github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[DOCS] Creates separate doc for security in production (#103973)

Browse source 
* [DOCS] Creates separate doc for security in production

* Use Kibana attribute

* Update CSP section

* Move SSL section to the top

This is the highest priority item for securing a production installation
of Kibana.

* Add section on using secure HTTP headers

* Write intro

* [DOCS] Fixes broken link and other minor edits

* [DOCS] Changes man to manipulator

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
This commit is contained in:
gchaps 2021-07-07 13:19:28 -07:00 committed by GitHub
parent d64c3fb5be
commit e92892a174
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 108 additions and 69 deletions
Download patch file Download diff file Expand all files Collapse all files

3
docs/setup/settings.asciidoc
View file

@ -557,11 +557,10 @@ deprecation warning at startup. This setting cannot end in a slash (`/`).
proxy sitting in front of it. This determines whether HTTP compression may be used for responses, based on the request `Referer` header.
This setting may not be used when <<server-compression, `server.compression.enabled`>> is set to `false`. *Default: `none`*
[[server-securityResponseHeaders-strictTransportSecurity]]
a|
`server.securityResponseHeaders:`
`strictTransportSecurity:`
| Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[`Strict-Transport-Security`]
| [[server-securityResponseHeaders-strictTransportSecurity]] Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[`Strict-Transport-Security`]
header is used in all responses to the client from the {kib} server, and specifies what value is used. Allowed values are any text value or
`null`. To disable, set to `null`. *Default:* `null`

4
docs/user/production-considerations/alerting-production-considerations.asciidoc
View file

@ -36,7 +36,7 @@ For detailed guidance, see <<alerting-troubleshooting, Alerting Troubleshooting>
[float]
[[alerting-scaling-guidance]]
=== Scaling Guidance
=== Scaling guidance
As rules and actions leverage background tasks to perform the majority of work, scaling Alerting is possible by following the <<task-manager-scaling-guidance,Task Manager Scaling Guidance>>.
@ -58,7 +58,7 @@ Alerts and actions log activity in a set of "event log" indices. These indices
The name of the index policy is `kibana-event-log-policy`. {kib} creates the index policy on startup, if it doesn't already exist. The index policy can be customized for your environment, but {kib} never modifies the index policy after creating it.
Because Kibana uses the documents to display historic data, you should set the delete phase longer than you would like the historic data to be shown. For example, if you would like to see one month's worth of historic data, you should set the delete phase to at least one month.
Because {kib} uses the documents to display historic data, you should set the delete phase longer than you would like the historic data to be shown. For example, if you would like to see one month's worth of historic data, you should set the delete phase to at least one month.
For more information on index lifecycle management, see:
{ref}/index-lifecycle-management.html[Index Lifecycle Policies].

1
docs/user/production-considerations/index.asciidoc
View file

@ -1,4 +1,5 @@
include::production.asciidoc[]
include::security-production-considerations.asciidoc[]
include::alerting-production-considerations.asciidoc[]
include::reporting-production-considerations.asciidoc[]
include::task-manager-production-considerations.asciidoc[]

