Skip to main content
This guide provides comprehensive security hardening recommendations for Wazuh Dashboard deployments. Following these practices reduces attack surface, protects sensitive data, and ensures secure operations.

Overview

Security hardening for Wazuh Dashboard encompasses:
  • Access control - Authentication, authorization, and privilege management
  • Transport security - Encryption and certificate management
  • Operational security - Configuration management and monitoring
  • Network security - Firewall rules and network segmentation
  • Data protection - Sensitive data handling and backup security
Reference: docs/ref/security.md

Access control

Implement robust access control mechanisms to restrict dashboard access to authorized personnel.

Change default credentials

Replace default administrative credentials immediately after installation:
  1. Access the Wazuh Dashboard using default credentials:
    • URL: https://<WAZUH_DASHBOARD_IP_ADDRESS>
    • Username: admin
    • Password: admin
  2. Navigate to Security or use the Security plugin API to update credentials
  3. Create a strong administrative password:
    • Minimum 12 characters
    • Combination of uppercase, lowercase, numbers, and special characters
    • No dictionary words or common patterns
    • Unique to the Wazuh Dashboard (not reused across systems)
  4. Update the indexer user credentials: 
    /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh \
  -cd /etc/wazuh-indexer/opensearch-security/ \
  -icl -nhnv \
  -cacert /etc/wazuh-indexer/certs/root-ca.pem \
  -cert /etc/wazuh-indexer/certs/admin.pem \
  -key /etc/wazuh-indexer/certs/admin-key.pem

Implement Single Sign-On (SAML)

Configure SAML authentication for centralized identity management:

SAML configuration

  1. Configure the security plugin in the Wazuh Indexer (config.yml):
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      saml_auth:
        order: 1
        description: "SAML authentication provider"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://idp.example.com/metadata
              entity_id: https://idp.example.com
            sp:
              entity_id: wazuh-dashboard
              signature_private_key_filepath: "certs/saml-key.pem"
            kibana_url: https://wazuh-dashboard.example.com
            roles_key: Role
            exchange_key: <secure-random-key>
        authentication_backend:
          type: noop
Reference: docker/wazuh-4.7/config/wazuh_indexer/config-saml.yml
  1. Update the Wazuh Dashboard configuration (opensearch_dashboards.yml):
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

Role mapping

Configure role-based access control through SAML assertions:
  1. Map SAML roles to Wazuh Dashboard roles
  2. Define granular permissions for each role:
    • Administrator: Full access to all features and configuration
    • Analyst: Read-only access to security events and dashboards
    • Operator: Limited access to specific modules or agent groups
  3. Validate role mappings after authentication

Restrict administrative access

Limit access to administrative functions:
  1. Dashboard Management access should be restricted to administrators only
  2. Implement principle of least privilege for user accounts
  3. Create service accounts for API integrations with minimal required permissions
  4. Regularly audit user permissions and remove unnecessary access
  5. Implement multi-factor authentication where supported by the identity provider

Session management

Configure secure session parameters: 
# opensearch_dashboards.yml
opensearch_security.session.ttl: 3600000  # 1 hour in milliseconds
opensearch_security.session.keepalive: false
  • Configure appropriate session timeouts based on security requirements
  • Disable session keepalive for sensitive environments
  • Implement automatic logout after inactivity periods

Transport security

Secure all network communications with encryption and proper certificate management.

TLS/SSL configuration

Configure TLS encryption for all communications:

Dashboard to Indexer

# opensearch_dashboards.yml
opensearch.hosts: https://localhost:9200
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities:
  - /etc/wazuh-dashboard/certs/root-ca.pem
opensearch.ssl.certificate: /etc/wazuh-dashboard/certs/dashboard.pem
opensearch.ssl.key: /etc/wazuh-dashboard/certs/dashboard-key.pem
Reference: docs/ref/getting-started/installation.md:144

Dashboard HTTPS

# opensearch_dashboards.yml
server.ssl.enabled: true
server.ssl.certificate: /etc/wazuh-dashboard/certs/dashboard.pem
server.ssl.key: /etc/wazuh-dashboard/certs/dashboard-key.pem

Wazuh API connection

# opensearch_dashboards.yml
wazuh_core.hosts:
  default:
    url: https://localhost
    port: 55000
    username: wazuh-wui
    password: <secure-password>
    run_as: false
Ensure the Wazuh API uses HTTPS with valid certificates. Reference: docs/ref/getting-started/installation.md:146

Certificate management

Implement secure certificate lifecycle management:

