From 4c58aa2ccf5b264bd7d71225304aa0f21313f833 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 28 Apr 2023 13:14:30 -0400
Subject: [PATCH 1/3] Add privileged session config option to kratos config UI
---
 salt/kratos/defaults.yaml | 2 ++
 salt/kratos/soc_kratos.yaml | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index bcb166772..b1572a5ff 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -5,6 +5,8 @@ kratos:
 whoami:
 required_aal: highest_available
 selfservice:
+ settings:
+ privileged_session_max_age: 5m
 methods:
 password:
 enabled: true
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index e3b88e28f..4fefa0583 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -12,6 +12,11 @@ kratos:
 advanced: True
 helpLink: kratos.html
 selfservice:
+ settings:
+ privileged_session_max_age:
+ description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
+ global: True
+ helpLink: kratos.html
 methods:
 password:
 enabled:
@@ -23,7 +28,6 @@ kratos:
 haveibeenpwned_enabled:
 description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
 global: True
- advanced: True
 helpLink: kratos.html
 totp:
 enabled:
From 666d4ea260782427877ea5a020c59fbf3ce65728 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 28 Apr 2023 13:56:28 -0400
Subject: [PATCH 2/3] Add privileged session config option to kratos config UI
---
 salt/kratos/defaults.yaml | 3 +--
 salt/kratos/soc_kratos.yaml | 9 ++++-----
 2 files changed, 5 insertions(+), 7 deletions(-)
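Review bot: The removal of `advanced: True` from `haveibeenpwned_enabled` in the second soc_kratos.yaml hunk (`@@ -23,7 +28,6 @@`) is unrelated to the privileged-session option named in the subject and is not mentioned anywhere in the commit message, yet it changes which operators see that option in the config UI. Either split it into its own commit or add a sentence to the message explaining why the option is no longer treated as advanced. The enclosing `password` mapping starts before this hunk.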
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index b1572a5ff..8f7a72b00 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -5,8 +5,6 @@ kratos:
 whoami:
 required_aal: highest_available
 selfservice:
- settings:
- privileged_session_max_age: 5m
 methods:
 password:
 enabled: true
@@ -18,6 +16,7 @@ kratos:
 issuer: Security Onion
 flows:
 settings:
+ privileged_session_max_age: 5m
 ui_url: https://URL_BASE/?r=/settings
 required_aal: highest_available
 verification:
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index 4fefa0583..d08e3682b 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -12,11 +12,6 @@ kratos:
 advanced: True
 helpLink: kratos.html
 selfservice:
- settings:
- privileged_session_max_age:
- description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
- global: True
- helpLink: kratos.html
 methods:
 password:
 enabled:
@@ -43,6 +38,10 @@ kratos:
 helpLink: kratos.html
 flows:
 settings:
+ privileged_session_max_age:
+ description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
+ global: True
+ helpLink: kratos.html
 ui_url:
 description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
 global: True
From 03c89a02adf8aa6b46edd790db248ccd7bfddd5e Mon Sep 17 00:00:00 2001
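Review bot: The new `privileged_session_max_age: 5m` line under `flows.settings` in the second defaults.yaml hunk (`@@ -18,6 +16,7 @@`) carries no comment saying what the value governs or why five minutes was chosen, so an operator reading the defaults has to find the UI description in soc_kratos.yaml to learn that it is the re-authentication window for security-setting changes. A short inline comment such as `privileged_session_max_age: 5m  # after login, password/MFA settings may be changed without re-authenticating for this long` would keep that intent next to the value. The `settings` mapping continues past the end of the hunk.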
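Review bot: In the last soc_kratos.yaml hunk (`@@ -43,6 +38,10 @@`) the new `privileged_session_max_age` entry is exposed with `global: True` but without `advanced: True`, unlike the option whose `advanced: True` / `helpLink: kratos.html` lines open the first soc_kratos.yaml hunk of this patch. Raising this value lengthens the window during which an already-authenticated session can change passwords and MFA settings without re-entering credentials, so it looks better suited to the advanced section; adding `advanced: True` beside `global: True` would do that if that is the intent. The enclosing `settings` mapping continues past the end of the hunk.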
From: Jason Ertel
Date: Fri, 28 Apr 2023 14:01:19 -0400
Subject: [PATCH 3/3] Add privileged session config option to kratos config UI
---
 salt/kratos/soc_kratos.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index d08e3682b..d2555bf11 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -39,7 +39,7 @@ kratos:
 flows:
 settings:
 privileged_session_max_age:
- description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
+ description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
 global: True
 helpLink: kratos.html
 ui_url:
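Review bot: The reworded description still does not tell the operator what format the value takes or what the shipped default is; the only hint is the `5m` in defaults.yaml, which lives in a different file. Appending a sentence such as `Specify as a duration, for example 5m or 1h; larger values extend the time a session can change security settings without re-authenticating.` would close that gap and make the security trade-off visible in the UI itself. The `privileged_session_max_age` mapping is fully inside the hunk, but the enclosing `settings` mapping continues past it.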