
Security Checklist

Abstract

This guide provides checklists to help you secure the punchplatform according to your requirements, covering both technical and non-technical information.

Before going further, you should follow the Project Checklist first!

In this guide we will refer to the following terms:

  • ES: Elasticsearch cluster
  • SSL: TLS v1.2 or v1.3
  • RBAC: authentication and authorization mechanics, applied only to Elasticsearch indices
  • ACL: access control for applications connecting to Kafka

Elasticsearch/Kibana security

You have to use either (not both):

  • Open Distro Security
  • ModSecurity

RBAC with Open Distro:

  • Install Open Distro Security for ES:
    • Authentication to ES
    • At least one admin user can perform any request
    • SSL transfer protocol between each node
    • Admin SSL certificates for security management
    • DNS hostname verification enforcement
    • User access per tenant
    • Authentication for Punch ES reporters
    • Cipher restriction to RSA and ECDSA 256-bit keys
  • Install Open Distro Security for Kibana:
    • Login page to Kibana
    • Security tab (admin only) to manage access control to ES
    • Tenant based access control for dashboards
    • Kibana server authentication to ES

SSL with Open Distro:

  • Install Open Distro Security for ES:
    • HTTPS to ES
    • CA verification
    • Optionally, SSL certificate authentication to ES
    • SSL for Punch ES reporters
  • Install Open Distro Security for Kibana:
    • HTTPS to Kibana
    • HTTPS between Kibana and ES
    • SSL authentication to ES
    • Different certificates for Kibana server and Kibana client
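As an added verification for the RBAC and SSL items above (example code, not part of punchplatform or Open Distro), the following Python script audits one ES node: it checks that the handshake uses TLS 1.2 or 1.3 against the configured CA with hostname verification, that the negotiated suite is authenticated by an RSA or ECDSA certificate, and that an anonymous request is refused. The host, port and CA path are assumptions, and requiring forward-secret (ECDHE) suites is stricter than the checklist wording.

```python
import socket
import ssl
import sys
import urllib.error
import urllib.request

ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}           # "SSL" in this checklist means TLS 1.2 or 1.3
FS_AUTH_TAGS = ("ECDHE-RSA-", "ECDHE-ECDSA-")  # assumption: forward-secret suites only


def tls_version_ok(version: str) -> bool:
    """TLS 1.2 or 1.3 passes; TLS 1.0/1.1 and SSLv3 fail."""
    return version in ALLOWED_TLS


def cipher_ok(cipher_name: str) -> bool:
    """Accept suites authenticated by an RSA or ECDSA certificate.
    TLS 1.3 suite names (TLS_AES_..., TLS_CHACHA20_...) carry no
    authentication tag; the certificate decides, so they pass here.
    Static-RSA, anonymous (ADH/AECDH) and NULL suites are rejected."""
    name = cipher_name.upper()
    return name.startswith("TLS_") or name.startswith(FS_AUTH_TAGS)


def anonymous_rejected(status: int) -> bool:
    """With Open Distro Security enabled an unauthenticated request must be
    refused (401/403) instead of answering with the cluster banner (200)."""
    return status in (401, 403)


def audit_es(host: str, port: int = 9200, cafile: str = "/etc/pki/punch-ca.pem") -> dict:
    """One TLS handshake plus one anonymous GET; returns each item as True/False.
    host, port and cafile are assumptions for the reader's deployment.
    A CA or hostname mismatch raises ssl.SSLCertVerificationError, which is itself a FAIL."""
    ctx = ssl.create_default_context(cafile=cafile)  # CA verification + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse anything older at handshake
    findings = {}
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            findings["tls_version_ok"] = tls_version_ok(tls.version())
            findings["cipher_ok"] = cipher_ok(tls.cipher()[0])
    try:
        with urllib.request.urlopen(f"https://{host}:{port}/", context=ctx, timeout=5) as r:
            status = r.status
    except urllib.error.HTTPError as err:
        status = err.code
    findings["anonymous_rejected"] = anonymous_rejected(status)
    return findings


if __name__ == "__main__":
    es_host = sys.argv[1] if len(sys.argv) > 1 else "es.example.internal"  # placeholder host
    for item, ok in audit_es(es_host).items():
        print(f"{'PASS' if ok else 'FAIL'} {item}")
```

Run it against each ES node from a host that holds the CA bundle; any FAIL line maps directly to an unchecked item in the lists above.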

Punch Gateway Security

  • One Gateway grants access to one tenant
  • Authentication to the ES data cluster
  • Authentication to the ES metrics cluster
  • HTTPS to Gateway
  • Optionally, SSL certificate authentication to Gateway
  • HTTPS forwarding to ES
  • Optionally, SSL certificate authentication to ES
  • Different certificates for Gateway server and Gateway client

Punchlines

  • ES inputs and outputs:
    • Authentication to ES
    • HTTPS to ES

Punch metric Reporters

  • ES reporters security:
    • Authentication to ES
    • HTTPS to ES

Elastalert

  • Authentication to ES
  • SSL configuration to ES