Open PekkaJalonen opened 3 months ago
I came here to log this exact same thing. None of the documents in the vulnerability indices have the agent group assigned, so there is no way to filter it that I can see.
It would be really great if this problem could be solved as quickly as possible. As it is, I am unfortunately unable to roll out the new version to our instance.
I don't know if it was the cache in the browser, in any case I can no longer see all events. However, I am able to view all agent names using the filter function and the "agent.name" field.
This issue is still active; you can replicate it by opening Discovery and selecting the wazuh-states-vulnerabilities-* index, which will show all machines. There are no match rules created in the indexer for this index, and they cannot be created, as the documents do not have a group or labels field.
We are discussing this issue internally.
Thanks for the report. We will work on fixing it as part of https://github.com/wazuh/wazuh/issues/22887.
Related issue:
Wazuh has real users serving multiple clients, organizations, or organizational units with the same Wazuh SIEM instance, and restricting them to only seeing data about their own agents through the use of the fine Wazuh RBAC facilities in combination with the use of agent labels. However, with the introduction of 4.8.0, Wazuh broke this use case by introducing a new index (Vulnerability Detection stateful inventory index) without arranging for its records to be marked with agent labels. This leaves such users with only two realistic options that I can think of:
Example of this use case: https://github.com/AhmadMavali/wazuh_multi_tenant
From what I read above, it rather sounds like the present plan may be to fix this issue with the release of 5.0. May I humbly suggest that this would be way too late to address something as disruptive as this? Surely it would not take that much work to get these agent labels included in the VD stateful inventory index, would it?
Kevin Branch
The new vulnerability detection does not honor the RBAC definitions. Based on Discovery, the new vulnerability documents do not include agent group labels, so there is no way to use document-level security filtering. So in the case of multi-tenancy, using the old RBAC model as in the example at https://documentation.wazuh.com/current/user-manual/user-administration/rbac.html#use-case-give-a-user-permissions-to-read-and-manage-a-group-of-agents, users limited to a specific group of agents can discover events of all agents.
There should be new filtering for wazuh-states-vulnerabilities*, and document-level matching. But before that, the agent group labels have to be included in the documents.
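As an added example (not code from this thread or from Wazuh) of the check the comments above call for: a script that audits a sample of indexed documents for the fields a document-level security filter would key on, and flags any index whose documents lack them. The field names agent.groups and agent.labels, and the sample documents, are assumptions about the document layout.

```python
from collections import defaultdict
from itertools import takewhile

# Assumed tenant-scoping fields; the real Wazuh field names may differ.
SCOPING_FIELDS = ("agent.groups", "agent.labels")

# Constructed sample hits in the shape of an OpenSearch _search response: the alert
# documents carry a group or label, the vulnerability-state documents carry only
# agent.id and agent.name, as described in the thread.
SAMPLE_HITS = [
    {"_index": "wazuh-alerts-4.x-2024.05.01",
     "_source": {"agent": {"id": "001", "name": "web-01", "groups": ["tenant-a"]}}},
    {"_index": "wazuh-alerts-4.x-2024.05.01",
     "_source": {"agent": {"id": "002", "name": "db-01"}, "agent.labels.tenant": "tenant-b"}},
    {"_index": "wazuh-states-vulnerabilities-default",
     "_source": {"agent": {"id": "001", "name": "web-01"}, "package": {"name": "openssl"}}},
    {"_index": "wazuh-states-vulnerabilities-default",
     "_source": {"agent": {"id": "002", "name": "db-01"}, "package": {"name": "curl"}}},
]


def has_field(source, dotted):
    """True if `dotted` is present and non-empty, whether stored as nested
    objects or as a flattened "a.b.c" key (e.g. "agent.labels.tenant")."""
    if any(k == dotted or k.startswith(dotted + ".") for k in source):
        return True
    node = source
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return bool(node)  # an empty list/dict gives DLS nothing to match on


def index_family(index_name):
    """'wazuh-alerts-4.x-2024.05.01' -> 'wazuh-alerts': drop version/date segments."""
    plain = takewhile(lambda s: not any(c.isdigit() for c in s), index_name.split("-"))
    return "-".join(plain)


def audit_tenant_scoping(hits, scoping_fields=SCOPING_FIELDS):
    """Per index family: documents carrying none of the scoping fields and the agents
    they expose. Any 'unscoped' > 0 means DLS on these fields cannot confine the index."""
    report = defaultdict(lambda: {"total": 0, "unscoped": 0, "unscoped_agents": set()})
    for hit in hits:
        src, entry = hit.get("_source", {}), report[index_family(hit["_index"])]
        entry["total"] += 1
        if not any(has_field(src, f) for f in scoping_fields):
            entry["unscoped"] += 1
            entry["unscoped_agents"].add(src.get("agent", {}).get("name", "<unknown>"))
    return {k: {**v, "unscoped_agents": sorted(v["unscoped_agents"])} for k, v in report.items()}
```

Run it over the hits array of a _search against both wazuh-alerts-* and wazuh-states-vulnerabilities-* to compare which index families can be confined per tenant.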