securityonion/salt/kratos/soc_kratos.yaml

kratos:
  enabled:
    description: You can enable or disable Kratos.
    advanced: True
    helpLink: kratos.html
  config:
    session:
      lifespan: 
        description: Defines the length of a login session.
        global: True
        helpLink: kratos.html
      whoami:
        required_aal: 
          description: Sets the Authenticator Assurance Level. Leave as default to ensure proper security protections remain in place.
          global: True
          advanced: True
          helpLink: kratos.html
    selfservice:
      methods:
        password:
          enabled: 
            description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place.
            global: True
            advanced: True
            helpLink: kratos.html
          config:
            haveibeenpwned_enabled:
              description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
              global: True
              helpLink: kratos.html
        totp:
          enabled: 
            description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
            global: True
            helpLink: kratos.html
          config:
            issuer: 
              description: The name to show in the MFA authenticator app. Useful for differentiating between installations that share the same user email address.
              global: True
              advanced: True
              helpLink: kratos.html
        webauthn:
          enabled:
            description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
            global: True
            helpLink: kratos.html
          config:
            passwordless: 
              description: Set to True to utilize Security Keys (WebAuthn / PassKeys) for passwordless logins. Set to false to utilize Security Keys as a multi-factor authentication (MFA) method supplementing password logins. Be aware that changing this value, after users have already setup their accounts with the previous value, may prevent users from logging in.
              global: True
              helpLink: kratos.html
            rp:
              id: 
                description: The internal identification used for registering new Security Keys. Leave as default to ensure Security Keys function properly.
                global: True
                advanced: True
                helpLink: kratos.html
              origin: 
                description: The URL used to login to SOC. Leave as default to ensure Security Keys function properly.
                global: True
                advanced: True
                helpLink: kratos.html
              display_name: 
                description: The name assigned to the security key. Note that URL_BASE is replaced with the hostname or IP address used to login to SOC, to help distinguish multiple Security Onion installations.
                global: True
                advanced: True
                helpLink: kratos.html
      flows:
        settings:
          privileged_session_max_age:
            description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
            global: True
            helpLink: kratos.html
          ui_url: 
            description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
          required_aal:
            description: Sets the Authenticator Assurance Level for accessing user self-service profile and security settings. Leave as default to ensure proper security enforcement remains in place.
            global: True
            advanced: True
            helpLink: kratos.html
        verification:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        login:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        error:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
        registration:
          ui_url: 
            description: User accessible URL containing the Security Onion login page. Leave as default to ensure proper operation.
            global: True
            advanced: True
            helpLink: kratos.html
      default_browser_return_url:
        description: Security Onion Console landing page URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
        helpLink: kratos.html
      allowed_return_urls:
        description: Internal redirect URL. Leave as default to ensure proper operation.
        global: True
        advanced: True
        helpLink: kratos.html
    log:
      level: 
        description: Log level to use for Kratos logs.
        global: True
        helpLink: kratos.html
      format: 
        description: Log output format for Kratos logs.
        global: True
        helpLink: kratos.html
    secrets:
      default: 
        description: Secret key used for protecting session cookie data. Generated during installation.
        global: True
        sensitive: True
        advanced: True
        helpLink: kratos.html
    serve:
      public:
        base_url: 
          description: User accessible URL for authenticating to Kratos. Leave as default for proper operation.
          global: True
          advanced: True
          helpLink: kratos.html
      admin:
        base_url: 
          description: User accessible URL for accessing Kratos administration API. Leave as default for proper operation.
          global: True
          advanced: True
          helpLink: kratos.html
    hashers:
      bcrypt:
        cost: 
          description: Bcrypt hashing algorithm cost. Higher values consume more CPU and take longer to complete. Actual cost is computed as 2^X where X is the value in this setting.
          global: True
          advanced: True
          helpLink: kratos.html
    courier:
      smtp:
        connection_uri: 
          description: SMTPS URL for sending outbound account-related emails. Not utilized with the standard Security Onion installation.
          global: True
          advanced: True
          helpLink: kratos.html