
Add users with group permissions

Add group
Run the following commands on the Wazuh server to create the agent groups joss_wintel and
joss_linux:
/var/ossec/bin/agent_groups -a -g joss_wintel -q
/var/ossec/bin/agent_groups -a -g joss_linux -q

Assign groups to agent


Run the following command on the Wazuh server to assign the joss_wintel group to the agent
with ID 002:
/var/ossec/bin/agent_groups -a -i 002 -g joss_wintel

Adding an agents group label


To prepare the environment, add a label to agent.conf, the centralized configuration file of the joss_wintel group.

1. Log into the Wazuh dashboard as administrator.


2. Click Wazuh to open the Wazuh dashboard menu, select Management and then Groups to
open the page.
3. Select your group, for example, joss_wintel.
4. Select Files and click Edit group configuration.
5. Add a label to identify the group, for example:
<agent_config>
  <labels>
    <label key="group">joss_wintel</label>
  </labels>
</agent_config>
6. Click Save to complete the action.

You have now added a group label that allows us to identify all the Wazuh alerts coming from this
group of agents. Note that only new alerts will include this group label.

Creating and mapping an internal user
Follow these steps to create an internal user, create a custom role and map it to the new user.

1. Click the upper-left menu icon ☰ to open the available options, select Security, and then
Internal users to open the internal users' page.
2. Click Create internal user, provide a username and password, and click Create to complete the
action.
3. To create a custom role and map the user to it, follow these steps:
a. Go to Security, select Roles to open the page.
b. Click Create role, complete the empty fields with the following parameters:
• Name: Assign a name to the role.
• Cluster permissions: cluster_composite_ops_ro
• Index: *
• Index permissions: read
c. Click Add another index permission and unfold the new section Add index permission.
Complete the empty fields with the following parameters and make sure to replace your
group name accordingly:
• Index: wazuh-alerts*
• Index permissions: read
• Document level security:
{
  "bool": {
    "must": {
      "match": {
        "agent.labels.group": "joss_wintel"
      }
    }
  }
}
d. Click Add another index permission and unfold the new section Add index permission.
Complete the empty fields with the following parameters and make sure to replace your
group name accordingly:
• Index: wazuh-monitoring*
• Index permissions: read
• Document level security:
{
  "bool": {
    "must": {
      "match": {
        "group": "joss_wintel"
      }
    }
  }
}
e. Under Tenant permissions, select Tenant: global_tenant and the Read only option.
f. Click Create to complete the task.
g. Select the Mapped users tab and click Manage mapping.
h. Add the user you created in the previous steps and click Map to confirm the action.

You have now created an internal user and assigned it reading permissions over the Wazuh alerts
and Wazuh monitoring documents from the authorized agents group.
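
As an added example (not part of the original document or of Wazuh's own code), the Python below builds the role from steps b to e as a request body in the OpenSearch Security role format and applies the wazuh-alerts* filter to constructed sample alerts, showing that an alert indexed before the label was added stays hidden. Assumptions: the body field names and kibana_all_read for the Read only option follow that role format, match is modelled as exact equality on the field, and the helper names are hypothetical.

```python
import json

def dls_for_group(field, group):
    """DLS query in the shape the page uses: bool -> must -> match on one field."""
    return {"bool": {"must": {"match": {field: group}}}}

def build_role(group):
    """Role body mirroring steps b-e; the role format carries 'dls' as a JSON string."""
    def perm(pattern, query=None):
        p = {"index_patterns": [pattern], "allowed_actions": ["read"]}
        if query is not None:
            p["dls"] = json.dumps(query)  # json.dumps escapes quotes in the group name
        return p
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            perm("*"),
            perm("wazuh-alerts*", dls_for_group("agent.labels.group", group)),
            perm("wazuh-monitoring*", dls_for_group("group", group)),
        ],
        # Assumption: "Read only" on global_tenant corresponds to kibana_all_read.
        "tenant_permissions": [{"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}],
    }

def lookup(doc, dotted):
    """Resolve a dotted path such as 'agent.labels.group'; None if any part is missing."""
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def visible(doc, dls_string):
    """Apply the DLS to one document, modelling match as exact equality (assumption)."""
    (field, wanted), = json.loads(dls_string)["bool"]["must"]["match"].items()
    value = lookup(doc, field)
    values = value if isinstance(value, list) else [value]
    return wanted in values

# Constructed sample alerts, not real Wazuh output.
ALERTS = [
    {"id": "a1", "agent": {"id": "002", "labels": {"group": "joss_wintel"}}},
    {"id": "a2", "agent": {"id": "003", "labels": {"group": "joss_linux"}}},
    {"id": "a3", "agent": {"id": "002"}},  # indexed before the label was added
]

def visible_ids(group):
    dls = build_role(group)["index_permissions"][1]["dls"]
    return [a["id"] for a in ALERTS if visible(a, dls)]

if __name__ == "__main__":
    print(json.dumps(build_role("joss_wintel"), indent=2), visible_ids("joss_wintel"))
```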

Mapping with Wazuh


To map the user with Wazuh, follow these steps:

1. Click the upper-left menu icon ☰ to open the available options and click Wazuh.
2. Click Wazuh to open the Wazuh dashboard menu, select Security, and then Policies to open
the policies page.
3. Click Create policy and complete the empty fields with the requested information.

• Policy name: Assign a name to the new policy.
• Action: Select the actions that the user is allowed to perform, for example, agent:read,
and click Add. Select as many actions as needed.
• Resource: Select agent:group.
• Resource identifier: Write the name of the agents' group, for example, joss_wintel, and
click Add. You can add as many resources as needed.
• Select an effect: Select Allow.
4. Click Create policy to complete the action.

5. Click Roles to open the tab, click Create Role, and fill in the empty fields with the requested
information.
• Role name: Assign a name to the new role.
• Policies: Select the policy created previously.
6. Click Create role to confirm the action.

7. Click Create Role mapping and complete the empty fields with the requested information.
• Role mapping name: Assign a name to the role mapping.
• Roles: Select the role created previously, for example joss_wintel, and the
cluster_readonly role. The latter assigns the user basic configuration reading
permissions.
• Internal users: Select the internal user created previously.
8. Click Save role mapping to finish the action.

For the role mapping to take effect, make sure that run_as is set to true in the
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml configuration file. Restart the Wazuh
dashboard service and clear your browser cache and cookies.

You have now created a new internal user and mapped it to manage a Wazuh agents' group.
Authenticate with the new user and open the Wazuh dashboard to confirm that only the alerts
and information of joss_wintel agents are displayed.

How to rebuild the Vulnerability Database


Log in to the server. Stop the Wazuh manager service first, then rename or delete the vulnerability
database, then start the Wazuh manager service, and finally restart the Wazuh manager service again.
cd /var/ossec/queue/vulnerabilities
systemctl stop wazuh-manager
mv cve.db cve.db.bak
systemctl start wazuh-manager
systemctl restart wazuh-manager
