Scripting and security

edit

While Elasticsearch contributors make every effort to prevent scripts from running amok, security is something best done in layers because all software has bugs and it is important to minimize the risk of failure in any security layer. Find below rules of thumb for how to keep Elasticsearch from being a vulnerability.

Do not run as root

edit

First and foremost, never run Elasticsearch as the root user as this would allow any successful effort to circumvent the other security layers to do anything on your server. Elasticsearch will refuse to start if it detects that it is running as root but this is so important that it is worth double and triple checking.

Do not expose Elasticsearch directly to users

edit

Do not expose Elasticsearch directly to users, instead have an application make requests on behalf of users. If this is not possible, have an application to sanitize requests from users. If that is not possible then have some mechanism to track which users did what. Understand that it is quite possible to write a _search that overwhelms Elasticsearch and brings down the cluster. All such searches should be considered bugs and the Elasticsearch contributors make an effort to prevent this but they are still possible.

Do not expose Elasticsearch directly to the Internet

edit

Do not expose Elasticsearch to the Internet, instead have an application make requests on behalf of the Internet. Do not entertain the thought of having an application "sanitize" requests to Elasticsearch. Understand that it is possible for a sufficiently determined malicious user to write searches that overwhelm the Elasticsearch cluster and bring it down. For example:

Good:

  • Users type text into a search box and the text is sent directly to a Match, Match phrase, Simple query string, or any of the Suggesters.
  • Running a script with any of the above queries that was written as part of the application development process.
  • Running a script with params provided by users.
  • User actions makes documents with a fixed structure.

Bad:

  • Users can write arbitrary scripts, queries, _search requests.
  • User actions make documents with structure defined by users.

Other security layers

edit

In addition to user privileges and script sandboxing Elasticsearch uses the Java Security Manager and native security tools as additional layers of security.

As part of its startup sequence Elasticsearch enables the Java Security Manager which limits the actions that can be taken by portions of the code. Painless uses this to limit the actions that generated Painless scripts can take, preventing them from being able to do things like write files and listen to sockets.

Elasticsearch uses seccomp in Linux, Seatbelt in macOS, and ActiveProcessLimit on Windows to prevent Elasticsearch from forking or executing other processes.

Below this we describe the security settings for scripts and how you can change from the defaults described above. You should be very, very careful when allowing more than the defaults. Any extra permissions weakens the total security of the Elasticsearch deployment.

Allowed script types setting

edit

Elasticsearch supports two script types: inline and stored (How to write scripts). By default, Elasticsearch is configured to run both types of scripts. To limit what type of scripts are run, set script.allowed_types to inline or stored. To prevent any scripts from running, set script.allowed_types to none.

If you use Kibana, set script.allowed_types to both or inline. Some Kibana features rely on inline scripts and do not function as expected if Elasticsearch does not allow inline scripts.

For example, to run inline scripts but not stored scripts, specify:

script.allowed_types: inline 

This will allow only inline scripts to be executed but not stored scripts (or any other types).

Allowed script contexts setting

edit

By default all script contexts are allowed to be executed. This can be modified using the setting script.allowed_contexts. Only the contexts specified as part of the setting will be allowed to be executed. To specify no contexts are allowed, set script.allowed_contexts to be none.

script.allowed_contexts: score, update 

This will allow only scoring and update scripts to be executed but not aggs or plugin scripts (or any other contexts).