Siren Platform User Guide

Migrating the security settings from version 10.1.x to version 10.2.x

Search Guard and X-Pack roles have been renamed to reflect new action names. As a sirenadmin, you must update these roles.

Note

Siren Platform version 10.2.3 supports the use of Elasticsearch 6.8.0 and also Elasticsearch 6.5.4. The following procedure assumes Elasticsearch 6.8.0 is being used.

To upgrade from Siren Platform version 10.1.x with Elasticsearch 6.3.2 to Siren Platform version 10.2.3 with Elasticsearch 6.8.0, complete the following steps:

  1. Back up the Search Guard configuration from Elasticsearch 6.3.2 by running the following command from the Elasticsearch 6.3.2 home directory:

    ./plugins/search-guard-6/tools/sgadmin.sh \
      --retrieve \
      -cn siren-distribution \
      -ts config/truststore.jks \
      -tspass password \
      -ks ../siren-investigate/pki/searchguard/CN\=sgadmin-keystore.jks \
      -kspass password \
      -h localhost \
      -p 9330 \
      -nhnv
  2. Modify the sg_action_groups.yml and sg_roles.yml files. Ensure that all of the action groups and actions listed below are included; existing action groups and actions can be kept, and additional ones can be added.

    UNLIMITED:
    - "*"
    INDICES_ALL:
    - "indices:*"
    ALL:
    - "INDICES_ALL"
    MANAGE:
    - "indices:monitor/*"
    - "indices:admin/*"
    MONITOR:
    - MANAGE
    CREATE_INDEX:
    - "indices:admin/create"
    - "indices:admin/mapping/put"
    MANAGE_ALIASES:
    - "indices:admin/aliases*"
    INDICES_MONITOR:
    - "indices:monitor/*"
    DATA_ACCESS:
    - "indices:data/*"
    - "CRUD"
    WRITE:
    - "indices:data/write*"
    - "indices:admin/mapping/put"
    READ:
    - "indices:data/read*"
    VIEW_INDEX_METADATA:
    - "indices:admin/aliases/get"
    - "indices:admin/aliases/exists"
    - "indices:admin/get"
    - "indices:admin/exists"
    - "indices:admin/mappings/fields/get*"
    - "indices:admin/mappings/get*"
    - "indices:admin/mappings/federate/connector/get*"
    - "indices:admin/mappings/federate/connector/fields/get*"
    - "indices:admin/types/exists"
    - "indices:admin/validate/query"
    - "indices:monitor/settings/get"
    DELETE:
    - "indices:data/write/delete*"
    CRUD:
    - "READ"
    - "WRITE"
    SEARCH:
    - "indices:data/read/search*"
    - "indices:data/read/msearch*"
    - "indices:siren/plan*"
    - "indices:siren/mplan*"
    - "SUGGEST"
    SUGGEST:
    - "indices:data/read/suggest*"
    INDEX:
    - "indices:data/write/index*"
    - "indices:data/write/update*"
    - "indices:admin/mapping/put"
    - "indices:data/write/bulk*"
    GET:
    - "indices:data/read/get*"
    - "indices:data/read/mget*"
    CLUSTER_ALL:
    - "cluster:*"
    CLUSTER_MONITOR:
    - "cluster:monitor/*"
    CLUSTER_COMPOSITE_OPS_RO:
    - "indices:data/read/mget"
    - "indices:data/read/msearch"
    - "indices:data/read/mtv"
    - "indices:data/read/scroll*"
    - "indices:admin/template/get"
    CLUSTER_COMPOSITE_OPS:
    - "CLUSTER_COMPOSITE_OPS_RO"
    - "indices:data/write/bulk"
    - "indices:admin/template/put"
    CLUSTER_MANAGE:
    - CLUSTER_INTERNAL_FEDERATE
    - "cluster:admin/federate/*"
    - "indices:admin/aliases*"
    - "cluster:admin/ingest/*"
    CLUSTER_INTERNAL_FEDERATE:
    - "cluster:internal/federate/*"
  3. Modify the sg_roles.yml file to replace the roles federateserver, sirenserver, sirenadmin, sirenuser, logstash, and sg_all_access with the definitions below. Replace 'INDEX_NAME' with the actual index pattern name:

    federateserver:
      cluster:
      - "indices:admin/aliases"
      indices:
        '?siren-federate*':
          '*':
          - INDICES_ALL
    
    sirenserver:
      cluster:
        - "CLUSTER_COMPOSITE_OPS"
        - "CLUSTER_MANAGE"
        - "CLUSTER_MONITOR"
      indices:
        '?siren*':
          '*':
            - "INDICES_ALL"
        '?kibi*':
          '*':
            - "INDICES_ALL"
        'watcher*':
          '*':
            - READ
            - VIEW_INDEX_METADATA
            - MANAGE
            - WRITE
    
        INDEX_NAME:
          '*':
            - READ
            - VIEW_INDEX_METADATA
            - "indices:monitor/stats"
        '*':
          '*':
            - 'indices:admin/aliases/get'
    
    
    sirenuser:
      cluster:
      - "CLUSTER_COMPOSITE_OPS_RO"
      - "CLUSTER_INTERNAL_FEDERATE"
      indices:
        'INDEX_NAME':
          '*':
          - READ
          - VIEW_INDEX_METADATA
    
    sirenadmin:
      cluster:
      - CLUSTER_COMPOSITE_OPS
      - CLUSTER_MANAGE
      - CLUSTER_MONITOR
      indices:
        '?siren*':
          '*':
          - READ
          - MANAGE
          - WRITE
          - VIEW_INDEX_METADATA
        watcher_alarms*:
          '*':
          - READ
          - MANAGE
          - WRITE
          - VIEW_INDEX_METADATA
        watcher:
          '*':
          - READ
          - MANAGE
          - WRITE
          - VIEW_INDEX_METADATA
        'INDEX_NAME':    #Replace INDEX_NAME with actual index pattern name
          '*':
          - READ
          - VIEW_INDEX_METADATA
    
        'VIRTUAL_INDEX_NAME':    #Replace 'VIRTUAL_INDEX_NAME' with actual virtual index pattern name for JDBC connector
          '*':
          - READ
          - VIEW_INDEX_METADATA
          - MANAGE
          - WRITE
    
    sg_all_access:
      cluster:
      - "*"
      indices:
        '*':
          '*':
          - "*"
    
    logstash:
      cluster:
      - "indices:data/write/bulk*"
      - "indices:admin/template/*"
      - "CLUSTER_MONITOR"
      - "SIREN_CLUSTER"
      indices:
        '*beat*':
          '*':
          - "CRUD"
          - "CREATE_INDEX"
        logstash-*:
          '*':
          - "CRUD"
          - "CREATE_INDEX"
    
  4. Add the following actions to sirenalert. You can still keep the old actions:

    sirenalert:
      cluster:
      - CLUSTER_INTERNAL_FEDERATE
      - CLUSTER_COMPOSITE_OPS
      - CLUSTER_MONITOR
      indices:
        watcher_alarms*:
          '*':
          - INDICES_ALL
        watcher:
          '*':
          - INDICES_ALL
        '?siren':
          '*':
          - INDICES_ALL
        'INDEX_NAME':    #Replace INDEX_NAME with actual index pattern name
          '*':
          - READ
          - VIEW_INDEX_METADATA
          - 'indices:monitor/stats'
    
  5. Add a new role for reflection as shown below; it has no effect until a user is mapped to it:

    # Role for any user that should be able to use reflection
    reflection_user:
      cluster:
        - 'cluster:admin/federate/connector/ingestion/search'  # To fetch the list of ingestion configs
        - 'cluster:admin/federate/connector/ingestion/run'     # To manually trigger an ingestion
        - 'cluster:admin/federate/connector/jobs/abort'        # To abort a job
        - 'cluster:admin/federate/connector/ingestion/get'     # To fetch an ingestion config.
        - 'cluster:admin/federate/connector/ingestion/put'     # To create an ingestion config
        - 'cluster:admin/federate/connector/ingestion/delete'  # To delete an ingestion config
        - 'cluster:admin/federate/connector/datasource/sample' # To sample a SQL query
        - 'cluster:admin/ingest/pipeline/simulate'             # To test transform pipeline
        - 'cluster:admin/ingest/pipeline/put'                  # To put transform pipeline (Excel)
        - 'cluster:admin/ingest/pipeline/delete'               # To delete a transform pipeline (Excel) (We need to clear temporary pipelines after import)
      indices:
        'csv-*': # This can be limited to specific indices and such permissions would be regarded by Excel Import
          '*':
            - 'indices:admin/get'          # To check if an index already exists, if received 403 then user cannot use excel import on that index
            - 'indices:admin/create'       # Create an index (You may prevent it in case you want users to only append data to an existing index)
            - 'indices:admin/delete'       # Delete an index (You may prevent it, in case you don't want users deleting stuff)
            - 'indices:admin/mapping/put'  # Define mapping (You may prevent it in case you want users to only append to an existing index and modify mappings)
            - 'indices:data/write/index'   # To write docs
            - 'indices:data/write/bulk[s]' # To write docs
            - READ                         # To see field capabilities on data model page
            - VIEW_INDEX_METADATA          # Needed to create index patterns
        '?siren-excel-configs':
          '*':
            - 'indices:data/read/search'   # List saved configs
            - 'indices:data/write/index'   # Create a saved config
            - 'indices:data/write/bulk[s]' # Create a saved config
            - 'indices:data/read/get'      # Use a saved config
            - 'indices:data/write/delete'  # Delete a saved config
    

    For the other roles defined, replace SIREN_READONLY with:

          - READ
          - VIEW_INDEX_METADATA

    And replace SIREN_READWRITE with:

          - READ
          - WRITE
          - VIEW_INDEX_METADATA
          - MANAGE
    
  6. Edit sg_roles_mapping.yml and add the username of the siren administrator to the reflection role. Any user who wants to use ingestion can be added to this role:

    reflection_user:
      users:
      - "sirenadmin"
    
  7. Edit the sg_roles_mapping.yml file and add the username "sirenserver" to the sirenalert role. Any user who wants to use ingestion can be added to this role:

    sirenalert:
      users:
      - "sirenalert"
      - "sirenserver"
    
  8. Rename the files to sg_internal_users.yml, sg_config.yml, sg_action_groups.yml, sg_roles.yml, and sg_roles_mapping.yml and copy them into the /ES6.8.0/config/sgconfig folder.

  9. Stop Elasticsearch version 6.3.2.

  10. Start Elasticsearch version 6.8.0.

  11. Restore the Search Guard configuration on Elasticsearch version 6.8.0 by running the sgadmin command from the Elasticsearch 6.8.0 home directory:

    bash plugins/search-guard-6/tools/sgadmin.sh \
      -cd config/sgconfig \
      -cn siren-distribution \
      -ts config/truststore.jks \
      -tspass password \
      -ks ../siren-investigate/pki/searchguard/CN\=sgadmin-keystore.jks \
      -kspass password \
      -h localhost \
      -p 9330 \
      -nhnv
    
  12. Modify the investigate.yml file by adding the following parameters under the investigate_access_control section:

    acl:
        enabled: true
        index: .sirenaccess
    admin_role: sirenadmin
    
  13. Modify the investigate.yml file by adding the following parameters under the sentinl section to include the user_role as sirenalert:

    sentinl:
        app_name: 'Siren Alert'
        user_role: sirenalert
    
  14. Finally, in the sentinl section of the investigate.yml file, add the following settings:

    sentinl:
        es:
          ignore_unavailable: true
          allow_no_indices: true
    
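Before restoring the configuration in step 11, it is worth checking that every action group a role references is actually defined in sg_action_groups.yml (a leftover SIREN_READONLY or SIREN_READWRITE, or the SIREN_CLUSTER group that the logstash role above references but step 2 never defines) and that no INDEX_NAME placeholder survived the edits. The following Python script is an added example, not part of Siren's or Search Guard's tooling; it mirrors a subset of the action groups and two of the roles above as Python dicts (constructed here so it runs without a YAML parser), resolves nested groups to concrete action patterns, and reports undefined groups and unreplaced placeholders.

```python
from typing import Dict, List, Optional, Set

# Subset of the step 2 action groups, constructed here as dicts so the example needs no YAML parser.
ACTION_GROUPS: Dict[str, List[str]] = {
    "READ": ["indices:data/read*"],
    "WRITE": ["indices:data/write*", "indices:admin/mapping/put"],
    "CRUD": ["READ", "WRITE"],
    "CREATE_INDEX": ["indices:admin/create", "indices:admin/mapping/put"],
    "VIEW_INDEX_METADATA": ["indices:admin/aliases/get", "indices:admin/get"],
    "CLUSTER_MONITOR": ["cluster:monitor/*"],
    "CLUSTER_COMPOSITE_OPS_RO": ["indices:data/read/msearch", "indices:data/read/scroll*"],
}
PLACEHOLDERS = {"INDEX_NAME", "VIRTUAL_INDEX_NAME"}
# Two step 3 roles mirrored as dicts: logstash references SIREN_CLUSTER, which step 2
# never defines, and sirenuser still carries the INDEX_NAME placeholder.
LOGSTASH = {"cluster": ["indices:data/write/bulk*", "CLUSTER_MONITOR", "SIREN_CLUSTER"],
            "indices": {"logstash-*": {"*": ["CRUD", "CREATE_INDEX"]}}}
SIRENUSER = {"cluster": ["CLUSTER_COMPOSITE_OPS_RO"],
             "indices": {"INDEX_NAME": {"*": ["READ", "VIEW_INDEX_METADATA"]}}}


def expand(perm: str, groups: Dict[str, List[str]], seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve a permission to concrete action patterns, following nested groups
    (CRUD -> READ/WRITE). An undefined group raises KeyError; `seen` breaks cycles."""
    if ":" in perm or perm == "*":   # already a concrete Elasticsearch action pattern
        return {perm}
    seen = set() if seen is None else seen
    if perm in seen:
        return set()
    seen.add(perm)
    resolved: Set[str] = set()
    for item in groups[perm]:        # KeyError here means the group is undefined
        resolved |= expand(item, groups, seen)
    return resolved


def lint_role(role: dict, groups: Dict[str, List[str]]) -> List[str]:
    """Report undefined action groups and index-name placeholders left in a role."""
    findings: List[str] = []

    def check(perm: str, where: str) -> None:
        try:
            expand(perm, groups)
        except KeyError as err:
            findings.append(f"undefined action group {err.args[0]} in {where}")

    for perm in role.get("cluster", []):
        check(perm, "cluster")
    for pattern, by_type in role.get("indices", {}).items():
        if pattern in PLACEHOLDERS:
            findings.append(f"placeholder {pattern} not replaced")
        for perms in by_type.values():
            for perm in perms:
                check(perm, f"indices {pattern}")
    return findings
```

Expanding a role's index permissions with expand() also gives a quick least-privilege check, for example confirming that sirenuser's INDEX_NAME grant resolves to no indices:data/write pattern.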

If further ingestion setup is required, please refer to the following document: Security setup.