Siren Platform User Guide

Siren Investigate access control configuration

Edit config/investigate.yml and specify the credentials of the sirenserver user, for example:

elasticsearch.username: 'sirenserver'
elasticsearch.password: 'password'

If HTTPS is enabled for the Elasticsearch REST API, ensure that the elasticsearch.url setting contains a URL starting with https, for example:

elasticsearch.url: 'https://localhost:9220'

If the certificate is not signed by a public authority, you will also need to set elasticsearch.ssl.certificateAuthorities to the path of the CA chain bundle in PEM format, for example:

elasticsearch.ssl.certificateAuthorities: 'pki/searchguard/ca.pem'

If you are using the certificates generated by the TLS generator service, the PEM file containing the certificate bundle is available in root-ca/root-ca.pem.

To enable certificate verification, set elasticsearch.ssl.verificationMode to full, for example:

elasticsearch.ssl.verificationMode: full

If you want to validate the certificate but not the hostname, set elasticsearch.ssl.verificationMode to certificate, for example:

elasticsearch.ssl.verificationMode: certificate

Set the investigate_core.elasticsearch.auth_plugin option to searchguard:

investigate_core:
  elasticsearch:
    auth_plugin: searchguard

To enable the Siren Investigate access control plugin, specify the following configuration values in the investigate_access_control section:

  • enabled: Set to true to enable the Siren Investigate access control plugin. Defaults to false.
  • backend: The authentication backend installed in the cluster; valid values are searchguard and xpack. Defaults to searchguard.
  • cookie.password: A 32-character alphanumeric string used to derive the key used to encrypt and sign cookies.
  • cookie.secure: If set to true, the cookie will be transmitted only if the request is being served over HTTPS. You must set this to false if Siren Investigate is behind an SSL proxy or if you are running Siren Investigate without HTTPS (which is not advised). Defaults to true.
  • admin_role: The name of the role that will have access to the access control management UI. Users holding this role will not be subject to any permission check by Siren Investigate, but will still be subject to permission checks when issuing queries to Elasticsearch. Defaults to sirenadmin.
  • acl.enabled: Set to true to switch off access control on saved objects. Defaults to false.

Example minimal configuration:

investigate_access_control:
  enabled: true
  acl:
    enabled: true
  cookie:
    secure: true
    password: '12345678123456781234567812345678'

Make sure to personalize the session cookie password.

Additional configuration options:

  • session.ttl: The lifetime of the session in milliseconds. If not set, the session will last as long as the session cookie is valid. Defaults to 3600000 (1 hour).
  • session.keepAlive: If set to true, every time a request is received within the session lifetime, the session lifetime will be extended by session.ttl. Defaults to true.
  • cookie.ttl: The lifetime of the session cookie in milliseconds. If not set, the cookie will expire when the browser is closed, which is the recommended setting. Note that browsers may not remove session cookies when a tab is closed or even across restarts, so you should set session.ttl for additional protection. Defaults to null.
  • cookie.name: The name of the session cookie. Defaults to kac.
  • acl.index: The Elasticsearch index in which access control rules and saved objects metadata will be stored (.sirenaccess by default).

If Siren Investigate is running behind a reverse SSL proxy such as Nginx, remember to set cookie.secure to false, otherwise the cookie will not be sent, for example:

investigate_access_control:
  enabled: true
  acl:
    enabled: true
  cookie:
    password: '12345678123456781234567812345678'
    secure: false

If you want to use the Siren Alert plugin, you must specify the Siren Alert user credentials in the investigate_access_control.sirenalert section, for example:

investigate_access_control:
  enabled: true
  acl:
    enabled: true
  cookie:
    password: '12345678123456781234567812345678'
    secure: false
  sirenalert:
    elasticsearch:
      username: sirenalert
      password: password

If Siren Alert credentials are not specified, Siren Alert will use the backend credentials to execute the watchers.
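The settings above are easy to get subtly wrong (a sample cookie password left in place, cookie.secure set the wrong way for a proxy, an http:// Elasticsearch URL). The following is an added pre-deployment check, not part of Siren's own tooling; it takes the configuration as a Python dict (constructed here to mirror the guide's minimal example, since the real config/investigate.yml is YAML) and reports the settings that conflict with this section.

```python
import re
import secrets

# Constructed sample mirroring the guide's minimal configuration, as a dict so the check needs no YAML library.
SAMPLE_CONFIG = {
    "elasticsearch": {
        "url": "https://localhost:9220",
        "ssl": {"verificationMode": "full", "certificateAuthorities": "pki/searchguard/ca.pem"},
    },
    "investigate_access_control": {
        "enabled": True,
        "acl": {"enabled": True},
        "cookie": {"secure": True, "password": "12345678123456781234567812345678"},
    },
}
DOC_SAMPLE_PASSWORD = "12345678123456781234567812345678"  # the value printed in the guide


def lookup(cfg, dotted, default=None):
    """Resolve a dotted key such as 'cookie.secure' inside nested dicts."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def generate_cookie_password():
    """32 random alphanumeric characters, the format cookie.password requires."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(32))


def check_access_control_config(cfg, behind_ssl_proxy=False):
    """Return findings for the settings this section describes; an empty list means OK."""
    findings = []
    pw = lookup(cfg, "investigate_access_control.cookie.password", "") or ""
    if not re.fullmatch(r"[A-Za-z0-9]{32}", pw):
        findings.append("cookie.password must be a 32-character alphanumeric string")
    if pw == DOC_SAMPLE_PASSWORD:
        findings.append("cookie.password is the documentation sample value; personalize it")
    secure = lookup(cfg, "investigate_access_control.cookie.secure", True)
    if behind_ssl_proxy and secure:
        findings.append("cookie.secure must be false behind an SSL proxy or the cookie is never sent")
    elif not behind_ssl_proxy and not secure:
        findings.append("cookie.secure is false with no SSL proxy: the session cookie may travel over HTTP")
    url = lookup(cfg, "elasticsearch.url", "") or ""
    if not url.startswith("https://"):
        findings.append("elasticsearch.url should use https so credentials are not sent in clear text")
    elif lookup(cfg, "elasticsearch.ssl.verificationMode") not in ("full", "certificate"):
        findings.append("set elasticsearch.ssl.verificationMode to full (or certificate to skip hostname checks)")
    return findings
```

Run it against your own config dict before restarting Siren Investigate; the guide's minimal example yields exactly one finding (the sample cookie password), which generate_cookie_password() resolves.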

Restart Siren Investigate after changing the configuration file; if the configuration is correct, you should see an authentication dialog when browsing to Siren Investigate.

Authentication dialog
