From 486c41e3f9c931632d37f0b345a3b10bef1c5260 Mon Sep 17 00:00:00 2001 From: c-bordon Date: Thu, 9 Nov 2023 09:09:08 -0300 Subject: [PATCH] Updated security config files --- README.md | 1 + build-docker-images/wazuh-indexer/Dockerfile | 2 ++ .../wazuh-indexer/config/action_groups.yml | 12 ++++++++++++ build-docker-images/wazuh-indexer/config/config.sh | 1 + build-docker-images/wazuh-indexer/config/roles.yml | 12 ++++++++++-- .../wazuh-indexer/config/roles_mapping.yml | 11 +++++++++-- 6 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 build-docker-images/wazuh-indexer/config/action_groups.yml diff --git a/README.md b/README.md index 46b093fe..e1df9d68 100644 --- a/README.md +++ b/README.md @@ -101,6 +101,7 @@ WAZUH_MONITORING_REPLICAS=0 ## │   │   └── Dockerfile │   ├── wazuh-indexer │   │   ├── config + │ │ │ ├── action_groups.yml │   │   │   ├── config.sh │   │   │   ├── config.yml │   │   │   ├── entrypoint.sh diff --git a/build-docker-images/wazuh-indexer/Dockerfile b/build-docker-images/wazuh-indexer/Dockerfile index f2b809c3..985a3a05 100644 --- a/build-docker-images/wazuh-indexer/Dockerfile +++ b/build-docker-images/wazuh-indexer/Dockerfile @@ -12,6 +12,8 @@ COPY config/config.sh . COPY config/config.yml / +COPY config/action_groups.yml / + COPY config/internal_users.yml / COPY config/roles_mapping.yml / diff --git a/build-docker-images/wazuh-indexer/config/action_groups.yml b/build-docker-images/wazuh-indexer/config/action_groups.yml new file mode 100644 index 00000000..04119c8a --- /dev/null +++ b/build-docker-images/wazuh-indexer/config/action_groups.yml @@ -0,0 +1,12 @@ +--- +_meta: + type: "actiongroups" + config_version: 2 + +# ISM API permissions group +manage_ism: + reserved: true + hidden: false + allowed_actions: + - "cluster:admin/opendistro/ism/*" + static: false \ No newline at end of file 
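Review bot: In the new `action_groups.yml`, the `allowed_actions` entry `"cluster:admin/opendistro/ism/*"` is a wildcard over every ISM cluster action, so the `manage_ism` group covers creating, changing and deleting policies as well as read-only calls. ISM policies can roll over or delete indices, so if the consumer needs only part of that surface, list the specific actions instead of `*`. The comment `# ISM API permissions group` does not say who is meant to hold the group or why. Something like `# ISM API permissions, granted via the manage_ism role in roles.yml to <consumer: fill in>` would make the grant reviewable. The file also ends without a trailing newline.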
diff --git a/build-docker-images/wazuh-indexer/config/config.sh b/build-docker-images/wazuh-indexer/config/config.sh index 0b953fc5..0b4b3791 100644 --- a/build-docker-images/wazuh-indexer/config/config.sh +++ b/build-docker-images/wazuh-indexer/config/config.sh @@ -120,6 +120,7 @@ cp /$PASSWORD_TOOL ${TARGET_DIR}${INSTALLATION_DIR}/plugins/opensearch-security/ # Copy Wazuh's config files for the security plugin cp -pr /roles_mapping.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ cp -pr /roles.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ +cp -pr /action_groups.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ cp -pr /internal_users.yml ${TARGET_DIR}${INSTALLATION_DIR}/opensearch-security/ cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR} # Copy Wazuh indexer's certificates diff --git a/build-docker-images/wazuh-indexer/config/roles.yml b/build-docker-images/wazuh-indexer/config/roles.yml index ed47beae..f8bc557a 100644 --- a/build-docker-images/wazuh-indexer/config/roles.yml +++ b/build-docker-images/wazuh-indexer/config/roles.yml @@ -142,7 +142,7 @@ wazuh_ui_user: allowed_actions: - "read" tenant_permissions: [] - static: false + static: false wazuh_ui_admin: reserved: true @@ -160,4 +160,12 @@ wazuh_ui_admin: - "manage" - "index" tenant_permissions: [] - static: false \ No newline at end of file + static: false + +# ISM API permissions role +manage_ism: + reserved: true + hidden: false + cluster_permissions: + - "manage_ism" + static: false \ No newline at end of file diff --git a/build-docker-images/wazuh-indexer/config/roles_mapping.yml b/build-docker-images/wazuh-indexer/config/roles_mapping.yml index 6f893132..7fa57a4d 100644 --- a/build-docker-images/wazuh-indexer/config/roles_mapping.yml +++ b/build-docker-images/wazuh-indexer/config/roles_mapping.yml @@ -33,7 +33,7 @@ kibana_user: - "kibanauser" users: - "wazuh_user" - - "wazuh_admin" + - "wazuh_admin" description: "Maps kibanauser to kibana_user" readall: 
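Review bot: In the second roles.yml hunk (`@@ -160,4 +160,12 @@`), the new role `manage_ism` has the same name as the action group it references, so `cluster_permissions: - "manage_ism"` reads like a self-reference. A comment such as `# "manage_ism" below is the action group from action_groups.yml (cluster:admin/opendistro/ism/*)` would let an auditor follow the grant without opening a second file. The `wazuh_ui_admin` role just above ends with `tenant_permissions: []`. Adding `index_permissions: []` and `tenant_permissions: []` to the new role would state explicitly that it carries cluster-level rights only.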
@@ -68,4 +68,11 @@ wazuh_ui_user: hosts: [] users: - "wazuh_user" - and_backend_roles: [] \ No newline at end of file + and_backend_roles: [] + +# ISM API permissions role mapping +manage_ism: + reserved: true + hidden: false + users: + - "kibanaserver" \ No newline at end of file
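Review bot: The new `manage_ism` mapping binds the role to the `kibanaserver` user, so whoever holds that account's credential gains every ISM cluster action the role allows. The comment `# ISM API permissions role mapping` should record why that account needs it, for example `# kibanaserver needs ISM access for <purpose: fill in>; do not map end users here`. The entry also omits `hosts: []` and `and_backend_roles: []`, which the `wazuh_ui_user` mapping directly above spells out. Adding them keeps the file uniform and makes it explicit that nothing else is matched into the role. If the account only needs a narrow set of ISM calls, that is best enforced by narrowing the action group rather than this mapping.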