Search Guard 6.x-24.0

Release Date: 20.12.2018

Security Fixes

Field anonymization

  • Field anonymization: Added support for string arrays
    • Until now, string content within arrays was not masked/anonymized
    • 4af8dde

DLS/FLS

  • DLS/FLS: Fix field capabilities API and get mapping when FLS is activated
    • Until now, the field capabilities API and the get mapping API leaked field names (not values) of fields the user was not allowed to see because FLS was activated
    • PR #17

Fixes

Search Guard

  • Impersonation: Only one authentication domain used for impersonated user lookup
    • Only the domain which authenticated the user in the first place was considered for impersonation
    • PR #597
  • Core: username_attribute is now also supported for Transport authentication
  • Core: Log more information when authentication has finally failed
    • Include the remote address in the log message
    • PR #595

sgadmin

  • sgadmin: sgadmin now prints a stack trace in case of an error
    • The stack trace is now printed to stdout instead of stderr
    • PR #598

LDAP

  • LDAP: Fix LDAP hostname verification
    • Hostname verification can now be properly turned off
    • PR #21
  • LDAP: Skipping users for authz not working as expected
    • LDAP authenticated users were not skipped properly
    • PR #16

SAML

  • SAML: IdP initiated SSO throws an error in Kibana (requires Kibana Plugin v17 or newer)
    • The acsEndpoint parameter was added to the authtoken call used by SAML
    • PR #23

REST API

  • REST API should support the username attribute
    • The username attribute supports usernames containing dots
    • PR #20

Features

Audit logging

  • Audit logging: The audit log index now has an additional @timestamp field
  • Audit logging: Implemented retry for all auditlog sinks
    • Non-persistent retry capabilities for sinks which can occasionally fail
    • PR #19

Field anonymization

  • Field anonymization: Custom field anonymization
    • More fine-grained control over which parts of a field value are anonymized
    • Alternative hashing algorithms can now be configured
    • 4af8dde
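The following is an added illustration, not Search Guard code, of the two field anonymization items above (the string-array fix under Security Fixes and the configurable hash algorithm here): a pre-fix masker that only hashes plain strings beside a fixed one that recurses into arrays, plus a check that reports any clear-text values that survived. Document shape, field names and salt are constructed for the example.

```python
import hashlib
from typing import Any, Iterable, List

SALT = b"constructed-salt"  # constructed; a real deployment would use a secret salt


def _hash(value: str, algorithm: str) -> str:
    # Salted digest; the algorithm name is any digest hashlib knows (sha256, sha512, ...)
    h = hashlib.new(algorithm)
    h.update(SALT)
    h.update(value.encode("utf-8"))
    return h.hexdigest()


def mask_value_buggy(value: Any, algorithm: str = "sha256") -> Any:
    # Pre-fix behaviour described in the release notes: only plain strings are masked,
    # so strings inside arrays pass through in clear text.
    return _hash(value, algorithm) if isinstance(value, str) else value


def mask_value(value: Any, algorithm: str = "sha256") -> Any:
    # Fixed behaviour: recurse into arrays (including nested arrays) so every string is masked.
    if isinstance(value, str):
        return _hash(value, algorithm)
    if isinstance(value, list):
        return [mask_value(v, algorithm) for v in value]
    return value


def anonymize(doc: dict, masked_fields: Iterable[str], masker=mask_value,
              algorithm: str = "sha256") -> dict:
    # Apply the masker to the configured fields only; other fields are returned unchanged.
    fields = set(masked_fields)
    return {k: (masker(v, algorithm) if k in fields else v) for k, v in doc.items()}


def _strings(value: Any) -> List[str]:
    # Flatten a value into the list of strings it contains (arrays may nest).
    if isinstance(value, list):
        return [s for item in value for s in _strings(item)]
    return [value] if isinstance(value, str) else []


def leaked_strings(original: dict, masked: dict, masked_fields: Iterable[str]) -> List[str]:
    # Clear-text strings from a masked field that are still present after masking.
    # Expected to be empty once arrays are handled.
    leaks: List[str] = []
    for field in sorted(set(masked_fields)):
        survivors = set(_strings(masked.get(field)))
        leaks.extend(s for s in _strings(original.get(field)) if s in survivors)
    return leaks


# Constructed sample document: one plain string field and one string-array field to mask.
SAMPLE_DOC = {"customer": "alice@example.com",
              "emails": ["alice@example.com", "a.smith@example.com"],
              "amount": 42}
MASKED_FIELDS = ["customer", "emails"]
```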

DLS/FLS

  • DLS/FLS: Add support for ${user.roles} property for DLS
    • ${user.roles} will expand to a comma delimited list of the backend roles of the current user
    • 74f292c

REST API

  • REST API: Password rules for REST API
    • It is now possible to configure a regex that defines minimum requirements for passwords
    • PR #14
  • REST API: Validate masked fields when a regex or custom hashing algorithm is used

LDAP

  • LDAP: Connection pooling and load balancing
    • New LDAP implementation which supports connection pooling and better load balancing when more than one LDAP server is configured (BETA)
    • PR #18
  • LDAP: Make it possible to query more than one user base and role base