Auditbox uses Elasticsearch as its primary active storage, so it's extremely important to make sure it's configured securely.

Adding a restricted user

To follow the principle of least privilege, it's highly recommended to connect with a user whose custom role has only the permissions Auditbox needs to operate.

Create role

You can create a custom role in a few ways, depending on your setup:

Whichever option you choose, the role needs the following permissions:

{
  "cluster": [
    "manage",
    "manage_ilm",
    "manage_index_templates"
  ],
  "indices": [
    {
      "names": [
        "auditevent-*"
      ],
      "privileges": [
        "manage",
        "maintenance",
        "create_index",
        "create_doc",
        "index",
        "read"
      ]
    },
    {
      "names": [
        "auditbox-idp",
        "auditbox-sessions"
      ],
      "privileges": [
        "manage",
        "maintenance",
        "create_index",
        "index",
        "read",
        "delete",
        "create"
      ]
    }
  ]
}

Create user for the role

To use the newly defined role, you need a user with that role attached. Just as with creating roles, there are a few options:

The only requirement is that the user has the previously defined role attached.

Adjust Auditbox settings

On the Auditbox side, you only need to change the AUDITBOX_ES_AUTH variable so that it holds the credentials of the newly created user:

AUDITBOX_ES_AUTH: "${username}:${password}"

Reload the app

After the application reloads, it connects to Elasticsearch as the new user, and the setup is complete.
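
To check that the role attached to the Auditbox user still matches the permissions listed above, the following added example (not part of Auditbox or its documentation) compares a role body with the required set and reports missing and excess privileges. It assumes the role body is the object Elasticsearch returns under the role name from `GET /_security/role/<name>`; the function name `audit_role` and the sample role are constructed for illustration.

```python
import json

# Required permissions, copied from the role definition on this page.
_META = {"manage", "maintenance", "create_index", "index", "read", "delete", "create"}
REQUIRED = {
    "cluster": {"manage", "manage_ilm", "manage_index_templates"},
    "indices": {
        "auditevent-*": {"manage", "maintenance", "create_index",
                         "create_doc", "index", "read"},
        "auditbox-idp": _META,
        "auditbox-sessions": _META,
    },
}


def audit_role(role):
    """Compare a role body with REQUIRED; return (missing, excess), both sorted."""
    missing, excess = [], []
    cluster = set(role.get("cluster", []))
    missing += [f"cluster:{p}" for p in REQUIRED["cluster"] - cluster]
    excess += [f"cluster:{p}" for p in cluster - REQUIRED["cluster"]]

    granted = {}  # index name or pattern -> union of privileges granted on it
    for entry in role.get("indices", []):
        for name in entry.get("names", []):
            granted.setdefault(name, set()).update(entry.get("privileges", []))

    # Names are matched exactly: a broader pattern such as "*" is reported as
    # excess rather than accepted as a substitute for the documented names.
    for name, needed in REQUIRED["indices"].items():
        missing += [f"{name}:{p}" for p in needed - granted.get(name, set())]
    for name, privs in granted.items():
        allowed = REQUIRED["indices"].get(name, set())
        excess += [f"{name}:{p}" for p in privs - allowed]
    return sorted(missing), sorted(excess)


# Constructed sample: a role that has drifted from the documented one.
SAMPLE_ROLE = json.loads("""
{"cluster": ["manage", "manage_ilm", "all"],
 "indices": [
  {"names": ["auditevent-*"], "privileges": ["manage", "maintenance", "create_index", "create_doc", "index", "read"]},
  {"names": ["auditbox-idp", "auditbox-sessions"], "privileges": ["manage", "maintenance", "create_index", "index", "read", "create"]},
  {"names": ["*"], "privileges": ["read"]}]}
""")

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE)
    print("missing:", missing)
    print("excess: ", excess)
```

Missing entries mean Auditbox may fail against that index or cluster operation; excess entries mean the role grants more than this page requires.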
