Improve Kibana account management and security #84784

Closed
mbudge opened this issue Dec 2, 2020 · 3 comments
Labels
enhancement New value added to drive a business result Meta Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@mbudge

mbudge commented Dec 2, 2020

Hi,

With the Elastic Stack moving more into the security space, the following needs to be improved:

  • Audit logs for user login/out, admin activities and changes, API access.
  • Separate IP filtering for API and Kibana in Elastic Cloud (e.g. IP filter for API, none for Kibana).
  • Better account management - password complexity rules and expiration in particular.
  • Account lockout protection against brute-force attacks
  • Kibana 2-Factor authentication Elastic Cloud

The audit logs are a requirement for any business which gets audited. It's common for auditors to ask for evidence of user login activity from random dates.

Thanks

@Dosant Dosant added enhancement New value added to drive a business result Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Dec 4, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego
Member

legrego commented Dec 4, 2020

Hi @mbudge, thanks for opening this. I'll address your requests in order:

  • Audit logs for user login/out, admin activities and changes, API access.

We've made a lot of improvements to Kibana audit logging in the upcoming 7.11 release:

  • Separate IP filtering for API and Kibana in Elastic Cloud (e.g. IP filter for API, none for Kibana).

I can pass this request along to the Cloud team. This doesn't sound like something we can solve within Kibana itself.

  • Better account management - password complexity rules and expiration in particular.

This is being discussed in elastic/elasticsearch#29913

  • Account lockout protection against brute-force attacks

This is being discussed in #18491. The summary of the conversation is that this would need to be solved in Elasticsearch if this is something we decide to do.

  • Kibana 2-Factor authentication Elastic Cloud

I'm not sure what resources are available to you, but if you were to authenticate via SAML or another SSO provider, then your provider could enable 2-Factor authentication (and password enforcement, lockout protection, etc) on your behalf.

We have a related issue around webauthn here: #39414


One of the reasons we don't have some of these features implemented yet is that we've historically tried not to make Elasticsearch a full-fledged authentication/identity provider. We allow for basic user and account management via their native realm, but we've encouraged users needing more sophisticated setups to adopt an external identity provider.

That's not to say we won't ever do these things -- I'm just giving you some context to explain our current state.

@legrego legrego added the Meta label Dec 4, 2020
@legrego
Member

legrego commented Aug 3, 2021

In the interest of consolidating the discussion, I am going to close this in favor of the linked issues above. Thanks!

@legrego legrego closed this as completed Aug 3, 2021