Siren Platform User Guide

Migrating the security settings from version 10.1.x to version 10.2.x

Search Guard and X-Pack roles have been renamed to reflect new action names. As a sirenadmin, you must update these roles.

Note

Siren Platform version 10.2.3 supports the use of Elasticsearch 6.8.0 and also Elasticsearch 6.5.4. The following procedure assumes Elasticsearch 6.8.0 is being used.

To upgrade from Siren Platform version 10.1.x with Elasticsearch 6.3.2 to Siren Platform version 10.2.3 with Elasticsearch 6.8.0, complete the following steps:

  1. Back up the Search Guard configuration from Elasticsearch 6.3.2 by running the following command from the Elasticsearch 6.3.2 home directory:

    ./plugins/search-guard-6/tools/sgadmin.sh \
  --retrieve \
  -cn siren-distribution \
  -ts config/truststore.jks \
  -tspass password \
  -ks ../siren-investigate/pki/searchguard/CN\=sgadmin-keystore.jks \
  -kspass password \
  -h localhost \
  -p 9330 \
  -nhnv

  2. Modify the sg_action_groups.yml and sg_roles.yml files. Ensure that all action groups as well as the actions listed below are included. Existing action groups and actions can be kept or added.

    UNLIMITED:
- "*"
INDICES_ALL:
- "indices:*"
ALL:
- "INDICES_ALL"
MANAGE:
- "indices:monitor/*"
- "indices:admin/*"
MONITOR:
- MANAGE
CREATE_INDEX:
- "indices:admin/create"
- "indices:admin/mapping/put"
MANAGE_ALIASES:
- "indices:admin/aliases*"
INDICES_MONITOR:
- "indices:monitor/*"
DATA_ACCESS:
- "indices:data/*"
- "CRUD"
WRITE:
- "indices:data/write*"
- "indices:admin/mapping/put"
READ:
- "indices:data/read*"
VIEW_INDEX_METADATA:
- "indices:admin/aliases/get"
- "indices:admin/aliases/exists"
- "indices:admin/get"
- "indices:admin/exists"
- "indices:admin/mappings/fields/get*"
- "indices:admin/mappings/get*"
- "indices:admin/mappings/federate/connector/get*"
- "indices:admin/mappings/federate/connector/fields/get*"
- "indices:admin/types/exists"
- "indices:admin/validate/query"
- "indices:monitor/settings/get"
DELETE:
- "indices:data/write/delete*"
CRUD:
- "READ"
- "WRITE"
SEARCH:
- "indices:data/read/search*"
- "indices:data/read/msearch*"
- "indices:siren/plan*"
- "indices:siren/mplan*"
- "SUGGEST"
SUGGEST:
- "indices:data/read/suggest*"
INDEX:
- "indices:data/write/index*"
- "indices:data/write/update*"
- "indices:admin/mapping/put"
- "indices:data/write/bulk*"
GET:
- "indices:data/read/get*"
- "indices:data/read/mget*"
CLUSTER_ALL:
- "cluster:*"
CLUSTER_MONITOR:
- "cluster:monitor/*"
CLUSTER_COMPOSITE_OPS_RO:
- "indices:data/read/mget"
- "indices:data/read/msearch"
- "indices:data/read/mtv"
- "indices:data/read/scroll*"
- "indices:admin/template/get"

CLUSTER_COMPOSITE_OPS:

- "CLUSTER_COMPOSITE_OPS_RO"
- "indices:data/write/bulk"
- "indices:admin/template/put"
CLUSTER_MANAGE:
- CLUSTER_INTERNAL_FEDERATE
- "cluster:admin/federate/*"
- "indices:admin/aliases*"
- "cluster:admin/ingest/*"
CLUSTER_INTERNAL_FEDERATE:
- "cluster:internal/federate/*"

  3. Modify the sg_roles.yml file to replace the roles federateserver, sirenserver, sirenadmin, sirenuser, logstash, and sg_all_access as below. 'INDEX_NAME' must be replaced with the right index pattern name:

    federateserver:
  cluster:
  - "indices:admin/aliases"
  indices:

   '?siren-federate*':
      '*':
      - INDICES_ALL

sirenserver:
  cluster:
    - "CLUSTER_COMPOSITE_OPS"
    - "CLUSTER_MANAGE"
    - "CLUSTER_MONITOR"
  indices:
    '?siren*':
      '*':
        - "INDICES_ALL"
    '?kibi*':
      '*':
        - "INDICES_ALL"
    'watcher*':
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - MANAGE
        - WRITE

    INDEX_NAME:
      '*':
        - READ
        - VIEW_INDEX_METADATA
        - "indices:monitor/stats"
    '*':
      '*':
        - 'indices:admin/aliases/get'


sirenuser:
  cluster:
  - "CLUSTER_COMPOSITE_OPS_RO"
  - "CLUSTER_INTERNAL_FEDERATE"
  indices:
    'INDEX_NAME':
      '*':
      - READ
      - VIEW_INDEX_METADATA

sirenadmin:
  cluster:
  - 
  - CLUSTER_COMPOSITE_OPS
  - CLUSTER_MANAGE
  - CLUSTER_MONITOR
  indices:
    '?siren*':
      '*':
      - READ
      - MANAGE
      - WRITE
      - VIEW_INDEX_METADATA
    watcher_alarms*:
      '*':
      - READ
      - MANAGE
      - WRITE
      - VIEW_INDEX_METADATA
    watcher:
      '*':
      - READ
      - MANAGE
      - WRITE
      - VIEW_INDEX_METADATA
    'INDEX_NAME':    #Replace INDEX_NAME with actual index pattern name
      '*':
      - READ
      - VIEW_INDEX_METADATA

