Integrating Elastic Stack security
To use Siren Investigate with an Elasticsearch cluster having Elastic Stack security features enabled, you must create the following roles:
investigate_system: a role that allows Investigate to store user generated content.
investigate_admin: a role that designates users with administrative privileges on an Investigate installation.
investigate_user: a role that designates users with read access to specific indices.
federate_system: a role used by the Siren Federate plugin to perform privileged operations in the cluster.
Two sample bash scripts to quickly initialize an Elasticsearch installation are provided below:
The script provided for the Platinum subscription enables Document level security on indices managed by Siren Investigate and grants the Siren Investigate user the privileges required to support OpenID Connect.
Both scripts requires a working
curl command on your system.
To use the script, download the version for your subscription and execute it as follows:
You will be asked to provide the following information:
Elasticsearch username: the username of an Elasticsearch user with administrative privileges (defaults to
Elasticsearch password: the password of the Elasticsearch user in the previous step (defaults to
Elasticsearch URL: the URL of your Elasticsearch cluster (defaults to
Investigate index prefix: the prefix on Investigate indices (defaults to
Index pattern readable by Investigate users: an index pattern matching indices that will be readable by users having the
curl flags: any custom curl flag that should be set in requests to Elasticsearch (for example
-kto ignore validation of private CA certificates or
--cacert <ca.pem file>to validate certificates signed by a private CA)
Once the roles have been created, you’ll need to create two system users:
sirenserver: a user with the
federate: a user with the
When evaluating Siren, we recommend creating at least two additional end users, one with administrative privileges on the Investigate installation:
sirenadmin: a user with the
sirenuser: a user with the
A script to create all of the above users is available at initusers.sh.
To use the script, download it and execute:
Once the users have been created,
investigate.yml will have to be
modified as follows:
the credentials of the
sirenserver user, for example:
elasticsearch.username: sirenserver elasticsearch.password: password
If HTTPS is enabled for the Elasticsearch REST API, ensure
elasticsearch.url setting contains a URL starting with
https, for example:
If the certificate is not signed by a public authority, you
will also need to set the
the path of the CA chain bundle in PEM format, for example:
To enable certificate verification, set
full, for example:
Set the backend parameter of the
section of the
investigate_access_control: admin_role: investigate_admin enabled: true backend: xpack acl: enabled: true cookie: secure: true password: '12345678123456781234567812345678'
If you are running Siren Investigate with https disabled, remember to set
After restarting Siren Investigate you should be able to login as
using the password set previously.