Loading the security configuration

Prerequisites

In order to apply the minimal security configuration required to run Siren Investigate, you need:

  • The password of the elastic administrative user.

  • The bash and curl commands, plus kubectl access to the namespace where the ECK cluster runs.

ECK generates a random password for the elastic user during setup and stores it in a secret named <cluster name>-es-elastic-user. To get the password, fetch the secret and decode it with kubectl, for example:

kubectl -n siren get secret/siren-es-elastic-user -o go-template='{{.data.elastic | base64decode}}'

Initializing and configuring the roles

  1. Download the initialization scripts.

  2. Forward the cluster HTTP port to your machine, for example:

    kubectl -n siren port-forward service/siren-es-http 9200
  3. In a different terminal window, execute the initroles.sh script:

    bash initroles.sh
  4. When prompted, enter the following information:

    • Elasticsearch username: Press Enter.

    • Elasticsearch password: Enter the password of the elastic user.

    • Elasticsearch URL: Enter https://localhost:9200

    • Investigate index prefix: Press Enter.

    • Prefix for data indices managed through Investigate: Press Enter.

    • Index pattern matching indices readable by Investigate users: Press Enter.

    • curl flags: Enter -k to skip certificate validation. This is necessary because the certificate automatically generated by ECK does not list localhost as a valid hostname. Note that -k disables all TLS verification; it is acceptable here only because the traffic stays inside the kubectl port-forward to your own machine. Do not reuse -k against an Elasticsearch endpoint reached over a network.

      If the script is successful, you will see a list of replies from Elasticsearch to confirm the creation of the default roles, for example:

    Creating investigate_system role...
    {"role":{"created":true}}
    
    Creating federate_system role...
    {"role":{"created":true}}
    
    Creating investigate_user role
    {"role":{"created":true}}
    
    Creating investigate_admin role
    {"role":{"created":true}}
  5. Execute the initusers.sh script in the same way and, when prompted, enter the following information:

    • Elasticsearch username: Press Enter.

    • Elasticsearch password: Enter the password of the elastic user.

    • Elasticsearch URL: Enter https://localhost:9200

    • Password of sirenserver user: Enter a password for the sirenserver user. This is the user the Siren Investigate server itself authenticates with to Elasticsearch.

    • Password of federate user: Enter a password for the federate user. This user can be used by Siren Federate for internal operations on the cluster indices.

    • Password of sirenuser user: Enter a password for the sirenuser user. This user can be used to sign in to Siren Investigate with a reduced set of privileges, for testing.

    • Password of sirenadmin user: Enter a password for the sirenadmin user. This user can be used to sign in to Siren Investigate with administrative privileges.

    • curl flags: Enter -k to skip certificate validation, for the same reason as in the previous step.

      If the script is successful you will see a list of replies from Elasticsearch to confirm the creation of the users, for example:

    Creating sirenserver user
    {"created":true}
    
    Creating sirenadmin user
    {"created":true}
    
    Creating sirenuser user
    {"created":true}
    
    Creating federate system user
    {"created":true}
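The following script is an added example and is not part of Siren's initroles.sh or initusers.sh. After both scripts have run, it fetches the elastic password and the cluster CA from the ECK secrets, opens the port-forward, and confirms that the four roles and four users from the steps above actually exist. Instead of curl -k it trusts the ECK CA (stored in the secret <cluster name>-es-http-certs-public under the key ca.crt) and uses --resolve so that the service hostname in the certificate matches the forwarded localhost port. The namespace siren, the cluster name siren, and the assumption that ECK includes <cluster>-es-http.<namespace>.svc in the certificate's subject alternative names are all assumptions; check the latter with openssl s_client if in doubt. Also assumed: that the init scripts pass the "curl flags" answer through to curl unchanged, so the same flags could be entered at that prompt.

```shell
#!/usr/bin/env bash
# Added example, not Siren's own scripts: verify the roles and users created by
# initroles.sh / initusers.sh over a kubectl port-forward, validating TLS with
# the ECK CA instead of curl -k. Namespace, cluster name and the certificate
# SAN assumption are documented in the lead-in.
set -eu

NS="${NS:-siren}"          # assumption: namespace used on this page
CLUSTER="${CLUSTER:-siren}" # assumption: ECK cluster name
PORT=9200

# ECK secret names: <cluster>-es-elastic-user holds the elastic password,
# <cluster>-es-http-certs-public holds the HTTP CA under the key ca.crt.
elastic_secret() { printf '%s-es-elastic-user' "$1"; }
ca_secret()      { printf '%s-es-http-certs-public' "$1"; }

# Service DNS name assumed to be among the ECK certificate's SANs.
es_host() { printf '%s-es-http.%s.svc' "$1" "$2"; }

# curl flags that validate the ECK certificate over the port-forward: trust the
# cluster CA and pin the service hostname to 127.0.0.1, no -k needed.
curl_flags() { printf '%s %s %s %s:%s:127.0.0.1' --cacert "$1" --resolve "$2" "$3"; }

# True when a security API reply contains the named top-level object, e.g.
# GET _security/role/investigate_admin -> {"investigate_admin":{...}}.
# A missing role/user returns {} (and 404), which does not match.
has_entry() { case "$2" in *"\"$1\":{"*) return 0 ;; *) return 1 ;; esac; }

# True when a PUT reply reports creation: {"role":{"created":true}} for roles,
# {"created":true} for users. On a re-run Elasticsearch answers created:false,
# meaning the entry already existed and was updated, which is not an error.
created_ok() { case "$1" in *'"created":true'*) return 0 ;; *) return 1 ;; esac; }

main() {
  host=$(es_host "$CLUSTER" "$NS")
  pass=$(kubectl -n "$NS" get "secret/$(elastic_secret "$CLUSTER")" \
           -o go-template='{{.data.elastic | base64decode}}')
  kubectl -n "$NS" get "secret/$(ca_secret "$CLUSTER")" \
    -o go-template='{{index .data "ca.crt" | base64decode}}' > ca.crt

  kubectl -n "$NS" port-forward "service/${CLUSTER}-es-http" "$PORT" >/dev/null 2>&1 &
  pf=$!
  trap 'kill "$pf"' EXIT
  sleep 3   # give the port-forward a moment to come up

  flags=$(curl_flags ca.crt "$host" "$PORT")
  # -u puts the password in the process list; fine on a private workstation only.
  for role in investigate_system federate_system investigate_user investigate_admin; do
    reply=$(curl -s $flags -u "elastic:$pass" "https://$host:$PORT/_security/role/$role")
    has_entry "$role" "$reply" && echo "role $role: ok" || { echo "role $role: MISSING"; exit 1; }
  done
  for user in sirenserver federate sirenuser sirenadmin; do
    reply=$(curl -s $flags -u "elastic:$pass" "https://$host:$PORT/_security/user/$user")
    has_entry "$user" "$reply" && echo "user $user: ok" || { echo "user $user: MISSING"; exit 1; }
  done
}

# Run as: bash verify-siren-security.sh verify
case "${1:-}" in verify) main ;; esac
```

If a role or user is reported MISSING, re-run the corresponding init script; a reply of created:false on that re-run simply means the entry was updated in place.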

Next steps

To deploy Siren Investigate on Kubernetes, see Setting up Siren Investigate on Kubernetes.

For more information about ECK options and scenarios, refer to Elastic’s ECK documentation.