Elastic Security

  • Mayank from YOUnite is working on Elastic + Security technology discovery.

    • Kevin and Richard to team up with Mayank to create a Custom Realm to enable auto-login

  • We want to limit the scope of what a zone user can see in Logstash to their zone and the zones they have permission to.

  • Mayank has ELK running locally.

    • He has Elastic Stack + X-Pack (latest versions) running locally and will update our docker containers accordingly

  • He has added a Shield plugin (now X-Pack Security) for security – the pricing is unclear (Mark TODO).

    • Configuration

      • config/elasticsearch.yml

  • He is able to add rules to Shield (now Security)

  • Security - User/role mapping.

    • Elastic user

      • config/elasticsearch/shield/users

        • Create a user for each zone

      • config/elasticsearch/shield/roles.yaml

        • Define a role for a zone

      • config/elasticsearch/shield/user_roles

        • Map users to roles

      • config/elasticsearch/shield/role_mapping.yaml

        • Create groups of users

    • Security user

      • POST API call for creating users for Kibana and Logstash

        • We can store the creds for the zone and any zone user with log zone settings == true can access the logs tied to the user/role

    • Mayank: He can create a shield user via the API so it is feasible to add that to our POST /zone

    • Can we create an access token for the zone so the UI user can select a button?

    • Logstash profile – will capture entries based on zone-uuid – zone-uuid is stored in configuration

  • Do we create one log or one log for each user?

    • One log with zone-uuid 

  • HTTPS only

  • logstash.conf – set filters here

  • ELK security between services (Elasticsearch, Logstash, Kibana and Shield) is Basic Auth/SSL - Shield adds an encryption key

  • BIG ISSUE: Can shield user login to Kibana w/o knowing username/password (stored in zone table)

    • Put creds in HTTP header

  • BIG ISSUE: Enforce filters so shield user can only see log entries tied to their zone
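Added example (not YOUnite code, and not from the notes above) tying together the user/role mapping bullets and the last BIG ISSUE: instead of hand-editing users / roles.yaml / user_roles per zone, the POST /zone handler can create one role and one user per zone through the X-Pack Security REST API, and the role carries a document-level security (DLS) query on the zone-uuid field so the zone user can only read log entries stamped with its own zone-uuid. Assumptions: X-Pack Security 5.x/6.x endpoints (PUT /_xpack/security/role/<name>, PUT /_xpack/security/user/<name>), an index pattern logstash-*, a document field named "zone-uuid", the hostname in BASE_URL, and the naming scheme for the role and user; all of these are placeholders, not values from the notes.

```python
"""Provision a per-zone Elasticsearch role + user with a DLS filter.

Added example, not YOUnite's code. Assumptions (placeholders, not from the
notes): X-Pack Security 5.x/6.x REST paths, BASE_URL, index pattern
logstash-*, a "zone-uuid" field on every log document, and the zone_*/zone-*
naming scheme for roles and users.
"""
import base64
import json
import urllib.request

BASE_URL = "https://elasticsearch.example.internal:9200"  # assumed host (HTTPS only)
LOG_INDEX_PATTERN = "logstash-*"                          # assumed Logstash index pattern
ZONE_FIELD = "zone-uuid"                                  # field Logstash stamps on each entry


def zone_role_name(zone_uuid: str) -> str:
    """Role name derived from the zone UUID (naming scheme is an assumption)."""
    return "zone_" + zone_uuid.replace("-", "_")


def zone_user_name(zone_uuid: str) -> str:
    """User name derived from the zone UUID (naming scheme is an assumption)."""
    return "zone-" + zone_uuid


def dls_query_for(zone_uuid: str) -> dict:
    """Document-level security filter: only documents whose zone-uuid matches."""
    return {"term": {ZONE_FIELD: zone_uuid}}


def build_zone_role(zone_uuid: str) -> dict:
    """Read-only role on the log indices, restricted by the DLS query.

    The same fields (indices / privileges / query) are what would go into a
    roles.yaml entry; here the definition is sent through the API instead.
    view_index_metadata is needed so Kibana can build its index pattern.
    """
    return {
        "cluster": [],
        "indices": [
            {
                "names": [LOG_INDEX_PATTERN],
                "privileges": ["read", "view_index_metadata"],
                "query": json.dumps(dls_query_for(zone_uuid)),
            }
        ],
    }


def build_zone_user(zone_uuid: str, password: str) -> dict:
    """One user per zone, mapped to that zone's role (user -> role mapping).

    kibana_user (built-in) only lets the account use Kibana; it grants no
    access to log data, so the zone role alone decides what is visible.
    """
    return {
        "password": password,
        "roles": [zone_role_name(zone_uuid), "kibana_user"],
        "full_name": "Log viewer for zone " + zone_uuid,
    }


def _put_json(url: str, body: dict, admin_user: str, admin_password: str) -> dict:
    """PUT a JSON body with HTTP Basic auth (the admin account creating users)."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def provision_zone(zone_uuid: str, password: str, admin_user: str,
                   admin_password: str, put=_put_json) -> str:
    """Create the role first, then the user, and return the new user name.

    Role before user so the account never exists without its zone filter.
    `put` is injectable so the sequence can be exercised without a cluster.
    """
    role_url = f"{BASE_URL}/_xpack/security/role/{zone_role_name(zone_uuid)}"
    user_url = f"{BASE_URL}/_xpack/security/user/{zone_user_name(zone_uuid)}"
    put(role_url, build_zone_role(zone_uuid), admin_user, admin_password)
    put(user_url, build_zone_user(zone_uuid, password), admin_user, admin_password)
    return zone_user_name(zone_uuid)


if __name__ == "__main__":
    # Dry run: print the two request bodies for a constructed zone UUID.
    demo_zone = "11111111-2222-3333-4444-555555555555"  # constructed sample value
    print(json.dumps(build_zone_role(demo_zone), indent=2))
    print(json.dumps(build_zone_user(demo_zone, "<generated-password>"), indent=2))
```

The filter is only as good as the stamping: every document Logstash writes must carry the zone-uuid field (the logstash.conf filter from the notes), or it will be invisible to every zone role rather than leaking, which is the safe failure mode. A zone with access to several zones would get a role whose DLS query is a terms query over the permitted UUIDs instead of a single term. The stored per-zone password is what the Custom Realm / auto-login work would later replace; until then it is what the header-based Kibana login would carry.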