Securing the Elastic Stack

Size: px

Start display at page:

Download "Securing the Elastic Stack"

Christal Simmons
6 years ago
Views:

1 Securing the Elastic Stack Jay Modi, Security Software Engineer Tim Vernum, Security Software Engineer Elastic March

2 Authentication

3 Who are you? 3

4 Built-in Users elastic kibana logstash_system 4

5 Default Passwords Elasticsearch 5.x changeme please? Setup Passwords New utility in Elasticsearch 6.x Auto or Interactive modes 5

6 How does setup-passwords access my cluster before I ve setup the passwords? 6

7 7 Authentication on Docker

8 8 The elastic user is a superuser

9 Native Realm Kibana Management UI Elasticsearch Rest API 9

10 File Realm Elasticsearch Elasticsearch Elasticsearch X-Pack X-Pack X-Pack Users Users Users 10

11 Other Realms More Authentication Options for X-Pack LDAP & Active Directory PKI (TLS client certificates) Custom Realms 11

12 SAML Security Assertion Markup Language a.k.a More XML than you ever wanted to deal with. 12

13 SAML Why should you care? The Elastic Stack never sees your password You have control over your security policies Network controls MFA Password policies / expiry Password reset Lots of options for Identity Providers 13

14 SAML authentication is only usable in Kibana. 14

15 Authentication What s coming up? Kerberos OAuth2 Changes to Custom Realms 15

16 Authorization

17 Can you really do that? 17

18 18

19 19 superuser root superuser Administrators

20 Role Mapping API { "roles": [ "superuser" ], "enabled": true, "rules": { "any": [ { "field": { "username": "esadmin" } }, { "field": { "groups": "cn=admins,dc=example,dc=com" } } ] } } 20

21 Attribute Based Access Control (ABAC) Authorization Rules 21

22 Attribute Based Access Control Example role { "indices": [{ "names": ["my_index"], "privileges": ["read"], "query": { "template": { "source": "{\"bool\": {\"filter\": [{\"terms_set\": {\"security_attributes\": {\"terms\": {{#tojson}} _user.metadata.security_attributes{{/tojson}},\"minimum_should_match_script\":{\"source\":\"params.num_terms\"}}}}]}}" } } }] } 22

23 Dashboard Only Mode 23

24 Coming Soon to a Stack Near You Finer Grained Privileges Kibana Access Controls 24

25 Auditing

26 Audit Log Filters Example filter policy xpack.security.audit.logfile.events.ignore_filters: example1: users: ["kibana", "admin_user"] indices: ["app-logs*"] 26

27 Filebeat Module for Audit Logs Audit Logs Filebeat Elasticsearch 27 Kibana

28 SSL / TLS

29 Transport Layer Security TLS is available across the stack Elasticsearch (X-Pack) Kibana Logstash Beats APM 29

30 Transport Layer Security Common Configuration Options elasticsearch.ssl.certificate: /path/to/kibana/client.crt elasticsearch.ssl.key: /path/to/kibana/client.key elasticsearch.ssl.certificateauthorities: /path/to/es/ca.crt elasticsearch.ssl.verificationmode: full 30

31 Mandatory TLS in Elasticsearch 6.x 31

32 Mandatory TLS Cluster Security requires Cluster Trust 32

33 Mandatory TLS Required for the transport interface (i.e. within your cluster) Recommended for HTTP interface (Rest API) Required if you use SAML 33

34 Mandatory TLS New certutil tool for generating certificates Defaults to PKCS#12 We want to keep improving the tooling 34

35 Storing Secrets

36 Secret Stores What s available today? Keystore/Secret Store available across the stack: Elasticsearch (5.2), Kibana (6.1), Logstash, Beats, APM (6.2) Gets those passwords out of clear text configuration files. 36

37 Secret Stores What s coming? Encrypted Keystores Reloadable Keystores (Elasticsearch) Possible integration with external tools 37

38 Cross Cluster Search Security Trust between clusters using TLS Elasticsearch Elasticsearch Elasticsearch Kibana

39 Painless Scripting language designed to be secure from the start POST hockey/player/_update_by_query { "script": { "lang": "painless", "source": "ctx._source.last = ctx._source.last.replaceall(/[aeiou]/, m -> m.group().touppercase(locale.root))" } } 39

40 Secure Runtime Environment Java Security Manager Seccomp Content Security Policy 40

41 More Questions? Visit us at the AMA or BoF: Elastic Stack Authentication 11:30 Today, Foothill G2 41

43 Please attribute Elastic with a link to elastic.co Except where otherwise noted, this work is licensed under Creative Commons and the double C in a circle are registered trademarks of Creative Commons in the United States and other countries. Third party marks and brands are the property of their respective holders. 43

E l a s t i c s e a r c h F e a t u r e s. Contents

E l a s t i c s e a r c h F e a t u r e s. Contents Elasticsearch Features A n Overview Contents Introduction... 2 Location Based Search... 2 Search Social Media(Twitter) data from Elasticsearch... 4 Query Boosting in Elasticsearch... 4 Machine Learning