Restrict access to partial configuration information to read-only users #7455
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* feat(endpoints-summary-ui): Add back button to endpoints summary Signed-off-by: gonzaarancibia <[email protected]> * fix: apply prettier formatting Signed-off-by: gonzaarancibia <[email protected]> * fix: apply prettier formatting to register-agent component Signed-off-by: gonzaarancibia <[email protected]> * doc(changelog): Added back button to Deploy Agent page that redirects to Endpoints Summary #7443 Signed-off-by: gonzaarancibia <[email protected]> --------- Signed-off-by: gonzaarancibia <[email protected]>
Stops referencing or validating the enrollment password configuration by eliminating related code, tests, and constants. Simplifies agent registration flow to rely solely on the existing authentication method.
Refactors asynchronous operations to fetch version, config, and group data in parallel, reducing wait time and improving component load performance.
Prevents exposure of agent enrollment credentials in API responses to enhance security and avoid unauthorized agent registration by users with read-only API roles.
…l-configuration-information-to-read-only-users
|
|
|
|
Closed in favor of #7462, as it will be merged in 4.12.2. |
guidomodarelli
deleted the
enhancement/2414-restrict-access-to-partial-configuration-information-to-read-only-users
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
In certain configurations, authenticated users with read-only API roles may retrieve agent enrollment credentials through the
/utils/configurationendpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI.Users with authenticated access and the appropriate RBAC profile may access the configuration API. This endpoint returns a JSON payload that includes the
enrollment.passwordandenrollment.dnsfields used to register agents.Despite lacking
agent:createpermissions via the user interface, these credentials may be used manually to register additional agents via command-line or automation scripts.Example of retrieved information by a read-only user:
{ "statusCode": 200, "error": 0, "data": { "alerts.sample.prefix": "wazuh-alerts-4.x-", "checks.api": true, "checks.fields": true, "checks.maxBuckets": true, "checks.metaFields": true, "checks.pattern": true, "checks.setup": true, "checks.template": true, "checks.timeFilter": true, "configuration.ui_api_editable": true, "cron.prefix": "wazuh", "cron.statistics.apis": [], "cron.statistics.index.creation": "w", "cron.statistics.index.name": "statistics", "cron.statistics.index.replicas": 0, "cron.statistics.index.shards": 1, "cron.statistics.interval": "0 */5 * * * *", "cron.statistics.status": true, "customization.enabled": true, "customization.logo.app": "", "customization.logo.healthcheck": "", "customization.logo.reports": "", "customization.reports.footer": "", "customization.reports.header": "", "enrollment.dns": "192.168.1.142", "enrollment.password": "", "hideManagerAlerts": false, "ip.ignore": [], "ip.selector": true, "wazuh.updates.disabled": false, "pattern": "wazuh-alerts-*", "timeout": 20000, "reports.csv.maxRows": 10000, "wazuh.monitoring.creation": "w", "wazuh.monitoring.enabled": true, "wazuh.monitoring.frequency": 900, "wazuh.monitoring.pattern": "wazuh-monitoring-*", "wazuh.monitoring.replicas": 0, "wazuh.monitoring.shards": 1, "vulnerabilities.pattern": "wazuh-states-vulnerabilities-*" } }Issues Resolved
https://github.com/wazuh/internal-devel-requests/issues/2414
Evidence
Verify that the following 3 requests are made in parallel when accessing deploy-agent (
/app/endpoints-summary#/agents-preview/deploy).GET
/GET
/cluster/statusGET
/groupsTest
Check List
yarn test:jest