pfelk / docker

Deploy pfelk with docker-compose
Apache License 2.0

Ssl auth support #36

Closed narkisr closed 2 years ago

narkisr commented 2 years ago

Hi folks, this is the first draft of a change I made to better secure pfelk. ATM the default docker setup exposes all ports without any security in place; I hope that you would find this change valuable.

There is more docs work to do here, and I had to change the template upload scripts a bit to support auth + SSL (not included in this change as it's not located in this repo).

Description

By default the docker setup isn't using SSL + auth, which reduces the security posture of this solution when deployed as a server on a non-trusted network (which is basically any network ;) )

Another issue that this PR aims to solve is the lack of binding of ports to 127.0.0.1: docker exposes all ports on the host machine by default and this is pretty tricky to close via a firewall. Binding all ports to 127.0.0.1 and using a reverse proxy to expose Kibana and syslog ports solves this (note I didn't include the reverse proxy section here; it's pretty much vanilla nginx with SSL).

How Has This Been Tested?

I ran on my local server and it works :)
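The loopback binding the description argues for can be checked mechanically before a stack is brought up. The following is an added example, not code from this PR or from the pfelk/docker repo: a POSIX shell audit that flags every compose port mapping published on all host interfaces, run here against a constructed compose fragment whose service names and ports are placeholders rather than the project's own file.

```sh
#!/bin/sh
# Added example, not code from the pfelk/docker repo: audit a docker-compose
# file for published ports that are not pinned to the loopback address.
# A mapping such as "9200:9200" (or "0.0.0.0:9200:9200") is published on every
# host interface, and because Docker accepts that traffic through its own
# FORWARD-chain iptables rules, the host's INPUT-chain firewall rules never
# see it. Only "127.0.0.1:host:container[/proto]" entries are treated as safe;
# IPv6 loopback (::1) is deliberately not handled here.

# check_compose_ports <compose file>
# Prints "<line>: <mapping>" for every offending entry; returns 0 when every
# mapping is loopback-bound and 1 otherwise.
check_compose_ports() {
    awk '
        BEGIN { bad = 0 }
        # a YAML list item that looks like a port mapping: digits, dots, colons,
        # an optional /tcp or /udp suffix, optional surrounding quotes
        /^[ \t]*-[ \t]*"?[0-9.:]+(\/(tcp|udp))?"?[ \t]*$/ {
            m = $0
            sub(/^[ \t]*-[ \t]*"?/, "", m)
            sub(/"?[ \t]*$/, "", m)
            # a host IP is present only when the mapping has three ":"-separated parts
            n = split(m, p, ":")
            if (n < 3 || p[1] != "127.0.0.1") { print NR ": " m; bad = 1 }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample (not the project's compose file): two of the five
# mappings are loopback-bound, the other three are published host-wide.
SAMPLE_COMPOSE=$(mktemp)
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  elasticsearch:
    ports:
      - "0.0.0.0:9200:9200"
      - "127.0.0.1:9300:9300"
  kibana:
    ports:
      - 5601:5601
  logstash:
    ports:
      - "127.0.0.1:5140:5140/udp"
      - 5141:5141/udp
EOF

# The same services written the way the PR description asks for: everything
# on 127.0.0.1, with a reverse proxy in front of the ports that must be reachable.
SAFE_COMPOSE=$(mktemp)
cat > "$SAFE_COMPOSE" <<'EOF'
services:
  elasticsearch:
    ports:
      - "127.0.0.1:9200:9200"
  kibana:
    ports:
      - "127.0.0.1:5601:5601"
EOF

if check_compose_ports "$SAMPLE_COMPOSE"; then
    echo "all published ports are bound to 127.0.0.1"
else
    echo "the mappings above are reachable from every host interface" >&2
fi
```

Run it as `sh audit.sh` to see the three host-wide mappings in the constructed sample reported with their line numbers; point `check_compose_ports` at a real `docker-compose.yml` to audit a deployment. The check only recognises IPv4 loopback, so a mapping written as `"::1:9200:9200"` is reported even though it is also local-only.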

narkisr commented 2 years ago

Hi @a3ilson, thank you for the merge and the commit bit. With this change the template upload script has to use authentication + SSL as well:

```sh
### component>>template>>pfelk-mappings-ecs
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/templates/pfelk-mappings-ecs -P /tmp/pfELK/templates && cat /tmp/pfELK/templates/pfelk-mappings-ecs | sed '1d' > /tmp/pfELK/templates/pfelk-mappings-ecs.3tmp && curl -X PUT -H "Content-Type: application/json" -d @/tmp/pfELK/templates/pfelk-mappings-ecs.3tmp https://localhost:9200/_component_template/pfelk-mappings-ecs?pretty -u elastic:[pass] --cacert ./certs/ca/ca.crt

### ilm>>pfelk
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/templates/pfelk-ilm -P /tmp/pfELK/templates && cat /tmp/pfELK/templates/pfelk-ilm | sed '1d' > /tmp/pfELK/templates/pfelk-ilm.3tmp && curl -X PUT -H "Content-Type: application/json" -d @/tmp/pfELK/templates/pfelk-ilm.3tmp https://localhost:9200/_ilm/policy/pfelk?pretty -u elastic:[pass] --cacert ./certs/ca/ca.crt

### index>>template>>pfelk
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/templates/pfelk -P /tmp/pfELK/templates && cat /tmp/pfELK/templates/pfelk | sed '1d' > /tmp/pfELK/templates/pfelk.3tmp && curl -X PUT -H "Content-Type: application/json" -d @/tmp/pfELK/templates/pfelk.3tmp https://localhost:9200/_index_template/pfelk?pretty -u elastic:[pass] --cacert ./certs/ca/ca.crt

### index>>template>>pfelk-dhcp
wget https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/templates/pfelk-dhcp -P /tmp/pfELK/templates && cat /tmp/pfELK/templates/pfelk-dhcp | sed '1d' > /tmp/pfELK/templates/pfelk-dhcp.3tmp && curl -X PUT -H "Content-Type: application/json" -d @/tmp/pfELK/templates/pfelk-dhcp.3tmp https://localhost:9200/_index_template/pfelk-dhcp?pretty -u elastic:[pass] --cacert ./certs/ca/ca.crt
```

Similarly the dashboard script has to use auth (no need for SSL in this case because it's not behind the proxy on the local host):

```sh
#                                                        #
#             pfELK - Download Saved Objects             #
#                                                        #
##########################################################
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-captive.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-dhcp.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-firewall.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-haproxy.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-nginx.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-snort.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-squid.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-suricata.ndjson -P /tmp/pfELK/
wget -q https://raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/dashboard/22.01-unbound.ndjson -P /tmp/pfELK/
##########################################################
#                                                        #
#            pfELK - Installing Saved Objects            #
#                                                        #
##########################################################
# every import authenticates as the elastic user; the kbn-xsrf header is sent once per request
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-captive.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-dhcp.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-firewall.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-haproxy.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-nginx.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-snort.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-squid.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-suricata.ndjson -u elastic:[pass]
curl -X POST localhost:5601/api/saved_objects/_import -H "kbn-xsrf: true" --form file=@/tmp/pfELK/22.01-unbound.ndjson -u elastic:[pass]
```

I'm not sure how it's best to tackle this because I'm not sure if other install methods (not docker) use x-pack + SSL (never went through the process of installing them).

What do you think @a3ilson ?

a3ilson commented 2 years ago

I have omitted x-pack and security primarily to allow ease of installing. Earlier on the majority of the issues were more so troubleshooting so I focused on making it simple (get started). Although there are various aspects that can be explored and leveraged.

Two thoughts on this: (1) Implement security by default, but not everyone wants this and it would add another layer of complexity. (2) Amend the scripts to prompt the user for an input (e.g. No Security / Security Enabled), then require the password and certificate path.

-thoughts/suggestions/ideas?

narkisr commented 2 years ago

Hi @a3ilson I will amend the template/dashboard upload script to make cert/auth optional and send a PR.

Thanks
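One way to make the cert/auth parts of the upload scripts optional, as a3ilson suggested and narkisr agreed to above. This is an added example, not the pfelk upload script or either PR's code: the same Elasticsearch PUTs and Kibana saved-object imports shown in the earlier comment, driven by assumed `PFELK_*` environment variables (placeholders, not pfelk settings), with the credentials kept out of the command line and a dry-run mode that only prints what would be sent.

```sh
#!/bin/sh
# Added example, not the pfelk upload script: the template / ILM / dashboard
# uploads from the comment above with the TLS and auth parts made optional,
# along the lines of the "No Security / Security Enabled" suggestion.
# The knobs are assumed placeholders, not pfelk settings:
#   PFELK_SECURITY  "yes" to authenticate (and use https for Elasticsearch)
#   PFELK_ES_PASS   password of the "elastic" user when security is on
#   PFELK_CA_CERT   CA certificate that signed the Elasticsearch certificate
#   PFELK_DRY_RUN   "1" prints each curl command instead of running it
set -u

# Elasticsearch is only reached over https when security is on; Kibana stays
# plain http on the loopback because the reverse proxy terminates TLS for it.
es_url() {
    if [ "${PFELK_SECURITY:-no}" = "yes" ]; then echo "https://localhost:9200"
    else echo "http://localhost:9200"; fi
}
kbn_url() { echo "http://localhost:5601"; }

# Writes a mode-0600 curl config holding the credential and CA path, so the
# password is never on a command line (where "-u elastic:pass" is visible in
# ps output and shell history). Prints the path; prints nothing when security
# is off; returns 2 when a required setting is missing, rather than falling
# back to an unauthenticated or unverified (-k) request.
curl_config() {
    [ "${PFELK_SECURITY:-no}" = "yes" ] || return 0
    [ -n "${PFELK_ES_PASS:-}" ] || { echo "PFELK_ES_PASS is required when PFELK_SECURITY=yes" >&2; return 2; }
    [ -r "${PFELK_CA_CERT:-}" ] || { echo "PFELK_CA_CERT must be a readable CA certificate" >&2; return 2; }
    cfg=$(mktemp) || return 1
    chmod 600 "$cfg"
    printf 'user = "elastic:%s"\ncacert = "%s"\n' "$PFELK_ES_PASS" "$PFELK_CA_CERT" > "$cfg"
    echo "$cfg"
}

# Runs a command, or just prints it in dry-run mode.
run() { if [ "${PFELK_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# es_put <api path> <json file>: PUT a component/index template or ILM policy.
es_put() {
    cfg=$(curl_config) || return $?
    if [ -n "$cfg" ]; then
        run curl -sS -X PUT -H 'Content-Type: application/json' -K "$cfg" -d "@$2" "$(es_url)$1?pretty"
    else
        run curl -sS -X PUT -H 'Content-Type: application/json' -d "@$2" "$(es_url)$1?pretty"
    fi
    rc=$?; [ -n "$cfg" ] && rm -f "$cfg"; return $rc
}

# kbn_import <ndjson file>: import saved objects (dashboards) into Kibana.
# The CA entry in the config is simply unused on a plain-http request.
kbn_import() {
    cfg=$(curl_config) || return $?
    if [ -n "$cfg" ]; then
        run curl -sS -X POST -H 'kbn-xsrf: true' -K "$cfg" --form "file=@$1" "$(kbn_url)/api/saved_objects/_import"
    else
        run curl -sS -X POST -H 'kbn-xsrf: true' --form "file=@$1" "$(kbn_url)/api/saved_objects/_import"
    fi
    rc=$?; [ -n "$cfg" ] && rm -f "$cfg"; return $rc
}

# Dry-run walkthrough of two of the uploads from the comment (nothing is sent
# unless PFELK_DRY_RUN is unset, in which case the real requests are made).
if [ "${PFELK_DRY_RUN:-0}" = "1" ]; then
    es_put /_ilm/policy/pfelk /tmp/pfELK/templates/pfelk-ilm.3tmp
    kbn_import /tmp/pfELK/22.01-firewall.ndjson
fi
```

With `PFELK_SECURITY=no` the commands are exactly the unauthenticated http calls of the original scripts; with `PFELK_SECURITY=yes` the URL switches to https and the credentials travel via `-K <config>` instead of `-u elastic:[pass]`, so the password shows up in neither `ps` nor shell history. The script refuses to run when the password or CA file is missing instead of silently degrading to an unverified connection.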

a3ilson commented 2 years ago

I'm in the process of updating the main repo... I have not been able to automate when security is enabled.

However, I have updated and have everything working but it will require additional steps to finalize due to default security options.

narkisr commented 2 years ago

Please see the two PRs I've submitted; they make this process possible. Let me know if you have any comments.