Immutable indices

zbalkan · September 27, 2022, 6:30pm

I am using OpenSearch as a part of my Wazuh installation. In order to ensure integrity of the logs in the database, I wanted to make the default indices, wazuh-alerts-*, as append-only. This way I could guarantee that logs are not modified by an attacker, either internal or external. Of course, indice management policy can and should modify the indices to cold state and delete the logs, as the only exception.

But until now, I can only find that a 3rd party can provide the immutable index capability. Is it possible to configure it using native capabilities like permissions and other advanced configurations?

pablo · September 30, 2022, 12:25pm

@zbalkan Try the below. I’ve tested it yesterday and it worked.

plugins.security.compliance.immutable_indices
- indexa

It’s not documented in OpenSearch documentation but you can find it through GitHub.

github.com

opensearch-project/security/blob/main/src/main/java/org/opensearch/security/support/ConfigConstants.java

/*
 * Copyright 2015-2018 _floragunn_ GmbH
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/*
 * SPDX-License-Identifier: Apache-2.0
 *
 * The OpenSearch Contributors require contributions made to
 * this file be licensed under the Apache-2.0 license or a

This file has been truncated. show original

You could report a documentation bug in GitHub. If you do, please share the link here.

zbalkan · September 30, 2022, 12:38pm

Hi Pablo. What you manage to find out is a great finding. I’ll test it out and create a new issue. Thanks for the update.

Topic		Replies	Views
Append only Index OpenSearch	2	710	June 24, 2021
Index state management and java Index Management discuss	2	424	March 17, 2022
Delete all indices OpenDistro	1	425	February 7, 2023
Does ISM apply to system indices with the use of '*' index pattern? Index Management discuss , configure	2	548	February 16, 2022
OpenSearch Index policy with log rotation OpenSearch configure , index-management	7	1901	September 13, 2023

Immutable indices

Related Topics