elasticsearch
[Cloud Security][CDR] Update Wiz vuln privileges
Solves:
- https://github.com/elastic/security-team/issues/9829
Summary
Update kibana_system privileges:
- Include the privilege to create the latest Transform index.
- Include the privilege to read from the Transform's source index.
Integration PR:
- https://github.com/elastic/integrations/pull/10895
Pinging @elastic/ml-core (Team:ML)
Pinging @elastic/es-security (Team:Security)
@CohenIdo Could you please add corresponding test for "security_solution-wiz.vulnerability_latest-*" and "logs-wiz.vulnerability-*" in ReservedRolesStoreTests#testKibanaSystemRole method?
Done :)
Hey @CohenIdo
After having discussed this with the KB team, we've got a few questions -
- Given that the result needs to be written to security_solution...., can this be granted just index and create_index? If it does require the other two privileges, can you clarify why and add that to the PR description?
- Do we have any user-facing docs that specify that users should not be writing to this index due to pattern collisions like we have here: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html?
We try to be quite restrictive for kibana_system privileges to prevent any exploits should credentials or configs be compromised.
Given that the result needs to be written to security_solution...., can this be granted just index and create_index? If it does require the other two privileges, can you clarify why and add that to the PR description?
It's a good point, I will test that with those privileges, I guess you're right and we can use just index and create_index
Do we have any user facing docs that specify that users should not be writing to this index due to pattern collisions like we have here: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html?
Our PMs probably will be able to help here @smriti0321 @tinnytintin10
Given that the result needs to be written to security_solution...., can this be granted just index and create_index? If it does require the other two privileges, can you clarify why and add that to the PR description?
@SiddharthMantri, from the transform docs:
Elasticsearch API user
To manage transforms, you must meet all of the following requirements:
- create_index, index, manage, and read index privileges on destination indices. If a retention_policy is configured, delete index privilege is also required on the destination index.
Thanks for the catch on the doc update @SiddharthMantri and @CohenIdo, I will work on this along with our documentation team. @benironside do you know who will be able to help with the updates on this page: https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html?
Also, we will introduce the change closer to GA of this feature. @CohenIdo
./ci
Hey @CohenIdo ! So after consulting with the team, I think we are good now. It's not super apparent from the PR, but we'd like to know why the source and destination index can't be the same one? Something like this: https://github.com/elastic/elasticsearch/blob/afd4bf41388600fae23dbd4c7210fc94a1fb5006/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java#L357-L383
Good idea @SiddharthMantri, I changed the index pattern to match any future integration we are going to add.
Instead of security_solution-wiz.vulnerability_latest-*, I am now using security_solution-*.vulnerability_latest-*
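The three points raised in this thread (the destination index needs the full create_index/index/manage/read set quoted from the transform docs, the source index should only be readable, and the source and destination patterns must not overlap) can be checked mechanically before a role change is merged. The script below is an added example, not part of this PR or of Elasticsearch's own code: the grant dictionaries mirror the names/privileges shape of a role descriptor's index entry, the concrete index names ending in "-default" are constructed samples, and the overlap check only understands the "*" wildcard used in the thread's patterns.

```python
# Added example (not Elasticsearch code): audit a transform's index-privilege
# grants against the requirements discussed in the PR thread.
from functools import lru_cache
from typing import Dict, Iterable, Set

# Privileges the transform docs (quoted in the thread) require on the
# destination index; "delete" is only added when a retention_policy is set.
DEST_REQUIRED = frozenset({"create_index", "index", "manage", "read"})
# The thread only states that the source index must be readable.
SOURCE_REQUIRED = frozenset({"read"})
# Index privileges that permit writing documents; a read-only source grant
# should never carry any of these.
WRITE_PRIVILEGES = frozenset({"all", "write", "index", "create", "create_doc", "delete"})


@lru_cache(maxsize=None)
def patterns_overlap(p: str, q: str) -> bool:
    """True if some concrete index name matches both '*'-wildcard patterns.

    A concrete name (no '*') overlaps a pattern exactly when it matches it,
    so this doubles as the matcher used by granted_privileges().
    """
    if not p and not q:
        return True
    if p and p[0] == "*":
        # '*' consumes nothing, or one character of q and stays in play.
        return patterns_overlap(p[1:], q) or (bool(q) and patterns_overlap(p, q[1:]))
    if q and q[0] == "*":
        return patterns_overlap(p, q[1:]) or (bool(p) and patterns_overlap(p[1:], q))
    if p and q and p[0] == q[0]:
        return patterns_overlap(p[1:], q[1:])
    return False


def granted_privileges(grants: Iterable[Dict], index_name: str) -> Set[str]:
    """Union of privileges from every grant whose name patterns cover index_name."""
    out: Set[str] = set()
    for grant in grants:
        if any(patterns_overlap(pattern, index_name) for pattern in grant["names"]):
            out.update(grant["privileges"])
    return out


def missing_privileges(grants: Iterable[Dict], index_name: str, required: Iterable[str]) -> Set[str]:
    return set(required) - granted_privileges(grants, index_name)


def audit_transform_grants(grants, source_index, dest_index, source_pattern, dest_pattern) -> Dict:
    """Run the thread's three checks and return the findings (empty sets / False = clean)."""
    return {
        "dest_missing": missing_privileges(grants, dest_index, DEST_REQUIRED),
        "source_missing": missing_privileges(grants, source_index, SOURCE_REQUIRED),
        "source_writable": granted_privileges(grants, source_index) & WRITE_PRIVILEGES,
        "patterns_overlap": patterns_overlap(source_pattern, dest_pattern),
    }


# Constructed grants modelled on the thread: the generalised destination
# pattern from the final comment plus a read-only grant on the source.
WIZ_GRANTS = [
    {"names": ["security_solution-*.vulnerability_latest-*"],
     "privileges": ["create_index", "index", "manage", "read"]},
    {"names": ["logs-wiz.vulnerability-*"], "privileges": ["read"]},
]
# The reviewer's narrower proposal (index + create_index only), for comparison.
NARROW_GRANTS = [
    {"names": ["security_solution-wiz.vulnerability_latest-*"],
     "privileges": ["create_index", "index"]},
    {"names": ["logs-wiz.vulnerability-*"], "privileges": ["read"]},
]
# Constructed sample index names (the "-default" suffix is an assumption).
SOURCE_INDEX = "logs-wiz.vulnerability-default"
DEST_INDEX = "security_solution-wiz.vulnerability_latest-default"
SOURCE_PATTERN = "logs-wiz.vulnerability-*"
DEST_PATTERN = "security_solution-*.vulnerability_latest-*"

if __name__ == "__main__":
    for label, grants in (("full", WIZ_GRANTS), ("narrow", NARROW_GRANTS)):
        print(label, audit_transform_grants(grants, SOURCE_INDEX, DEST_INDEX,
                                            SOURCE_PATTERN, DEST_PATTERN))
```

The narrow grant set shows why the reviewer's "just index and create_index" proposal falls short of the quoted docs (manage and read are reported missing), while the pattern check confirms that the widened security_solution-*.vulnerability_latest-* destination pattern still cannot collide with the logs-wiz.vulnerability-* source.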