Align security docs with canonical Kibana FIPS and session lifespan defaults #7018
Thanks @theletterf! The suggested fix looks good to me. I'll allow another person on the admin-docs team to review.
shainaraskas
left a comment
generally looks ok with one nit
would prefer to get these confirmed with a 3p source somewhere (not our docs) to ensure that we're fixing the correct way. usually would start with a codebase/slack search
| * FIPS 140-2 | ||
| * {applies_to}`stack: ga 9.4+` FIPS 140-3 | ||
| - [{{kib}}](/deploy-manage/security/fips-kib.md) offers a FIPS 140-2 compliant mode and as such can run in a Node.js environment configured with a FIPS 140-2 compliant OpenSSL3 provider. | ||
| - [{{kib}}](/deploy-manage/security/fips-kib.md) offers FIPS 140-2 and FIPS 140-3 compliant modes and can run in a Node.js environment configured with a FIPS 140-2 or FIPS 140-3 compliant OpenSSL3 provider. |
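Review bot: The rewritten {{kib}} bullet names FIPS 140-3 with no version scoping, while the FIPS 140-3 list item just above it is scoped with the applies_to tag "stack: ga 9.4+". If Kibana's 140-3 mode has the same availability, carry that tag or an equivalent version qualifier into this bullet; if it differs, state the version it applies from. The phrase "FIPS 140-2 or FIPS 140-3 compliant OpenSSL3 provider" also leaves open whether the provider level has to match the mode in use, so consider pairing each mode with its provider explicitly.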
the "as such" was probably meaningful here, meaning that you need to be using the mode to have it work in this environment
Followed this up against the Kibana and Cloud source. The global `xpack.security.session.lifespan` default is 30 days everywhere (self-managed, ECH, ECE, and ECK). The 24h value only applies to a single per-provider setting, `xpack.security.authc.providers.saml.cloud-saml-kibana.session.lifespan`, which the Cloud allocator injects on any deployment where Cloud SSO is enabled. That covers ECH and any ECE deployment configured for Cloud SSO, and it only affects sessions established through the Cloud SSO SAML realm, not other auth providers or the global default. So the ECH row in the merged change is incorrect: the global lifespan is still 30d there, and the 24h belongs in a separate note scoped to the Cloud SSO realm. probably could use a better confirmation
Closes #7017
This updates two pages under `/deploy-manage/security` to remove contradictions with the canonical Kibana docs. The FIPS overview now reflects Kibana’s 140-2/140-3 support, and the session management page now distinguishes lifespan defaults by deployment type.

FIPS overview
- `deploy-manage/security/fips.md` to state that Kibana supports FIPS 140-2 and FIPS 140-3 compliant modes.
- `fips-kib.md`, including the OpenSSL3 provider requirement.

Session lifespan defaults
- `deploy-manage/security/kibana-session-management.md` so the default `xpack.security.session.lifespan` is explicit by deployment type:

Updated wording