ThreatLockDown RBAC - How to create and map internal users

ThreatLockDown RBAC grants access to ThreatLockDown resources based on the roles and policies assigned to users. It is an easy-to-use administration system that lets you manage the permissions of users or entities over system resources. To learn more, see the Role-Based Access Control section.

The ThreatLockDown platform includes an internal user database that can be used for authentication. It can also be used alongside an external authentication system such as LDAP or Active Directory. The sections below explain how to create users and map them with ThreatLockDown.

Creating and setting a ThreatLockDown admin user

Follow these steps to create an internal user, create a new role mapping, and give administrator permissions to the user.

  1. Log into the ThreatLockDown dashboard as administrator.

  2. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

    Internal users page
  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to the admin role, follow these steps:

    1. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Roles to open the roles page.

    2. Search for the all_access role in the roles list and select it to open the details window.

    3. Click Duplicate role, assign a name to the new role, then click Create to confirm the action.

    4. Select the newly created role.

    5. Select the Mapped users tab and click Manage mapping.

    6. Add the user you created in the previous steps and click Map to confirm the action.

    Note

    Reserved roles are restricted for any permission customizations. You can create a custom role with the same permissions or duplicate a reserved role for further customization.

  5. To map the user with Wazuh, follow these steps:

    1. Click the upper-left menu icon to open the menu on the ThreatLockDown dashboard, go to Server management > Security, and then Roles mapping to open the page.

      ThreatLockDown role mapping
    2. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.

      • Roles: Select administrator.

      • Internal users: Select the internal user created previously.

    3. Click Save role mapping to save and map the user with ThreatLockDown as administrator.

    For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the ThreatLockDown dashboard service and clear your browser cache and cookies.

Creating and setting a ThreatLockDown read-only user

Follow these steps to create an internal user, create a new role mapping, and give read-only permissions to the user.

  1. Log into the ThreatLockDown dashboard as administrator.

  2. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

    Internal users page
  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to the appropriate role, follow these steps:

    1. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Roles to open the roles page.

    2. Click Create role, complete the empty fields with the following parameters, and then click Create to complete the task.

      • Name: Assign a name to the role.

      • Cluster permissions: cluster_composite_ops_ro

      • Index: *

      • Index permissions: read

      • Tenant permissions: global_tenant and select the Read only option.

    3. Select the Mapped users tab and click Manage mapping.

    4. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click to open the menu on the ThreatLockDown dashboard, go to Server management > Security, and then Roles mapping to open the page.

      ThreatLockDown role mapping
    2. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.

      • Roles: Select readonly.

      • Internal users: Select the internal user created previously.

    3. Click Save role mapping to save and map the user with ThreatLockDown as read-only.

    For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the ThreatLockDown dashboard service and clear your browser cache and cookies.

Creating an internal user and mapping it to Wazuh

Follow these steps to create an internal user and map it to a role of your choice.

  1. Log into the ThreatLockDown dashboard as administrator.

  2. Click the upper-left menu icon to open the options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

    Internal users page
  3. Click Create internal user, provide a username and password, and click Create to complete the action.

  4. To map the user to a given role, follow these steps:

    1. Go to Security, select Roles to open the page, and click the name of the selected role to open the window. Alternatively, you can create a custom role by clicking Create role.

    2. Select the Mapped users tab and click Manage mapping.

    3. Add the user you created in the previous steps and click Map to confirm the action.

  5. To map the user with Wazuh, follow these steps:

    1. Click to open the menu on the ThreatLockDown dashboard, go to Server management > Security, and then Roles mapping to open the page.

      ThreatLockDown role mapping
    2. Click Create Role mapping and complete the empty fields with the following parameters:

      • Role mapping name: Assign a name to the role mapping.

      • Roles: Select the ThreatLockDown roles that you want to map the user with.

      • Internal users: Select the internal user created previously.

      ThreatLockDown includes an extensive list of default policies and roles. Additionally, you can create custom policies and roles to suit your needs. To see an example, check our Use case: Give a user permissions to manage a group of agents below.

    3. Click Save role mapping to save and map the user with Wazuh.

    For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the ThreatLockDown dashboard service and clear your browser cache and cookies.

Use case: Give a user permissions to read and manage a group of agents

In this use case, we explore how to create an internal user and give it permissions to read and manage an agents group.

This process involves adding a label in the agent group's centralized configuration to identify the ThreatLockDown alerts coming from this group of agents, creating an internal user, and giving it reading permission only for those documents that correspond to the group of authorized agents.

It also involves mapping this user with the ThreatLockDown API, creating a custom policy that grants permissions to read, restart, and upgrade, among other actions, a group of agents, and finally creating a custom role and mapping it to our internal user.

As a final result, we will have a new user with permission to manage a group of agents and to read the documents regarding that group.

In this example, we have an environment with five agents. Agents 001, 002, and 005 belong to the Team_A group whereas agents 003, 004, and 005 belong to the Team_B group. To learn more about creating agents' groups, see Grouping agents. We will describe how to create a new user and give it permission to manage agents from Team_A.

Use case: Give a user permissions to manage a group of agents - Environment

Adding an agents group label

To prepare the environment, add a label in the Team_A centralized configuration agent.conf. To learn more, see Agent labels.

  1. Log into the ThreatLockDown dashboard as administrator.

  2. Select Server management > Endpoint Groups to open the page.

  3. Select your group, for example, Team_A.

  4. Select Files and click Edit group configuration.

  5. Add a label to identify the group, for example:

    <agent_config>
      <labels>
        <label key="group">Team_A</label>
      </labels>
    </agent_config>
    
  6. Click Save to complete the action.

You have now added a group label that allows us to identify all the ThreatLockDown alerts coming from this group of agents. Note that only new alerts will include this group label.

Creating and mapping an internal user

Follow these steps to create an internal user, create a custom role and map it to the new user.

  1. Click the upper-left menu icon to open the available options, go to Indexer/dashboard management > Security, and then Internal users to open the internal users' page.

  2. Click Create internal user, provide a username and password, and click Create to complete the action.

  3. To create a custom role and map the user to it, follow these steps:

    1. Go to Security and select Roles to open the page.

    2. Click Create role and complete the empty fields with the following parameters:

      • Name: Assign a name to the role.

      • Cluster permissions: cluster_composite_ops_ro

      • Index: *

      • Index permissions: read

    3. Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters, replacing Team_A with your own group name:

      • Index: wazuh-alerts*

      • Index permissions: read

      • Document level security:

        {
          "bool": {
            "must": {
              "match": {
                "agent.labels.group": "Team_A"
              }
            }
          }
        }
        
    4. Click Add another index permission and unfold the new section Add index permission. Complete the empty fields with the following parameters, replacing Team_A with your own group name:

      • Index: wazuh-monitoring*

      • Index permissions: read

      • Document level security:

        {
          "bool": {
            "must": {
              "match": {
                "group": "Team_A"
              }
            }
          }
        }
        
    5. Under Tenant permissions, select Tenant: global_tenant and the Read only option.

    6. Click Create to complete the task.

    7. Select the Mapped users tab and click Manage mapping.

    8. Add the user you created in the previous steps and click Map to confirm the action.

You have now created an internal user and assigned it reading permissions over the ThreatLockDown alerts and ThreatLockDown monitoring documents from the authorized agents group.
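The following is an added example, not code from the ThreatLockDown documentation: a minimal evaluator for the bool/must/match document level security (DLS) queries configured above, run over constructed sample wazuh-alerts and wazuh-monitoring documents. It assumes the document shapes the two queries reference (agent.labels.group in alerts, a group array in monitoring) and approximates the match clause with equality, which is enough for keyword values like a group name.

```python
# Added example (not from the ThreatLockDown/Wazuh docs): evaluate the two DLS queries
# from the custom role against constructed documents to see what a Team_A reader gets.
ALERTS_DLS = {"bool": {"must": {"match": {"agent.labels.group": "Team_A"}}}}
MONITORING_DLS = {"bool": {"must": {"match": {"group": "Team_A"}}}}


def get_path(doc, dotted):
    """Resolve a dotted field name such as 'agent.labels.group' in a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def clause_matches(doc, field, expected):
    """A match on an array field succeeds if any element matches (an agent in two groups)."""
    value = get_path(doc, field)
    if isinstance(value, list):
        return expected in value
    return value == expected


def matches(dls, doc):
    """True when every 'must' clause holds; 'must' may be one clause or a list of clauses."""
    must = dls["bool"]["must"]
    clauses = must if isinstance(must, list) else [must]
    return all(clause_matches(doc, f, v)
               for c in clauses for f, v in c["match"].items())


def visible(dls, docs):
    """Filter documents the way DLS does on a read: only matching documents are returned."""
    return [d["id"] for d in docs if matches(dls, d)]


# Constructed sample documents (assumed shapes, not real ThreatLockDown output).
ALERTS = [
    {"id": "a1", "agent": {"id": "001", "labels": {"group": "Team_A"}}},
    {"id": "a2", "agent": {"id": "003", "labels": {"group": "Team_B"}}},
    {"id": "a3", "agent": {"id": "002"}},  # generated before the label was added: hidden
]
MONITORING = [
    {"id": "m1", "group": ["Team_A"], "status": "active"},
    {"id": "m2", "group": ["Team_B"], "status": "active"},
    {"id": "m3", "group": ["Team_A", "Team_B"], "status": "active"},  # agent 005
]

if __name__ == "__main__":
    print(visible(ALERTS_DLS, ALERTS))          # ['a1']
    print(visible(MONITORING_DLS, MONITORING))  # ['m1', 'm3']
```

The unlabelled alert a3 illustrates the note above that only alerts generated after the label was added carry agent.labels.group and therefore become visible to the restricted user.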

Mapping with Wazuh

To map the user with Wazuh, follow these steps:

  1. Click to open the menu on the ThreatLockDown dashboard, go to Server management > Security, and then Policies to open the policies page.

  2. Click Create policy and complete the empty fields with the requested information.

    • Policy name: Assign a name to the new policy.

    • Action: Select the actions that the user is allowed to perform, for example, agent:read, and click Add. Select as many actions as needed.

    • Resource: Select agent:group.

    • Resource identifier: Write the name of the agents' group, for example, Team_A, and click Add. You can add as many resources as needed.

    • Select an effect: Select Allow.

    Creating a custom policy
  3. Click Create policy to complete the action.

  4. Click Roles to open the tab, click Create Role, and fill in the empty fields with the requested information.

    • Role name: Assign a name to the new role.

    • Policies: Select the policy created previously.

    Creating a custom role
  5. Click Create role to confirm the action.

  6. Click Create Role mapping and complete the empty fields with the requested information.

    • Role mapping name: Assign a name to the role mapping.

    • Roles: Select the role created previously and the cluster_readonly role. This role assigns the user basic configuration reading permissions.

    • Internal users: Select the internal user created previously.

    Creating a new role mapping
  7. Click Save role mapping to finish the action.

For the role mapping to take effect, make sure that run_as is set to true in the /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the ThreatLockDown dashboard service and clear your browser cache and cookies.

You have now created a new internal user and mapped it to manage a ThreatLockDown agents' group. Authenticate with the new user and open the ThreatLockDown dashboard: only the alerts and information of Team_A agents are displayed.

New user's environment - Only information regarding Team_A agents is displayed