1. Role-Based Access Control (RBAC) #
- Purpose: Control who can read, write, or manage indices.
- Configuration Steps:
  - Define roles, each listing the cluster privileges and the index privileges it grants. Roles can be file-based (an entry in roles.yml on every node) or native (created through the Role API or Kibana Stack Management); file-based roles cannot be edited from Kibana.
  - Assign roles to users: for file-realm users in the users_roles file (managed with bin/elasticsearch-users), for native users through the Kibana interface or the User API. Give Argus its own user with only the roles it needs rather than the elastic superuser.
2. Index Permissions #
- Purpose: Limit each role to specific index patterns and to specific privileges on them.
- Configuration Steps:
  - In each role definition, list the index patterns the role may touch and the privileges it gets on them (e.g., read, write, manage). Privileges apply to every index matching the pattern, so keep patterns as narrow as the data layout allows.
  - Example (roles.yml):
      my_role:
        cluster: [ "all" ]
        indices:
          - names: [ "argus-alerts-*", "my-secure-index" ]
            privileges: [ "read", "write" ]
  - Caveat: cluster: [ "all" ] grants every cluster-level privilege, including managing users, roles, snapshots and settings, which an index-scoped role does not need. Use the smallest cluster privilege the client actually requires (often "monitor", or none at all), and add manage on an index pattern only if the role must create or delete those indices.
3. Index Templates #
- Purpose: Apply a known mapping and settings to every new index that matches a pattern, so that security controls can rely on a stable schema.
- Configuration Steps:
  - Create an index template for the sensitive index patterns. A mapping does not restrict access by itself; it pins the field name and type so that field-level security (field_security in a role) and document-level security queries can reference the field reliably. Setting "dynamic": "strict" in the mapping additionally rejects documents that introduce unexpected fields, and index settings such as index.lifecycle.name (section 5) belong in the same template.
  - Example (composable index template; the legacy PUT _template API is deprecated):
      PUT _index_template/my_secure_template
      {
        "index_patterns": ["secure-*"],
        "template": {
          "mappings": {
            "properties": {
              "sensitive_data": { "type": "keyword" }
            }
          }
        }
      }
4. Audit Logging #
- Purpose: Record who accessed which indices, and whether the request was allowed, so that misuse can be detected and investigated.
- Configuration Steps:
  - Enable audit logging in elasticsearch.yml on every node; the setting is node-local and takes effect on restart. Events are written as JSON, one object per line, to <clustername>_audit.json in the logs directory, with the index names in the indices field and the requested operation in the action field.
  - Choose which event types to record. xpack.security.audit.logfile.events.include replaces the default list (access_denied, authentication_failed, connection_denied, tampered_request and others) rather than extending it, so list every event type you want; an include list of only access_granted and access_denied would silently stop logging failed authentications. access_granted records every authorized request and is very high-volume, so enable it only where the storage is available or trim it with xpack.security.audit.logfile.events.ignore_filters.
  - Example (elasticsearch.yml):
      xpack.security.audit.enabled: true
      xpack.security.audit.logfile.events.include: [ "access_granted", "access_denied", "authentication_failed" ]
5. Index Lifecycle Management (ILM) #
- Purpose: Enforce retention on alert indices: roll them over on a schedule and delete them when the retention period ends.
- Configuration Steps:
  - Create an ILM policy that defines when an index rolls over and how long it is kept afterwards. Attach it to new indices through the index template (index.lifecycle.name, plus index.lifecycle.rollover_alias when writing through an alias; data streams need no alias). Rollover only works if writes go through the alias or data stream rather than to a concrete index name.
  - Note that min_age in later phases is measured from the rollover, so the policy below keeps each generation for roughly 30 + 90 days. Deletion is irreversible; if alerts must be retained for compliance, snapshot them first.
  - Example:
      PUT _ilm/policy/my_index_policy
      {
        "policy": {
          "phases": {
            "hot": {
              "actions": {
                "rollover": {
                  "max_age": "30d"
                }
              }
            },
            "delete": {
              "min_age": "90d",
              "actions": {
                "delete": {}
              }
            }
          }
        }
      }
6. TLS/SSL Configuration #
- Purpose: Protect data in transit between Argus and Elasticsearch (the HTTP layer, port 9200 by default) and between cluster nodes (the transport layer, port 9300 by default).
- Configuration Steps:
  - Generate a CA and per-node certificates (bin/elasticsearch-certutil ca, then bin/elasticsearch-certutil cert) and distribute the CA certificate to Argus and every other client.
  - In elasticsearch.yml, enable TLS on both layers and point the keystore.path and truststore.path settings under xpack.security.transport.ssl and xpack.security.http.ssl at the node's certificate files. Enabling TLS without a keystore stops the node from starting, and transport TLS is mandatory on any multi-node cluster with security enabled.
  - Set xpack.security.transport.ssl.verification_mode to certificate (or full, which also checks hostnames) and never to none outside a throwaway lab. Configure Argus to verify the server certificate against the CA rather than disabling verification on the client side.
  - Example (elasticsearch.yml; the two switches shown, the keystore and truststore paths still have to be added):
      xpack.security.transport.ssl.enabled: true
      xpack.security.http.ssl.enabled: true
7. Network Security #
- Purpose: Expose Argus and Elasticsearch only to trusted networks and hosts.
- Configuration Steps:
  - Configure host firewalls to allow the HTTP port (9200 by default) only from Argus and administration hosts, and the transport port (9300 by default) only between cluster nodes. Neither port should be reachable from the internet; TLS and authentication reduce the exposure but do not replace network restrictions.
  - Use security groups or network ACLs in cloud environments, and bind Elasticsearch to an internal interface with network.host rather than to all interfaces.
8. Alerts and Notifications #
- Purpose: Raise alerts from the security events recorded in your indices.
- Configuration Steps:
  - Create custom rules in Argus that trigger alerts when certain security events occur (e.g., repeated unauthorized access attempts recorded in the audit log).
  - Use the Argus dashboard to configure notifications.
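The detection that sections 4 and 8 describe, as an added example that is not part of the original page or of the Argus product: a script that reads lines in the shape of the Elasticsearch JSON audit log (one object per line with fields such as event.action, user.name, origin.address, action and indices), and raises an alert when one user from one source address is denied several times inside a short window. The threshold, the window and the sample log lines are constructed for the demo.

```python
"""Flag repeated access_denied events in the Elasticsearch JSON audit log.

Added example, not part of the original page or of the Argus product.
THRESHOLD, WINDOW_SECONDS and SAMPLE_AUDIT_LINES are constructed for the demo.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 3        # denials per (user, source host) before alerting (assumed)
WINDOW_SECONDS = 60  # sliding window length in seconds (assumed)

# Constructed sample lines in the layout of <clustername>_audit.json.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","timestamp":"2024-05-01T10:00:01,000+0000","event.type":"transport","event.action":"access_granted","user.name":"user1","user.roles":["data_manager"],"origin.address":"10.0.0.5:51234","action":"indices:data/read/search","indices":["argus-alerts-000001"]}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:05,000+0000","event.type":"transport","event.action":"access_denied","user.name":"user1","user.roles":["data_manager"],"origin.address":"10.0.0.5:51234","action":"indices:admin/delete","indices":["argus-alerts-000001"]}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:09,000+0000","event.type":"transport","event.action":"access_denied","user.name":"user1","user.roles":["data_manager"],"origin.address":"10.0.0.5:51240","action":"indices:admin/delete","indices":["argus-alerts-000001"]}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:10,000+0000","event.type":"transport","event.action":"access_denied","user.name":"user2","user.roles":["viewer"],"origin.address":"10.0.0.7:40210","action":"indices:data/read/search","indices":["my-secure-index"]}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:20,000+0000","event.type":"transport","event.action":"access_denied","user.name":"user1","user.roles":["data_manager"],"origin.address":"10.0.0.5:51250","action":"indices:data/write/index","indices":["my-secure-index"]}',
    '{"type":"audit","timestamp":"2024-05-01T10:03:00,000+0000","event.type":"transport","event.action":"access_denied","user.name":"user3","user.roles":["viewer"],"origin.address":"10.0.0.9:33001","action":"indices:data/read/search","indices":["my-secure-index"]}',
    '{"type":"audit","timestamp":"2024-05-01T10:05:00,000+0000","event.type":"transport","event.action":"access_denied","user.name":"user3","user.roles":["viewer"],"origin.address":"10.0.0.9:33002","action":"indices:data/read/search","indices":["my-secure-index"]}',
]


def parse_audit_line(line):
    """Decode one audit line; the log timestamp uses a comma before the milliseconds."""
    event = json.loads(line)
    ts = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S,%f%z")
    return ts, event


def source_host(event):
    """Strip the ephemeral port from origin.address so one client keys to one bucket."""
    return event.get("origin.address", "?").rsplit(":", 1)[0]


def detect_denied_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (user, source host) that reaches `threshold` denials within `window` seconds."""
    recent = defaultdict(deque)  # (user, host) -> deque of (ts, event) still inside the window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event = parse_audit_line(line)
        if event.get("event.action") != "access_denied":
            continue  # granted requests matter for forensics, not for this rule
        key = (event.get("user.name", "<anonymous>"), source_host(event))
        bucket = recent[key]
        bucket.append((ts, event))
        while (ts - bucket[0][0]).total_seconds() > window:
            bucket.popleft()  # drop denials that fell out of the window
        if len(bucket) >= threshold:
            alerts.append({
                "user": key[0],
                "source": key[1],
                "count": len(bucket),
                "first": bucket[0][0].isoformat(),
                "last": ts.isoformat(),
                "actions": sorted({e.get("action", "?") for _, e in bucket}),
                "indices": sorted({i for _, e in bucket for i in e.get("indices", [])}),
            })
            bucket.clear()  # start a fresh window so one burst produces one alert
    return alerts


def denials_by_user(lines):
    """Total access_denied events per user, for the summary a dashboard would show."""
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        _, event = parse_audit_line(line)
        if event.get("event.action") == "access_denied":
            counts[event.get("user.name", "<anonymous>")] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_denied_bursts(SAMPLE_AUDIT_LINES):
        print(json.dumps(alert))
    print(denials_by_user(SAMPLE_AUDIT_LINES))
```

On the sample, only user1 from 10.0.0.5 trips the rule (three denials in 15 seconds, two of them attempts to delete an alert index); user3's two denials are two minutes apart and stay below the threshold. In production the same logic runs over the tail of <clustername>_audit.json on each node, or over the audit documents once they have been shipped into an index, and the alert dictionary is what would be handed to the Argus notification rule.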
Example: Configuring Index Permissions #
Here is an example of how to give one file-realm user read and write access to the Argus alert indices:
Define a Role (in roles.yml): #
    data_manager:
      cluster: [ "all" ]
      indices:
        - names: [ "argus-alerts-*" ]
          privileges: [ "read", "write" ]
Assign Role to User (in users_roles): #
    user1: data_manager
The user must already exist in the file realm; bin/elasticsearch-users useradd user1 -p <password> -r data_manager creates the user and the users_roles entry in one step. Both files are read by each node from its own config directory, so they have to be copied to every node in the cluster. As noted in section 2, cluster: [ "all" ] is far more than a data manager needs; replace it with the smallest cluster privilege the client actually uses.
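The least-privilege check that sections 2 and this closing example call for, as an added example that is not part of the original page or of the Argus product: a small linter that takes role definitions in the JSON shape the Role API accepts (PUT _security/role/<name>, which carries the same information as a roles.yml entry), reports over-broad privileges and missing field-level security, and produces a hardened copy. The two roles below are the ones written on this page; which privileges count as "broad", which indices and fields count as sensitive, and the use of "monitor" as the fallback cluster privilege are assumptions made for the demo.

```python
"""Lint Elasticsearch role definitions for over-privilege.

Added example, not part of the original page or of the Argus product.
The policy constants below are assumptions for the demo, not Elasticsearch defaults.
"""
from copy import deepcopy

# Assumed policy: these privileges hand out far more than index read/write.
BROAD_CLUSTER_PRIVILEGES = {"all", "manage", "manage_security"}
BROAD_INDEX_PRIVILEGES = {"all", "manage", "delete_index"}
# Assumed: indices that hold the sensitive_data field from the page's template.
SENSITIVE_INDICES = {"my-secure-index"}
SENSITIVE_FIELDS = ["sensitive_data"]

# The roles as written on this page, in Role API form.
MY_ROLE_AS_WRITTEN = {
    "cluster": ["all"],
    "indices": [{"names": ["argus-alerts-*", "my-secure-index"],
                 "privileges": ["read", "write"]}],
}
DATA_MANAGER_AS_WRITTEN = {
    "cluster": ["all"],
    "indices": [{"names": ["argus-alerts-*"], "privileges": ["read", "write"]}],
}


def lint_role(role):
    """Return a list of (code, detail) findings; an empty list means the role passes."""
    findings = []
    broad = set(role.get("cluster", [])) & BROAD_CLUSTER_PRIVILEGES
    if broad:
        findings.append(("cluster_broad",
                         f"cluster privileges {sorted(broad)} allow cluster-wide changes"))
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        privs = set(entry.get("privileges", []))
        if "*" in names or "_all" in names:
            findings.append(("index_wildcard",
                             f"pattern {names} matches every index, including system indices"))
        broad_idx = privs & BROAD_INDEX_PRIVILEGES
        if broad_idx:
            findings.append(("index_broad",
                             f"privileges {sorted(broad_idx)} on {names} allow destructive operations"))
        sensitive = set(names) & SENSITIVE_INDICES
        if sensitive and "field_security" not in entry:
            findings.append(("sensitive_unrestricted",
                             f"{sorted(sensitive)} readable without field_security"))
    return findings


def harden_role(role):
    """Return a copy with broad privileges dropped and sensitive fields excluded.

    Wildcard index patterns are reported but left alone: only a human can pick
    the right replacement pattern.
    """
    hardened = deepcopy(role)
    cluster = [p for p in hardened.get("cluster", []) if p not in BROAD_CLUSTER_PRIVILEGES]
    hardened["cluster"] = cluster or ["monitor"]  # assumed minimal privilege for health checks
    for entry in hardened.get("indices", []):
        privs = [p for p in entry.get("privileges", []) if p not in BROAD_INDEX_PRIVILEGES]
        entry["privileges"] = privs or ["read", "write"]
        if set(entry.get("names", [])) & SENSITIVE_INDICES and "field_security" not in entry:
            # Field-level security: every field is visible except the sensitive ones.
            entry["field_security"] = {"grant": ["*"], "except": list(SENSITIVE_FIELDS)}
    return hardened


if __name__ == "__main__":
    for name, role in (("my_role", MY_ROLE_AS_WRITTEN), ("data_manager", DATA_MANAGER_AS_WRITTEN)):
        for code, detail in lint_role(role):
            print(f"{name}: {code}: {detail}")
        print(f"{name} hardened: {harden_role(role)}")
```

Run against the page's two roles, the linter flags the cluster: ["all"] grant on both and the unrestricted read of my-secure-index on my_role; the hardened my_role keeps read/write on the same patterns, drops the cluster privilege to monitor, and hides sensitive_data through field_security. The hardened dictionary is exactly the body that PUT _security/role/my_role would take, and the same checks can be run over the output of GET _security/role before a cluster goes into production.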