name + '_user'. + 3.3. If a user-created **rule** has the same **name** and **body** as a default rule, both are considered the same. The user-created rule relationships are migrated to the new default rule. + 3.4. If a user-created **policy** has the same **name** and **body** as a default policy, both are considered the same. The user-created policy relationships are migrated to the new default policy. +4. Any relationships between RBAC user-created resources are added to the new database. +4. Any relationships between RBAC user-created resources and default ones are updated: + 4.1. 
If the default resource does not exist in the new version, the relationships between user-created resources and the deleted resource are removed. + 4.2. If the default resource has a different ID in the new version, the relationships between user-created resources and the default resource are updated to match the new ID and keep the old functionality. + 4.3. In any other case, the relationships between user-created resources and the default resources are kept. 5. The old RBAC database file is replaced by the new one. From 82d3141a38398e06f51b5f73bb27df4c6e2ba478 Mon Sep 17 00:00:00 2001 From: Manuel Date: Thu, 2 Jun 2022 13:47:26 +0200 Subject: [PATCH 06/55] Add minor changes to rbac-database-integrity.rst --- .../development/rbac-database-integrity.rst | 38 ++++++++++++------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst index f90d211b20..b918b60a41 100644 --- a/source/development/rbac-database-integrity.rst +++ b/source/development/rbac-database-integrity.rst 
@@ -21,16 +21,28 @@ During the RBAC database integrity check, Wazuh compares the RBAC database versi Here is an abridged list of steps performed during the database upgrade process: -1. A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it. -2. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so on. -3. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resources: - 3.1. If a user-created **user** has the same **name** as a default user, both are considered the same. The user-created user is renamed to its name + '_user'. - 3.2. If a user-created **role** has the same **name** as a default role, both are considered the same. The user-created role is renamed to its name + '_user'. - 3.3. If a user-created **rule** has the same **name** and **body** as a default rule, both are considered the same. The user-created rule relationships are migrated to the new default rule. - 3.4. If a user-created **policy** has the same **name** and **body** as a default policy, both are considered the same. The user-created policy relationships are migrated to the new default policy. -4. Any relationships between RBAC user-created resources are added to the new database. -4. Any relationships between RBAC user-created resources and default ones are updated: - 4.1. If the default resource does not exist in the new version, the relationships between user-created resources and the deleted resource are removed. - 4.2. If the default resource has a different ID in the new version, the relationships between user-created resources and the default resource are updated to match the new ID and keep the old functionality. - 4.3. In any other case, the relationships between user-created resources and the default resources are kept. -5. The old RBAC database file is replaced by the new one. +#. 
A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it. + +#. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so on. + +#. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resource: + + #. If the user-created **user** has the same **name** as the default user, both are considered the same. The user-created user is renamed to its name + '_user'. + + #. If the user-created **role** has the same **name** as the default role, both are considered the same. The user-created role is renamed to its name + '_user'. + + #. If the user-created **rule** has the same **name** or **body** as the default rule, both are considered the same. The user-created rule relationships are migrated to the new default rule. + + #. If the user-created **policy** has the same **name** or **body** as the default policy, both are considered the same. The user-created policy relationships are migrated to the new default policy. + +#. Any relationships between RBAC user-created resources are added to the new database. + +#. Any relationships between RBAC user-created resources and default ones are updated: + + #. If the default resource does not exist in the new version, the relationships between user-created resources and the deleted resource are removed. + + #. If the default resource has a different ID in the new version, the relationships between user-created resources and the default resource are updated to match the new ID and keep the old functionality. + + #. In any other case, the relationships between user-created resources and the default resources are kept. + +#. The old RBAC database file is replaced by the new one. From 70b8c61cb155a57614105f1aa057cf8bb4121a24 Mon Sep 17 00:00:00 2001 
From: Nicolas Gomez Palacios
Date: Wed, 15 Jun 2022 21:03:23 +0000
Subject: [PATCH 07/55] Removes local_ip option for agent configuration.
---
source/user-manual/reference/ossec-conf/client.rst | 12 ------------
1 file changed, 12 deletions(-)
diff --git a/source/user-manual/reference/ossec-conf/client.rst b/source/user-manual/reference/ossec-conf/client.rst
index 774100da76..44efbd2129 100644
--- a/source/user-manual/reference/ossec-conf/client.rst
+++ b/source/user-manual/reference/ossec-conf/client.rst
@@ -112,7 +112,6 @@ Options
 - `time-reconnect`_
 - `force_reconnect_interval`_
 - `ip_update_interval`_
-- `local_ip`_
 - `auto_restart`_
 - `crypto_method`_
@@ -199,17 +198,6 @@ Any value equal to or lower than the configured ``notify_time`` will cause the I
 .. note::
 Most systems won't need to modify this value, but on systems with large routing tables this configuration can help lower CPU usage from wazuh-modulesd.
-local_ip
-^^^^^^^^
-
-Specifies which IP address will be used to communicate with the manager when the agent has multiple network interfaces.
-
-+--------------------+----------------------------------+
-| **Default value** | n/a |
-+--------------------+----------------------------------+
-| **Allowed values** | Any valid IP address is allowed. |
-+--------------------+----------------------------------+
-
 auto_restart
 ^^^^^^^^^^^^
From 0b9a9494abe5129d17aa2e64f994462da8a4a6c8 Mon Sep 17 00:00:00 2001
From: Manuel
Date: Fri, 17 Jun 2022 11:40:26 +0200
Subject: [PATCH 08/55] Add rbac_control CLI documentation
---
.../reference/tools/rbac-control.rst | 102 ++++++++++++++++++
1 file changed, 102 insertions(+)
create mode 100644 source/user-manual/reference/tools/rbac-control.rst
diff --git a/source/user-manual/reference/tools/rbac-control.rst b/source/user-manual/reference/tools/rbac-control.rst
new file mode 100644
index 0000000000..f403bd17cc
--- /dev/null
+++ b/source/user-manual/reference/tools/rbac-control.rst
@@ -0,0 +1,102 @@
+.. Copyright (C) 2022 Wazuh, Inc.
+
+.. _rbac_control:
+
+rbac_control
+============
+
+.. versionadded:: 4.5.0
+
+The ``rbac_control`` tool allows changing the default users' password and reseting the RBAC database to its default
+state. For more information about the Wazuh RBAC resources and database, please visit the
+:ref:`How it works ` section.
+
+Usage
+-----
+
++-----------------------------------------+---------------------------------------------------+
+| Option name | Option description |
++=========================================+===================================================+
+| ``-h, --help`` | Display the help message. |
++-----------------------------------------+---------------------------------------------------+
+| ``change-password`` | Change the password for each default user. |
++-----------------------------------------+---------------------------------------------------+
+| ``factory-reset`` | Reset the RBAC database to its default state. |
++-----------------------------------------+---------------------------------------------------+
+
+Examples
+--------
+
+``-h`` argument:
+
+.. code-block:: console
+
+ # /var/ossec/bin/rbac_control -h
+
+.. code-block:: console
+ :class: output
+
+ usage: rbac_control.py [-h] {change-password,factory-reset} ...
+
+ Wazuh RBAC tool: manage resources from the Wazuh RBAC database
+
+ Arguments:
+ {change-password,factory-reset}
+ change-password Change the password for each default user. Empty values will leave the password unchanged.
+ factory-reset Reset the RBAC database to its default state. This will completely wipe your custom RBAC information.
+
+ optional arguments:
+ -h, --help show this help message and exit
+
+
+``factory-reset`` example:
+
+.. code-block:: console
+
+ # /var/ossec/bin/rbac_control factory-reset
+
+.. code-block:: console
+ :class: output
+
+ This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: RESET
+ Successfully reset RBAC database
+
+``factory-reset`` example (aborted):
+
+.. code-block:: console
+
+ # /var/ossec/bin/rbac_control factory-reset
+
+.. code-block:: console
+ :class: output
+
+ This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: aa
+ RBAC database reset aborted.
+
+
+``change-password`` example with an insecure password:
+
+.. code-block:: console
+
+ # /var/ossec/bin/rbac_control change-password
+
+.. code-block:: console
+ :class: output
+
+ New password for 'wazuh' (skip):
+ New password for 'wazuh-wui' (skip):
+ wazuh: FAILED | Error 5007 - Insecure user password provided
+
+
+``change-password`` example where the password was changed successfully:
+
+.. code-block:: console
+
+ # /var/ossec/bin/rbac_control change-password
+
+.. code-block:: console
+ :class: output
+
+ New password for 'wazuh' (skip):
+ New password for 'wazuh-wui' (skip):
+ wazuh: UPDATED
From 336274ad58b8073f941ecc36b14ee37bb5d44e60 Mon Sep 17 00:00:00 2001 From: Manuel Date: Fri, 17 Jun 2022 12:03:36 +0200 Subject: [PATCH 09/55] Add examples to the rbac-database-integrity docu
--- .../development/rbac-database-integrity.rst | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+)
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
index b918b60a41..531dab4208 100644
--- a/source/development/rbac-database-integrity.rst
+++ b/source/development/rbac-database-integrity.rst
@@ -46,3 +46,79 @@ Here is an abridged list of steps performed during the database upgrade process:
 #. In any other case, the relationships between user-created resources and the default resources are kept.
 #. The old RBAC database file is replaced by the new one.
+
+Migration examples
+------------------
+
+After upgrading from a Wazuh version with RBAC database version 0 to 1, ``WAZUH_PATH/logs/api.log``:
+
+.. code-block:: none
+ :class: output
+
+ 2022/06/17 09:44:04 INFO: Checking RBAC database integrity...
+ 2022/06/17 09:44:04 INFO: /var/ossec/api/configuration/security/rbac.db file was detected
+ 2022/06/17 09:44:04 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1
+ 2022/06/17 09:44:09 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully
+ 2022/06/17 09:44:09 INFO: RBAC database integrity check finished successfully
+ 2022/06/17 09:44:12 INFO: Listening on 0.0.0.0:55000..
+
+After upgrading from a Wazuh version with RBAC database version 0 to 1, with the old DB having a user that is a default user in the new version:
+
+``WAZUH_PATH/logs/api.log``:
+
+.. code-block:: none
+ :class: output
+
+ 2022/06/17 10:00:21 INFO: /var/ossec/api/configuration/security/rbac.db file was detected
+ 2022/06/17 10:00:21 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1
+ 2022/06/17 10:00:25 WARNING: User 100 (manuel) is part of the new default users. Renaming it to 'manuel_user'
+ 2022/06/17 10:00:26 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully
+ 2022/06/17 10:00:26 INFO: RBAC database integrity check finished successfully
+ 2022/06/17 10:00:29 INFO: Listening on 0.0.0.0:55000..
+
+``GET /security/users`` response:
+
+.. code-block:: json
+ :class: output
+
+ {
+ "data": {
+ "affected_items": [
+ {
+ "id": 1,
+ "username": "wazuh",
+ "allow_run_as": true,
+ "roles": [
+ 1
+ ]
+ },
+ {
+ "id": 2,
+ "username": "wazuh-wui",
+ "allow_run_as": true,
+ "roles": [
+ 1
+ ]
+ },
+ {
+ "id": 3,
+ "username": "manuel",
+ "allow_run_as": true,
+ "roles": []
+ },
+ {
+ "id": 100,
+ "username": "manuel_user",
+ "allow_run_as": false,
+ "roles": [
+ 100
+ ]
+ }
+ ],
+ "total_affected_items": 4,
+ "total_failed_items": 0,
+ "failed_items": []
+ },
+ "message": "All specified users were returned",
+ "error": 0
+ }
From 074e9d3bd98d9188b7c28f2dd55d5a398830e170 Mon Sep 17 00:00:00 2001 From: Manuel Date: Fri, 17 Jun 2022 12:06:33 +0200 Subject: [PATCH 10/55] Update tools index
--- source/user-manual/reference/tools/index.rst | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/source/user-manual/reference/tools/index.rst b/source/user-manual/reference/tools/index.rst
index 6f3b7274bd..45983b5639 100644
--- a/source/user-manual/reference/tools/index.rst
+++ b/source/user-manual/reference/tools/index.rst
@@ -29,6 +29,8 @@ Tools
 +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+
 | :doc:`wazuh-regex ` | Validates a regex expression | manager |
 +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+
+| :doc:`rbac_control ` | Manage default API users' password and reset RBAC DB | manager |
++---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+
 | :doc:`update_ruleset ` | Update Decoders, Rules and Rootchecks | manager |
 | | | |
 | | .. deprecated:: 4.2 | |
From dc7d72238456caeaad2953adc8fcdd9f9a2268ae Mon Sep 17 00:00:00 2001 
From: Manuel Date: Fri, 17 Jun 2022 12:07:46 +0200 Subject: [PATCH 11/55] Add rbac-control to toctree
--- source/user-manual/reference/tools/index.rst | 1 + 1 file changed, 1 insertion(+)
diff --git a/source/user-manual/reference/tools/index.rst b/source/user-manual/reference/tools/index.rst
index 45983b5639..6775419933 100644
--- a/source/user-manual/reference/tools/index.rst
+++ b/source/user-manual/reference/tools/index.rst
@@ -59,6 +59,7 @@ Tools
 wazuh-logtest
 clear-stats
 wazuh-regex
+ rbac-control
 update-ruleset
 verify-agent-conf
 agent-groups
From 621925e48b38e6543b7f4f882840c7b87959417f Mon Sep 17 00:00:00 2001 From: Manuel Date: Mon, 20 Jun 2022 10:59:37 +0200 Subject: [PATCH 12/55] Add requested changes
--- .../development/rbac-database-integrity.rst | 14 ++++++------ source/user-manual/reference/tools/index.rst | 2 +- .../reference/tools/rbac-control.rst | 22 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
index 531dab4208..42e06c9cff 100644
--- a/source/development/rbac-database-integrity.rst
+++ b/source/development/rbac-database-integrity.rst
@@ -5,9 +5,9 @@ RBAC database integrity
 =======================
-The RBAC database integrity is checked every time the wazuh-manager service starts to determine if the database should be updated. The integrity check allows us to cover the following cases:
+The RBAC database integrity is checked every time the Wazuh API starts to determine if the database should be updated. The integrity check allows us to cover the following cases:
-- Allow the introduction of breaking changes in the RBAC database structure or its default resources in future releases.
+- Upgrade to a Wazuh version with breaking changes in the RBAC database structure or with new default resources.
 - Restore the RBAC database with its default RBAC resources if it was manually deleted, being able to restore the RBAC database to a fresh install state if needed.
 .. warning::
@@ -17,13 +17,13 @@ The RBAC database integrity is checked every time the wazuh-manager service star
 How the database upgrade process works
 --------------------------------------
-During the RBAC database integrity check, Wazuh compares the RBAC database version with the current Wazuh version installed. If they don't match, the database upgrade process is triggered.
+During the RBAC database integrity check, Wazuh compares its RBAC database version with the installed one. If they don't match, the database upgrade process is triggered.
 Here is an abridged list of steps performed during the database upgrade process:
 #. A new RBAC database file is created and the default Wazuh RBAC resources for the installed version are added to it.
-#. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so on.
+#. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so forth.
 #. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resource:
@@ -71,7 +71,7 @@ After upgrading from a Wazuh version with RBAC database version 0 to 1, with the
 2022/06/17 10:00:21 INFO: /var/ossec/api/configuration/security/rbac.db file was detected
 2022/06/17 10:00:21 INFO: RBAC database migration required. Current version is 0 but it should be 1. Upgrading RBAC database to version 1
- 2022/06/17 10:00:25 WARNING: User 100 (manuel) is part of the new default users. Renaming it to 'manuel_user'
+ 2022/06/17 10:00:25 WARNING: User 100 (example) is part of the new default users. Renaming it to 'example_user'
 2022/06/17 10:00:26 INFO: /var/ossec/api/configuration/security/rbac.db database upgraded successfully
 2022/06/17 10:00:26 INFO: RBAC database integrity check finished successfully
 2022/06/17 10:00:29 INFO: Listening on 0.0.0.0:55000..
@@ -102,13 +102,13 @@ After upgrading from a Wazuh version with RBAC database version 0 to 1, with the
 },
 {
 "id": 3,
- "username": "manuel",
+ "username": "example",
 "allow_run_as": true,
 "roles": []
 },
 {
 "id": 100,
- "username": "manuel_user",
+ "username": "example_user",
 "allow_run_as": false,
 "roles": [
 100
diff --git a/source/user-manual/reference/tools/index.rst b/source/user-manual/reference/tools/index.rst
index 6775419933..774f1a1d49 100644
--- a/source/user-manual/reference/tools/index.rst
+++ b/source/user-manual/reference/tools/index.rst
@@ -29,7 +29,7 @@ Tools
 +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+
 | :doc:`wazuh-regex ` | Validates a regex expression | manager |
 +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+
-| :doc:`rbac_control ` | Manage default API users' password and reset RBAC DB | manager |
+| :doc:`rbac_control ` | Manage API RBAC resources and reset RBAC DB | manager |
 +---------------------------------------------------+----------------------------------------------------------------------------+-----------------------------+
 | :doc:`update_ruleset ` | Update Decoders, Rules and Rootchecks | manager |
 | | | |
diff --git a/source/user-manual/reference/tools/rbac-control.rst b/source/user-manual/reference/tools/rbac-control.rst
index f403bd17cc..38ad6bf142 100644
--- a/source/user-manual/reference/tools/rbac-control.rst
+++ b/source/user-manual/reference/tools/rbac-control.rst
@@ -7,22 +7,22 @@ rbac_control .. versionadded:: 4.5.0 -The ``rbac_control`` tool allows changing the default users' password and reseting the RBAC database to its default +The ``rbac_control`` tool allows managing resources from the Wazuh RBAC database and reseting the DB to its default state. For more information about the Wazuh RBAC resources and database, please visit the :ref:`How it works ` section. Usage ----- -+-----------------------------------------+---------------------------------------------------+ -| Option name | Option description | -+=========================================+===================================================+ -| ``-h, --help`` | Display the help message. | -+-----------------------------------------+---------------------------------------------------+ -| ``change-password`` | Change the password for each default user. | -+-----------------------------------------+---------------------------------------------------+ -| ``factory-reset`` | Reset the RBAC database to its default state. | -+-----------------------------------------+---------------------------------------------------+ ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ +| Option name | Option description | ++=========================================+==========================================================================================================+ +| ``-h, --help`` | Display the help message. | ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ +| ``change-password`` | Change the password for each default user. | ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ +| ``factory-reset`` | Reset the RBAC database to its default state. 
Ask for confirmation unless the -f/--force flag is used. | ++-----------------------------------------+----------------------------------------------------------------------------------------------------------+ Examples -------- @@ -88,7 +88,7 @@ Examples wazuh: FAILED | Error 5007 - Insecure user password provided -``change-password`` example where the password was changed successfully: +``change-password`` example where the `wazuh` user password was changed successfully (to skip any of the user, leave the new password blank): .. code-block:: console From a361d1d5d870a943e2a5eaa6dbb8919bdc2ef440 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20Carmona=20P=C3=A9rez?= Date: Mon, 20 Jun 2022 13:13:04 +0200 Subject: [PATCH 13/55] Update source/user-manual/reference/tools/rbac-control.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Víctor Fernández Poyatos --- source/user-manual/reference/tools/rbac-control.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/user-manual/reference/tools/rbac-control.rst b/source/user-manual/reference/tools/rbac-control.rst index 38ad6bf142..6f7be6da1d 100644 --- a/source/user-manual/reference/tools/rbac-control.rst +++ b/source/user-manual/reference/tools/rbac-control.rst @@ -7,7 +7,7 @@ rbac_control .. versionadded:: 4.5.0 -The ``rbac_control`` tool allows managing resources from the Wazuh RBAC database and reseting the DB to its default +The ``rbac_control`` tool allows managing resources from the Wazuh RBAC database and resetting the DB to its default state. For more information about the Wazuh RBAC resources and database, please visit the :ref:`How it works ` section. From 56077606494b7ee9966c021ff419ab389f268ee6 Mon Sep 17 00:00:00 2001 
From: javimed Date: Mon, 4 Jul 2022 12:18:02 -0300 Subject: [PATCH 14/55] Add redirects and changes to wording
--- source/_static/js/redirects.js | 2 + .../development/rbac-database-integrity.rst | 20 +++--- source/user-manual/api/rbac/how-it-works.rst | 4 +- .../reference/tools/rbac-control.rst | 61 +++++++++---------- 4 files changed, 42 insertions(+), 45 deletions(-)
diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js
index 4602e323bd..a2ee3500c8 100644
--- a/source/_static/js/redirects.js
+++ b/source/_static/js/redirects.js
@@ -99,6 +99,8 @@ newUrls['4.4'] = [
 '/amazon/services/supported-services/elastic-load-balancing/alb.html',
 '/amazon/services/supported-services/elastic-load-balancing/nlb.html',
 '/amazon/services/supported-services/elastic-load-balancing/clb.html',
+ '/development/rbac-database-integrity.html',
+ '/user-manual/reference/tools/rbac-control.html',
 ];
 removedUrls['4.4'] = [
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
index 42e06c9cff..141b857680 100644
--- a/source/development/rbac-database-integrity.rst
+++ b/source/development/rbac-database-integrity.rst
@@ -1,18 +1,16 @@ .. Copyright (C) 2022 Wazuh, Inc. -.. _rbac_database_integrity: - RBAC database integrity ======================= -The RBAC database integrity is checked every time the Wazuh API starts to determine if the database should be updated. The integrity check allows us to cover the following cases: +The integrity of the RBAC database is checked before determining if the database should be updated. The integrity check allows us the following: -- Upgrade to a Wazuh version with breaking changes in the RBAC database structure or with new default resources. -- Restore the RBAC database with its default RBAC resources if it was manually deleted, being able to restore the RBAC database to a fresh install state if needed. +- Upgrade to a Wazuh version when this version includes breaking changes in the RBAC database structure or new default resources. +- Restore the RBAC database with its default RBAC resources if it was manually deleted. This allows restoring the RBAC database to a fresh install state if needed. -.. warning:: - If the RBAC database is manually deleted, it is restored with the default resources. Other resources created by the user are, therefore, lost. + .. warning:: + User-created resources are lost when the database is restored with default resources. How the database upgrade process works -------------------------------------- 
@@ -27,13 +25,13 @@ Here is an abridged list of steps performed during the database upgrade process: #. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resource: - #. If the user-created **user** has the same **name** as the default user, both are considered the same. The user-created user is renamed to its name + '_user'. + #. If the user-created *user* has the same *name* as the default user, both are considered the same. The user-created user is renamed appending *'_user'* to its name. - #. If the user-created **role** has the same **name** as the default role, both are considered the same. The user-created role is renamed to its name + '_user'. + #. If the user-created *role* has the same *name* as the default role, both are considered the same. The user-created role is renamed appending *'_user'* to its name. - #. If the user-created **rule** has the same **name** or **body** as the default rule, both are considered the same. The user-created rule relationships are migrated to the new default rule. + #. If the user-created *rule* has the same *name* or *body* as the default rule, both are considered the same. The user-created rule relationships are migrated to the new default rule. - #. If the user-created **policy** has the same **name** or **body** as the default policy, both are considered the same. The user-created policy relationships are migrated to the new default policy. + #. If the user-created *policy* has the same *name* or *body* as the default policy, both are considered the same. The user-created policy relationships are migrated to the new default policy. #. Any relationships between RBAC user-created resources are added to the new database. diff --git a/source/user-manual/api/rbac/how-it-works.rst b/source/user-manual/api/rbac/how-it-works.rst index e4b20d04b1..c30170af41 100644 --- a/source/user-manual/api/rbac/how-it-works.rst +++ b/source/user-manual/api/rbac/how-it-works.rst 
@@ -1,14 +1,14 @@ .. Copyright (C) 2022 Wazuh, Inc. .. meta:: - :description: The operation of RBAC is based on the relationship between four components: users, roles, rules and policies. Learn more here. + :description: The operation of RBAC is based on the relationship between four components: users, roles, rules, and policies. Learn more here. .. _api_rbac_how_it_works: How it works ============ -The operation of RBAC is based on the relationship between four components: **users**, **roles**, **rules** and **policies**. Policies and rules are associated with roles, and each user can belong to one or more roles. +The operation of RBAC is based on the relationship between four components: **users**, **roles**, **rules**, and **policies**. Policies and rules are associated with roles, and each user can belong to one or more roles. Since the policies are not directly related to users, it is not necessary to assign them to each user. Simply assign the user to the appropriate role. The process of updating the permissions of an entire group of users is also made easier thanks to this structure. diff --git a/source/user-manual/reference/tools/rbac-control.rst b/source/user-manual/reference/tools/rbac-control.rst index 6f7be6da1d..53faa44fb6 100644 --- a/source/user-manual/reference/tools/rbac-control.rst +++ b/source/user-manual/reference/tools/rbac-control.rst @@ -1,14 +1,11 @@ .. Copyright (C) 2022 Wazuh, Inc. -.. _rbac_control: - rbac_control ============ .. versionadded:: 4.5.0 -The ``rbac_control`` tool allows managing resources from the Wazuh RBAC database and resetting the DB to its default -state. For more information about the Wazuh RBAC resources and database, please visit the +The ``rbac_control`` tool allows managing resources from the Wazuh RBAC database and resetting the DB to its default state. For more information about the Wazuh RBAC resources and database, please visit the :ref:`How it works ` section. Usage 
@@ -31,72 +28,72 @@ Examples .. code-block:: console - # /var/ossec/bin/rbac_control -h + # /var/ossec/bin/rbac_control -h .. code-block:: console - :class: output + :class: output - usage: rbac_control.py [-h] {change-password,factory-reset} ... + usage: rbac_control.py [-h] {change-password,factory-reset} ... - Wazuh RBAC tool: manage resources from the Wazuh RBAC database + Wazuh RBAC tool: manage resources from the Wazuh RBAC database - Arguments: - {change-password,factory-reset} - change-password Change the password for each default user. Empty values will leave the password unchanged. - factory-reset Reset the RBAC database to its default state. This will completely wipe your custom RBAC information. + Arguments: + {change-password,factory-reset} + change-password Change the password for each default user. Empty values will leave the password unchanged. + factory-reset Reset the RBAC database to its default state. This will completely wipe your custom RBAC information. - optional arguments: - -h, --help show this help message and exit + optional arguments: + -h, --help show this help message and exit ``factory-reset`` example: .. code-block:: console - # /var/ossec/bin/rbac_control factory-reset + # /var/ossec/bin/rbac_control factory-reset .. code-block:: console - :class: output + :class: output - This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: RESET - Successfully reset RBAC database + This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: RESET + Successfully reset RBAC database ``factory-reset`` example (aborted): .. code-block:: console - # /var/ossec/bin/rbac_control factory-reset + # /var/ossec/bin/rbac_control factory-reset .. code-block:: console - :class: output + :class: output - This action will completely wipe your RBAC configuration and restart it to default values. 
Type RESET to proceed: aa - RBAC database reset aborted. + This action will completely wipe your RBAC configuration and restart it to default values. Type RESET to proceed: aa + RBAC database reset aborted. ``change-password`` example with an insecure password: .. code-block:: console - # /var/ossec/bin/rbac_control change-password + # /var/ossec/bin/rbac_control change-password .. code-block:: console - :class: output + :class: output - New password for 'wazuh' (skip): - New password for 'wazuh-wui' (skip): - wazuh: FAILED | Error 5007 - Insecure user password provided + New password for 'wazuh' (skip): + New password for 'wazuh-wui' (skip): + wazuh: FAILED | Error 5007 - Insecure user password provided ``change-password`` example where the `wazuh` user password was changed successfully (to skip any of the user, leave the new password blank): .. code-block:: console - # /var/ossec/bin/rbac_control change-password + # /var/ossec/bin/rbac_control change-password .. code-block:: console - :class: output + :class: output - New password for 'wazuh' (skip): - New password for 'wazuh-wui' (skip): - wazuh: UPDATED + New password for 'wazuh' (skip): + New password for 'wazuh-wui' (skip): + wazuh: UPDATED From 3e0b7847cee73a1244906808d9b2c99a17e1b5af Mon Sep 17 00:00:00 2001 From: Javier M Date: Tue, 5 Jul 2022 10:07:45 -0300 Subject: [PATCH 15/55] Update source/development/rbac-database-integrity.rst MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Manuel Carmona Pérez --- source/development/rbac-database-integrity.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst index 141b857680..019770cef6 100644 --- a/source/development/rbac-database-integrity.rst +++ b/source/development/rbac-database-integrity.rst 
@@ -3,7 +3,7 @@ RBAC database integrity
 =======================
-The integrity of the RBAC database is checked before determining if the database should be updated. The integrity check allows us the following:
+The integrity of the RBAC database is checked when the API starts. The result of this check determines whether the database needs an update or not. The integrity check allows us the following:
 - Upgrade to a Wazuh version when this version includes breaking changes in the RBAC database structure or new default resources.
 - Restore the RBAC database with its default RBAC resources if it was manually deleted. This allows restoring the RBAC database to a fresh install state if needed.
From 1794024c1ccc1bf0c8eaccef1bb141e3b5fe9c72 Mon Sep 17 00:00:00 2001 From: Sandra Ocando Date: Wed, 6 Jul 2022 15:35:21 +0200 Subject: [PATCH 16/55] Update the Wazuh version
--- source/conf.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/conf.py b/source/conf.py
index d6991ad5d3..25b0297cc4 100644
--- a/source/conf.py
+++ b/source/conf.py
@@ -37,7 +37,7 @@ copyright = u'© ' + str(datetime.datetime.now().year) + u' · Wazuh Inc.'
 # The short X.Y version
-version = '4.4'
+version = '4.5'
 is_latest_release = True
 # The full version, including alpha/beta/rc tags
From 081c44bedf059de6dfff0f0ca2ff198e4a2c11fa Mon Sep 17 00:00:00 2001 From: javimed Date: Wed, 6 Jul 2022 15:28:19 -0300 Subject: [PATCH 17/55] Add changes as requested
--- source/development/rbac-database-integrity.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/source/development/rbac-database-integrity.rst b/source/development/rbac-database-integrity.rst
index 019770cef6..ea4c5738e6 100644
--- a/source/development/rbac-database-integrity.rst
+++ b/source/development/rbac-database-integrity.rst
@@ -23,15 +23,15 @@ Here is an abridged list of steps performed during the database upgrade process: #. Every user-created RBAC resource is migrated from the old database to the new one, maintaining its ID, name and so forth. -#. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resource: +#. In case a user-created RBAC resource coincides with one of the new default Wazuh RBAC resources: - #. If the user-created *user* has the same *name* as the default user, both are considered the same. The user-created user is renamed appending *'_user'* to its name. + #. If the user-created *user* has the same *name* as a default user, the first one is renamed appending *‘_user’* to its name. - #. If the user-created *role* has the same *name* as the default role, both are considered the same. The user-created role is renamed appending *'_user'* to its name. + #. If the user-created *role* has the same *name* as a default role, the first one is renamed appending *'_user'* to its name. - #. If the user-created *rule* has the same *name* or *body* as the default rule, both are considered the same. The user-created rule relationships are migrated to the new default rule. + #. If the user-created *rule* has the same *name* or *body* as a default rule, the relationships of the first one are migrated to the new default rule. - #. If the user-created *policy* has the same *name* or *body* as the default policy, both are considered the same. The user-created policy relationships are migrated to the new default policy. + #. If the user-created *policy* has the same *name* or *body* as a default policy, the relationships of the first one are migrated to the new default policy. #. Any relationships between RBAC user-created resources are added to the new database. From 7120a49319afb01467d80495511b73cd4b38a75e Mon Sep 17 00:00:00 2001 
From: Antonio Fresneda Date: Tue, 12 Jul 2022 09:18:28 +0200 Subject: [PATCH 18/55] Add section to explain how the manager certificates are generated.
--- .../reference/daemons/wazuh-authd.rst | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+)
diff --git a/source/user-manual/reference/daemons/wazuh-authd.rst b/source/user-manual/reference/daemons/wazuh-authd.rst
index 1860be3f8e..b26717648e 100644
--- a/source/user-manual/reference/daemons/wazuh-authd.rst
+++ b/source/user-manual/reference/daemons/wazuh-authd.rst
@@ -15,6 +15,16 @@ The ``wazuh-authd`` program can automatically add a Wazuh agent to a Wazuh manag
 .. warning::
 By default, there is no authentication or authorization involved in this transaction, so it is recommended that this daemon only be run when a new agent is being added.
+.. versionadded:: 5.0
+
+``wazuh-authd`` is able to generate the manager certificates even if openssl is not installed on the system. The parameters of the certificate are specified in the CLI:
+
+ .. code-block:: console
+
+ # wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/"
+
+If one of the parameters related with the certificate generation is missing, an error will be triggered and the certificate generation will be aborted.
+
 +------------------+-------------------------------------------------------------------------------------------------------+
 | **-V** | Version and license message. |
 +------------------+-------------------------------------------------------------------------------------------------------+
@@ -62,6 +72,16 @@ The ``wazuh-authd`` program can automatically add a Wazuh agent to a Wazuh manag +------------------+-------------+-----------------------------------------------------------------------------------------+ | **-L** | Force insertion even though agent limit has been reached. | +------------------+-------------------------------------------------------------------------------------------------------+ +| **-C** | Specify the manager certificate validity in days. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-B** | Set the manager certificate key size in bits. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-K** | Path to store the manager certificate key. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-X** | Path to store the manager certificate. | ++------------------+-------------------------------------------------------------------------------------------------------+ +| **-S** | Subject of the manager certificate. | ++------------------+-------------------------------------------------------------------------------------------------------+ .. note:: Paths can be referred to relative paths under the Wazuh installation directory, or full paths. From 0a55e14bc5e2d8c9650dca341d6c6a40b1baf593 Mon Sep 17 00:00:00 2001 From: Antonio Fresneda Date: Wed, 13 Jul 2022 09:58:31 +0200 Subject: [PATCH 19/55] Apply review suggestions. --- .../reference/daemons/wazuh-authd.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/source/user-manual/reference/daemons/wazuh-authd.rst b/source/user-manual/reference/daemons/wazuh-authd.rst index b26717648e..b34e6e320a 100644 --- a/source/user-manual/reference/daemons/wazuh-authd.rst 
+++ b/source/user-manual/reference/daemons/wazuh-authd.rst @@ -15,15 +15,15 @@ The ``wazuh-authd`` program can automatically add a Wazuh agent to a Wazuh manag .. warning:: By default, there is no authentication or authorization involved in this transaction, so it is recommended that this daemon only be run when a new agent is being added. -.. versionadded:: 5.0 -``wazuh-authd`` is able to generate the manager certificates even if openssl is not installed on the system. The parameters of the certificate are specified in the CLI: +``wazuh-authd`` is able to generate X.509 certificates even if OpenSSL is not installed on the system. The parameters of the certificate are specified in the CLI: .. code-block:: console # wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/" -If one of the parameters related with the certificate generation is missing, an error will be triggered and the certificate generation will be aborted. +If any of the parameters related to the certificate generation is missing, an error will be triggered and the certificates are not generated. +This certificate is used for the manager verification. +------------------+-------------------------------------------------------------------------------------------------------+ | **-V** | Version and license message. | 
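Review bot: The new paragraph documents that ``wazuh-authd`` writes a private key to the ``-K`` path but says nothing about the file permissions the daemon sets on it or whether an existing key and certificate at those paths are overwritten; both matter for a file that is later used "for the manager verification". A sentence after the example such as `The private key written to the -K path is created readable only by the Wazuh user; if either output file already exists it is <overwritten/left untouched — confirm>.` would close that gap, and the same detail belongs in the ``-K`` and ``-X`` rows of the option table in the next hunk. The example's `-C 265` reads like a typo for `365`; if the value is deliberate, a short note saying so avoids the question. "This certificate is used for the manager verification." would also benefit from naming who verifies it (the agents, if that is the case) rather than leaving it implicit.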
@@ -72,15 +72,15 @@ If one of the parameters related with the certificate generation is missing, an +------------------+-------------+-----------------------------------------------------------------------------------------+ | **-L** | Force insertion even though agent limit has been reached. | +------------------+-------------------------------------------------------------------------------------------------------+ -| **-C** | Specify the manager certificate validity in days. | +| **-C** | Specify the number of days cert is valid for. | +------------------+-------------------------------------------------------------------------------------------------------+ -| **-B** | Set the manager certificate key size in bits. | +| **-B** | Set the X.509 certificate key size in bits. | +------------------+-------------------------------------------------------------------------------------------------------+ -| **-K** | Path to store the manager certificate key. | +| **-K** | Path to store the X.509 certificate key. | +------------------+-------------------------------------------------------------------------------------------------------+ -| **-X** | Path to store the manager certificate. | +| **-X** | Path to store the X.509 certificate. | +------------------+-------------------------------------------------------------------------------------------------------+ -| **-S** | Subject of the manager certificate. | +| **-S** | Subject of the X.509 certificate. The arg must be formatted as /type0=value0/type1=value1/type2=.. | +------------------+-------------------------------------------------------------------------------------------------------+ .. note:: From 4c784ff40ec750fc8f2081a09e8ad3ec4d5190e5 Mon Sep 17 00:00:00 2001 From: Zafer Balkan Date: Wed, 3 Aug 2022 17:20:49 +0300 Subject: [PATCH 20/55] Fix EICAR URL --- .../active-response/ar-use-cases/removing-malware.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/source/user-manual/capabilities/active-response/ar-use-cases/removing-malware.rst b/source/user-manual/capabilities/active-response/ar-use-cases/removing-malware.rst index d011554dff..8e67ceb240 100644 --- a/source/user-manual/capabilities/active-response/ar-use-cases/removing-malware.rst +++ b/source/user-manual/capabilities/active-response/ar-use-cases/removing-malware.rst @@ -191,7 +191,7 @@ To test that everything is working correctly, generate an alert using the EICAR .. code-block:: none cd /root - curl -LO http://www.eicar.org/download/eicar.com + curl -LO https://secure.eicar.org/eicar.com From e8977b4cdaff48d2dc579c253e7f35ad3aea94da Mon Sep 17 00:00:00 2001 From: zapatannicolas Date: Sun, 7 Aug 2022 17:58:57 -0300 Subject: [PATCH 21/55] Remove step 2 --- .../your-environment/send-syslog-data.rst | 22 +++++-------------- 1 file changed, 5 insertions(+), 17 deletions(-) diff --git a/source/cloud-service/your-environment/send-syslog-data.rst b/source/cloud-service/your-environment/send-syslog-data.rst index 8a6646b6ed..6ca711b22b 100644 --- a/source/cloud-service/your-environment/send-syslog-data.rst +++ b/source/cloud-service/your-environment/send-syslog-data.rst @@ -77,19 +77,7 @@ Use Logstash on a Windows host with a Wazuh agent to receive syslog, log to a fi #. `Download the Logstash `_ ZIP package. #. Extract the ZIP contents into a local folder, for example, to ``C:\logstash\``. -2. Install ``logstash-input-syslog`` and ``logstash-output-file`` plugins. - - .. code-block:: - - C:\logstash\bin>logstash-plugin install logstash-input-syslog - - .. code-block:: - - C:\logstash\bin>logstash-plugin install logstash-output-file - - If you are using PowerShell, make sure to add ``.\`` before the executable: ``.\logstash-plugin`` - -3. Configure Logstash. +2. Configure Logstash. Create the following file: ``C:\logstash\config\logstash.conf`` 
@@ -110,9 +98,9 @@ Use Logstash on a Windows host with a Wazuh agent to receive syslog, log to a fi To perform the following steps, make sure to replace ``file_name.log`` with the name chosen for this log. -4. Deploy a Wazuh agent on the same host that has Logstash. +3. Deploy a Wazuh agent on the same host that has Logstash. -5. Configure the agent to read the Logstash output file. +4. Configure the agent to read the Logstash output file. Edit ``C:\Program Files (x86)\ossec-agent\ossec.conf`` by adding the following configuration: @@ -125,7 +113,7 @@ To perform the following steps, make sure to replace ``file_name.log`` with the -6. Restart Logstash. +5. Restart Logstash. #. Run Logstash from the command line: @@ -135,7 +123,7 @@ To perform the following steps, make sure to replace ``file_name.log`` with the #. `Install Logstash as a Windows Service `_ either using `NSSM `_ or `Windows Task Scheduler `_. -7. Restart the Wazuh agent. If you are running PowerShell, use the following command: +6. Restart the Wazuh agent. If you are running PowerShell, use the following command: .. code-block:: console From 1b6242597b15ca6b25453e1bf55c55a8233e99f5 Mon Sep 17 00:00:00 2001 From: zapatannicolas Date: Mon, 5 Sep 2022 18:20:43 -0300 Subject: [PATCH 22/55] change Svc name --- source/cloud-service/your-environment/send-syslog-data.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/cloud-service/your-environment/send-syslog-data.rst b/source/cloud-service/your-environment/send-syslog-data.rst index 6ca711b22b..0927f07939 100644 --- a/source/cloud-service/your-environment/send-syslog-data.rst +++ b/source/cloud-service/your-environment/send-syslog-data.rst @@ -127,4 +127,4 @@ To perform the following steps, make sure to replace ``file_name.log`` with the .. code-block:: console - Restart-Service OssecSvc + Restart-Service WazuhSvc From b03ca99df42381c5e9aca3c979b8674e00668943 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Fern=C3=A1ndez=20Poyatos?= Date: Mon, 29 Aug 2022 10:33:45 +0200 Subject: [PATCH 23/55] Add new API log rotation option based on file size --- source/user-manual/api/configuration.rst | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/source/user-manual/api/configuration.rst b/source/user-manual/api/configuration.rst index dbd871bd5a..03163bc3ee 100644 --- a/source/user-manual/api/configuration.rst +++ b/source/user-manual/api/configuration.rst @@ -41,6 +41,8 @@ Here are all the available settings for the ``api.yaml`` configuration file. For logs: level: "info" format: "plain" + max_size: + enabled: false cors: enabled: no 
@@ -239,6 +241,22 @@ logs | | | | Set the format of the Wazuh API logs. | +---------------------------+----------------------------------------------------------------------------------------+---------------+-------------------------------------------------+ +max_size +~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 4.5.0 + ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ +| Sub-fields | Allowed values | Default value | Description | ++============+===============================================+===============+===================================================================================================================+ ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ +| enabled | yes, true, no, false | false | Enable or disable log file rotation based on file size. This option will disable log file rotation based on time. | ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ +| size | Any positive number followed by a valid unit. | 1M | Set a file size to trigger log rotation. | +| | K/k for kilobytes, M/m for megabytes. | | | ++------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ + + cors ^^^^^^^^^^^^^^^^^^^^^^ +-------------------+----------------------+---------------+-----------------------------------------------------------------------------------------------+ From 38384b1e1dfbe384c6b9174a1e4376ebd508b17d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?V=C3=ADctor=20Fern=C3=A1ndez=20Poyatos?= Date: Thu, 8 Sep 2022 09:50:12 +0200 Subject: [PATCH 24/55] Update source/user-manual/api/configuration.rst Co-authored-by: Sandra Ocando --- source/user-manual/api/configuration.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/source/user-manual/api/configuration.rst b/source/user-manual/api/configuration.rst index 03163bc3ee..60ef44626d 100644 --- a/source/user-manual/api/configuration.rst +++ b/source/user-manual/api/configuration.rst @@ -249,7 +249,6 @@ max_size +------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ | Sub-fields | Allowed values | Default value | Description | +============+===============================================+===============+===================================================================================================================+ -+------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ | enabled | yes, true, no, false | false | Enable or disable log file rotation based on file size. This option will disable log file rotation based on time. | +------------+-----------------------------------------------+---------------+-------------------------------------------------------------------------------------------------------------------+ | size | Any positive number followed by a valid unit. | 1M | Set a file size to trigger log rotation. | From f7415c26bee1767523afac1f28a16f3835801cc4 Mon Sep 17 00:00:00 2001 From: Sandra Ocando Date: Tue, 13 Sep 2022 15:59:48 +0200 Subject: [PATCH 25/55] Update pull_request_template.md --- .github/pull_request_template.md | 34 +++++++++----------------------- 1 file changed, 9 insertions(+), 25 deletions(-) 
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index fb080401f2..d4969876af 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,38 +1,22 @@ - ## Description - - ## Checks - [ ] It compiles without warnings. -- [ ] Spelling and grammar. -- [ ] Used impersonal speech. -- [ ] Used uppercase only on nouns. -- [ ] Updated the `redirect.js` script if necessary (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)). - - - -## Note to the reviewer - -This PR includes changes to the `redirect.js` script that need to be included in all production branches. +- [ ] Use present tense, active voice, and semi-formal registry. Write short sentences, simple sentences. +- [ ] Use **bold** for user interface elements, _italics_ for key terms or emphasis, and `Code` font for Bash commands, file names, REST paths, and code. +- [ ] Add meta descriptions to new pages. +- [ ] Indent using three spaces. +- [ ] The `redirect.js` script is updated (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)). From 81ed500864dc6b4f3986bad581e90cbbe06e17f7 Mon Sep 17 00:00:00 2001 From: Nicolas Stefani Date: Mon, 12 Sep 2022 18:26:30 -0300 Subject: [PATCH 26/55] Update exit codes references Signed-off-by: Nicolas Stefani --- source/amazon/services/troubleshooting.rst | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/source/amazon/services/troubleshooting.rst b/source/amazon/services/troubleshooting.rst index a16e422a07..607b9b9a41 100644 --- a/source/amazon/services/troubleshooting.rst +++ b/source/amazon/services/troubleshooting.rst @@ -2,7 +2,7 @@ .. meta:: :description: Frequently asked questions about the Wazuh module for Amazon. Learn more about it in this section of the documentation. - + .. _amazon_troubleshooting: Troubleshooting 
@@ -65,7 +65,7 @@ Follow these steps to enable debug mode: wazuh_modules.debug=2 -#. Restart the Wazuh service. +#. Restart the Wazuh service. .. include:: ../../_templates/common/restart_manager_or_agent.rst @@ -191,7 +191,7 @@ Take into account that Wazuh does not provide default rules for the different lo Interval overtaken message is present in the ossec.log ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The ``Interval overtaken`` message is present in the ``ossec.log`` file. +The ``Interval overtaken`` message is present in the ``ossec.log`` file. **Solution** @@ -211,7 +211,7 @@ Error codes reference | 1 | Unknown error | Programming error. Please, open an issue in the `Wazuh GitHub repository `_ with the trace of the | | | | error. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 2 | Error parsing configuration (bucket name, keys, etc.) | Check the wodle configuration in ``ossec.conf`` file. | + | 2 | SIGINT | The module stopped due to an interrupt signal. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 3 | Invalid credentials to access S3 bucket | Make sure that your credentials are OK. For more information, see the :ref:`Configuring AWS credentials ` section. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -225,11 +225,11 @@ Error codes reference +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 8 | Failed to decompress file | Only ``.gz`` and ``.zip`` compression formats are supported. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 9 | Failed to parse file | Check the type of the bucket. | + | 9 | Failed to parse file | Ensure that the file has the expected schema. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 11 | Unable to connect to Wazuh | Ensure that Wazuh is running. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | 12 | SIGINT | The module stopped due to an interrupt signal. | + | 12 | Invalid type of bucket | Check the type of the bucket. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ | 13 | Error sending message to Wazuh | Make sure that Wazuh is running. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -242,3 +242,7 @@ Error codes reference | 17 | Invalid file key format | Ensure that the file path follows the format specified in the | | | | `Wazuh documentation `_. | +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + | 18 | Invalid prefix | Make sure that the indicated path exists in the S3 bucket. | + +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + | 19 | The server datetime and datetime of the AWS environment differ | Make sure that the server datetime is correctly setted. | + +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ \ No newline at end of file From 3c0157a5e05527fb35a25384266b315d228cb2ab Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Fri, 9 Sep 2022 15:56:05 -0300 Subject: [PATCH 27/55] Add Reparse section to GCP and Azure --- .../services/prerequisites/considerations.rst | 5 +---- .../prerequisites/considerations.rst | 18 ++++++++++++++++++ source/gcp/prerequisites/considerations.rst | 18 ++++++++++++++++++ 3 files changed, 37 insertions(+), 4 deletions(-) diff --git a/source/amazon/services/prerequisites/considerations.rst b/source/amazon/services/prerequisites/considerations.rst index 423987131f..0e17834e65 100644 --- a/source/amazon/services/prerequisites/considerations.rst +++ b/source/amazon/services/prerequisites/considerations.rst 
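Review bot: The new row for exit code 19 has a grammar slip in its solution column: `Make sure that the server datetime is correctly set.` rather than "setted". Since this code fires when the local clock and the AWS environment disagree, the row is the natural place to point the reader at keeping the host clock synchronized (for example via NTP) instead of only "setting" it once. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth restoring so subsequent diffs of this table stay clean.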
@@ -33,10 +33,7 @@ On the other hand, the ``CloudWatch Logs`` module can process logs older than th Reparse -~~~~~~~ - -.. note:: - Option not available for CloudWatch Logs. +------- .. warning:: Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. diff --git a/source/azure/activity-services/prerequisites/considerations.rst b/source/azure/activity-services/prerequisites/considerations.rst index 6ffe3b07ef..f5be355b06 100644 --- a/source/azure/activity-services/prerequisites/considerations.rst +++ b/source/azure/activity-services/prerequisites/considerations.rst 
@@ -5,6 +5,24 @@ Considerations for configuration ================================ +Reparse +------- + +.. warning:: + Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. + +To process older logs, it's necessary to manually execute the module using the ``--reparse`` option. Executing the module with this option will use the ``la_time_offset`` value provided to fetch and process every log starting from the described offset. If no ``la_time_offset`` value was provided, it will use the date of the first file processed. + +Below there is an example of a manual execution of the module using the ``--reparse`` option on a manager, being ``/var/ossec`` the Wazuh installation path: + +.. code-block:: console + + # cd /var/ossec/wodles/azure + # ./azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse + +The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. + + Configuring multiple services ----------------------------- diff --git a/source/gcp/prerequisites/considerations.rst b/source/gcp/prerequisites/considerations.rst index 563c235fde..488762179d 100644 --- a/source/gcp/prerequisites/considerations.rst +++ b/source/gcp/prerequisites/considerations.rst 
@@ -32,6 +32,24 @@ Logging level To switch between different logging levels for debugging and troubleshooting purposes, the Google Cloud integration uses the :ref:`wazuh_modules.debug ` level to set its verbosity level. +Reparse +------- + +.. warning:: + Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. + +To process older logs, it's necessary to manually execute the module using the ``--reparse`` option. Executing the module with this option will use the ``only_logs_after`` value provided to fetch and process every log from that date until the present. If no ``only_logs_after`` value was provided, it will use the date of the first file processed. + +Below there is an example of a manual execution of the module using the ``--reparse`` option on a manager, being ``/var/ossec`` the Wazuh installation path: + +.. code-block:: console + + # cd /var/ossec/wodles/gcloud + # ./gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' --debug 2 + +The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. + + Configuring multiple Google Cloud Storage bucket ------------------------------------------------ From 9c1eef85265d8f9d4ba2e74b6417972dd8e7d5a2 Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Wed, 14 Sep 2022 09:19:22 -0300 Subject: [PATCH 28/55] Change reparse example command --- source/amazon/services/prerequisites/considerations.rst | 3 +-- .../azure/activity-services/prerequisites/considerations.rst | 3 +-- source/gcp/prerequisites/considerations.rst | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) 
diff --git a/source/amazon/services/prerequisites/considerations.rst b/source/amazon/services/prerequisites/considerations.rst index 0e17834e65..f094feea24 100644 --- a/source/amazon/services/prerequisites/considerations.rst +++ b/source/amazon/services/prerequisites/considerations.rst @@ -44,8 +44,7 @@ Below there is an example of a manual execution of the module using the ``--repa .. code-block:: console - # cd /var/ossec/wodles/aws - # ./aws-s3 -b 'wazuh-example-bucket' --reparse --only_logs_after '2021-Jun-10' --debug 2 + # /var/ossec/wodles/aws/aws-s3 -b 'wazuh-example-bucket' --reparse --only_logs_after '2021-Jun-10' --debug 2 The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. diff --git a/source/azure/activity-services/prerequisites/considerations.rst b/source/azure/activity-services/prerequisites/considerations.rst index f5be355b06..43990fc5d4 100644 --- a/source/azure/activity-services/prerequisites/considerations.rst +++ b/source/azure/activity-services/prerequisites/considerations.rst 
@@ -17,8 +17,7 @@ Below there is an example of a manual execution of the module using the ``--repa .. code-block:: console - # cd /var/ossec/wodles/azure - # ./azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse + # /var/ossec/wodles/azure/azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. diff --git a/source/gcp/prerequisites/considerations.rst b/source/gcp/prerequisites/considerations.rst index 488762179d..dafe4454f2 100644 --- a/source/gcp/prerequisites/considerations.rst +++ b/source/gcp/prerequisites/considerations.rst @@ -44,8 +44,7 @@ Below there is an example of a manual execution of the module using the ``--repa .. code-block:: console - # cd /var/ossec/wodles/gcloud - # ./gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' --debug 2 + # /var/ossec/wodles/gcloud/gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' --debug 2 The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. From 15a855678ab7e447f511ca9549d8ddf1bf22e03f Mon Sep 17 00:00:00 2001 
From: Facundo Dalmau Date: Thu, 8 Sep 2022 16:55:54 -0300 Subject: [PATCH 29/55] Add Policy configuration section --- .../supported-services/ecr-image-scanning.rst | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index 129743b5ff..1aec2c9641 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst 
@@ -29,6 +29,77 @@ AWS configuration AWS provides a `template `_ for creating a stack in CloudFormation that loads the image scan findings from Amazon ECR in CloudWatch using an AWS Lambda function. +Policy configuration +^^^^^^^^^^^^^^^^^^^^ +.. include:: /_templates/cloud/amazon/create_policy.rst + +.. note:: + The permissions inside the ``RoleCreator`` section of the policy are necessary in order to create/delete the stack and can and should be deactivated once the creation process is finished. + +.. note:: + The permissions part of the ``ImagePush`` section are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. + + +.. code-block:: json + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "RoleCreator", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:PutRolePolicy", + "iam:AttachRolePolicy", + "iam:DeleteRolePolicy", + "iam:DeleteRole", + "iam:GetRole", + "iam:GetRolePolicy" + ], + "Resource": "*" + }, + { + "Sid": "CloudFormationActions", + "Effect": "Allow", + "Action": [ + "cloudformation:CreateStack", + "cloudformation:ValidateTemplate", + "cloudformation:CreateUploadBucket", + "cloudformation:GetTemplateSummary", + "cloudformation:DescribeStackEvents", + "cloudformation:DescribeStackResources", + "cloudformation:ListStacks", + "cloudformation:DeleteStack", + "s3:PutObject", + "s3:ListBucket", + "s3:GetObject", + "s3:CreateBucket" + ], + "Resource": "*" + }, + { + "Sid": "ImagePush", + "Effect": "Allow", + "Action": [ + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage" + ], + "Resource": "arn:aws:ecr:region:111122223333:repository/repository-name" + }, + { + "Sid": "ECRAuthToken", + "Effect": "Allow", + "Action": "ecr:GetAuthorizationToken", + "Resource": "*" + } + ] + } + + How to create the 
CloudFormation Stack ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From 51f0727aa8a000c12960c01a4ba9182fdb2dd05e Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Mon, 12 Sep 2022 18:07:32 -0300 Subject: [PATCH 30/55] Divide permissions into groups --- .../supported-services/ecr-image-scanning.rst | 60 ++++++++++++------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index 1aec2c9641..f3b3571be4 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst @@ -33,19 +33,15 @@ Policy configuration ^^^^^^^^^^^^^^^^^^^^ .. include:: /_templates/cloud/amazon/create_policy.rst -.. note:: - The permissions inside the ``RoleCreator`` section of the policy are necessary in order to create/delete the stack and can and should be deactivated once the creation process is finished. - -.. note:: - The permissions part of the ``ImagePush`` section are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. +IAM permissions +~~~~~~~~~~~~~~~ +.. warning:: + The permissions inside the ``RoleCreator`` section of the policy are necessary in order to create/delete the stack and can and should be deactivated once the creation process is finished due to overly permissive actions. .. code-block:: json - + { - "Version": "2012-10-17", - "Statement": [ - { "Sid": "RoleCreator", "Effect": "Allow", "Action": [ @@ -58,8 +54,14 @@ Policy configuration "iam:GetRolePolicy" ], "Resource": "*" - }, - { + } + +CloudFormation Stack permissions +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. code-block:: json + + { "Sid": "CloudFormationActions", "Effect": "Allow", "Action": [ 
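Review bot: The ``CloudFormationActions`` statement grants `s3:PutObject`, `s3:GetObject`, `s3:ListBucket` and `s3:CreateBucket` on `"Resource": "*"`, which is account-wide S3 write access bundled with the stack permissions; the accompanying text only flags the ``RoleCreator`` (IAM) section as overly permissive, so the reader is left believing the rest of the policy is already least-privilege. A sentence advising to scope the S3 actions to the CloudFormation upload bucket, e.g. `Restrict the s3:* actions to the bucket CloudFormation uses for the template upload (arn:aws:s3:::<cloudformation-bucket>/*).`, would make that explicit, and the same applies to the split-out "CloudFormation Stack permissions" block in the following two hunks. The ``ImagePush`` statement's `arn:aws:ecr:region:111122223333:repository/repository-name` is described as "scoped down to a specific repository" but the text never tells the reader that `region`, the account ID and `repository-name` are placeholders to replace; one sentence saying so avoids a policy that silently matches nothing. Finally, the first note says the IAM permissions "can and should be deactivated" after stack creation but gives no step for doing so; pointing to detaching or deleting that statement once the stack exists turns the advice into an action.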
@@ -77,8 +79,17 @@ Policy configuration "s3:CreateBucket" ], "Resource": "*" - }, - { + } + +Image Pushing permissions +~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. note:: + The permissions part of the ``ImagePush`` section are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. + +.. code-block:: json + + { "Sid": "ImagePush", "Effect": "Allow", "Action": [ @@ -89,14 +100,23 @@ Policy configuration "ecr:PutImage" ], "Resource": "arn:aws:ecr:region:111122223333:repository/repository-name" - }, - { - "Sid": "ECRAuthToken", - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "*" } - ] + + +Registry permissions +~~~~~~~~~~~~~~~~~~~~ + +.. note:: + The permissions part of the ``ECRAuthToken`` section are required by `Amazon ECR `_ for users to have permission to make calls to the ``ecr:GetAuthorizationToken`` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. + + +.. code-block:: json + + { + "Sid": "ECRAuthToken", + "Effect": "Allow", + "Action": "ecr:GetAuthorizationToken", + "Resource": "*" } From b7f37bcb8c66ee5f88a091b9f46e0b54c9140b38 Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Tue, 13 Sep 2022 17:24:06 -0300 Subject: [PATCH 31/55] Add new permissions required --- .../supported-services/ecr-image-scanning.rst | 146 ++++++++++++------ 1 file changed, 98 insertions(+), 48 deletions(-) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index f3b3571be4..aaa35a8f69 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst 
@@ -33,11 +33,13 @@ Policy configuration ^^^^^^^^^^^^^^^^^^^^ .. include:: /_templates/cloud/amazon/create_policy.rst -IAM permissions -~~~~~~~~~~~~~~~ +Template specific permissions +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +IAM +""" .. warning:: - The permissions inside the ``RoleCreator`` section of the policy are necessary in order to create/delete the stack and can and should be deactivated once the creation process is finished due to overly permissive actions. + The permissions inside the ``IAMRole`` section and the ``PassRole`` section are necessary in order to create/delete the stack based on the named template and can and should be deactivated once the creation process is finished due to overly permissive actions. .. code-block:: json 
@@ -53,71 +55,119 @@ IAM permissions "iam:GetRole", "iam:GetRolePolicy" ], - "Resource": "*" + "Resource": "*", + "Condition": { + "StringEquals": {"iam:PassedToService": "replicator.lambda.amazonaws.com"} + } + }, + { + "Sid": "PassRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "*", + "Condition": { + "StringEquals": {"iam:PassedToService": "replicator.lambda.amazonaws.com"} + } } -CloudFormation Stack permissions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Amazon Lambda and Amazon EventBridge +"""""""""""""""""""""""""""""""""""" +The following permissions are required to create/delete the resources handled by the Scan Findings Logger template + .. code-block:: json { - "Sid": "CloudFormationActions", - "Effect": "Allow", - "Action": [ - "cloudformation:CreateStack", - "cloudformation:ValidateTemplate", - "cloudformation:CreateUploadBucket", - "cloudformation:GetTemplateSummary", - "cloudformation:DescribeStackEvents", - "cloudformation:DescribeStackResources", - "cloudformation:ListStacks", - "cloudformation:DeleteStack", - "s3:PutObject", - "s3:ListBucket", - "s3:GetObject", - "s3:CreateBucket" - ], - "Resource": "*" - } + "Sid": "TemplateRequired", + "Effect": "Allow", + "Action": [ + "lambda:RemovePermission", + "lambda:DeleteFunction", + "lambda:GetFunction", + "lambda:CreateFunction", + "lambda:AddPermission", + "events:RemoveTargets", + "events:DeleteRule", + "events:PutRule", + "events:DescribeRule", + "events:PutTargets" + ], + "Resource": "*" + } -Image Pushing permissions -~~~~~~~~~~~~~~~~~~~~~~~~~ -.. note:: - The permissions part of the ``ImagePush`` section are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. + +CloudFormation Stack +~~~~~~~~~~~~~~~~~~~~ + +The following permissions are required to create/delete any template based CloudFormation stack .. 
code-block:: json { - "Sid": "ImagePush", - "Effect": "Allow", - "Action": [ - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage" - ], - "Resource": "arn:aws:ecr:region:111122223333:repository/repository-name" - } + "Sid": "CloudFormationStackCreation", + "Effect": "Allow", + "Action": [ + "cloudformation:CreateStack", + "cloudformation:ValidateTemplate", + "cloudformation:CreateUploadBucket", + "cloudformation:GetTemplateSummary", + "cloudformation:DescribeStackEvents", + "cloudformation:DescribeStackResources", + "cloudformation:ListStacks", + "cloudformation:DeleteStack", + "s3:PutObject", + "s3:ListBucket", + "s3:GetObject", + "s3:CreateBucket" + ], + "Resource": "*" + } +Amazon ECR usage permissions +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Image Pushing and Scanning +"""""""""""""""""""""""""" -Registry permissions -~~~~~~~~~~~~~~~~~~~~ + The following permissions are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. + +.. code-block:: json + + { + "Sid": "ScanPushImage", + "Effect": "Allow", + "Action": [ + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:ListImages", + "ecr:DescribeImages", + "ecr:DescribeImageScanFindings", + "ecr:StartImageScan" + ], + "Resource": "arn:aws:ecr:region:user-id:repository/repository-name" + } + +ECR Registry and Repository +""""""""""""""""""""""""""" .. note:: - The permissions part of the ``ECRAuthToken`` section are required by `Amazon ECR `_ for users to have permission to make calls to the ``ecr:GetAuthorizationToken`` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. 
+ The permission "ecr:GetAuthorizationToken" is required by `Amazon ECR `_ for users to have permission to make calls to the ``ecr:GetAuthorizationToken`` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. .. code-block:: json - { - "Sid": "ECRAuthToken", - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "*" - } + { + "Sid": "ECRUtilities", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:DescribeRepositories" + ], + "Resource": "*" + } How to create the CloudFormation Stack From 23e666b2e32421ad5ff6936feb21ac796c6f95b3 Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Fri, 16 Sep 2022 09:39:58 -0300 Subject: [PATCH 32/55] Add last set of permissions --- .../supported-services/ecr-image-scanning.rst | 86 +++++++++---------- 1 file changed, 41 insertions(+), 45 deletions(-) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index aaa35a8f69..1e0c511e04 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst 
@@ -39,68 +39,64 @@ IAM """ .. warning:: - The permissions inside the ``IAMRole`` section and the ``PassRole`` section are necessary in order to create/delete the stack based on the named template and can and should be deactivated once the creation process is finished due to overly permissive actions. + The permissions inside the ``RoleCreator`` section are necessary in order to create/delete the stack based on the named template and can and should be deactivated once the creation process is finished due to overly permissive actions. .. code-block:: json { - "Sid": "RoleCreator", - "Effect": "Allow", - "Action": [ - "iam:CreateRole", - "iam:PutRolePolicy", - "iam:AttachRolePolicy", - "iam:DeleteRolePolicy", - "iam:DeleteRole", - "iam:GetRole", - "iam:GetRolePolicy" - ], - "Resource": "*", - "Condition": { - "StringEquals": {"iam:PassedToService": "replicator.lambda.amazonaws.com"} - } - }, - { - "Sid": "PassRole", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "*", - "Condition": { - "StringEquals": {"iam:PassedToService": "replicator.lambda.amazonaws.com"} - } + "Sid": "RoleCreator", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:PutRolePolicy", + "iam:AttachRolePolicy", + "iam:DeleteRolePolicy", + "iam:DeleteRole", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:PassRole" + ], + "Resource": "arn:aws:iam::user-id:role/*" } Amazon Lambda and Amazon EventBridge """""""""""""""""""""""""""""""""""" -The following permissions are required to create/delete the resources handled by the Scan Findings Logger template +The following permissions are required to create/delete the resources handled by the Scan Findings Logger template. .. 
code-block:: json { - "Sid": "TemplateRequired", - "Effect": "Allow", - "Action": [ - "lambda:RemovePermission", - "lambda:DeleteFunction", - "lambda:GetFunction", - "lambda:CreateFunction", - "lambda:AddPermission", - "events:RemoveTargets", - "events:DeleteRule", - "events:PutRule", - "events:DescribeRule", - "events:PutTargets" - ], - "Resource": "*" - } + "Sid": "TemplateRequired0", + "Effect": "Allow", + "Action": [ + "lambda:RemovePermission", + "lambda:DeleteFunction", + "lambda:GetFunction", + "lambda:CreateFunction", + "lambda:AddPermission" + ], + "Resource": "arn:aws:lambda:region:user-id:*" + }, + { + "Sid": "TemplateRequired1", + "Effect": "Allow", + "Action": [ + "events:RemoveTargets", + "events:DeleteRule", + "events:PutRule", + "events:DescribeRule", + "events:PutTargets" + ], + "Resource": "arn:aws:events:region:user-id:*" + } CloudFormation Stack ~~~~~~~~~~~~~~~~~~~~ -The following permissions are required to create/delete any template based CloudFormation stack +The following permissions are required to create/delete any template based CloudFormation stack. .. code-block:: json @@ -129,7 +125,7 @@ Amazon ECR usage permissions Image Pushing and Scanning """""""""""""""""""""""""" - The following permissions are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. +The following permissions are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. .. code-block:: json 
@@ -154,7 +150,7 @@ ECR Registry and Repository """"""""""""""""""""""""""" .. note:: - The permission "ecr:GetAuthorizationToken" is required by `Amazon ECR `_ for users to have permission to make calls to the ``ecr:GetAuthorizationToken`` API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. + The permission ``ecr:GetAuthorizationToken`` is required by `Amazon ECR `_ for users to have permission to make calls to the API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. .. code-block:: json From 261c8f49e6fa91fd57d7014093b4d995d766921a Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Fri, 16 Sep 2022 10:14:46 -0300 Subject: [PATCH 33/55] Modify indentation --- .../supported-services/ecr-image-scanning.rst | 146 +++++++++--------- 1 file changed, 73 insertions(+), 73 deletions(-) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index 1e0c511e04..6acaeb72b6 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst @@ -43,21 +43,21 @@ IAM .. code-block:: json - { - "Sid": "RoleCreator", - "Effect": "Allow", - "Action": [ - "iam:CreateRole", - "iam:PutRolePolicy", - "iam:AttachRolePolicy", - "iam:DeleteRolePolicy", - "iam:DeleteRole", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:PassRole" - ], - "Resource": "arn:aws:iam::user-id:role/*" - } + { + "Sid": "RoleCreator", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:PutRolePolicy", + "iam:AttachRolePolicy", + "iam:DeleteRolePolicy", + "iam:DeleteRole", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:PassRole" + ], + "Resource": "arn:aws:iam::user-id:role/*" + } Amazon Lambda and Amazon EventBridge """""""""""""""""""""""""""""""""""" 
@@ -66,30 +66,30 @@ The following permissions are required to create/delete the resources handled by .. code-block:: json - { - "Sid": "TemplateRequired0", - "Effect": "Allow", - "Action": [ - "lambda:RemovePermission", - "lambda:DeleteFunction", - "lambda:GetFunction", - "lambda:CreateFunction", - "lambda:AddPermission" - ], - "Resource": "arn:aws:lambda:region:user-id:*" - }, - { - "Sid": "TemplateRequired1", - "Effect": "Allow", - "Action": [ - "events:RemoveTargets", - "events:DeleteRule", - "events:PutRule", - "events:DescribeRule", - "events:PutTargets" - ], - "Resource": "arn:aws:events:region:user-id:*" - } + { + "Sid": "TemplateRequired0", + "Effect": "Allow", + "Action": [ + "lambda:RemovePermission", + "lambda:DeleteFunction", + "lambda:GetFunction", + "lambda:CreateFunction", + "lambda:AddPermission" + ], + "Resource": "arn:aws:lambda:region:user-id:*" + }, + { + "Sid": "TemplateRequired1", + "Effect": "Allow", + "Action": [ + "events:RemoveTargets", + "events:DeleteRule", + "events:PutRule", + "events:DescribeRule", + "events:PutTargets" + ], + "Resource": "arn:aws:events:region:user-id:*" + } 
@@ -100,25 +100,25 @@ The following permissions are required to create/delete any template based Cloud .. code-block:: json - { - "Sid": "CloudFormationStackCreation", - "Effect": "Allow", - "Action": [ - "cloudformation:CreateStack", - "cloudformation:ValidateTemplate", - "cloudformation:CreateUploadBucket", - "cloudformation:GetTemplateSummary", - "cloudformation:DescribeStackEvents", - "cloudformation:DescribeStackResources", - "cloudformation:ListStacks", - "cloudformation:DeleteStack", - "s3:PutObject", - "s3:ListBucket", - "s3:GetObject", - "s3:CreateBucket" - ], - "Resource": "*" - } + { + "Sid": "CloudFormationStackCreation", + "Effect": "Allow", + "Action": [ + "cloudformation:CreateStack", + "cloudformation:ValidateTemplate", + "cloudformation:CreateUploadBucket", + "cloudformation:GetTemplateSummary", + "cloudformation:DescribeStackEvents", + "cloudformation:DescribeStackResources", + "cloudformation:ListStacks", + "cloudformation:DeleteStack", + "s3:PutObject", + "s3:ListBucket", + "s3:GetObject", + "s3:CreateBucket" + ], + "Resource": "*" + } Amazon ECR usage permissions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -129,22 +129,22 @@ The following permissions are required by Amazon ECR to `push images Date: Mon, 19 Sep 2022 09:39:53 -0300 Subject: [PATCH 34/55] Modify iam permissions --- .../services/supported-services/ecr-image-scanning.rst | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index 6acaeb72b6..607787c528 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst 
@@ -39,7 +39,7 @@ IAM """ .. warning:: - The permissions inside the ``RoleCreator`` section are necessary in order to create/delete the stack based on the named template and can and should be deactivated once the creation process is finished due to overly permissive actions. + The permissions inside the ``RoleCreator`` and ``PassRole`` sections are necessary in order to create/delete the stack based on the named template and must be bound to the described specific resources due to overly permissive actions. .. code-block:: json @@ -57,6 +57,12 @@ IAM "iam:PassRole" ], "Resource": "arn:aws:iam::user-id:role/*" + }, + { + "Sid": "PassRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::user-id:role/*-LambdaExecutionRole*" } Amazon Lambda and Amazon EventBridge From 9badec6242a2dcecd8de2e08fa624740c6cfae56 Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Wed, 21 Sep 2022 09:51:31 -0300 Subject: [PATCH 35/55] Modify policy section details --- .../supported-services/ecr-image-scanning.rst | 34 +++++++++---------- 1 file changed, 16 insertions(+), 18 deletions(-) diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst index 607787c528..e9027c640e 100644 --- a/source/amazon/services/supported-services/ecr-image-scanning.rst +++ b/source/amazon/services/supported-services/ecr-image-scanning.rst 
@@ -27,19 +27,17 @@ The following sections cover how to configure AWS to store the scan findings in AWS configuration ----------------- -AWS provides a `template `_ for creating a stack in CloudFormation that loads the image scan findings from Amazon ECR in CloudWatch using an AWS Lambda function. +AWS provides a `template `_ for creating a stack in CloudFormation that loads the image scan findings from Amazon ECR in CloudWatch using an AWS Lambda function. To be able to use this template, create the stack and upload images to Amazon ECR, it is necessary to create a custom policy granting the necessary permissions. -Policy configuration -^^^^^^^^^^^^^^^^^^^^ .. include:: /_templates/cloud/amazon/create_policy.rst Template specific permissions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IAM -""" +~~~ .. warning:: - The permissions inside the ``RoleCreator`` and ``PassRole`` sections are necessary in order to create/delete the stack based on the named template and must be bound to the described specific resources due to overly permissive actions. + The permissions inside the ``RoleCreator`` and ``PassRole`` sections are necessary in order to create and delete the stack based on the named template and must be bound to the described specific resources due to overly permissive actions. .. code-block:: json 
@@ -56,19 +54,19 @@ IAM "iam:GetRolePolicy", "iam:PassRole" ], - "Resource": "arn:aws:iam::user-id:role/*" + "Resource": "arn:aws:iam:::role/*" }, { "Sid": "PassRole", "Effect": "Allow", "Action": "iam:PassRole", - "Resource": "arn:aws:iam::user-id:role/*-LambdaExecutionRole*" + "Resource": "arn:aws:iam:::role/*-LambdaExecutionRole*" } Amazon Lambda and Amazon EventBridge -"""""""""""""""""""""""""""""""""""" +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The following permissions are required to create/delete the resources handled by the Scan Findings Logger template. +The following permissions are required to create and delete the resources handled by the Scan Findings Logger template. .. code-block:: json @@ -82,7 +80,7 @@ The following permissions are required to create/delete the resources handled by "lambda:CreateFunction", "lambda:AddPermission" ], - "Resource": "arn:aws:lambda:region:user-id:*" + "Resource": "arn:aws:lambda:::*" }, { "Sid": "TemplateRequired1", @@ -94,15 +92,15 @@ The following permissions are required to create/delete the resources handled by "events:DescribeRule", "events:PutTargets" ], - "Resource": "arn:aws:events:region:user-id:*" + "Resource": "arn:aws:events:::*" } CloudFormation Stack -~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^ -The following permissions are required to create/delete any template based CloudFormation stack. +The following permissions are required to create and delete any template based CloudFormation stack. .. code-block:: json @@ -127,9 +125,9 @@ The following permissions are required to create/delete any template based Cloud } Amazon ECR usage permissions -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Image Pushing and Scanning -"""""""""""""""""""""""""" +~~~~~~~~~~~~~~~~~~~~~~~~~~ The following permissions are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation. 
@@ -149,11 +147,11 @@ The following permissions are required by Amazon ECR to `push images ::repository/" } ECR Registry and Repository -""""""""""""""""""""""""""" +~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. note:: The permission ``ecr:GetAuthorizationToken`` is required by `Amazon ECR `_ for users to have permission to make calls to the API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. From 7a6ecaf5781358dfb774133d4f3cc71b82deef7e Mon Sep 17 00:00:00 2001 From: javimed Date: Thu, 22 Sep 2022 18:40:51 -0300 Subject: [PATCH 36/55] Rephrase reparse option texts --- .../prerequisites/considerations.rst | 11 +++++++---- source/gcp/prerequisites/considerations.rst | 11 +++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/source/azure/activity-services/prerequisites/considerations.rst b/source/azure/activity-services/prerequisites/considerations.rst index 43990fc5d4..6824b2d898 100644 --- a/source/azure/activity-services/prerequisites/considerations.rst +++ b/source/azure/activity-services/prerequisites/considerations.rst 
@@ -9,17 +9,20 @@ Reparse ------- .. warning:: - Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. -To process older logs, it's necessary to manually execute the module using the ``--reparse`` option. Executing the module with this option will use the ``la_time_offset`` value provided to fetch and process every log starting from the described offset. If no ``la_time_offset`` value was provided, it will use the date of the first file processed. + Using the ``reparse`` option may fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. -Below there is an example of a manual execution of the module using the ``--reparse`` option on a manager, being ``/var/ossec`` the Wazuh installation path: +To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. + +The ``la_time_offset`` value sets the time as an offset for the starting point. If you don't provide an ``la_time_offset`` value, the module goes back to the date of the first file processed. + +Find an example of running the module on a manager using the ``--reparse`` option. ``/var/ossec`` is the Wazuh installation path. .. code-block:: console # /var/ossec/wodles/azure/azure-logs --log_analytics --la_auth_path credentials_example --la_tenant_domain 'wazuh.example.domain' --la_tag azure-activity --la_query "AzureActivity" --workspace example-workspace --la_time_offset 50d --debug 2 --reparse -The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. +The ``--debug 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data. Configuring multiple services 
diff --git a/source/gcp/prerequisites/considerations.rst b/source/gcp/prerequisites/considerations.rst index dafe4454f2..e7b19bf558 100644 --- a/source/gcp/prerequisites/considerations.rst +++ b/source/gcp/prerequisites/considerations.rst 
@@ -36,17 +36,20 @@ Reparse ------- .. warning:: - Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. -To process older logs, it's necessary to manually execute the module using the ``--reparse`` option. Executing the module with this option will use the ``only_logs_after`` value provided to fetch and process every log from that date until the present. If no ``only_logs_after`` value was provided, it will use the date of the first file processed. + Using the ``reparse`` option may fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. -Below there is an example of a manual execution of the module using the ``--reparse`` option on a manager, being ``/var/ossec`` the Wazuh installation path: +To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. + +The ``only_logs_after`` value sets the time for the starting point. If you don't provide an ``only_logs_after`` value, the module uses the date of the first file processed. + +Find an example of running the module on a manager using the ``--reparse`` option. ``/var/ossec`` is the Wazuh installation path. .. code-block:: console # /var/ossec/wodles/gcloud/gcloud --integration_type access_logs -b 'wazuh-example-bucket' -c credentials.json --reparse --only_logs_after '2021-Jun-10' --debug 2 -The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. +The ``--debug 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data. Configuring multiple Google Cloud Storage bucket From 4c2bd268f4ad785fff4e02cd42efcd9a9b45b90f Mon Sep 17 00:00:00 2001 
From: Sandra Ocando Date: Fri, 23 Sep 2022 12:22:35 +0200 Subject: [PATCH 37/55] Minor editorial changes --- source/user-manual/reference/daemons/wazuh-authd.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/source/user-manual/reference/daemons/wazuh-authd.rst b/source/user-manual/reference/daemons/wazuh-authd.rst index b34e6e320a..d19676c666 100644 --- a/source/user-manual/reference/daemons/wazuh-authd.rst +++ b/source/user-manual/reference/daemons/wazuh-authd.rst @@ -16,14 +16,15 @@ The ``wazuh-authd`` program can automatically add a Wazuh agent to a Wazuh manag By default, there is no authentication or authorization involved in this transaction, so it is recommended that this daemon only be run when a new agent is being added. -``wazuh-authd`` is able to generate X.509 certificates even if OpenSSL is not installed on the system. The parameters of the certificate are specified in the CLI: +``wazuh-authd`` is able to generate X.509 certificates used for manager verification. `OpenSSL` is not required. + +The certificate parameters are specified in the CLI: .. code-block:: console # wazuh-authd -C 265 -B 2048 -K /var/ossec/etc/sslmanager.key -X /var/ossec/etc/sslmanager.cert -S "/C=US/ST=California/CN=wazuh/" -If any of the parameters related to the certificate generation is missing, an error will be triggered and the certificates are not generated. -This certificate is used for the manager verification. +If any of the parameters related to the certificate generation is missing, an error is triggered and the certificates are not generated. +------------------+-------------------------------------------------------------------------------------------------------+ | **-V** | Version and license message. | 
@@ -72,7 +73,7 @@ This certificate is used for the manager verification. +------------------+-------------+-----------------------------------------------------------------------------------------+ | **-L** | Force insertion even though agent limit has been reached. | +------------------+-------------------------------------------------------------------------------------------------------+ -| **-C** | Specify the number of days cert is valid for. | +| **-C** | Specify the number of days the certificate is valid for. | +------------------+-------------------------------------------------------------------------------------------------------+ | **-B** | Set the X.509 certificate key size in bits. | +------------------+-------------------------------------------------------------------------------------------------------+ From 9087b8be9405ec34cd30c17e4819223f1c665c5b Mon Sep 17 00:00:00 2001 From: Facundo Dalmau Date: Fri, 23 Sep 2022 09:10:52 -0300 Subject: [PATCH 38/55] Modify AWS reparse section --- .../amazon/services/prerequisites/considerations.rst | 11 +++++++---- .../prerequisites/considerations.rst | 2 +- source/gcp/prerequisites/considerations.rst | 2 +- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/source/amazon/services/prerequisites/considerations.rst b/source/amazon/services/prerequisites/considerations.rst index f094feea24..8f15b6b3b5 100644 --- a/source/amazon/services/prerequisites/considerations.rst +++ b/source/amazon/services/prerequisites/considerations.rst 
@@ -36,17 +36,20 @@ Reparse ------- .. warning:: - Using the ``reparse`` option will fetch and process every log from the starting date until the present. This process may generate duplicate alerts. + + Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. + +To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. -To process older logs, it's necessary to manually execute the module using the ``--reparse`` or ``-o`` option. Executing the module with this option will use the ``only_logs_after`` value provided to fetch and process every log from that date until the present. If no ``only_logs_after`` value was provided, it will use the date of the first file processed. +The ``only_logs_after`` value sets the time for the starting point. If you don't provide an ``only_logs_after`` value, the module uses the date of the first file processed. -Below there is an example of a manual execution of the module using the ``--reparse`` option on a manager, being ``/var/ossec`` the Wazuh installation path: +Find an example of running the module on a manager using the ``--reparse`` option. ``/var/ossec`` is the Wazuh installation path. .. code-block:: console # /var/ossec/wodles/aws/aws-s3 -b 'wazuh-example-bucket' --reparse --only_logs_after '2021-Jun-10' --debug 2 -The ``--debug 2`` parameter was used to get a verbose output since by default the script won't print anything on the terminal, and it could seem like it's not working when it could be handling a great amount of data instead. +The ``--debug 2`` parameter gets a verbose output. This is useful to show the script is working, specially when handling a large amount of data. Configuring multiple services ----------------------------- 
diff --git a/source/azure/activity-services/prerequisites/considerations.rst b/source/azure/activity-services/prerequisites/considerations.rst index 6824b2d898..935351757a 100644 --- a/source/azure/activity-services/prerequisites/considerations.rst +++ b/source/azure/activity-services/prerequisites/considerations.rst @@ -10,7 +10,7 @@ Reparse .. warning:: - Using the ``reparse`` option may fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. + Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. diff --git a/source/gcp/prerequisites/considerations.rst b/source/gcp/prerequisites/considerations.rst index e7b19bf558..79b939897d 100644 --- a/source/gcp/prerequisites/considerations.rst +++ b/source/gcp/prerequisites/considerations.rst @@ -37,7 +37,7 @@ Reparse .. warning:: - Using the ``reparse`` option may fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. + Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts. To fetch and process older logs, you need to manually run the module using the ``--reparse`` option. From e51d90a91c4960f657c0895e450ebfb77fbc2fd4 Mon Sep 17 00:00:00 2001 From: Nicolas Stefani Date: Tue, 6 Sep 2022 20:48:03 -0300 Subject: [PATCH 39/55] Add container prefix option Signed-off-by: Nicolas Stefani --- .../reference/ossec-conf/wodle-azure-logs.rst | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst index afe317f696..2ed182bd85 100644 
--- a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst +++ b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst @@ -135,6 +135,8 @@ Options +----------------------------------------+----------------------------------------------+ | `storage\\container\\time_offset`_ | A positive number + suffix | +----------------------------------------+----------------------------------------------+ +| `storage\\container\\prefix`_ | Any string | ++----------------------------------------+----------------------------------------------+ disabled @@ -679,6 +681,8 @@ storage\\container +-----------------------------------------+----------------------------------------------+ | `storage\\container\\time_offset`_ | A positive number + suffix | +-----------------------------------------+----------------------------------------------+ +| `storage\\container\\prefix`_ | Any string | ++-----------------------------------------+----------------------------------------------+ storage\\container name ^^^^^^^^^^^^^^^^^^^^^^^ @@ -694,7 +698,7 @@ Specifies the name of the container. Enter ``*`` to access all account container storage\\container\\blobs ^^^^^^^^^^^^^^^^^^^^^^^^^ -Specifies the extension of the blobs like ``.json``. Enter "*" to access all the containers' blobs. +Specifies the extension of the blobs like ``.json``. Enter "*" to access all the containers' blobs. .. note:: @@ -716,7 +720,7 @@ This parameter indicates the format of the blobs' content. The available values - **json_inline**. Each line is a log in json format. The format of logs stored in Azure accounts is **inline JSON**. - + .. note:: When the ``day`` option is set, the interval value must be a multiple of months. By default, the interval is set to a month. 
@@ -750,6 +754,18 @@ This option sets the time delay in which we will perform the query. For example, | **Allowed values** | A positive number that should contain a suffix character indicating a time unit, such as, m (minutes), h (hours), d (days) | +--------------------+----------------------------------------------------------------------------------------------------------------------------+ + +storage\\container\\prefix +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If is defined, the prefix for the container to search into. + ++--------------------+----------------------------------------------------------------------------------------------------------------------------+ +| **Default value** | N/A | ++--------------------+----------------------------------------------------------------------------------------------------------------------------+ +| **Allowed values** | Valid path | ++--------------------+----------------------------------------------------------------------------------------------------------------------------+ + Example of storage configuration -------------------------------- From 37e6ff67993572d325524861633c70a895939d74 Mon Sep 17 00:00:00 2001 From: Nicolas Stefani Date: Thu, 8 Sep 2022 12:54:20 -0300 Subject: [PATCH 40/55] Replace 'prefix' by 'path' Signed-off-by: Nicolas Stefani --- .../user-manual/reference/ossec-conf/wodle-azure-logs.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst index 2ed182bd85..6c2c93f7ea 100644 --- a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst +++ b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst 
@@ -135,7 +135,7 @@ Options +----------------------------------------+----------------------------------------------+ | `storage\\container\\time_offset`_ | A positive number + suffix | +----------------------------------------+----------------------------------------------+ -| `storage\\container\\prefix`_ | Any string | +| `storage\\container\\path`_ | Any string | +----------------------------------------+----------------------------------------------+ @@ -681,7 +681,7 @@ storage\\container +-----------------------------------------+----------------------------------------------+ | `storage\\container\\time_offset`_ | A positive number + suffix | +-----------------------------------------+----------------------------------------------+ -| `storage\\container\\prefix`_ | Any string | +| `storage\\container\\path`_ | Any string | +-----------------------------------------+----------------------------------------------+ storage\\container name @@ -755,10 +755,10 @@ This option sets the time delay in which we will perform the query. For example, +--------------------+----------------------------------------------------------------------------------------------------------------------------+ -storage\\container\\prefix +storage\\container\\path ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -If is defined, the prefix for the container to search into. +If is defined, the path for the container to search into. +--------------------+----------------------------------------------------------------------------------------------------------------------------+ | **Default value** | N/A | From 370317f14990599ee9c504050ed48ca2bc99a6f5 Mon Sep 17 00:00:00 2001 From: Nicolas Stefani Date: Fri, 23 Sep 2022 10:02:47 -0300 Subject: [PATCH 41/55] CR changes --- source/user-manual/reference/ossec-conf/wodle-azure-logs.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
index 6c2c93f7ea..d328597094 100644
--- a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
+++ b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
@@ -758,7 +758,7 @@ This option sets the time delay in which we will perform the query. For example,
 storage\\container\\path
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-If is defined, the path for the container to search into.
+Defines for the container a path to search into. If isn't present the module retrieves all the blobs at the root level.
 +--------------------+----------------------------------------------------------------------------------------------------------------------------+
 | **Default value** | N/A |
From 185a33dd5292ebdaccb91941b4c04f2c1f423403 Mon Sep 17 00:00:00 2001
From: Javier M
Date: Fri, 23 Sep 2022 10:45:11 -0300
Subject: [PATCH 42/55] Update source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
---
 source/user-manual/reference/ossec-conf/wodle-azure-logs.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
index d328597094..0e958133da 100644
--- a/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
+++ b/source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
@@ -758,7 +758,7 @@ This option sets the time delay in which we will perform the query. For example,
 storage\\container\\path
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Defines for the container a path to search into. If isn't present the module retrieves all the blobs at the root level.
+Defines, for the container, a path to search into. If it isn't present, the module retrieves all the blobs at the root level.
 +--------------------+----------------------------------------------------------------------------------------------------------------------------+
 | **Default value** | N/A |
From 634575c8aeff57a9ee578d6377d014f50c9c943d Mon Sep 17 00:00:00 2001
From: javimed
Date: Mon, 26 Sep 2022 15:37:43 -0300
Subject: [PATCH 43/55] Review Image scanning permissions text
---
 .../supported-services/ecr-image-scanning.rst | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst
index e9027c640e..701307fd50 100644
--- a/source/amazon/services/supported-services/ecr-image-scanning.rst
+++ b/source/amazon/services/supported-services/ecr-image-scanning.rst
@@ -27,17 +27,23 @@ The following sections cover how to configure AWS to store the scan findings in
 AWS configuration
 -----------------
-AWS provides a `template `_ for creating a stack in CloudFormation that loads the image scan findings from Amazon ECR in CloudWatch using an AWS Lambda function. To be able to use this template, create the stack and upload images to Amazon ECR, it is necessary to create a custom policy granting the necessary permissions.
+AWS provides a `template `_ for creating a stack in CloudFormation. The template has an AWS Lambda function. It logs the image scan findings from Amazon ECR in CloudWatch.
+
+Create the stack and upload images to Amazon ECR to use this template. You need to create a custom policy to grant the necessary permissions.
 .. include:: /_templates/cloud/amazon/create_policy.rst
 Template specific permissions
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
 IAM
 ~~~
+You need the permissions listed below inside the sections for ``RoleCreator`` and ``PassRole`` to create and delete the stack based on the template.
+
 .. warning::
- The permissions inside the ``RoleCreator`` and ``PassRole`` sections are necessary in order to create and delete the stack based on the named template and must be bound to the described specific resources due to overly permissive actions.
+
+ These permissions must be bound to the specific resources due to overly permissive actions.
 .. code-block:: json
@@ -66,7 +72,7 @@ IAM
 Amazon Lambda and Amazon EventBridge
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-The following permissions are required to create and delete the resources handled by the Scan Findings Logger template.
+You need the following permissions to create and delete the resources handled by the Scan Findings Logger template.
 .. code-block:: json
@@ -100,7 +106,7 @@ The following permissions are required to create and delete the resources handle
 CloudFormation Stack
 ^^^^^^^^^^^^^^^^^^^^
-The following permissions are required to create and delete any template based CloudFormation stack.
+You need the following permissions to create and delete any template-based CloudFormation stack.
 .. code-block:: json
@@ -126,10 +132,11 @@ The following permissions are required to create and delete any template based C
 Amazon ECR usage permissions
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
 Image Pushing and Scanning
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
-The following permissions are required by Amazon ECR to `push images `_ and are scoped down to a specific repository. The steps to push Docker images is also described in the `Amazon ECR - Pushing a Docker image `_ documentation.
+You need the following Amazon ECR permissions to `push images `__. They are scoped down to a specific repository. The steps to push Docker images are described in the `Amazon ECR - Pushing a Docker image `_ documentation.
 .. code-block:: json
@@ -154,8 +161,8 @@ ECR Registry and Repository
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 .. note::
- The permission ``ecr:GetAuthorizationToken`` is required by `Amazon ECR `_ for users to have permission to make calls to the API through an IAM policy before they can authenticate to a registry and push or pull any images from any Amazon ECR repository.
+ Before authenticating to a registry and pushing or pulling any images from any Amazon ECR repository, you need ``ecr:GetAuthorizationToken``. This `Amazon ECR `__ permission allows calls to the API through an IAM policy.
 .. code-block:: json
From c1c1e285f0b338f5a457ef47fa4e01f36b677d04 Mon Sep 17 00:00:00 2001
From: Sandra Ocando
Date: Wed, 28 Sep 2022 09:09:47 +0200
Subject: [PATCH 44/55] Update pull_request_template.md
---
 .github/pull_request_template.md | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index d4969876af..8ca23caf31 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -14,9 +14,10 @@ Add a clear description of how the problem has been solved.
 If your PR closes an issue, please use the "closes" keyword indicating the issue.
 -->
 ## Checks
-- [ ] It compiles without warnings.
-- [ ] Use present tense, active voice, and semi-formal registry. Write short sentences, simple sentences.
-- [ ] Use **bold** for user interface elements, _italics_ for key terms or emphasis, and `Code` font for Bash commands, file names, REST paths, and code.
-- [ ] Add meta descriptions to new pages.
-- [ ] Indent using three spaces.
-- [ ] The `redirect.js` script is updated (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)).
+- [ ] Compiles without warnings.
+- [ ] Uses present tense, active voice, and semi-formal registry.
+- [ ] Uses short, simple sentences.
+- [ ] Uses **bold** for user interface elements, _italics_ for key terms or emphasis, and `code` font for Bash commands, file names, REST paths, and code.
+- [ ] Uses three spaces indentation.
+- [ ] Adds or updates meta descriptions accordingly.
+- [ ] Updates the `redirect.js` script if necessary (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)).
From e74ff66aa02572d10f1d7673f4c97ff525bf2174 Mon Sep 17 00:00:00 2001
From: javimed
Date: Wed, 28 Sep 2022 12:18:19 -0300
Subject: [PATCH 45/55] Review Image scanning permissions text
---
 .../supported-services/ecr-image-scanning.rst | 113 ++++++++---------
 1 file changed, 53 insertions(+), 60 deletions(-)
diff --git a/source/amazon/services/supported-services/ecr-image-scanning.rst b/source/amazon/services/supported-services/ecr-image-scanning.rst
index 701307fd50..32a44b960b 100644
--- a/source/amazon/services/supported-services/ecr-image-scanning.rst
+++ b/source/amazon/services/supported-services/ecr-image-scanning.rst @@ -27,17 +27,14 @@ The following sections cover how to configure AWS to store the scan findings in AWS configuration ----------------- -AWS provides a `template `_ for creating a stack in CloudFormation. The template has an AWS Lambda function. It logs the image scan findings from Amazon ECR in CloudWatch. +AWS provides a `template `__ that logs to CloudWatch the findings of Amazon ECR scans of images. The template uses an AWS Lambda function to accomplish this. -Create the stack and upload images to Amazon ECR to use this template. You need to create a custom policy to grant the necessary permissions. +Uploading the template and creating a stack, uploading the images to Amazon ECR, scanning the images, and using the logger all require specific permissions. Because of this, you need to create a custom policy granting these permissions. .. include:: /_templates/cloud/amazon/create_policy.rst -Template specific permissions -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -IAM -~~~ +IAM permissions +^^^^^^^^^^^^^^^ You need the permissions listed below inside the sections for ``RoleCreator`` and ``PassRole`` to create and delete the stack based on the template. 
@@ -69,42 +66,8 @@ You need the permissions listed below inside the sections for ``RoleCreator`` a "Resource": "arn:aws:iam:::role/*-LambdaExecutionRole*" } -Amazon Lambda and Amazon EventBridge -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -You need the following permissions to create and delete the resources handled by the Scan Findings Logger template. - -.. code-block:: json - - { - "Sid": "TemplateRequired0", - "Effect": "Allow", - "Action": [ - "lambda:RemovePermission", - "lambda:DeleteFunction", - "lambda:GetFunction", - "lambda:CreateFunction", - "lambda:AddPermission" - ], - "Resource": "arn:aws:lambda:::*" - }, - { - "Sid": "TemplateRequired1", - "Effect": "Allow", - "Action": [ - "events:RemoveTargets", - "events:DeleteRule", - "events:PutRule", - "events:DescribeRule", - "events:PutTargets" - ], - "Resource": "arn:aws:events:::*" - } - - - -CloudFormation Stack -^^^^^^^^^^^^^^^^^^^^ +CloudFormation stack permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You need the following permissions to create and delete any template-based CloudFormation stack. 
@@ -130,11 +93,29 @@ You need the following permissions to create and delete any template-based Cloud "Resource": "*" } -Amazon ECR usage permissions -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +ECR registry and repository permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +This `Amazon ECR `__ permission allows calls to the API through an IAM policy. + +.. note:: + + Before authenticating to a registry and pushing or pulling any images from any Amazon ECR repository, you need ``ecr:GetAuthorizationToken``. -Image Pushing and Scanning -~~~~~~~~~~~~~~~~~~~~~~~~~~ +.. code-block:: json + + { + "Sid": "ECRUtilities", + "Effect": "Allow", + "Action": [ + "ecr:GetAuthorizationToken", + "ecr:DescribeRepositories" + ], + "Resource": "*" + } + +Image pushing and scanning permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You need the following Amazon ECR permissions to `push images `__. They are scoped down to a specific repository. The steps to push Docker images are described in the `Amazon ECR - Pushing a Docker image `_ documentation. 
@@ -157,25 +138,37 @@ You need the following Amazon ECR permissions to `push images ::repository/" } -ECR Registry and Repository -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. note:: - - Before authenticating to a registry and pushing or pulling any images from any Amazon ECR repository, you need ``ecr:GetAuthorizationToken``. This `Amazon ECR `__ permission allows calls to the API through an IAM policy. +Amazon Lambda and Amazon EventBridge permissions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +You need the following permissions to create and delete the resources handled by the Scan Findings Logger template. + .. code-block:: json - { - "Sid": "ECRUtilities", + { + "Sid": "TemplateRequired0", "Effect": "Allow", "Action": [ - "ecr:GetAuthorizationToken", - "ecr:DescribeRepositories" + "lambda:RemovePermission", + "lambda:DeleteFunction", + "lambda:GetFunction", + "lambda:CreateFunction", + "lambda:AddPermission" ], - "Resource": "*" - } - + "Resource": "arn:aws:lambda:::*" + }, + { + "Sid": "TemplateRequired1", + "Effect": "Allow", + "Action": [ + "events:RemoveTargets", + "events:DeleteRule", + "events:PutRule", + "events:DescribeRule", + "events:PutTargets" + ], + "Resource": "arn:aws:events:::*" + } How to create the CloudFormation Stack ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ From eaf9b1b6a7aada4e8016afd4f17e3169d9da2f14 Mon Sep 17 00:00:00 2001 From: Nico Stefani Date: Thu, 6 Oct 2022 19:10:44 -0300 Subject: [PATCH 46/55] Update source/amazon/services/troubleshooting.rst Co-authored-by: Carlos RS --- source/amazon/services/troubleshooting.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/amazon/services/troubleshooting.rst b/source/amazon/services/troubleshooting.rst index 607b9b9a41..32074a593e 100644 --- a/source/amazon/services/troubleshooting.rst +++ b/source/amazon/services/troubleshooting.rst 
@@ -225,7 +225,7 @@ Error codes reference
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 8 | Failed to decompress file | Only ``.gz`` and ``.zip`` compression formats are supported. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
- | 9 | Failed to parse file | Ensure that the file has the expected schema. |
+ | 9 | Failed to parse file | Ensure that the log file contents have the expected structure. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 11 | Unable to connect to Wazuh | Ensure that Wazuh is running. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
From e61fa3f8565a9e8d5f3bcda037706fe19dda6ca5 Mon Sep 17 00:00:00 2001
From: Nicolas Stefani
Date: Thu, 6 Oct 2022 19:48:05 -0300
Subject: [PATCH 47/55] Added link to supported services and fixed another that already exists
---
 source/amazon/services/troubleshooting.rst | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/source/amazon/services/troubleshooting.rst b/source/amazon/services/troubleshooting.rst
index 32074a593e..4c033505e9 100644
--- a/source/amazon/services/troubleshooting.rst
+++ b/source/amazon/services/troubleshooting.rst
@@ -225,11 +225,11 @@ Error codes reference
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 8 | Failed to decompress file | Only ``.gz`` and ``.zip`` compression formats are supported. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
- | 9 | Failed to parse file | Ensure that the log file contents have the expected structure. |
+ | 9 | Failed to parse file | Ensure that the log file contents have the expected structure. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 11 | Unable to connect to Wazuh | Ensure that Wazuh is running. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
- | 12 | Invalid type of bucket | Check the type of the bucket. |
+ | 12 | Invalid type of bucket | Check the type of the bucket is one of the :ref:`supported `. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 13 | Error sending message to Wazuh | Make sure that Wazuh is running. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
@@ -239,8 +239,7 @@ Error codes reference
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 16 | Throttling error | AWS is receiving more than 10 requests per second. Try to run the module again when the number of requests to AWS has decreased. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
- | 17 | Invalid file key format | Ensure that the file path follows the format specified in the |
- | | | `Wazuh documentation `_. |
+ | 17 | Invalid file key format | Ensure that the file path follows the format specified in the :ref:`Wazuh documentation `. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 18 | Invalid prefix | Make sure that the indicated path exists in the S3 bucket. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
From c7e8dc6399601c34b57e8016a1330dab2aefa31c Mon Sep 17 00:00:00 2001
From: Nico Stefani
Date: Thu, 13 Oct 2022 10:59:29 -0300
Subject: [PATCH 48/55] Apply suggestions from code review
Co-authored-by: Sandra Ocando
---
 source/amazon/services/troubleshooting.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/amazon/services/troubleshooting.rst b/source/amazon/services/troubleshooting.rst
index 4c033505e9..fc987fa3bf 100644
--- a/source/amazon/services/troubleshooting.rst
+++ b/source/amazon/services/troubleshooting.rst
@@ -229,7 +229,7 @@ Error codes reference
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 11 | Unable to connect to Wazuh | Ensure that Wazuh is running. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
- | 12 | Invalid type of bucket | Check the type of the bucket is one of the :ref:`supported `. |
+ | 12 | Invalid type of bucket | Check if the type of bucket is one of the :ref:`supported `. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 13 | Error sending message to Wazuh | Make sure that Wazuh is running. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
@@ -243,5 +243,5 @@ Error codes reference
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
 | 18 | Invalid prefix | Make sure that the indicated path exists in the S3 bucket. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
- | 19 | The server datetime and datetime of the AWS environment differ | Make sure that the server datetime is correctly setted. |
+ | 19 | The server datetime and datetime of the AWS environment differ | Make sure that the server datetime is correctly set. |
 +-----------+-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
\ No newline at end of file
From 066f47c64ab0a9c501bd42fa75ca22783f295b9c Mon Sep 17 00:00:00 2001
From: Nicolas Gomez Palacios
Date: Thu, 10 Nov 2022 10:39:19 -0300
Subject: [PATCH 49/55] Add the new vacuum config options for wazuh-db in internal_options. Add information about the new fields last_vacuum_time and last_vacuum_value in the metadata table.
---
 .../reference/daemons/wazuh-db.rst | 6 +
 .../reference/internal-options.rst | 114 +++++++++++------
 2 files changed, 79 insertions(+), 41 deletions(-)
diff --git a/source/user-manual/reference/daemons/wazuh-db.rst b/source/user-manual/reference/daemons/wazuh-db.rst
index 4cef480567..8dbc904bbd 100644
--- a/source/user-manual/reference/daemons/wazuh-db.rst
+++ b/source/user-manual/reference/daemons/wazuh-db.rst
@@ -151,6 +151,12 @@ Data needed to upgrade the agent's database
 | **value** | Field value | 3 |
 +-----------------------+-----------------------------+-------------------------------------------+
+.. note:: Two new key-value rows added since version 4.5.0:
+
+ - **last_vacuum_time** value for the **key** field: its **value** field stores the time of the last time the vacuum was performed.
+
+ - **last_vacuum_value** value for the **key** field: its **value** field stores the fragmentation value that the database was left with after the last vacuum was performed.
+
 .. Uncomment when necessary .. .. ``pm_event``
diff --git a/source/user-manual/reference/internal-options.rst b/source/user-manual/reference/internal-options.rst
index c11155cb0d..733467f863 100644
--- a/source/user-manual/reference/internal-options.rst
+++ b/source/user-manual/reference/internal-options.rst
@@ -1064,47 +1064,79 @@ Wazuh Command Wazuh-db -------- -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.worker_pool_size** | Description | Number of worker threads | -| +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 8 | -| +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 32 | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.open_db_limit** | Description | Maximum number of allowed open databases before closing | -| +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 64 | -| +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 4096 | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.rlimit_nofile** | Description | Maximum number of file descriptors that Wazuh-DB can open. | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 65536 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1024 and 1048576. | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.commit_time_min** | Description | Minimum time margin before committing. 
| -+ +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 10 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 3600. | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.commit_time_max** | Description | Maximum time margin before committing. | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 60 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | Any integer between 1 and 3600. | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ -| **wazuh_db.debug** | Description | Debug level | -| +---------------+-------------------------------------------------------------------------------------+ -| | Default value | 0 | -+ +---------------+-------------------------------------------------------------------------------------+ -| | Allowed value | 0: No debug output | -+ + +-------------------------------------------------------------------------------------+ -| | | 1: Standard debug output | -+ + +-------------------------------------------------------------------------------------+ -| | | 2: Verbose debug output | -+------------------------------------+---------------+-------------------------------------------------------------------------------------+ ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.worker_pool_size** | Description | Number of worker threads | +| 
+---------------+-------------------------------------------------------------------------------------+ +| | Default value | 8 | +| +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 32 | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.open_db_limit** | Description | Maximum number of allowed open databases before closing | +| +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 64 | +| +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 4096 | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.rlimit_nofile** | Description | Maximum number of file descriptors that Wazuh-DB can open. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 65536 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1024 and 1048576. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.commit_time_min** | Description | Minimum time margin before committing. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 10 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 3600. 
| ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.commit_time_max** | Description | Maximum time margin before committing. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 60 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 3600. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.max_fragmentation** | Description | Maximum fragmentation allowed for a database. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 95 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 100. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.fragmentation_threshold** | Description | Indicates the allowed fragmentation threshold. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 80 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 100. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.fragmentation_delta** | Description | | Indicates the allowed fragmentation difference between the last time | +| | | | the vacuum was performed and the current measurement. 
| ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 5 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 100. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.free_pages_percentage** | Description | | Indicates the minimum percentage of free pages present in a database that | +| | | | can trigger a vacuum. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 5 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 0 and 99. | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.check_fragmentation_interval** | Description | Interval for database fragmentation check, in seconds. | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 43200 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | Any integer between 1 and 30758400. 
| ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ +| **wazuh_db.debug** | Description | Debug level | +| +---------------+-------------------------------------------------------------------------------------+ +| | Default value | 0 | ++ +---------------+-------------------------------------------------------------------------------------+ +| | Allowed value | 0: No debug output | ++ + +-------------------------------------------------------------------------------------+ +| | | 1: Standard debug output | ++ + +-------------------------------------------------------------------------------------+ +| | | 2: Verbose debug output | ++-------------------------------------------+---------------+-------------------------------------------------------------------------------------+ Wazuh-download -------------- From 0dc4c58e97c2af90c3fe26e0712ea601c94f9ade Mon Sep 17 00:00:00 2001 From: Nicolas Gomez Palacios Date: Thu, 10 Nov 2022 11:30:02 -0300 Subject: [PATCH 50/55] Change blob style in metadata table note. --- source/user-manual/reference/daemons/wazuh-db.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/user-manual/reference/daemons/wazuh-db.rst b/source/user-manual/reference/daemons/wazuh-db.rst index 8dbc904bbd..c2ae0ecf33 100644 --- a/source/user-manual/reference/daemons/wazuh-db.rst +++ b/source/user-manual/reference/daemons/wazuh-db.rst 
@@ -153,9 +153,9 @@ Data needed to upgrade the agent's database .. note:: Two new key-value rows added since version 4.5.0: - - **last_vacuum_time** value for the **key** field: its **value** field stores the time of the last time the vacuum was performed. + - **last_vacuum_time** value for the ``key`` field: its ``value`` field stores the time of the last time the vacuum was performed. - - **last_vacuum_value** value for the **key** field: its **value** field stores the fragmentation value that the database was left with after the last vacuum was performed. + - **last_vacuum_value** value for the ``key`` field: its ``value`` field stores the fragmentation value that the database was left with after the last vacuum was performed. .. Uncomment when necessary .. From 9e6ec08f41cdf3ff3acfb9190f1e693d8b6f1417 Mon Sep 17 00:00:00 2001 From: Tomas Turina Date: Thu, 10 Nov 2022 12:25:55 -0300 Subject: [PATCH 51/55] Add storage in disk option for remoted groups generation --- source/user-manual/reference/internal-options.rst | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/source/user-manual/reference/internal-options.rst b/source/user-manual/reference/internal-options.rst index c11155cb0d..3ee934f2cd 100644 --- a/source/user-manual/reference/internal-options.rst +++ b/source/user-manual/reference/internal-options.rst 
@@ -746,9 +746,15 @@ Remoted +-----------------------------------+---------------+--------------------------------------------------------------+ | **remoted.merge_shared** | Description | Merge shared configuration to be broadcast to agents. | + +---------------+--------------------------------------------------------------+ -| | Default Value | 1 ( Enabled ) | +| | Default Value | 1 (Enabled) | + +---------------+--------------------------------------------------------------+ -| | Allowed Value | 1 ( Enabled ) or 0 (Disabled) | +| | Allowed Value | 1 (Enabled), 0 (Disabled) | ++-----------------------------------+---------------+--------------------------------------------------------------+ +| **remoted.disk_storage** | Description | Store the temporary shared configuration file on disk. | ++ +---------------+--------------------------------------------------------------+ +| | Default Value | 0 (No, store in memory) | ++ +---------------+--------------------------------------------------------------+ +| | Allowed Value | 1 (Yes, store on disk), 0 (No, store in memory) | +-----------------------------------+---------------+--------------------------------------------------------------+ | **remoted.shared_reload** | Description | Number of seconds between reloading of shared files. | + +---------------+--------------------------------------------------------------+ From 8546d189dbec4b80ae710fe95f0b437e9a76815d Mon Sep 17 00:00:00 2001 From: Nicolas Gomez Palacios Date: Tue, 15 Nov 2022 10:12:04 -0300 Subject: [PATCH 52/55] Change the 'note' tag to 'versionadded' in the wazuh-db metadata table. --- source/user-manual/reference/daemons/wazuh-db.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/source/user-manual/reference/daemons/wazuh-db.rst b/source/user-manual/reference/daemons/wazuh-db.rst index c2ae0ecf33..31828c4e61 100644 --- a/source/user-manual/reference/daemons/wazuh-db.rst +++ b/source/user-manual/reference/daemons/wazuh-db.rst 
@@ -151,11 +151,13 @@ Data needed to upgrade the agent's database | **value** | Field value | 3 | +-----------------------+-----------------------------+-------------------------------------------+ -.. note:: Two new key-value rows added since version 4.5.0: +.. versionadded:: 4.5.0 - - **last_vacuum_time** value for the ``key`` field: its ``value`` field stores the time of the last time the vacuum was performed. +The ``key`` field can also store the following values: - - **last_vacuum_value** value for the ``key`` field: its ``value`` field stores the fragmentation value that the database was left with after the last vacuum was performed. + - **last_vacuum_time**: its ``value`` field stores the time of the last time the vacuum was performed. + + - **last_vacuum_value**: its ``value`` field stores the fragmentation value that the database was left with after the last vacuum was performed. .. Uncomment when necessary .. From 249e577c589b6f0dd8bb6811e97ec498d4e7d559 Mon Sep 17 00:00:00 2001 From: Nicolas Gomez Palacios Date: Thu, 17 Nov 2022 10:10:10 -0300 Subject: [PATCH 53/55] Improve the description of last_vacuum_time. Co-authored-by: Sandra Ocando --- source/user-manual/reference/daemons/wazuh-db.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/user-manual/reference/daemons/wazuh-db.rst b/source/user-manual/reference/daemons/wazuh-db.rst index 31828c4e61..c79ada5731 100644 --- a/source/user-manual/reference/daemons/wazuh-db.rst +++ b/source/user-manual/reference/daemons/wazuh-db.rst 
@@ -155,7 +155,7 @@ Data needed to upgrade the agent's database The ``key`` field can also store the following values: - - **last_vacuum_time**: its ``value`` field stores the time of the last time the vacuum was performed. + - **last_vacuum_time**: its ``value`` field stores the last time the vacuum was performed. - **last_vacuum_value**: its ``value`` field stores the fragmentation value that the database was left with after the last vacuum was performed. From 440ee5665f101f62abb6d8a14310dd586a6191cc Mon Sep 17 00:00:00 2001 From: Sandra Ocando Date: Wed, 23 Nov 2022 09:44:50 +0100 Subject: [PATCH 54/55] Update pull_request_template.md --- .github/pull_request_template.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 8ca23caf31..d97758accd 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -20,4 +20,4 @@ If your PR closes an issue, please use the "closes" keyword indicating the issue - [ ] Uses **bold** for user interface elements, _italics_ for key terms or emphasis, and `code` font for Bash commands, file names, REST paths, and code. - [ ] Uses three spaces indentation. - [ ] Adds or updates meta descriptions accordingly. -- [ ] Updates the `redirect.js` script if necessary (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)). +- [ ] Updates the `redirects.js` script if necessary (check [this guide](https://github.com/wazuh/wazuh-documentation/blob/master/NEW_RELEASE.md)). From 93a2c5766857810c3297b370931b0f9fe38631c8 Mon Sep 17 00:00:00 2001 From: DFolchA Date: Fri, 2 Dec 2022 18:46:44 +0100 Subject: [PATCH 55/55] Add Upgrade with installation assistant --- .../upgrade-guide/upgrading-central-components.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/source/upgrade-guide/upgrading-central-components.rst b/source/upgrade-guide/upgrading-central-components.rst index 8ce887c836..baf20a34bf 100644 --- a/source/upgrade-guide/upgrading-central-components.rst +++ b/source/upgrade-guide/upgrading-central-components.rst @@ -12,6 +12,20 @@ This section guides through the upgrade process of the Wazuh indexer, the Wazuh Root user privileges are required to execute all the commands described below. +Upgrade with the Wazuh installation assistant ++++++++++++++++++++++++++++++++++++++++++++++ + +You can use the installation assistant to upgrade the Wazuh central components. The assistant will detect which components are installed and upgrade them if necessary. + +To upgrade execute the following command: + +.. code-block:: bash + + curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -up + +Step-by-step upgrade ++++++++++++++++++++++ + Preparing the upgrade ---------------------