81
docs/user/production-considerations/production.asciidoc
View file

@ -5,74 +5,24 @@
<titleabbrev>Production considerations</titleabbrev>
++++
* <<configuring-kibana-shield>>
* <<csp-strict-mode>>
* <<enabling-ssl>>
* <<load-balancing-kibana>>
* <<accessing-load-balanced-kibana>>
* <<high-availability>>
* <<memory>>
How you deploy {kib} largely depends on your use case. If you are the only user,
you can run {kib} on your local machine and configure it to point to whatever
{es} instance you want to interact with. Conversely, if you have a large
number of heavy {kib} users, you might need to load balance across multiple
{kib} instances that are all connected to the same {es} instance.
How you deploy Kibana largely depends on your use case. If you are the only user,
you can run Kibana on your local machine and configure it to point to whatever
Elasticsearch instance you want to interact with. Conversely, if you have a large
number of heavy Kibana users, you might need to load balance across multiple
Kibana instances that are all connected to the same Elasticsearch instance.
While Kibana isn't terribly resource intensive, we still recommend running Kibana
separate from your Elasticsearch data or master nodes. To distribute Kibana
traffic across the nodes in your Elasticsearch cluster,
you can configure Kibana to use a list of Elasticsearch hosts.
[float]
[[configuring-kibana-shield]]
=== Use {stack} {security-features}
You can use {stack} {security-features} to control what {es} data users can
access through Kibana.
When {security-features} are enabled, Kibana users have to log in. They need to
have a role granting <<kibana-privileges, Kibana privileges>> as well as access
to the indices they will be working with in Kibana.
If a user loads a Kibana dashboard that accesses data in an index that they
are not authorized to view, they get an error that indicates the index does
not exist.
For more information on granting access to Kibana, see <<xpack-security-authorization>>.
[float]
[[csp-strict-mode]]
=== Require Content Security Policy
Kibana uses a Content Security Policy to help prevent the browser from allowing
unsafe scripting, but older browsers will silently ignore this policy. If your
organization does not need to support Internet Explorer 11 or much older
versions of our other supported browsers, we recommend that you enable Kibana's
`strict` mode for content security policy, which will block access to Kibana
for any browser that does not enforce even a rudimentary set of CSP
protections.
To do this, set `csp.strict` to `true` in your `kibana.yml`:
[source,js]
--------
csp.strict: true
--------
[float]
[[enabling-ssl]]
=== Enable SSL
See <<configuring-tls>>.
While {kib} isn't terribly resource intensive, we still recommend running {kib}
separate from your {es} data or master nodes. To distribute {kib}
traffic across the nodes in your {es} cluster,
you can configure {kib} to use a list of {es} hosts.
[float]
[[load-balancing-kibana]]
=== Load balancing across multiple Kibana instances
To serve multiple Kibana installations behind a load balancer, you must change the configuration. See {kibana-ref}/settings.html[Configuring Kibana] for details on each setting.
=== Load balancing across multiple {kib} instances
To serve multiple {kib} installations behind a load balancer, you must change the configuration.
See {kibana-ref}/settings.html[Configuring {kib}] for details on each setting.
Settings unique across each Kibana instance:
Settings unique across each {kib} instance:
[source,js]
--------
server.uuid
@ -119,8 +69,8 @@ active in case of failure from the currently used instance.
[float]
[[high-availability]]
=== High availability across multiple {es} nodes
Kibana can be configured to connect to multiple Elasticsearch nodes in the same cluster. In situations where a node becomes unavailable,
Kibana will transparently connect to an available node and continue operating. Requests to available hosts will be routed in a round robin fashion.
{kib} can be configured to connect to multiple {es} nodes in the same cluster. In situations where a node becomes unavailable,
{kib} will transparently connect to an available node and continue operating. Requests to available hosts will be routed in a round robin fashion.
In kibana.yml:
[source,js]
@ -136,6 +86,7 @@ These can be used to automatically update the list of hosts as a cluster is resi
[float]
[[memory]]
=== Memory
Kibana has a default memory limit that scales based on total memory available. In some scenarios, such as large reporting jobs,
it may make sense to tweak limits to meet more specific requirements.

88
docs/user/production-considerations/security-production-considerations.asciidoc Normal file
View file

@ -0,0 +1,88 @@
[role="xpack"]
[[Security-production-considerations]]
== Security production considerations
++++
<titleabbrev>Security</titleabbrev>
++++
:keywords: administrator, analyst, concept, setup, security
:description: Consider the production components for {kib} security.
To secure your {kib} installation in production, consider these high-priority topics to ensure
that only authorized users can access {kib}.
For more information on {kib}'s security controls, see <<using-kibana-with-security, Configure security>>.
[float]
[[enabling-ssl]]
=== Enable SSL/TLS
You should use SSL/TLS encryption to ensure that traffic between browsers and the {kib} server cannot be viewed or tampered with by third
parties. See <<configuring-tls>>.
[float]
[[configuring-kibana-shield]]
=== Use {stack} {security-features}
You can use {stack} {security-features} to control what {es} data users can
access through {kib}.
When {security-features} are enabled, {kib} users have to log in. They must
have a role granting <<kibana-privileges, {kib} privileges>> and access
to the indices that they will be working with in {kib}.
If a user loads a {kib} dashboard that accesses data in an index that they
are not authorized to view, they get an error that indicates the index does
not exist.
For more information on granting access to {kib}, see <<xpack-security-authorization>>.
[float]
[[configuring-security-headers]]
=== Use secure HTTP headers
The {kib} server can instruct browsers to enable additional security controls using HTTP headers.
1. Enable HTTP Strict-Transport-Security.
+
Use <<server-securityResponseHeaders-strictTransportSecurity,`strictTransportSecurity`>> to ensure that browsers will only attempt
to access {kib} with SSL/TLS encryption. This is designed to prevent manipulator-in-the-middle attacks.
To configure this with a lifetime of one
year in your `kibana.yml`:
+
[source,js]
--------
server.securityResponseHeaders.strictTransportSecurity: "max-age=31536000"
--------
+
WARNING: This header will block unencrypted connections for the entire domain. If you host more than one web application on the same domain
using different ports or paths, all of them will be affected.
2. Disable embedding.
+
Use <<server-securityResponseHeaders-disableEmbedding, `disableEmbedding`>> to ensure
that {kib} cannot be embedded in other websites.
To configure this in your `kibana.yml`:
+
[source,js]
--------
server.securityResponseHeaders.disableEmbedding: true
--------
[float]
[[csp-strict-mode]]
=== Require a Content Security Policy
{kib} uses a Content Security Policy (CSP) to prevent the browser from allowing
unsafe scripting, but older browsers will silently ignore this policy. If your
organization does not need to support very old
versions of our supported browsers, we recommend that you enable {kib}'s
`strict` mode for the CSP. This will block access to {kib}
for any browser that does not enforce even a rudimentary set of CSP
protections.
To do this, set `csp.strict` to `true` in your `kibana.yml`:
[source,js]
--------
csp.strict: true
--------