Add permissions to kibana_system for TI package transforms to support IOC expiration #94506
Conversation
Pinging @elastic/es-security (Team:Security)
Ping @elastic/kibana-security for awareness
LGTM Discussing with KB Security team!
ACK! Thanks for the update!
Just before we merge, @andrewkroh, would it be wise to have a pattern outside of
Would it be possible to change the name of the indices being used so that they have a `.` preceding? This would be more in line with other system indices (like the indices listed at the bottom of this comment
As is, this change may allow `kibana_system` to access user defined indices that follow a similar pattern. Generally we would like to prevent the `kibana_system` user from getting too powerful.
cc: @azasypkin @legrego
Hey @andrewkroh,
@P1llus What specifically is the concern that could cause a complication? And by "to place all our TI transforms there" do you mean the destination index name for the installed transforms? What naming conventions are you thinking? In elastic/integrations#5582 the convention used is IIUC Fleet should create an index template for the transform's target index. This is described at https://github.com/elastic/package-spec/blob/29cc306237b541e7c32841548c09e25dcfd19333/spec/integration/elasticsearch/transform/spec.yml#L7-L10. That template should have a priority of 200 according to this. So as long as the transforms destination index names don't overlap with the integration data stream naming it shouldn't be an issue. I think the inclusion of I'm not opposed to a completely non-overlapping naming convention, but there is no prior art within Fleet that I'm aware of.
> Would it be possible to change the name of the indices being used so that they have a `.` preceding? This would be more in line with other system indices.

@kc13greiner It's not really a "system index" as I have seen the term defined in various Elasticsearch issues. It is going to contain data that users directly access. Users will utilize it through the Security Indicator Match Rules, the Security Intelligence page, and possibly Discover. Therefore I think it would be better to not use a `.` to indicate this is a system or hidden.
I view this as a workaround until a proper mechanism exists for authorizing the transform setup based on the user installing the Fleet integration. That feature is described in elastic/kibana#137278, but AFAIK is not started yet. I would hope that we could remove the privileges directly related to transform setup after that task is completed.
These other changes have added similar workarounds:
- add privileges for kIbana_system user to serve cloud security posture… #84941
- add privileges in vulnerabilities index #94255
But if a dot is required and users will still be able to directly read the data through the aforementioned apps then a dot prefix can work.
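The concern raised in this thread is the breadth of a wildcard grant: whether a pattern such as `.ds-logs-ti*` reaches user-defined indices that only share a prefix with the TI package indices. The following Python script is an added illustration, not code from this PR or from Elasticsearch. It checks each candidate pattern from the discussion against a constructed set of index names. It assumes Elasticsearch's wildcard semantics for index-privilege patterns (`*` matches any run of characters, `?` one character) and that a privilege granted on a data stream name also covers that stream's `.ds-` backing indices; every index name in it, including the transform destination name, is made up for the check rather than taken from a real cluster or from the TI packages.

```python
"""Audit how broad candidate Elasticsearch index-privilege patterns are.

Assumptions (added example, not project code): index-privilege patterns use
`*` for any run of characters and `?` for one character, and a privilege on
a data stream name also covers its backing indices, which are named
`.ds-<data-stream>-<yyyy.MM.dd>-<generation>`.  All index names below are
constructed for this check.
"""
import re

# Backing indices of data streams: .ds-<stream>-<date>-<6-digit generation>
BACKING_INDEX_RE = re.compile(r"^\.ds-(?P<stream>.+)-\d{4}\.\d{2}\.\d{2}-\d{6}$")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an Elasticsearch-style wildcard pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def pattern_covers(pattern: str, index_name: str) -> bool:
    """True if a privilege on `pattern` applies to `index_name`.

    A pattern covers an index when it matches the name directly, or when the
    index is a backing index and the pattern matches its data stream's name.
    """
    rx = wildcard_to_regex(pattern)
    if rx.match(index_name):
        return True
    backing = BACKING_INDEX_RE.match(index_name)
    return bool(backing and rx.match(backing.group("stream")))


def hits(pattern: str, index_names) -> list:
    """Sorted list of the given index names that `pattern` covers."""
    return sorted(n for n in index_names if pattern_covers(pattern, n))


# Constructed names: what the TI grants are meant for ...
INTENDED_SOURCE = [
    "logs-ti_abusech.malware-default",                        # TI data stream
    ".ds-logs-ti_abusech.malware-default-2023.03.15-000001",  # its backing index
]
INTENDED_DEST = [
    ".logs-ti_abusech_latest.malware-1",  # hypothetical transform destination
]
# ... and user-defined indices that merely share a prefix with them.
UNINTENDED = [
    "logs-ticketing-default",                        # user data stream
    ".ds-logs-ticketing-default-2023.03.15-000001",  # its backing index
    ".logs-ti_custom-latest-v2",                     # user index
]

CANDIDATE_PATTERNS = [
    ".ds-logs-ti*",         # first revision: backing indices, no `_`
    "logs-ti_*.*-*",        # data stream name with the package prefix
    ".logs-ti_*latest*",    # first revision of the destination pattern
    ".logs-ti_*_latest.*",  # tightened destination pattern
]


def audit(pattern: str) -> dict:
    """Summarise what a pattern covers among intended and unintended names."""
    return {
        "intended": hits(pattern, INTENDED_SOURCE + INTENDED_DEST),
        "unintended": hits(pattern, UNINTENDED),
    }


if __name__ == "__main__":
    for p in CANDIDATE_PATTERNS:
        result = audit(p)
        flag = "OVERBROAD" if result["unintended"] else "ok"
        print(f"{p:22} {flag:9} intended={result['intended']} "
              f"unintended={result['unintended']}")
```

Run stand-alone, the script flags `.ds-logs-ti*` and `.logs-ti_*latest*` as reaching the constructed user indices, while `logs-ti_*.*-*` and `.logs-ti_*_latest.*` cover only the names they are meant for. It also shows that a backing-index pattern such as `.ds-logs-ti*` does not cover the data stream name itself, which is the other reason a grant on the stream name is the better choice.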
@@ -871,7 +871,17 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) { | |||
UpdateSettingsAction.NAME | |||
) | |||
.build(), | |||
RoleDescriptor.IndicesPrivileges.builder().indices(".ds-logs-ti*").privileges("read", "view_index_metadata").build(), | |||
RoleDescriptor.IndicesPrivileges.builder() | |||
.indices(".ds-logs-ti*") |
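Review bot: the same pattern `.ds-logs-ti*` gets two consecutive `IndicesPrivileges` builders in this hunk (the one-line `read`/`view_index_metadata` entry and the multi-line builder right after it), so the privilege set for one pattern is split across two entries; merge them into a single builder so an auditor sees everything granted on that pattern in one place. The pattern also names `.ds-` backing indices rather than the data stream, and `ti*` lacks the `_` of the package prefix, so it matches backing indices of any user data stream whose name begins with `logs-ti`.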
Should this be on the data stream itself rather than the backing indices? It looks like the prior art mostly uses the data stream name (e.g. `logs-ti_*.*-*`).
Updated as suggested
RoleDescriptor.IndicesPrivileges.builder() | ||
.indices(".ds-logs-ti*") | ||
.privileges( | ||
UpdateSettingsAction.NAME, |
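Review bot: `.ds-logs-ti*` in this builder covers every backing index whose data stream name starts with `logs-ti`, not only the `ti_` packages, so a user stream such as `logs-ticketing-default` would receive `UpdateSettingsAction.NAME` and whatever follows it; grant on the data stream name with the package prefix (e.g. `logs-ti_*`) and let the backing indices be covered through it.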
These first three (update settings, put mapping, and rollover) are already granted to `logs-*` on L798. So I think they can be omitted.
Removed update settings, put mapping, and rollover as suggested
UpdateSettingsAction.NAME, | ||
PutMappingAction.NAME, | ||
RolloverAction.NAME, | ||
DeleteIndexAction.NAME, |
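Review bot: `DeleteIndexAction.NAME` is the most destructive privilege in this block and is granted on a wildcard with no comment saying why; add one stating that the ILM policies shipped with the Threat Intelligence packages may include delete actions, otherwise anyone auditing `kibana_system` will flag a wildcard delete grant, and keep the pattern it applies to as narrow as the package prefix allows.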
I think there should be a comment similar to L829 that states that the ILM policies for Threat Intelligence packages may include delete actions.
Added separate comments for ILM and transform permissions
UpdateSettingsAction.NAME | ||
) | ||
.build(), | ||
// For source indices of the Threat Intel (ti*) packages that ships a transform for supporting IOC expiration |
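Review bot: the new comment `// For source indices of the Threat Intel (ti*) packages that ships a transform ...` is placed after the `.build()` of the block that carries the ILM-related privileges, although it describes why a transform needs to read the source data; put it directly above the `read`/`view_index_metadata` privileges it explains, write `ti_*` to match the package prefix the patterns use, and fix the grammar (`packages that ship`).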
Perhaps this comment should be directly above the "read" priv, and indicate that read and view_index_metadata are required for transforms to read the source data. I say this because it is mixing privileges related to ILM and transforms.
Added separate comments for ILM and transform permissions
@@ -858,6 +858,31 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) { | |||
) | |||
.privileges("create_index", "delete_index", "read", "index", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME) | |||
.build(), | |||
// For destination indices of the Threat Intel (ti*) packages that ships a transform for supporting IOC expiration |
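Review bot: `packages that ships` should read `packages that ship` in the destination-indices comment, and the prefix should be written `ti_*` so that it matches the index pattern the comment introduces; the same wording problem is present in the source-indices comment and both should be fixed together.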
The TI packages all share the common prefix of `ti_` so I would include the understand.
// For destination indices of the Threat Intel (ti*) packages that ships a transform for supporting IOC expiration | |
// For destination indices of the Threat Intel (ti_*) packages that ships a transform for supporting IOC expiration |
Updated as suggested
@@ -858,6 +858,31 @@ public static RoleDescriptor kibanaSystemRoleDescriptor(String name) { | |||
) | |||
.privileges("create_index", "delete_index", "read", "index", IndicesAliasesAction.NAME, UpdateSettingsAction.NAME) | |||
.build(), | |||
// For destination indices of the Threat Intel (ti*) packages that ships a transform for supporting IOC expiration | |||
RoleDescriptor.IndicesPrivileges.builder() | |||
.indices(".logs-ti_*latest*") |
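Review bot: `.logs-ti_*latest*` has two unanchored wildcards, so it covers any index that begins with `.logs-ti_` and has `latest` anywhere after that, including user-created indices that happen to use the word; anchor the pattern to the destination naming convention (for example `.logs-ti_*_latest.*`) so that only the transforms' destination indices match.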
.indices(".logs-ti_*latest*") | |
.indices(".logs-ti_*_latest.*") |
I'm trying to be as specific as possible.
Updated as suggested
@andrewkroh I was just concerned that any future ILM, index templates, dynamic templates or other settings that might be added to `logs-*` as a global pattern could affect the destination index for the transforms, outside of that I do not have any other concerns.
Hey @kc13greiner
The current code has the
I have discussed with the security team and we are ok to approve without the Sorry for the confusion.
@kc13greiner,
LGTM!
Closes #94505 by adding required permissions to `kibana_system` to support IOC expiration of Threat Intel indices.