[DOC] Add a new section in documentation for security best practices and recommendations.

[hdhalter]

Add a new section in documentation for security best practices and recommendations

[stephen-crawford]

Examples:

1. Don't use default credentials
2. Use the password tool to create a very strong password
3. Don't use the demo certificates for anything other than demos
4. Don't mix standard role and backend role DLS and FLS configurations (i.e. a user has DLS configured through normal roles but also their backend role)
5. Don't mix multiple DLS/FLS configured roles: [BUG] "Field level security" and "Field masking definitions" don't work together with "Document level security" security#3274
6. Don't give default user level write permissions (should be read-only)

@DarshitChanpura @cwperks @peternied any other suggestions for good common practices we can add

[hdhalter]

Please add a note about #3084. Thanks!

[cwperks]

@scrawfor99 You may also want to consider adding a section on dashboards security setup as well.

1. Make sure the cookie is secure

opensearch_security.cookie.secure: true
opensearch_security.cookie.password: <secret_for_cookie_encryption>

2. Setup TLS (don't run with opensearch.ssl.verificationMode: none)

Instead:

opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: </path/to/root-ca.pem>

Link to: https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls/

[peternied]

Thanks for calling this out @hdhalter just a couple more to add on:

1. [Serious] Do you think we could get away with linking to XKCD for what 'strong' password practically means - its memorable and insightful? https://xkcd.com/936/
2. Follow the principle of least privilege for secrets used to configure the cluster and the roles used to access the cluster.
3. Enable audit logging and verify that the audit data has the information needed by your organizations information security policies.

[rursprung]

linking xkcd is certainly never wrong 😉 👍 (i don't know how often i've sent a link to this specific comic - it's just a very good way of explaining the very hard concept of "safe" passwords)

what about TLS settings? i guess they should also be documented (i remember that the default settings for OS have been updated; for OSD the PR is AFAIK still hanging to even add support for TLS v1.3, much less make it the default?). though in the best case the default is already the current "strong" default and no further documentation is needed as it just works out of the box.

[john-eliatra]

Hi @hdhalter , adding my comment to be assigned to this one. Thx, John

[hdhalter]

@leanneeliatra/@anton - Can you please add a comment so I can assign you?

[leanneeliatra]

@hdhalter Please assign me! Thank you.

[leanneeliatra]

PR submitted for review #7113