From 436d3e2c78a8bff54f65ca1b07e71f5cc50e355a Mon Sep 17 00:00:00 2001
From: Temoc Rodriguez <cr056n@att.com>
Date: Mon, 11 Dec 2017 15:24:23 -0800
Subject: Add ELK Security

Add security to ELk such that only localhost is able to access ELK.
All other hosts will be denied service. This fixes the open elastic
serach security vulnerability.

Issue-ID: POLICY-495
Change-Id: I7f5d6fef5963f984c2bce6933c8b214c0bd3be2b
Signed-off-by: Temoc Rodriguez <cr056n@att.com>
---
 packages/base/src/files/install/elk/config/elasticsearch.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'packages/base/src/files/install')

diff --git a/packages/base/src/files/install/elk/config/elasticsearch.yml b/packages/base/src/files/install/elk/config/elasticsearch.yml
index b890bb13b..ec6def080 100644
--- a/packages/base/src/files/install/elk/config/elasticsearch.yml
+++ b/packages/base/src/files/install/elk/config/elasticsearch.yml
@@ -54,8 +54,8 @@ path.logs: ${{POLICY_HOME}}/logs
 #
 # Set the bind address to a specific IP (IPv4 or IPv6):
 #
-#network.host: 192.168.0.1
-network.host: ["${{ELK_NETWORK_HOST}}", "127.0.0.1"]
+# Only allow to run on localhost so it can't be queried from outside
+network.bind_host: ["_local_"]
 #
 # Set a custom port for HTTP:
 #
@@ -88,4 +88,4 @@ network.host: ["${{ELK_NETWORK_HOST}}", "127.0.0.1"]
 #
 # Require explicit names when deleting indices:
 #
-#action.destructive_requires_name: true
\ No newline at end of file
+#action.destructive_requires_name: true
-- 
cgit 1.2.3-korg