Security research on XPack settings for ES,LogSta & Kib

Elastic Stack Elasticsearch
1

I am conducting a research on the recommended XPack parameters and their settings after i install it for version 6.2. I made this list based on the study i have done so far. My objective is to compile a list in order to harden a stack. Additionally looking for the best practices when it comes to the parameter settings for ElasticSearch,Kibana and Logstash.Any help appreciated

File Parameter Value
elasticsearch.yml xpack.security.enabled "TRUE"
xpack.security.hide_settings <Variable. Needs to be customized to include
Directory Service-related Settings.>
xpack.security.authc.accept_default_password "FALSE"
xpack.security.authc.anonymous.* <The Scan needs to check for this string's absense.
If present, they must have no Values attached.>
xpack.security.dls_fls.enabled "TRUE"
xpack.security.authc.token.enabled "TRUE"
xpack.ssl.client_authentication REQUIRED
xpack.ssl.verification_mode CERTIFICATE
kibana.yml xpack.security.enabled "TRUE"
xpack.security.sessionTimeout <Variable. Needs to be defined and customized.>

xpack.graph.enabled Set to false to disable X-Pack graph features. Configure in both elasticsearch.yml and kibana.yml.
xpack.ml.enabled Set to false to disable X-Pack machine learning features. Configure in both elasticsearch.yml and kibana.yml.
xpack.monitoring.enabled Set to false to disable X-Pack monitoring features. Configure in elasticsearch.yml, kibana.yml, and logstash.yml.
xpack.reporting.enabled Set to false to disable X-Pack reporting features. Configure in kibana.yml only.
xpack.security.enabled Set to false to disable X-Pack security features. Configure in both elasticsearch.yml and kibana.yml.
xpack.watcher.enabled Set to false to disable Watcher. Configure in elasticsearch.yml only.
2

Hi Kaustav,

Good to see you taking steps to harden the stack.

It depends on your environment and what features you are using, what license you have etc.

There are a lot of security knobs that you can use to make es stack more secure. We would recommend going through the documentation for more details. Look out for the annotations like Note: Important: and dig deep further to understand the implications of setting them.

For example, you have xpack.ssl.verification_mode and the value you have chosen is certificate. If you look at the documentation: TLS Settings - xpack.ssl.verification_mode , you will see that to be more secure you would want to use full instead of certificate because certificate does not perform hostname verification.

This was just an example and depending on what realm you are using and what environment you are you may need to visit all the settings for that realm/feature etc to understand right settings. Focus more on what you are using in the system and then look through documentation to add more security.

There are some configurations which may not be listed under security settings but they are important like action.destructive_requires_name: true to eliminate accidental mass deletion of indices and I think a careful analysis of your deployment and requirement is the way to go forward. If you need any help understanding settings we are here.

Thanks and Regards,
Yogesh Gaikwad

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.