    'VIRTUAL_INDEX_NAME':    #Replace 'VIRTUAL_INDEX_NAME' with actual virtual index pattern name for JDBC connector
      '*':
      - READ
      - VIEW_INDEX_METADATA
      - MANAGE
      - WRITE

sg_all_access:
  cluster:
  - "*"
  indices:
    '*':
      '*':
      - "*"

logstash:
  cluster:
  - "indices:data/write/bulk*"
  - "indices:admin/template/*"
  - "CLUSTER_MONITOR"
  - "SIREN_CLUSTER"
  indices:
    '*beat*':
      '*':
      - "CRUD"
      - "CREATE_INDEX"
    logstash-*:
      '*':
      - "CRUD"
      - "CREATE_INDEX"

  4. Add the following actions to sirenalert. You can still keep the old actions:

    sirenalert:
  cluster:
  - CLUSTER_INTERNAL_FEDERATE 
  - CLUSTER_COMPOSITE_OPS
  - CLUSTER_MONITOR

  watcher_alarms*:
    '*':
      - INDICES_ALL

  watcher:
    '*':
      - INDICES_ALL

  '?siren':
    '*':
      - INDICES_ALL
 'INDEX_NAME':
    '*':
      - READ
      - VIEW_INDEX_METADATA
      - 'indices:monitor/stats'

  5. Add a new role for reflection as below; this will not be used until the user is mapped to this role:

    # Role for any user that should be able to use reflection
reflection_user:
  cluster:
    - 'cluster:admin/federate/connector/ingestion/search'  # To fetch the list of ingestion configs
    - 'cluster:admin/federate/connector/ingestion/run'     # To manually trigger an ingestion
    - 'cluster:admin/federate/connector/jobs/abort'        # To abort a job
    - 'cluster:admin/federate/connector/ingestion/get'     # To fetch an ingestion config.
    - 'cluster:admin/federate/connector/ingestion/put'     # To create an ingestion config
    - 'cluster:admin/federate/connector/ingestion/delete'  # To delete an ingestion config
    - 'cluster:admin/federate/connector/datasource/sample' # To sample a SQL query
    - 'cluster:admin/ingest/pipeline/simulate'             # To test transform pipeline
    - 'cluster:admin/ingest/pipeline/put'                  # To put transform pipeline (Excel)
    - 'cluster:admin/ingest/pipeline/delete'               # To delete a transform pipeline (Excel) (We need to clear temporary pipelines after import)
  indices:
    'csv-*': # This can be limited to specific indices and such permissions would be regarded by Excel Import
      '*':
        - 'indices:admin/get'          # To check if an index already exists, if received 403 then user cannot use excel import on that index
        - 'indices:admin/create'       # Create an index (You may prevent it in case you want users to only append data to an existing index)
        - 'indices:admin/delete'       # Delete an index (You may prevent it, in case you don't want users deleting stuff)
        - 'indices:admin/mapping/put'  # Define mapping (You may prevent it in case you want users to only append to an existing index and modify mappings)
        - 'indices:data/write/index'   # To write docs
        - 'indices:data/write/bulk[s]' # To write docs
        - READ                         # To see field capabilities on data model page
        - VIEW_INDEX_METADATA          # Needed to create index patterns
    '?siren-excel-configs':
      '*':
        - 'indices:data/read/search'   # List saved configs
        - 'indices:data/write/index'   # Create a saved config
        - 'indices:data/write/bulk[s]' # Create a saved config
        - 'indices:data/read/get'      # Use a saved config
        - 'indices:data/write/delete'  # Delete a saved config

    For the other roles defined, replace SIREN_READONLY with:

          - READ
      - VIEW_INDEX_METADATA

    And replace SIREN_READWRITE with:

          - READ
      - WRITE
      - VIEW_INDEX_METADATA
      - MANAGE

  6. Edit sg_roles_mapping.yml and add the username of the siren administrator to the reflection role. Any user who wants to use ingestion can be added to this role:

    reflection_user:
  users:
  - "sirenadmin"

  7. Edit the sg_roles_mapping.yml file and add the username “sirenserver” to the sirenalert role. Any user who wants to use ingestion can be added to this role:

    sirenalert:
  users:
  - "sirenalert"
  - "sirenserver"

  8. Rename the files to sg_internal_users.yml, sg_config.yml, sg_action_groups.yml, sg_roles.yml, and sg_roles_mapping.yml and copy them into the /ES6.8.0/config/sgconfig folder.

  9. Stop Elasticsearch version 6.3.2.

  10. Start Elasticsearch version 6.8.0.

  11. Restore the Search Guard configuration on Elasticsearch version 6.8.0 by running the sgadmin command from the Elasticsearch 6.8.0 home directory:

    bash plugins/search-guard-6/tools/sgadmin.sh \
  -cd config/sgconfig \
  -cn siren-distribution \
  -ts config/truststore.jks \
  -tspass password \
  -ks ../siren-investigate/pki/searchguard/CN\=sgadmin-keystore.jks \
  -kspass password \
  -h localhost \
  -p 9330 \
  -nhnv

  12. Modify the investigate.yml file by adding the following parameters under the investigate_access_control section:

    acl:
    enabled: true
    index: .sirenaccess
admin_role: sirenadmin

  13. Modify the investigate.yml file by adding the following parameters under the sentinl section to include the user_role as sirenalert:

    sentinl:
    app_name: 'Siren Alert'
    user_role: sirenalert

  14. Finally, in the sentinl section of the investigate.yml file, add the following settings:

    sentinl:
    es:
      ignore_unavailable: true
      allow_no_indices: true

If further ingestion setup is required, please refer to the following document: Security setup.

In this section: