V_ID,Severity,CCI,Version,Title,Description,Service,IA Controls,ruleID,fixid,fixtext,checkid,checktext,,Response,Title,Description
V-26681,medium,CCI-000068,SRG-APP-000014,Applications providing remote access capabilities must utilize approved cryptography to protect the confidentiality of remote access sessions.,"Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.  

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection.  These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN).  Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and compromised.  Cryptography provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of confidentiality. The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection.",Core,None,SV-33881r1_rule,None,"Implement protective measures when providing remote access.       
     
See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect remote access sessions.       

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the application and Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-26682,medium,CCI-001453,SRG-APP-000015,Applications providing remote access connectivity must use cryptography to protect the integrity of the remote access session.,"Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.  

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection.  These connections will typically occur over the public Internet, the Public Switched Telephone Network (PSTN) or sometimes both.  Since neither of these internetworking mechanisms are private nor secure, if cryptography is not used, then the session data traversing the remote connection could be intercepted and potentially modified.  Cryptography provides a means to secure the remote connection so as to prevent unauthorized access to the data traversing the remote access connection thereby providing a degree of integrity.  The encryption strength of mechanism is selected based on the security categorization of the information traversing the remote connection.",,None,SV-33882r1_rule,None,"Implement protective measures when providing remote access.       
     
See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect remote access sessions.      

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-26849,medium,CCI-000132,SRG-APP-000097,The application must produce audit records containing sufficient information to establish where the events occurred.,"Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes:  time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. 

Without sufficient information establishing where the audit events occurred, investigation into the cause of events is severely hindered.",,None,SV-34129r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26685,medium,CCI-000069,SRG-APP-000017,Applications providing remote access must have capabilities that allow all remote access to be routed through managed access control points.,"This requirement relates to the use of applications providing remote access services.  Remote access is any access to an organizational information system by a user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). Examples of remote access methods include dial-up, broadband, and wireless.  

Remote network access is accomplished by leveraging common communication protocols and establishing a remote connection.  These connections will typically occur over either the public Internet or the Public Switched Telephone Network (PSTN).   

Please note, utilization of a virtual private network when adequately provisioned with appropriate security controls, is considered an internal network and is not considered remote access.

Without centralized control of inbound connections, management of these access points is difficult at best.  It is critical that applications providing or offering remote access capabilities also have the capability to route the access through managed access control points. 

One example is the use of software applications such as PCAnywhere or Terminal Services.  Rather than having PCAnywhere installed on multiple systems, remote access software must have the capability to be centrally managed and controlled so there are not multiple disparate access points into the environment.

Applications providing remote access must have capabilities that allow all remote access to be routed through managed access control points.",,None,SV-33908r1_rule,None,"Note: The following instructions use the ESHOME environment variable. See supplementary content APPENDIX-XXX for
instructions on configuring ESHOME.

To change the Managed access control points of the application, as the application administrator, change the following setting in elasticsearch.conf:

$ sudo su - elasticsearch
$ vi $ESHOME/config/elasticsearch.yml 

Change the Managed access control points parameter to the desired addresses, i.e.:
     xpack.security.http.filter.enabled: true 
     xpack.security.http.filter.allow: ""Managed access control points""
     xpack.security.http.filter.deny: _all          
     
Next, restart the application:
$ sudo su - elasticsearch

# SYSTEMD SERVER ONLY
$ systemctl restart elasticsearch",None,"Check Elasticsearch.yml settings and existing IP filtering rules to verify that only sepecific IP behind hardware/software ""Managed access control points"" are listed.
     
As the application administrator (usually elasticsearch, check the xpack.security.http.filter setting contains IP address(es) of the  ""Managed access control points"":  

$cat elasticsearch.yml | grep ""xpack.security.http.filter"", Verify all three settings; xpack.security.http.filter.enabled: true; xpack.security.http.filter.allow: ""Managed access control points""; xpack.security.http.filter.deny: _all

As an elasticsearch administrator test; verify runtime environment within _culster settings are set to ""{}"" OR Verify all three settings are xpack.security.http.filter.enabled: true; xpack.security.http.filter.allow: ""Managed access control points""; xpack.security.http.filter.deny: _all

$ curl -h content_type:application-json    -XGET ""http://<elasticsearch>:9200/_cluster/settings""

If these configuration setting are disabled, or not pointing to the ""Managed access control points"", this is a finding. ",,,Control network access to Elasticsearch,Limit network access to Elasticsearch software from known points of origin with the use of software and hardware firewalls as well as X-Pack Security IP Filtering. Change the elasticsearch cluster name to an instance unique value for all elasticsearch nodes and all applications should use HTTP/S  rather than Elasticsearch transport protocol.
V-26847,medium,CCI-000131,SRG-APP-000096,The application must produce audit records containing sufficient information to establish when (date and time) the events occurred.,"Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes:  time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.",,None,SV-34127r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26845,medium,CCI-000130,SRG-APP-000095,The application must produce audit records containing sufficient information to establish what type of events occurred.,"Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes:  time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. ",,None,SV-34125r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26921,medium,CCI-001619,SRG-APP-000169,The application must support organizational requirements to enforce password complexity by the number of special characters used.,"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. 

Password complexity is one factor in determining how long it takes to crack a password. 

The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised. 

Use of a complex password helps to increase the time and resources required to compromise the password. ",,None,SV-34201r1_rule,None,None,None,"None ()ELasticsearch supports LDAP, AD, and PKI, if you use AD verify these are set -   xpack:
  security:
    authc:
      realms:
        active_directory:
          type: active_directory
          order: 0 
          domain_name: ad.example.com
          url: ldaps://ad.example.com:636 
          unmapped_groups_as_roles: true ",,Guidance - System accounts cannot be disabled and elasticsearch does not enforce password complexity rules.,Ensure Elasticsearch passwords and credentials meet organizational requirements.,"Configure the centralized authentication service to enforce organization policies such as password strength, lockout, expiration, notification, and screen obfuscation."
V-26924,medium,CCI-000197,SRG-APP-000172,The application must support organizational requirements to enforce password encryption for transmission.,Passwords need to be protected at all times and encryption is the standard method for protecting passwords during transmission.,,None,SV-34204r1_rule,None,"Implement protective measures when enforcing password encryption for transmission.       
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect passwords in transmission.
As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
$cat elasticsearch.yml | grep xpack.security.transport.ssl.enabled: true

If this setting is not present or set to true, this is a finding.

As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-27160,medium,CCI-000164,SRG-APP-000120,The application must protect audit information from unauthorized deletion.,"If audit data were to become compromised then competent forensic analysis and discovery of the true source of potentially malicious system activity is impossible to achieve. 

To ensure the veracity of audit data the information system and/or the application must protect audit information from unauthorized deletion.  This requirement can be achieved through multiple methods which will depend upon system architecture and design.  

Some commonly employed methods include:  ensuring log files enjoy the proper file system permissions utilizing file system protections; restricting access and backing up log data to ensure log data is retained.  

Applications providing a user interface to audit data will leverage user permissions and roles identifying the user accessing the data and the corresponding rights the user enjoys in order make access decisions regarding the deletion of audit data.

Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit information system activity. ",,None,SV-34459r1_rule,None,None,None,"None - enforce Auditd to establish immutable file, and alerts when changes occur",,,Move Audit records off Elasticsearch boxes,Configure operating system protections for audit records such that the records are not editable or deletable by Elasticsearch administrators and not accessible by unauthorized users.
V-26902,medium,CCI-000171,SRG-APP-000090,The application must allow designated organizational personnel to select which auditable events are to be audited by specific components of the system.,"Audit records can be generated from various components within the information system, such as network interfaces, hard disks, modems, etc. From an application perspective, certain specific application functionalities may be audited, as well.

The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked).

Organizations may define the organizational personal accountable for determining which application components shall provide auditable events.",,None,SV-34182r1_rule,None,,,"Note: The following instructions use the ESHOME environment variable. See supplementary content APPENDIX-F for instructions on configuring ESHOME.       
       
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs              
     
Check elasticsearch settings and documentation to determine whether designated personnel are able to select which auditable events are being audited.        
        
As the application administrator (shown here as ""elasticsearch""), verify the permissions for ESHOME:        
       
$ ls -la ${ESHOME?}        
       
If anything in ESHOME is not owned by the application administrator, this is a finding.        
       
Next, as the elasticsearch administrator, run the following CURL command:        
       
$ curl -XGET  -h content_type:application-json https://localhost:9200/_xpack/security/role          
     
Review the role permissions, if any role is listed as superuser but should not have that access, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26947,medium,CCI-000880,SRG-APP-NA,The organization must audit non-local maintenance and diagnostic sessions.,"Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the Internet) or an internal network in order to conduct system diagnostics.  

This is an organizational requirement to audit non-local maintenance sessions. This does not address an application characteristic and does not apply to applications.",,None,SV-34229r1_rule,None,"Configure elasticsearch audit settings to audit non-local maintenacne and diagnositic sessions.

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-27130,medium,CCI-001135,SRG-APP-000191,The application must establish a trusted communications path between the user and organization-defined security functions within the information system.,"The application user interface must provide an unspoofable and faithful communication channel between the user and any entity trusted to manipulate authorities on the user's behalf. 

A trusted path shall be employed for high-confidence connections between the security functions of the information system and the user (e.g., for login). ",,None,SV-34428r1_rule,None,"Implement protective measures when establishing a trusted communication path between entities.     
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect the communication path between entities.   

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-26851,medium,CCI-000133,SRG-APP-000098,The application must produce audit records containing sufficient information to establish the sources of the events.,"Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes but is not limited to:  time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. 

Without information establishing the source of activity, the value of audit records from a forensics perspective is questionable.",,None,SV-34131r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26904,medium,CCI-001464,SRG-APP-000092,The application must initiate session auditing upon start up.,"Session auditing activities are developed, integrated, and used in consultation with legal counsel in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. ",,None,SV-34184r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26887,medium,CCI-000138,SRG-APP-000071,Applications must configure their auditing to reduce the likelihood of storage capacity being exceeded.,"Applications need to be cognizant of potential audit log storage capacity issues.  During the installation and/or configuration process, applications should detect and determine if adequate storage capacity has been allocated for audit logs.  

During the installation process, a notification may be provided to the installer indicating, based on the auditing configuration chosen and the amount of storage space allocated for audit logs, the amount of storage capacity available is not sufficient enough to meet storage requirements.",,None,SV-34167r1_rule,None,,None,,,,Move Audit records off Elasticsearch boxes / Setup watcher/alerting on secondary system,Offload and centralize audit records retention to a separate system from the sources of audit records.
V-26860,medium,CCI-000134,SRG-APP-000099,The application must produce audit records that contain sufficient information to establish the outcome (success or failure) of the events.,"Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes but is not limited to: time stamps, source and destination IP addresses, user/process identifiers, event descriptions, application specific events, success/fail indications, filenames involved, access control or flow control rules invoked. 

Success and failure indicators ascertain the outcome of a particular event.  As such, they also provide a means to measure the impact of an event and help authorized personnel to determine the appropriate response.",,None,SV-34140r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish the outcome of an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26864,medium,CCI-001487,SRG-APP-000100,The application must produce audit records containing sufficient information to establish the identity of any user/subject or process associated with the event.,"Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes:  time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. ",,None,SV-34144r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish the user/subject associated with an event. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-27062,medium,CCI-001132,SRG-APP-000230,"Applications must maintain the confidentiality of information during aggregation, packaging, and transformation in preparation for transmission.  When transmitting data, applications need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSEC.  ","Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission.  This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. 

Alternative physical protection measures include, protected distribution systems. Protective Distribution Systems (PDS) are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS.",,None,SV-34357r1_rule,None,"Implement protective measures during data transmission.      
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect data transmission.       

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
$cat elasticsearch.yml | grep xpack.security.transport.ssl.enabled: true

If this setting is not present or set to true, this is a finding.

As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-27061,medium,CCI-001131,SRG-APP-000264,The application must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission unless the transmitted data is otherwise protected by alternative physical measures.,"Preventing the disclosure of transmitted information requires that applications take measures to employ some form of cryptographic mechanism in order to protect the information during transmission.  This is usually achieved through the use of Transport Layer Security (TLS), SSL VPN, or IPSEC tunnel. 

Alternative physical protection measures include, Protected Distribution Systems (PDS). PDS are used to transmit unencrypted classified NSI through an area of lesser classification or control. In as much as the classified NSI is unencrypted, the PDS must provide adequate electrical, electromagnetic, and physical safeguards to deter exploitation. Refer to NSTSSI No. 7003 for additional details on a PDS.",,None,SV-34356r1_rule,None,"Implement protective measures during data transmission.
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to protect data transmission.      

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
$cat elasticsearch.yml | grep xpack.security.transport.ssl.enabled: true

If this setting is not present or set to true, this is a finding.

As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-27060,medium,CCI-001130,SRG-APP-NA,Applications must protect the confidentiality of transmitted information.,"Ensuring the confidentiality of transmitted information requires that applications take feasible measures to employ security mechanisms during data transmission.  Examples include but are not limited to, SSL, TLS, IPSec, and VPN.   This requirement applies to communications across internal and external networks. If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. 

When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.",,None,SV-34355r1_rule,None,"Implement confidentiality measures of transmitted data.    
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to establish confidentiality of transmitted data.      

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
$cat elasticsearch.yml | grep xpack.security.transport.ssl.enabled: true

If this setting is not present or set to true, this is a finding.

As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-26868,medium,CCI-000135,SRG-APP-000101,"Applications must include organization-defined additional, more detailed information in the audit records for audit events identified by type, location, or subject.","Information system auditing capability is critical for accurate forensic analysis.   Audit record content that may be necessary to satisfy the requirement of this control, includes:  time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

In addition, the application must have the capability to include organization-defined additional, more detailed information in the audit records for audit events. These events may be identified by type, location, or subject. 

An example of detailed information that the organization may require in audit records is full-text recording of privileged commands or the individual identities of group account users.",,None,SV-34148r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-27059,medium,CCI-001129,SRG-APP-NA,"The application must maintain the integrity of information during aggregation, packaging, and transformation in preparation for transmission.","Ensuring the confidentiality of transmitted information requires that applications take feasible measures to employ transmission layer security.  This requirement applies to communications across internal and external networks. If the organization is relying on a commercial service provider for transmission services as a commodity item rather than a fully dedicated service, it may be more difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission integrity. 

When it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk. 

When transmitting data, applications need to leverage transmission protection mechanisms such as TLS, SSL VPNs, or IPSEC.  ",,None,SV-34354r1_rule,None,"Implement integrity measures during preparation of data transmission.    
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize approved cryptography to establish integrity during preparation of data transmission.      

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
$cat elasticsearch.yml | grep xpack.security.transport.ssl.enabled: true

If this setting is not present or set to true, this is a finding.

As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch
V-26903,medium,CCI-000172,SRG-APP-000091,Applications must generate audit records for the DoD selected list of auditable events.,"Audit records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. 

This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events). 

DoD shall select the list of auditable events and applications must generate audit records for those events.",,None,SV-34183r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."
V-26910,medium,CCI-000779,SRG-APP-000159,Applications managing devices must authenticate devices before establishing remote network connections using bidirectional authentication between devices that are cryptographically based.,"Device authentication is a solution enabling an organization to manage devices.  

It is an additional layer of authentication ensuring only specific pre-authorized devices operated by specific pre-authorized users can access the network. 

Device authentication requires unique identification and authentication that may be defined by type, by specific device, or by a combination of type and device, as deemed appropriate by the organization. 

The application typically uses either shared known information (e.g., Media Access Control [MAC] or Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for identification or an organizational authentication solution (e.g., IEEE 802.1x and Extensible Authentication Protocol [EAP], Radius server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and/or wide area networks. 

The required strength of the device authentication mechanism is determined by the security categorization of the information system. 

Remote network connection is any connection with a device communicating through an external network (e.g., the Internet). 

Bidirectional authentication provides a means for both connecting parties to mutually authenticate one another and cryptographically based authentication provides a secure means of authenticating without the use of clear text passwords. ",,None,SV-34190r1_rule,None,"Implement bidirectional (client-server handshake) for establishing cryptographic communication.
      
 See the official documentation for the complete  guide on establishing SSL configuration: https://www.elastic.co/guide/en/x-pack/current/ssl-tls.html",None,"Application must utilize bidirectional authentication for cryptographic device communication.      

As the application administrator (usually elasticsearch), check the xpack.ssl settings are set to the correct values.

$cat elasticsearch.yml | grep xpack.ssl

xpack.ssl.key:                     <server_key>.key 
xpack.ssl.certificate:             <server_certificate>.crt 
xpack.ssl.certificate_authorities: [ <approved_ca>.crt"" ]     

If these setting are not set or the underlining certificate and keys are not correct, this is a finding.  

$cat elasticsearch.yml | grep xpack.security.http.ssl.enabled: true

If this setting is not present or set to true, this is a finding. 
 
$cat elasticsearch.yml | grep xpack.security.transport.ssl.enabled: true

If this setting is not present or set to true, this is a finding.

As a elasticsearch user, check that non-secure http traffic does not response with 200 status:

$curl http://<elasticsearchIP:9200>/  

If a 200 response comes back, this is a finding.",,,Encrypt information in transit both at the Elasticsearch perimeter and within the Elasticsearch cluster,Use SSL / TLS communication for all networked access to Elasticsearch and connected components such as Kibana and Logstash.  X-Pack Security should be configured with organization approved cryptography.
V-26900,medium,CCI-001353,SRG-APP-000088,The application must produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.,"Audits records can be generated from various components within the information system. The list of audited events is the set of events for which audits are to be generated. This set of events is typically a subset of the list of all events for which the system is capable of generating audit records (i.e., auditable events).  ",,None,SV-34180r1_rule,None,"Configure elasticsearch audit settings to contain sifficient information to establish where an event occured. 

See the official documentation for the instructions on audit configuration:  https://www.elastic.co/guide/en/x-pack/current/auditing.html",None,"Check Elasticsearch.yml settings and existing audit records to verify information specific to the nessacary content of the event is being captured and stored with audit records.     
     
As the application administrator (usually elasticsearch, check the xpack.security.audit.outputs setting contains logfile by running the following:  
      
$ cat config/elasticsearch.yml | grep xpack.security.audit.outputs 

If this configuration setting is not present, this is a finding.  If this configuration setting does not contain logfile, this is a finding.    
 
For a complete list of extra information that can be added to log_line_prefix, see the official documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html      
     
 If the current settings do not provide enough information regarding the content of the event, this is a finding.",,,Generate Audits to assist monitoring and alerting of activities on the system,"Utilize perimeter, application, centralized authentication, and repository audit controls to audit the use of systems in real time with sufficient context.  X-Pack Security audit controls should be enabled to audit the defaults of all HTTP/S based access to Elasticsearch.  All applications should use HTTP/S  rather than Elasticsearch transport protocol."