Kibanaserver user looking for weird indexes like an external crawl

Hello,
I have a strong password for my kibanaserver user (tested with curl -u). I have an auth proxy on Kibana, and this auth proxy requires IP + auth.

I have weird entries in my audit log:
{
“_index”: “security-auditlog-2020.11.03”,
"_type": "doc",
"_id": "FItFkHUBExj94YVRPBn0",
"_version": 1,
"_score": null,
"_source": {
“audit_cluster_name”: “cluster”,
“audit_rest_request_params”: {
“index”: ".ent-search-,.app-search-,magento2,magento,shopify,wordpress,drupal,joomla,search,sharepoint,squarespace,sitecore,weebly,acquia,filebeat-,metricbeat-,apm-,functionbeat-,heartbeat-,logstash-,fluentd*,telegraf*,prometheusbeat*,fluentbit*,nginx,apache,endgame-,logs-endpoint.,metrics-endpoint.,.siem-signals-,auditbeat-,winlogbeat-,packetbeat-,tomcat,artifactory,aruba,barracuda,bluecoat,arcsight-,checkpoint,cisco,citrix,cyberark,cylance,fireeye,fortinet,infoblox,kaspersky,mcafee,paloaltonetworks,pan-*,pan
,pan.,rsa.,rsa-,rsa
,snort-,logstash-snort*,sonicwall,sophos,squid-*,squid
,squid.,symantec,tippingpoint,trendmicro,tripwire,zscaler,zeek,sigma_doc,ecs-corelight*,suricata,wazuh,meow,---”,
“metric”: “docs,store”,
“filter_path”: "indices..total"
},
“audit_node_name”: “kib2”,
“audit_request_initiating_user”: “kibanaserver”,
“audit_rest_request_method”: “GET”,
“audit_category”: “AUTHENTICATED”,
“audit_request_origin”: “REST”,
“audit_node_id”: “bWorEG9NQyGZX1KDSSu50g”,
“audit_request_layer”: “REST”,
“audit_rest_request_path”: "/.ent-search-
,.app-search-,magento2,magento,shopify,wordpress,drupal,joomla,search,sharepoint,squarespace,sitecore,weebly,acquia,filebeat-,metricbeat-,apm-,functionbeat-,heartbeat-,logstash-,fluentd,telegraf*,prometheusbeat*,fluentbit*,nginx,apache,endgame-,logs-endpoint.,metrics-endpoint.,.siem-signals-,auditbeat-,winlogbeat-,packetbeat-,tomcat,artifactory,aruba,barracuda,bluecoat,arcsight-,checkpoint,cisco,citrix,cyberark,cylance,fireeye,fortinet,infoblox,kaspersky,mcafee,paloaltonetworks,pan-*,pan
,pan.,rsa.,rsa-,rsa
,snort-,logstash-snort*,sonicwall,sophos,squid-*,squid
,squid.,symantec,tippingpoint,trendmicro,tripwire,zscaler,zeek,sigma_doc,ecs-corelight*,suricata,wazuh,meow,---/_stats/docs,store”,
“@timestamp”: “2020-11-03T22:40:58.100+00:00”,
“audit_request_effective_user_is_admin”: false,
“audit_format_version”: 4,
“audit_request_remote_address”: “2ndkibip”,
“audit_node_host_address”: “nodeip”,
“audit_rest_request_headers”: {
“Connection”: [
“keep-alive”
],
“Host”: [
“kib2:9200”
],
“Content-Length”: [
“0”
]
},
“audit_request_effective_user”: “kibanaserver”,
“audit_node_host_name”: “kib1ip”
},
“fields”: {
“@timestamp”: [
“2020-11-03T22:40:58.100Z”
]
},
“highlight”: {
“audit_rest_request_path”: [
,symantec,tippingpoint,trendmicro,tripwire,zscaler,zeek,sigma_doc,ecs-corelight,suricata,wazuh,@kibana-highlighted-field@meow@/kibana-highlighted-field@,---/_stats/docs,store”
],
“audit_rest_request_params.index”: [
,symantec,tippingpoint,trendmicro,tripwire,zscaler,zeek,sigma_doc,ecs-corelight,suricata,wazuh,@kibana-highlighted-field@meow@/kibana-highlighted-field@,---
]
},
“sort”: [
1604443258100
]
}

I can’t find anything in my Kibana logs or nginx logs.

I wonder if this is an automated test? Or is there a flaw I didn’t see and someone bypassed the security?

Thanks!

Related to

Looks like a crawl at first… but it’s the usage statistics option that generates these events.
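
One way to check this from the audit log itself, as an added example that is not part of the original posts: it tests whether a kibanaserver request came from one of your own Kibana hosts and whether it is a read-only `_stats` call like the event above. The host addresses, verdict names and sample events are assumptions constructed for illustration.

```python
import json

# Assumption: the addresses of your own Kibana hosts (placeholder values).
KIBANA_HOSTS = {"192.0.2.10", "192.0.2.11"}

def triage(event, kibana_hosts=KIBANA_HOSTS):
    """Return (verdict, reason) for one security audit log event."""
    src = event.get("_source", event)  # accept a search hit or a bare event
    users = {src.get("audit_request_initiating_user"),
             src.get("audit_request_effective_user")}
    if "kibanaserver" not in users:
        return ("skip", "not the kibanaserver account")
    addr = src.get("audit_request_remote_address")
    if addr not in kibana_hosts:
        # The account's credentials were used from somewhere other than Kibana.
        return ("investigate", f"kibanaserver used from non-Kibana address {addr}")
    method = src.get("audit_rest_request_method")
    path = src.get("audit_rest_request_path", "")
    indices, sep, _ = path.partition("/_stats")
    if method == "GET" and sep:
        count = len([i for i in indices.strip("/").split(",") if i])
        return ("stats-poll", f"read-only _stats over {count} index patterns from {addr}")
    return ("review", f"{method} {path} from {addr}")

# Constructed sample events (not from a real cluster), one JSON object per line.
SAMPLE = """
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "192.0.2.11", "audit_rest_request_method": "GET", "audit_rest_request_path": "/nginx,apache,wazuh,meow/_stats/docs,store"}
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "203.0.113.50", "audit_rest_request_method": "GET", "audit_rest_request_path": "/nginx,apache,wazuh,meow/_stats/docs,store"}
{"audit_request_effective_user": "admin", "audit_request_remote_address": "192.0.2.10", "audit_rest_request_method": "GET", "audit_rest_request_path": "/_cat/indices"}
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "192.0.2.10", "audit_rest_request_method": "DELETE", "audit_rest_request_path": "/.kibana_1"}
"""

def triage_lines(text):
    """Triage newline-delimited JSON audit events."""
    return [triage(json.loads(line)) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for verdict, reason in triage_lines(SAMPLE):
        print(f"{verdict:12} {reason}")
```
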