Remove deprecated plain text auth references for wodles #6405

Merged
merged 5 commits into from
Feb 29, 2024
Expand Up @@ -36,7 +36,7 @@ Reparse
-------

.. warning::

Using the ``reparse`` option will fetch and process all the logs from the starting date until the present. This process may generate duplicate alerts.

To fetch and process older logs, you need to manually run the module using the ``--reparse`` option.
Expand Down Expand Up @@ -231,6 +231,7 @@ The `service_endpoint` and `sts_endpoint` tags can be used to specify the VPC en
</bucket>

<bucket type="cloudtrail">
<aws_profile>default</aws_profile>
<name>wazuh-cloudtrail-2</name>
<aws_profile>default</aws_profile>
<iam_role_arn>arn:aws:iam::xxxxxxxxxxx:role/wazuh-role</iam_role_arn>
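Review bot: the second `<bucket type="cloudtrail">` block in this example now contains `<aws_profile>default</aws_profile>` twice, once above `<name>wazuh-cloudtrail-2</name>` and once below it. Keep a single `<aws_profile>` line per bucket so the example does not suggest the tag has to be repeated.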
Expand Up @@ -16,7 +16,6 @@ There are multiple ways to configure the AWS credentials:
- `IAM Roles`_
- `IAM roles for EC2 instances`_
- `Environment variables`_
- `Insert the credentials into the configuration`_

Create an IAM User
------------------
Expand Down Expand Up @@ -182,20 +181,3 @@ If you're using a single AWS account for all your buckets this could be the most

* ``AWS_ACCESS_KEY_ID``
* ``AWS_SECRET_ACCESS_KEY``

Insert the credentials into the configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. deprecated:: 4.4.0

Another available option to set up credentials is writing them right into the Wazuh configuration file (``/var/ossec/etc/ossec.conf``), inside of the ``<bucket>`` block on the module configuration.

This is an example configuration:

.. code-block:: xml

<bucket type="cloudtrail">
<name>my-bucket</name>
<access_key>insert_access_key</access_key>
<secret_key>insert_secret_key</secret_key>
</bucket>
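Review bot: nothing replaces the removed "Insert the credentials into the configuration" section for readers who still have `<access_key>` and `<secret_key>` inside a `<bucket>` block of `/var/ossec/etc/ossec.conf`. The section was only marked `.. deprecated:: 4.4.0`, so add one sentence (here or in the release notes) stating whether those tags are still accepted and pointing to the remaining methods listed at the top of the page. It would also be worth recommending that any key previously stored in the configuration file be rotated once it has been moved.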
Expand Up @@ -36,15 +36,10 @@ Getting access credentials for Storage
:width: 100%


Authentication options
----------------------
Authentication
--------------

There are two different ways to set up the Azure authentication:

Using an authentication file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It is possible to store the credentials in a file for authentication as long as the file content follows the `field = value` format explained below.
To authenticate, store the credentials in a file whose content follows the `field = value` format explained below.

The fields expected to be present in the credentials file will change depending on the type of service or activity to be monitored.
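Review bot: in the new sentence "To authenticate, store the credentials in a file ...", `field = value` is wrapped in single backticks, which reStructuredText treats as interpreted text (default role) rather than an inline literal. Use double backticks, as this page already does for ``<auth_path>``, so the format renders as code. Since the "Using an authentication file" heading is removed in the same hunk, also check that no other page links to that section title.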

Expand Down Expand Up @@ -113,70 +108,4 @@ Regardless of the service or activity to be monitored, the authentication file i

Check the :doc:`azure-logs wodle </user-manual/reference/ossec-conf/wodle-azure-logs>` section from the ossec.conf reference page for more information about the ``<auth_path>`` and other available parameters.


Inserting the credentials into the configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. deprecated:: 4.4.0

Another authentication option is to set up credentials by storing them directly into the Wazuh configuration file ``/var/ossec/etc/ossec.conf``, inside of the ``<graph>``, ``<log_analytics>`` and ``<storage>`` blocks on the module configuration.

The tags to use are different depending on the type of service or activity to be monitored:

.. rubric:: Microsoft Graph and Log Analytics
:class: h5

.. code-block:: none
:emphasize-lines: 6, 7, 18, 19

<wodle name="azure-logs">
<disabled>no</disabled>
<run_on_start>yes</run_on_start>

<log_analytics>
<application_id>8b7...c14</application_id>
<application_key>w22...91x</application_key>

<tenantdomain>wazuh.onmicrosoft.com</tenantdomain>
<request>
<query>AzureActivity</query>
<workspace>d6b...efa</workspace>
<time_offset>1d</time_offset>
</request>
</log_analytics>

<graph>
<application_id>8b7...c14</application_id>
<application_key>w22...91x</application_key>

<tenantdomain>wazuh.onmicrosoft.com</tenantdomain>
<request>
<query>auditLogs/directoryAudits</query>
<time_offset>1d</time_offset>
</request>
</graph>
</wodle>

.. rubric:: Storage
:class: h5

.. code-block:: none
:emphasize-lines: 6, 7

<wodle name="azure-logs">
<disabled>no</disabled>
<run_on_start>yes</run_on_start>

<storage>
<account_name>exampleaccountname</account_name>
<account_key>w22...91x</account_key>

<container name="insights-operational-logs">
<blobs>.json</blobs>
<content_type>json_inline</content_type>
<time_offset>24h</time_offset>
</container>
</storage>
</wodle>

Take a look at the :doc:`azure-logs wodle </user-manual/reference/ossec-conf/wodle-azure-logs>` entry from the ``ossec.conf`` reference page for more information about the parameters.
108 changes: 3 additions & 105 deletions source/user-manual/reference/ossec-conf/wodle-azure-logs.rst
Expand Up @@ -29,8 +29,6 @@ Options
- `time`_
- `timeout`_
- `log_analytics`_
- `log_analytics\\application_id`_
- `log_analytics\\application_key`_
- `log_analytics\\auth_path`_
- `log_analytics\\tenantdomain`_
- `log_analytics\\request`_
Expand All @@ -39,17 +37,13 @@ Options
- `log_analytics\\request\\workspace`_
- `log_analytics\\request\\timeout`_
- `log_analytics\\request\\time_offset`_
- `graph\\application_id`_
- `graph\\application_key`_
- `graph\\auth_path`_
- `graph\\tenantdomain`_
- `graph\\request`_
- `graph\\request\\tag`_
- `graph\\request\\query`_
- `graph\\request\\timeout`_
- `graph\\request\\time_offset`_
- `storage\\account_name`_
- `storage\\account_key`_
- `storage\\auth_path`_
- `storage\\tag`_
- `storage\\container`_
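Review bot: after this cleanup the option index goes straight from `log_analytics\\request\\time_offset`_ to `graph\\auth_path`_, and from `graph\\request\\time_offset`_ to `storage\\auth_path`_, with no `graph`_ or `storage`_ parent entries. `log_analytics`_ has its parent entry a few lines up, and the table further down lists both `graph`_ and `storage`_. Add the two parent entries while this list is being edited so the index and the table agree.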
Expand All @@ -76,10 +70,6 @@ Options
+----------------------------------------+----------------------------------------------+
| `log_analytics`_ | N/A |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\application_id`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\application_key`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\auth_path`_ | File path |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\tenantdomain`_ | Any string |
Expand All @@ -98,10 +88,6 @@ Options
+----------------------------------------+----------------------------------------------+
| `graph`_ | N/A |
+----------------------------------------+----------------------------------------------+
| `graph\\application_id`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `graph\\application_key`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `graph\\auth_path`_ | File path |
+----------------------------------------+----------------------------------------------+
| `graph\\tenantdomain`_ | Any string |
Expand All @@ -118,10 +104,6 @@ Options
+----------------------------------------+----------------------------------------------+
| `storage`_ | N/A |
+----------------------------------------+----------------------------------------------+
| `storage\\account_name`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `storage\\account_key`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `storage\\auth_path`_ | File path |
+----------------------------------------+----------------------------------------------+
| `storage\\tag`_ | Any string |
Expand Down Expand Up @@ -248,52 +230,24 @@ Defines the use of the Azure Log Analytics REST API to get the desired logs.

This block configures the integration with Azure Log Analytics REST API.

- `log_analytics\\application_id`_
- `log_analytics\\application_key`_
- `log_analytics\\auth_path`_
- `log_analytics\\tenantdomain`_
- `log_analytics\\request`_

+----------------------------------------+----------------------------------------------+
| Options | Allowed values |
+========================================+==============================================+
| `log_analytics\\application_id`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\application_key`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\auth_path`_ | File path |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\tenantdomain`_ | Any string |
+----------------------------------------+----------------------------------------------+
| `log_analytics\\request`_ | N/A |
+----------------------------------------+----------------------------------------------+

log_analytics\\application_id
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Identifier of the application that we will use for the authentication and to be able to use the Azure Log Analytics API. It must be used next to the ``application_key`` option obligatorily. Incompatible with ``auth_path`` option.

+--------------------+--------------------+
| **Default value** | N/A |
+--------------------+--------------------+
| **Allowed values** | Any string |
+--------------------+--------------------+

log_analytics\\application_key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Key to the application we will use for authentication and to be able to use the Azure Log Analytics API. It must be used next to the ``application_id`` option obligatorily. Incompatible with ``auth_path`` option.

+--------------------+--------------------+
| **Default value** | N/A |
+--------------------+--------------------+
| **Allowed values** | Any string |
+--------------------+--------------------+

log_analytics\\auth_path
^^^^^^^^^^^^^^^^^^^^^^^^

Path of the file that contains the application identifier and the application key for authentication in order to use the Azure Log Analytics API. Incompatible with ``application_id`` and ``application_key`` options.
Path of the file that contains the application identifier and the application key for authentication in order to use the Azure Log Analytics API.

+--------------------+--------------------+
| **Default value** | N/A |
Expand Down Expand Up @@ -440,52 +394,24 @@ graph

This block configures the integration with Azure Active Directory Graph REST API.

- `graph\\application_id`_
- `graph\\application_key`_
- `graph\\auth_path`_
- `graph\\tenantdomain`_
- `graph\\request`_

+----------------------------------+----------------------------------------------+
| Options | Allowed values |
+==================================+==============================================+
| `graph\\application_id`_ | Any string |
+----------------------------------+----------------------------------------------+
| `graph\\application_key`_ | Any string |
+----------------------------------+----------------------------------------------+
| `graph\\auth_path`_ | File path |
+----------------------------------+----------------------------------------------+
| `graph\\tenantdomain`_ | Any string |
+----------------------------------+----------------------------------------------+
| `graph\\request`_ | N/A |
+----------------------------------+----------------------------------------------+

graph\\application_id
^^^^^^^^^^^^^^^^^^^^^

Identifier of the application that we will use for the authentication and to be able to use the Azure Active Directory Graph API. It must be used next to the ``application_key`` option obligatorily. Incompatible with ``auth_path`` option.

+--------------------+--------------------+
| **Default value** | N/A |
+--------------------+--------------------+
| **Allowed values** | Any string |
+--------------------+--------------------+

graph\\application_key
^^^^^^^^^^^^^^^^^^^^^^

Key to the application we will use for authentication and to be able to use the Azure Active Directory Graph API. It must be used next to the ``application_id`` option obligatorily. Incompatible with ``auth_path`` option.

+--------------------+--------------------+
| **Default value** | N/A |
+--------------------+--------------------+
| **Allowed values** | Any string |
+--------------------+--------------------+

graph\\auth_path
^^^^^^^^^^^^^^^^

Path of the file that contains the application identifier and the application key for authentication in order to use the Azure Active Directory Graph API. Incompatible with the ``application_id`` and ``application_key`` options. Check the :doc:`credentials </cloud-security/azure/activity-services/prerequisites/credentials>` reference for more information about this topic.
Path of the file that contains the application identifier and the application key for authentication in order to use the AAD Graph API.

+--------------------+--------------------+
| **Default value** | N/A |
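Review bot: the rewritten `graph\\auth_path` description drops the sentence "Check the :doc:`credentials </cloud-security/azure/activity-services/prerequisites/credentials>` reference for more information about this topic." together with the incompatibility sentence, but only the latter is obsolete. With `application_id` and `application_key` gone from this block, `auth_path` is the only documented way to authenticate, so keep the cross-reference that explains the file. Also keep "Azure Active Directory Graph API" instead of "AAD Graph API", to match the block description above ("Azure Active Directory Graph REST API").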
Expand Down Expand Up @@ -603,52 +529,24 @@ storage

This block configures the integration with Azure Storage.

- `storage\\account_name`_
- `storage\\account_key`_
- `storage\\auth_path`_
- `storage\\tag`_
- `storage\\container`_

+----------------------------------+----------------------------------------------+
| Options | Allowed values |
+==================================+==============================================+
| `storage\\account_name`_ | Any string |
+----------------------------------+----------------------------------------------+
| `storage\\account_key`_ | Any string |
+----------------------------------+----------------------------------------------+
| `storage\\auth_path`_ | File path |
+----------------------------------+----------------------------------------------+
| `storage\\tag`_ | Any string |
+----------------------------------+----------------------------------------------+
| `storage\\container`_ | N/A |
+----------------------------------+----------------------------------------------+

storage\\account_name
^^^^^^^^^^^^^^^^^^^^^

Identifier of the account name that we will use for the authentication- It must be used next to the ``account_key`` option obligatorily. Incompatible with ``auth_path`` option.

+--------------------+--------------------+
| **Default value** | N/A |
+--------------------+--------------------+
| **Allowed values** | Any string |
+--------------------+--------------------+

storage\\account_key
^^^^^^^^^^^^^^^^^^^^

Identifier of the account key that we will use for the authentication- It must be used next to the ``account_name`` option obligatorily. Incompatible with ``auth_path`` option.

+--------------------+--------------------+
| **Default value** | N/A |
+--------------------+--------------------+
| **Allowed values** | Any string |
+--------------------+--------------------+

storage\\auth_path
^^^^^^^^^^^^^^^^^^

Path of the file that contains the account name and the account key for authentication. Incompatible with ``account_name`` and ``account_key`` options.
Path of the file that contains the account name and the account key for authentication.

+--------------------+--------------------+
| **Default value** | N/A |