
Restrict access to partial configuration information to read only users #7462


Open
wants to merge 1 commit into base: 4.12.2

Conversation

guidomodarelli (Contributor)

Description

In certain configurations, authenticated users with read-only API roles may retrieve agent enrollment credentials through the /utils/configuration endpoint. These credentials can be used to register new agents within the same Wazuh tenant without requiring elevated permissions through the UI.

Users with authenticated access and the appropriate RBAC profile may access the configuration API. This endpoint returns a JSON payload that includes the enrollment.password and enrollment.dns fields used to register agents.

Despite lacking agent:create permissions via the user interface, these credentials may be used manually to register additional agents via command-line or automation scripts.

Example of retrieved information by a read-only user:

{
    "statusCode": 200,
    "error": 0,
    "data": {
        "alerts.sample.prefix": "wazuh-alerts-4.x-",
        "checks.api": true,
        "checks.fields": true,
        "checks.maxBuckets": true,
        "checks.metaFields": true,
        "checks.pattern": true,
        "checks.setup": true,
        "checks.template": true,
        "checks.timeFilter": true,
        "configuration.ui_api_editable": true,
        "cron.prefix": "wazuh",
        "cron.statistics.apis": [],
        "cron.statistics.index.creation": "w",
        "cron.statistics.index.name": "statistics",
        "cron.statistics.index.replicas": 0,
        "cron.statistics.index.shards": 1,
        "cron.statistics.interval": "0 */5 * * * *",
        "cron.statistics.status": true,
        "customization.enabled": true,
        "customization.logo.app": "",
        "customization.logo.healthcheck": "",
        "customization.logo.reports": "",
        "customization.reports.footer": "",
        "customization.reports.header": "",
        "enrollment.dns": "192.168.1.142",
        "enrollment.password": "",
        "hideManagerAlerts": false,
        "ip.ignore": [],
        "ip.selector": true,
        "wazuh.updates.disabled": false,
        "pattern": "wazuh-alerts-*",
        "timeout": 20000,
        "reports.csv.maxRows": 10000,
        "wazuh.monitoring.creation": "w",
        "wazuh.monitoring.enabled": true,
        "wazuh.monitoring.frequency": 900,
        "wazuh.monitoring.pattern": "wazuh-monitoring-*",
        "wazuh.monitoring.replicas": 0,
        "wazuh.monitoring.shards": 1,
        "vulnerabilities.pattern": "wazuh-states-vulnerabilities-*"
    }
}

  • Stops referencing or validating the enrollment password configuration by eliminating related code, tests, and constants. Simplifies the agent registration flow to rely solely on the existing authentication method.

Issues Resolved

https://github.com/wazuh/internal-devel-requests/issues/2414

Evidence

Verify that the following 3 requests are made in parallel when accessing deploy-agent (/app/endpoints-summary#/agents-preview/deploy).
GET /
GET /cluster/status
GET /groups

Test

  1. Check the evidence.
  2. Follow the steps detailed here (https://documentation.wazuh.com/4.12/user-manual/agent/agent-enrollment/security-options/using-password-authentication.html#prerequisites) and the enrollment should be successful


Check List

  • All tests pass
    • yarn test:jest
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
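The exposure described above, worked as a response filter: the configuration payload is stripped of enrollment secrets before it is returned to a caller who cannot create agents, and an audit helper reports any secret-bearing key that is still present in a payload fetched as a read-only user. This is an added example written for this page, not code from wazuh-dashboard-plugins or from this PR; the `ConfigResponse` shape, the `SENSITIVE_KEY` pattern, the role names in `AGENT_CREATOR_ROLES` and the sample payload are assumptions. It goes beyond the single `enrollment.password` field in the PR: any key whose last segment is `password`, `passwd`, `secret` or `token` is removed, nested objects and arrays included.

```typescript
// Added example for this page, not wazuh-dashboard-plugins code. Shows a
// response filter that strips enrollment secrets before a configuration
// payload is returned to a user who cannot create agents.

export interface ConfigResponse {
  statusCode: number;
  error: number;
  data: Record<string, unknown>;
}

// Constructed sample payload: same shape as the response quoted in the PR,
// with an invented non-empty password so the redaction is visible.
export const SAMPLE_RESPONSE: ConfigResponse = {
  statusCode: 200,
  error: 0,
  data: {
    "alerts.sample.prefix": "wazuh-alerts-4.x-",
    "configuration.ui_api_editable": true,
    "cron.statistics.apis": [],
    "enrollment.dns": "192.168.1.142",
    "enrollment.password": "not-a-real-password", // constructed value
    "pattern": "wazuh-alerts-*",
    "timeout": 20000,
  },
};

// Assumption: a key is secret when its last dotted/underscored segment names a
// credential. Wider than the single enrollment.password field in the PR so a
// future secret-bearing setting is covered without editing a list.
const SENSITIVE_KEY = /(^|[._-])(password|passwd|secret|token)$/i;

export function isSensitiveKey(key: string): boolean {
  return SENSITIVE_KEY.test(key);
}

// Deep copy of `value` with every sensitive key dropped; arrays are walked too.
export function redactValue(value: unknown): unknown {
  if (Array.isArray(value)) {
    return value.map((v) => redactValue(v));
  }
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      if (!isSensitiveKey(k)) {
        out[k] = redactValue(v);
      }
    }
    return out;
  }
  return value;
}

// Returns a redacted copy; the input response is never mutated.
export function redactConfig(resp: ConfigResponse): ConfigResponse {
  return { ...resp, data: redactValue(resp.data) as Record<string, unknown> };
}

// Assumption: roles allowed to create agents. In the real plugin this decision
// belongs to the RBAC check on the authenticated request, not a static list.
const AGENT_CREATOR_ROLES: ReadonlySet<string> = new Set(["administrator", "agents_admin"]);

export function canCreateAgents(roles: readonly string[]): boolean {
  return roles.some((r) => AGENT_CREATOR_ROLES.has(r));
}

// What the endpoint should hand back for a given caller.
export function configForRoles(resp: ConfigResponse, roles: readonly string[]): ConfigResponse {
  return canCreateAgents(roles) ? resp : redactConfig(resp);
}

// Audit helper: paths of sensitive keys still present anywhere in a payload.
// Run it over the JSON fetched as a read-only user to confirm a fix applied.
// Keys themselves contain dots, so path segments are joined with "/".
export function leakedSensitiveKeys(value: unknown, path = ""): string[] {
  const found: string[] = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => found.push(...leakedSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      const p = path ? `${path}/${k}` : k;
      if (isSensitiveKey(k)) {
        found.push(p); // presence alone is the leak, even when the value is ""
      } else {
        found.push(...leakedSensitiveKeys(v, p));
      }
    }
  }
  return found;
}
```

The approach taken in this PR is simpler than a redaction layer: the enrollment password setting is removed from the dashboard configuration altogether, so there is nothing left to leak. A filter like the one above is the fallback when a secret must remain in the configuration for privileged users; note that an empty `enrollment.password` still tells a reader that no enrollment password is configured, which is why the audit helper flags the key by name rather than by value.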

@guidomodarelli guidomodarelli self-assigned this May 26, 2025
Prevents exposure of the agent enrollment password in the configuration endpoint response to enhance security and avoid unauthorized agent registration by users with read-only API roles. Updates related logic and tests to reflect the removal.
@guidomodarelli guidomodarelli force-pushed the enhancement/2414-restrict-access-to-partial-configuration-information-to-read-only-users-4.12.2 branch from 87581a8 to 86a91e5 on May 26, 2025 12:57
@guidomodarelli guidomodarelli marked this pull request as ready for review May 26, 2025 12:59

Wazuh Check Updates plugin code coverage (Jest) test % values
Statements 78.72% ( 185 / 235 )
Branches 62.72% ( 69 / 110 )
Functions 61.7% ( 29 / 47 )
Lines 78.72% ( 185 / 235 )


Wazuh Core plugin code coverage (Jest) test % values
Statements 45.23% ( 399 / 882 )
Branches 41.09% ( 157 / 382 )
Functions 43.13% ( 135 / 313 )
Lines 45.42% ( 397 / 874 )


Main plugin code coverage (Jest) test % values
Statements 16.9% ( 5055 / 29896 )
Branches 10.32% ( 1990 / 19267 )
Functions 17.94% ( 1300 / 7245 )
Lines 17.18% ( 4945 / 28770 )