Certificate generation

  1. Use strong key sizes (minimum 2048-bit RSA or 256-bit ECC)
  2. Generate certificates with appropriate Subject Alternative Names (SANs)
  3. Use internal Certificate Authority or trusted commercial CA
  4. Document certificate inventory and expiration dates

Certificate deployment

  1. Create certificate directory with restricted permissions: 
    mkdir /etc/wazuh-dashboard/certs
chmod 500 /etc/wazuh-dashboard/certs
  2. Deploy certificates with secure ownership and permissions: 
    tar -xf wazuh-certificates.tar -C /etc/wazuh-dashboard/certs/
chmod 400 /etc/wazuh-dashboard/certs/*
chown -R wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/certs
Reference: docs/ref/getting-started/installation.md:166

Certificate rotation

  1. Monitor certificate expiration dates
  2. Plan certificate renewal 30-60 days before expiration
  3. Test renewed certificates in non-production environments
  4. Implement rolling updates to minimize service disruption
  5. Update all configuration references to new certificates

Certificate validation

Configure appropriate certificate verification: 
# opensearch_dashboards.yml
opensearch.ssl.verificationMode: certificate  # or 'full' for hostname validation
Options:
  • certificate: Validate certificate chain and expiration
  • full: Validate certificate and hostname match
  • none: Disable validation (not recommended for production)

TLS protocol configuration

Enforce modern TLS protocols and cipher suites: 
# opensearch_dashboards.yml
server.ssl.supportedProtocols: ['TLSv1.2', 'TLSv1.3']
server.ssl.cipherSuites:
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256
  - TLS_AES_128_GCM_SHA256
  - ECDHE-RSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES128-GCM-SHA256
  • Disable TLS 1.0 and 1.1
  • Prefer TLS 1.3 where supported
  • Disable weak cipher suites
  • Configure Forward Secrecy

Network security

Implement network-level controls to restrict access to the dashboard.

Firewall configuration

Restrict network access to required ports: 
# Allow HTTPS traffic to dashboard
firewall-cmd --permanent --add-port=443/tcp

# Allow dashboard to indexer communication
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<indexer-ip>" port port="9200" protocol="tcp" accept'

# Reload firewall
firewall-cmd --reload

IP whitelisting

Restrict access to trusted IP ranges: 
# opensearch_dashboards.yml
server.host: "0.0.0.0"  # Bind to all interfaces
Implement IP filtering at the network level (firewall, load balancer, or reverse proxy): 
# Example nginx configuration
allow 10.0.0.0/8;
allow 192.168.1.0/24;
deny all;

Private networking

Deploy Wazuh Dashboard in private networks:
  1. Place dashboard in private subnet without direct internet access
  2. Use VPN or bastion hosts for administrative access
  3. Route internet-bound traffic through NAT gateway for updates
  4. Implement network segmentation between dashboard, indexer, and agents

Reverse proxy deployment

Deploy a reverse proxy for additional security: 
server {
    listen 443 ssl http2;
    server_name wazuh-dashboard.example.com;

    ssl_certificate /etc/nginx/certs/dashboard.crt;
    ssl_certificate_key /etc/nginx/certs/dashboard.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Rate limiting
    limit_req zone=dashboard burst=10 nodelay;

    location / {
        proxy_pass https://localhost:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Operational security

Maintain secure operational practices for ongoing security.

Keep software updated

Implement regular update procedures:
  1. Subscribe to Wazuh security advisories
  2. Test updates in non-production environments
  3. Schedule maintenance windows for updates
  4. Follow upgrade procedures documented in the release notes
  5. Backup configuration before applying updates
Reference: docs/ref/upgrade.md:46

Configuration management

Secure configuration files:
  1. Restrict file permissions: 
    chmod 640 /etc/wazuh-dashboard/opensearch_dashboards.yml
chown root:wazuh-dashboard /etc/wazuh-dashboard/opensearch_dashboards.yml
  2. Version control configuration files (excluding sensitive credentials)
  3. Implement configuration validation before deployment
  4. Document all configuration changes
  5. Maintain separate configurations for different environments

Secrets management

Protect sensitive credentials:
  1. Never commit credentials to version control
  2. Use environment variables or secret management systems for credentials
  3. Rotate credentials regularly (quarterly or after personnel changes)
  4. Implement audit logging for credential access
  5. Encrypt credentials at rest

