[DOC] Add a new section in documentation for security best practices and recommendations. #5782

hdhalter · 2023-12-04T22:46:28Z

Add a new section in documentation for security best practices and recommendations

stephen-crawford · 2023-12-05T21:29:50Z

Examples:

Don't use default credentials
Use the password tool to create a very strong password
Don't use the demo certificates for anything other than demos
Don't mix standard role and backend role DLS and FLS configurations (i.e. a user has DLS configured through normal roles but also their backend role)
Don't mix multiple DLS/FLS configured roles: [BUG] "Field level security" and "Field masking definitions" don't work together with "Document level security" security#3274
Don't give default user level write permissions (should be read-only)

@DarshitChanpura @cwperks @peternied any other suggestions for good common practices we can add

hdhalter · 2023-12-06T01:12:52Z

Please add a note about #3084. Thanks!

cwperks · 2023-12-07T15:22:59Z

@scrawfor99 You may also want to consider adding a section on dashboards security setup as well.

Make sure the cookie is secure

opensearch_security.cookie.secure: true
opensearch_security.cookie.password: <secret_for_cookie_encryption>

Setup TLS (don't run with opensearch.ssl.verificationMode: none)

Instead:

opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: </path/to/root-ca.pem>

Link to: https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/

peternied · 2023-12-07T21:23:28Z

Thanks for calling this out @hdhalter just a couple more to add on:

[Serious] Do you think we could get away with linking to XKCD for what 'strong' password practically means - its memorable and insightful? https://xkcd.com/936/
Follow the principle of least privilege for secrets used to configure the cluster and the roles used to access the cluster.
Enable audit logging and verify that the audit data has the information needed by your organizations information security policies.

rursprung · 2023-12-08T07:23:34Z

linking xkcd is certainly never wrong 😉 👍 (i don't know how often i've sent a link to this specific comic - it's just a very good way of explaining the very hard concept of "safe" passwords)

what about TLS settings? i guess they should also be documented (i remember that the default settings for OS have been updated; for OSD the PR is AFAIK still hanging to even add support for TLS v1.3, much less make it the default?). though in the best case the default is already the current "strong" default and no further documentation is needed as it just works out of the box.

john-eliatra · 2023-12-19T19:25:01Z

Hi @hdhalter , adding my comment to be assigned to this one. Thx, John

hdhalter · 2024-05-08T15:35:01Z

@leanneeliatra/@anton - Can you please add a comment so I can assign you?

leanneeliatra · 2024-05-14T15:12:26Z

@hdhalter Please assign me! Thank you.

leanneeliatra · 2024-05-14T15:26:15Z

PR submitted for review #7113

* adding top ten security best practices Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * changing nav order Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding bonus tip Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * updates to best practices Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * integrating Darshits suggestions for improvement and reviewdog fixes Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * reviewdog update Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * Apply suggestions from code review Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> * reviewdog updates Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * Update _security/configuration/best-practices.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Add editorial comment Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update _security/configuration/best-practices.md Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --------- Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: AntonEliatra <anton.rubin@eliatra.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Nathan Bower <nbower@amazon.com>

* adding top ten security best practices Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * changing nav order Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding bonus tip Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * updates to best practices Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * integrating Darshits suggestions for improvement and reviewdog fixes Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * reviewdog update Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * Apply suggestions from code review Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> * reviewdog updates Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * Update _security/configuration/best-practices.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Add editorial comment Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update _security/configuration/best-practices.md Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --------- Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: AntonEliatra <anton.rubin@eliatra.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Nathan Bower <nbower@amazon.com> (cherry picked from commit 8e049cd) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

…5782 (opensearch-project#7113) * adding top ten security best practices Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * changing nav order Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding to best practices Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * adding bonus tip Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * updates to best practices Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * integrating Darshits suggestions for improvement and reviewdog fixes Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * review suggestions to grammer Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * reviewdog update Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * Apply suggestions from code review Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> * reviewdog updates Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> * Update _security/configuration/best-practices.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Add editorial comment Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update _security/configuration/best-practices.md Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> * Update best-practices.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --------- Signed-off-by: leanne.laceybyrne@eliatra.com <leanne.laceybyrne@eliatra.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com> Signed-off-by: leanneeliatra <131779422+leanneeliatra@users.noreply.github.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: AntonEliatra <anton.rubin@eliatra.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Nathan Bower <nbower@amazon.com>

hdhalter mentioned this issue Dec 4, 2023

[DOC-META] Security Plugin Documentation #816

Open

19 tasks

github-actions bot added the untriaged label Dec 4, 2023

hdhalter added security and removed untriaged labels Dec 4, 2023

hdhalter mentioned this issue Dec 6, 2023

[DOC] document http.detailed_errors.enabled config option & related security considerations #3084

Closed

4 tasks

hdhalter added 2 - In progress Issue/PR: The issue or PR is in progress. 1 - Backlog - CON labels Dec 21, 2023

hdhalter assigned john-eliatra Dec 21, 2023

hdhalter removed the 1 - Backlog - CON label Jan 17, 2024

hdhalter changed the title ~~Add a new section in documentation for security best practices and recommendations.~~ [Doc] Add a new section in documentation for security best practices and recommendations. Jan 17, 2024

hdhalter changed the title ~~[Doc] Add a new section in documentation for security best practices and recommendations.~~ [DOC] Add a new section in documentation for security best practices and recommendations. Jan 17, 2024

hdhalter unassigned john-eliatra Mar 27, 2024

leanneeliatra mentioned this issue May 8, 2024

Security best practices - 10 points to consider - #5782 #7113

Merged

1 task

hdhalter assigned leanneeliatra May 14, 2024

Naarcha-AWS closed this as completed in #7113 May 30, 2024

github-actions bot pushed a commit that referenced this issue May 30, 2024

Security best practices - 10 points to consider - #5782 (#7113) (#7274)

83a637b

hdhalter added 3 - Done Issue is done/complete and removed 2 - In progress Issue/PR: The issue or PR is in progress. labels Jun 6, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DOC] Add a new section in documentation for security best practices and recommendations. #5782

[DOC] Add a new section in documentation for security best practices and recommendations. #5782

hdhalter commented Dec 4, 2023 •

edited

Loading

stephen-crawford commented Dec 5, 2023

hdhalter commented Dec 6, 2023

cwperks commented Dec 7, 2023

peternied commented Dec 7, 2023

rursprung commented Dec 8, 2023

john-eliatra commented Dec 19, 2023

hdhalter commented May 8, 2024

leanneeliatra commented May 14, 2024 •

edited

Loading

leanneeliatra commented May 14, 2024 •

edited

Loading

[DOC] Add a new section in documentation for security best practices and recommendations. #5782

[DOC] Add a new section in documentation for security best practices and recommendations. #5782

Comments

hdhalter commented Dec 4, 2023 • edited Loading

stephen-crawford commented Dec 5, 2023

hdhalter commented Dec 6, 2023

cwperks commented Dec 7, 2023

peternied commented Dec 7, 2023

rursprung commented Dec 8, 2023

john-eliatra commented Dec 19, 2023

hdhalter commented May 8, 2024

leanneeliatra commented May 14, 2024 • edited Loading

leanneeliatra commented May 14, 2024 • edited Loading

hdhalter commented Dec 4, 2023 •

edited

Loading

leanneeliatra commented May 14, 2024 •

edited

Loading

leanneeliatra commented May 14, 2024 •

edited

Loading