Search Guard Installation for ELK Stack

Search Guard Installation and Concepts

Search Guard is an open source Elasticsearch plugin that offers encryption, authentication and authorization. It secures your Elasticsearch cluster by working with industry-standard authentication techniques such as Active Directory, LDAP, Kerberos, JSON web tokens and many more, and includes fine-grained role-based access control to clusters, indices, documents and fields. It enables multi-tenancy in Kibana, and its audit logging supports compliance with GDPR, HIPAA, PCI, SOX and ISO.

With the Community Edition, Search Guard offers all basic security features for free. The Community Edition can be used for all projects, including commercial projects, at absolutely no cost. It includes:

  • Full data in transit encryption
  • Node-to-node encryption
  • Index level access control
  • Document type based access control
  • User, role and permission management
  • HTTP basic authentication
  • User impersonation
  • Proxy support

If you just want to use the free Community Edition, install Search Guard Enterprise and then disable all commercial features.

Basic workflow of the Search Guard mechanism

  • A user wants to access an Elasticsearch cluster, for example by issuing a simple query.
  • Search Guard retrieves the user's credentials from the request (they can be extracted from HTTP Basic Authentication headers, from a JSON web token or from a Kerberos ticket).
  • Search Guard authenticates the credentials against the configured authentication backend(s).
  • Search Guard authorizes the user by retrieving a list of the user's roles from the configured authorization backend.
  • Search Guard maps the user and backend roles to Search Guard roles.
  • Search Guard determines the permissions associated with the Search Guard roles and decides whether the action the user wants to perform is allowed, i.e. which role can perform which action against which cluster or index.
  • If document- and field-level security is required, you can also apply more fine-grained permissions based on documents and individual fields.

Search Guard ships with pre-defined groups of permissions such as READ, WRITE and SEARCH, called action groups. An action group is an alias for a set of permissions. Action groups can be nested. For example, the following snippet shows two action groups, where the SUGGEST action group is referenced by the SEARCH action group:

SEARCH:
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - SUGGEST
SUGGEST:
  - "indices:data/read/suggest*"

Action groups can be used in the role configuration instead of or in combination with fine-grained permissions like indices:data/read/search*.
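To make the workflow and the action-group nesting above concrete, here is an added example (not Search Guard's own code) that expands nested action groups into permission patterns and then decides whether a role permits an action on an index. The SEARCH and SUGGEST groups are taken from the page; the CRUD group, the role names and the index patterns are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed action groups: SEARCH and SUGGEST as on the page; CRUD is an
# assumed simplification (the real CRUD group maps to more permissions).
ACTION_GROUPS = {
    "SEARCH": ["indices:data/read/search*", "indices:data/read/msearch*", "SUGGEST"],
    "SUGGEST": ["indices:data/read/suggest*"],
    "CRUD": ["indices:data/read/*", "indices:data/write/*"],  # assumption
}

# Constructed roles modelled on sg_logstash: index pattern -> type -> permissions.
ROLES = {
    "sg_logstash": {"indices": {"logstash-*": {"*": ["CRUD"]}}},
    "sg_readonly": {"indices": {"logstash-*": {"*": ["SEARCH"]}}},
}


def resolve(entries, groups=ACTION_GROUPS, seen=None):
    """Expand action-group names recursively into concrete permission patterns.
    Anything not known as a group is treated as a raw permission string."""
    seen = set() if seen is None else seen
    perms = []
    for entry in entries:
        if entry in groups:
            if entry in seen:  # cycle guard, e.g. A -> B -> A
                continue
            seen.add(entry)
            perms.extend(resolve(groups[entry], groups, seen))
        else:
            perms.append(entry)
    return perms


def is_allowed(role_names, index, action, roles=ROLES):
    """Decide whether any of the user's Search Guard roles grants `action`
    on `index`; index patterns and permissions use glob-style wildcards."""
    for name in role_names:
        for pattern, types in roles.get(name, {}).get("indices", {}).items():
            if not fnmatchcase(index, pattern):
                continue
            for perms in types.values():
                if any(fnmatchcase(action, p) for p in resolve(perms)):
                    return True
    return False
```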

A first time installation of Search Guard on a cluster always requires a full cluster restart. TLS encryption is mandatory on the transport layer of Elasticsearch, and thus all nodes must have Search Guard installed in order to be able to talk to each other.

All configuration settings for Search Guard, such as users, roles and permissions, are stored as documents in a special Search Guard index. This index is secured so that only an admin user with a special SSL certificate may write or read this index. You can define one or more of these certificates, called admin certificates, in elasticsearch.yml.

The Search Guard configuration consists of the following files. These are shipped with Search Guard as templates.

sg_config.yml - configure authenticators and authorisation backends.
sg_roles.yml - define roles and the associated permissions.
sg_roles_mapping.yml - map backend roles, hosts and users to roles.
sg_internal_users.yml - stores users, roles and hashed passwords (hash with hash.sh) in the internal user database.
sg_action_groups.yml - define named permission groups.

Configuration settings are applied by pushing the content of one or more configuration files to the Search Guard secured cluster by using the sgadmin tool. For details, refer to the chapter sgadmin.

The installation steps

  • Stop Elasticsearch
  • Install the Search Guard plugin
  • Generate or obtain TLS certificates
  • Add at least the TLS configuration to elasticsearch.yml
  • Restart Elasticsearch and check that the nodes come up
  • Configure authentication/authorization, users, roles and permissions by uploading the Search Guard configuration with sgadmin

The Search Guard demo installer is an installation script, shipped with Search Guard together with demo certificates, that you can use to run a PoC. This example uses the internal user database for authentication.

Download Search Guard Elasticsearch plugin

[root@myhost bin]# wget https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.2.4-compliance-rc1/search-guard-6-6.2.4-compliance-rc1.zip
--2018-06-04 08:34:37-- https://repo1.maven.org/maven2/com/floragunn/search-guard-6/6.2.4-compliance-rc1/search-guard-6-6.2.4-compliance-rc1.zip
Resolving repo1.maven.org (repo1.maven.org)... 151.101.40.209
Connecting to repo1.maven.org (repo1.maven.org)|151.101.40.209|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19553206 (19M) [application/zip]
Saving to: ‘search-guard-6-6.2.4-compliance-rc1.zip’

100%[===========================================================================================================================================================>] 19,553,206 226KB/s in 87s

2018-06-04 08:36:06 (219 KB/s) - ‘search-guard-6-6.2.4-compliance-rc1.zip’ saved [19553206/19553206]

Install the plugin

[root@myhost bin]# ./elasticsearch-plugin install file:///usr/share/elasticsearch/bin/search-guard-6-6.2.4-compliance-rc1.zip
-> Downloading file:///usr/share/elasticsearch/bin/search-guard-6-6.2.4-compliance-rc1.zip
[=================================================] 100%  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission /proc/sys/net/core/somaxconn read
* java.lang.RuntimePermission accessClassInPackage.com.sun.jndi.ldap
* java.lang.RuntimePermission accessClassInPackage.sun.misc
* java.lang.RuntimePermission accessClassInPackage.sun.nio.ch
* java.lang.RuntimePermission accessClassInPackage.sun.security.x509
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission accessUserInformation
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission shutdownHooks
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.NetPermission getNetworkInformation
* java.net.NetPermission getProxySelector
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission getProperty.ssl.KeyManagerFactory.algorithm
* java.security.SecurityPermission insertProvider.BC
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setProperty.ocsp.enable
* java.util.PropertyPermission * read,write
* javax.security.auth.AuthPermission doAs
* javax.security.auth.AuthPermission modifyPrivateCredentials
* javax.security.auth.kerberos.ServicePermission * accept
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed search-guard-6
[root@myhost bin]#

Installing the demo configuration script

[root@myhost tools]# chmod a+x install_demo_configuration.sh
[root@myhost tools]# ./install_demo_configuration.sh
Search Guard 6 Demo Installer
** Warning: Do not use on production or public reachable systems **
Install demo certificates? [y/N] N
[root@bnghqsiem tools]# ./install_demo_configuration.sh
Search Guard 6 Demo Installer
** Warning: Do not use on production or public reachable systems **
Install demo certificates? [y/N] y
Initialize Search Guard? [y/N] y
Cluster mode requires maybe additional setup of:
- Virtual memory (vm.max_map_count)
See https://www.elastic.co/guide/en/elasticsearch/reference/current/vm-max-map-count.html

Enable cluster mode? [y/N] N
Basedir: /usr/share/elasticsearch
This script maybe require your root password for 'sudo' privileges
Elasticsearch install type: rpm/deb on CentOS Linux release 7.2.1511 (Core)
Elasticsearch config dir: /etc/elasticsearch
Elasticsearch config file: /etc/elasticsearch/elasticsearch.yml
Elasticsearch bin dir: /usr/share/elasticsearch/bin
Elasticsearch plugins dir: /usr/share/elasticsearch/plugins
Elasticsearch lib dir: /usr/share/elasticsearch/lib
Detected Elasticsearch Version: launchers-6.2.4
Detected Search Guard Version: 6.2.4-compliance-rc1

### Success
### Execute this script now on all your nodes and then start all nodes
### Search Guard will be automatically initialized.
### If you like to change the runtime configuration
### change the files in ../sgconfig and execute:
sudo /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig -icl -key /etc/elasticsearch/kirk-key.pem -cert /etc/elasticsearch/kirk.pem -cacert /etc/elasticsearch/root-ca.pem -nhnv
### or run ./sgadmin_demo.sh
### To use the Search Guard Configuration GUI see http://docs.search-guard.com/v6/configuration-gui
### To access your Search Guard secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
[root@myhost tools]# cd /etc/elasticsearch/
[root@myhost elasticsearch]# ls

Run the sgadmin_demo.sh script to upload the demo configuration files

[root@myhost tools]# ls
hash.bat hash.sh install_demo_configuration.sh sgadmin.bat sgadmin_demo.sh sgadmin.sh
[root@bnghqsiem tools]# ./sgadmin_demo.sh
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done

*** This is a RC version and NOT suitable for production. ***
Elasticsearch Version: 6.2.4
Search Guard Version: 6.2.4-compliance-rc1
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: MY-SIEM
Clusterstate: GREEN
Number of nodes: 1
Number of data nodes: 1
searchguard index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/
Will update 'sg/config' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with /usr/share/elasticsearch/plugins/search-guard
SUCC: Configuration for 'actiongroups' created or updated
Done with success
[root@myhost tools]#

Download and install the Search Guard Kibana plugin

[root@myhost bin]# ./kibana-plugin install file:///usr/share/kibana/bin/search-guard-kibana-plugin-6.2.4-13.zip
Attempting to transfer from file:///usr/share/kibana/bin/search-guard-kibana-plugin-6.2.4-13.zip
Transferring 2958310 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete
[root@myhost bin]#

elasticsearch.yml settings

######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
searchguard.enterprise_modules_enabled: false
######## End Search Guard Demo Configuration ########

kibana.yml settings

# Use HTTPS instead of HTTP
elasticsearch.url: "https://localhost:9200"

# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

# Disable SSL verification because we use self-signed demo certificates
elasticsearch.ssl.verificationMode: none

# Whitelist the Search Guard Multi Tenancy Header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]
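The demo block in elasticsearch.yml warns you to revise every line before production, and the kibana.yml block disables certificate verification. As an added example (not part of Search Guard or the demo installer), the following check reads the flat `key: value` lines of those blocks and lists the demo-only settings that still need changing; the sample input is a constructed copy of the page's demo block.

```python
# Constructed sample: the demo block the installer writes to elasticsearch.yml,
# reduced to the keys this check looks at.
DEMO_ES_YML = """\
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test, C=de
searchguard.restapi.roles_enabled: ["sg_all_access"]
"""

# key -> (value that is unsafe outside a PoC, why it matters)
UNSAFE = {
    "searchguard.allow_unsafe_democertificates": ("true", "shipped demo certificates are public"),
    "searchguard.ssl.transport.enforce_hostname_verification": ("false", "node certs not matched to hostnames"),
    "searchguard.allow_default_init_sgindex": ("true", "searchguard index auto-initialised from files on disk"),
    "searchguard.ssl.http.enabled": ("false", "REST traffic would be plaintext"),
    "elasticsearch.ssl.verificationMode": ("none", "Kibana does not verify the Elasticsearch certificate"),
    "elasticsearch.password": ("kibanaserver", "default demo password for the kibanaserver user"),
}
DEMO_ADMIN_DN = "CN=kirk,OU=client,O=client,L=test, C=de"


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines of the demo block; `- item` lines
    become a list under the preceding key. Not a general YAML parser."""
    settings, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and isinstance(settings.get(last), list):
            settings[last].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        last = key.strip()
        value = value.strip().strip('"')
        settings[last] = value if value else []  # empty value: a list follows
    return settings


def audit(text):
    """Return (key, reason) findings for settings that must change before production."""
    cfg = parse_flat_yaml(text)
    findings = [(k, why) for k, (bad, why) in UNSAFE.items()
                if str(cfg.get(k, "")).lower() == bad]
    if DEMO_ADMIN_DN in cfg.get("searchguard.authcz.admin_dn", []):
        findings.append(("searchguard.authcz.admin_dn", "demo 'kirk' admin certificate is still trusted"))
    return findings
```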

The demo installer script installs the following internal user database. All passwords are stored as bcrypt hashes; use hash.sh to hash new passwords.

[root@myhost tools]# vim /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_internal_users.yml
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

#password is: admin
admin:
  readonly: true
  hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
  roles:
    - admin
  attributes:
    #no dots allowed in attribute names
    attribute1: value1
    attribute2: value2
    attribute3: value3

#password is: logstash
logstash:
  hash: $2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2
  roles:
    - logstash

#password is: kibanaserver
kibanaserver:
  readonly: true
  hash: $2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H.

#password is: kibanaro
kibanaro:
  hash: $2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC
  roles:
    - kibanauser
    - readall

#password is: readall
readall:
  hash: $2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2
  #password is: readall
  roles:
    - readall

#password is: snapshotrestore
snapshotrestore:
  hash: $2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W
  roles:
    - snapshotrestore

Roles configuration

[root@myhost tools]# vim /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/sg_roles.yml

# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
    'exchange*':
      '*':
        - CRUD
        - CREATE_INDEX
    'iis*':
      '*':
        - CRUD
        - CREATE_INDEX
    'mcafee*':
      '*':
        - CRUD
        - CREATE_INDEX
    'san*':
      '*':
        - CRUD
        - CREATE_INDEX
    'cisco*':
      '*':
        - CRUD
        - CREATE_INDEX
    'usb*':
      '*':
        - CRUD
        - CREATE_INDEX
    'bakup*':
      '*':
        - CRUD
        - CREATE_INDEX
    'wazuh*':
      '*':

Logstash output configuration

Make sure that the URL is changed to https and that the Search Guard credentials are given.

output {
  if [indexType] == "WIN-LOGS" {
    elasticsearch {
      user => logstash
      password => logstash
      ssl => true
      # false only because the demo certificates are self-signed; set to true with real certificates
      ssl_certificate_verification => false
      hosts => "https://localhost:9200"
      manage_template => false
      #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => doc
    }
  }
  else if [indexType] == "SYS-LOGS" {
    elasticsearch {
      user => logstash
      password => logstash
      ssl => true
      ssl_certificate_verification => false
      hosts => "https://localhost:9200"
      manage_template => false
      index => "syslog-%{+YYYY.MM.dd}"
      document_type => doc
    }
  }
}

Search Guard Community License: querying the license endpoint shows the message “No license required because enterprise modules not enabled.”

https://127.0.0.1:9200/_searchguard/license

{"_nodes":{"total":1,"successful":1,"failed":0},"cluster_name":"MY-SIEM","sg_license":{"msgs":["No license required because enterprise modules not enabled."],"license_required":false},"modules":{"INTERNAL_USERS_AUTHENTICATION_BACKEND":

Kibana Login page