Audit logging

Enable comprehensive audit logging:
  1. Configure OpenSearch audit logging: 
    # opensearch.yml
plugins.security.audit.type: internal_opensearch
plugins.security.audit.config.disabled_rest_categories: NONE
plugins.security.audit.config.disabled_transport_categories: NONE
  2. Monitor dashboard access logs: 
    tail -f /var/log/wazuh-dashboard/opensearch_dashboards.log
  3. Centralize logs to SIEM or log management platform
  4. Configure alerts for suspicious activities:
    • Failed authentication attempts
    • Privilege escalation attempts
    • Configuration changes
    • Unusual access patterns

Backup security

Secure backup procedures:
  1. Backup critical components:
    • Configuration files: /etc/wazuh-dashboard/opensearch_dashboards.yml
    • TLS certificates: /etc/wazuh-dashboard/certs/
    • Saved objects and dashboards
Reference: docs/ref/backup-restore.md:8
  1. Encrypt backups at rest and in transit
  2. Store backups in secure, access-controlled locations
  3. Test backup restoration procedures regularly
  4. Implement backup retention policies
  5. Document backup and recovery procedures

Security monitoring

Implement continuous security monitoring:
  1. Monitor authentication failures and unauthorized access attempts
  2. Track configuration changes and administrative actions
  3. Alert on certificate expiration approaching
  4. Monitor system resource utilization for anomalies
  5. Review security logs regularly

Data protection

Protect sensitive data within the dashboard environment.

Saved object review

Regularly review saved objects for sensitive data:
  1. Navigate to Stack Management > Saved Objects
  2. Review visualizations, dashboards, and searches
  3. Identify objects containing sensitive queries or filters
  4. Remove or restrict access to sensitive objects
  5. Implement naming conventions to identify sensitive content

Notification channel security

Secure external integration credentials:
  1. Review notification channels for embedded credentials
  2. Use webhook URLs without embedded secrets where possible
  3. Rotate integration API keys regularly
  4. Restrict who can create or modify notification channels
  5. Audit notification channel usage

Index-level security

Implement field-level and document-level security:
  1. Configure field masking for sensitive data (PII, credentials)
  2. Implement document-level security to restrict data access by user role
  3. Use read-only aliases for analyst access
  4. Audit index access patterns

Data retention

Implement appropriate data retention policies:
  1. Define retention periods based on compliance requirements
  2. Configure Index State Management (ISM) policies
  3. Securely delete expired data
  4. Archive long-term data to secure, encrypted storage
  5. Document retention policy rationale

Compliance considerations

Align security hardening with regulatory requirements:

PCI DSS

  • Implement strong access control (Requirement 7, 8)
  • Encrypt data in transit (Requirement 4)
  • Maintain audit logs (Requirement 10)
  • Regular security testing (Requirement 11)

HIPAA

  • Access control and authentication (164.312(a))
  • Encryption and integrity controls (164.312(e))
  • Audit controls (164.312(b))
  • Transmission security (164.312(e)(1))

GDPR

  • Access control and authorization (Article 32)
  • Encryption of personal data (Article 32)
  • Ability to ensure confidentiality (Article 32)
  • Regular testing of security measures (Article 32)

Security checklist

Use this checklist to validate security hardening:
  • Default administrative credentials changed
  • SAML SSO configured with role-based access control
  • TLS 1.2+ configured for all communications
  • Valid certificates deployed with proper permissions
  • Certificate expiration monitoring implemented
  • Firewall rules restrict access to required ports only
  • Dashboard deployed in private network segment
  • Configuration files have restricted permissions
  • Secrets stored securely (not in configuration files)
  • Software update process documented and scheduled
  • Audit logging enabled and monitored
  • Backup procedures documented and tested
  • Saved objects reviewed for sensitive data
  • Notification channels secured
  • Data retention policies implemented
  • Security monitoring alerts configured

Troubleshooting

Certificate errors

  • Verify certificate paths in opensearch_dashboards.yml are correct
  • Check certificate file permissions (should be 400)
  • Validate certificate chain includes root CA
  • Confirm certificate has not expired
  • Verify hostname matches certificate CN or SAN

SAML authentication issues

  • Verify IdP metadata URL is accessible
  • Check exchange key configuration matches between components
  • Validate role mapping configuration
  • Review security plugin logs for SAML errors
  • Confirm callback URLs are whitelisted

Connection failures

  • Verify TLS configuration matches between dashboard and indexer
  • Check firewall rules allow required ports
  • Validate certificate verification mode settings
  • Test connectivity using curl or openssl commands
  • Review network security group or ACL configurations
  • Installation guide for initial certificate deployment procedures
  • Upgrade guide for maintaining security during updates
  • Backup and restore guide for securing configuration backups
  • Migration guide for security considerations during platform migrations

Build docs developers (and LLMs) love

Get started for freeTalk to us