Elastic under lock and key: enabling Elasticsearch security options for access from inside and outside

Elastic Stack is a well-known tool on the SIEM market (and, in fact, not only there). It can collect data of very different kinds and in very large volumes, both sensitive and not so sensitive. It is not entirely right if access to the Elastic Stack components themselves is left unprotected. By default, all components of the box (Elasticsearch, Logstash, Kibana and the Beats collectors) talk over open, unencrypted protocols, and in Kibana itself authentication is turned off. All of these interactions can be protected, and in this article we will show how. For convenience, we have split the article into three logical parts:

  • Role-based data access model
  • Securing data inside the Elasticsearch cluster
  • Securing data outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not configure it in any way, access to all indices is open to everyone. Well, at least to anyone who can use curl. To avoid this, Elasticsearch has a role-based access model, available starting with the Basic subscription (which is free). Schematically it looks like this:

[Diagram: users, roles, privileges and resources in the Elasticsearch role-based access model]

What is in the picture

  • Users are everyone who can log in using their credentials.
  • A role is a set of rights.
  • Rights are a list of privileges.
  • A privilege is a permission to write, read, delete, and so on. (Full list of privileges)
  • Resources are indices, documents, fields, users and other storage objects (the access model for some resources is available only with a paid subscription).

Out of the box Elasticsearch has built-in users, which are mapped to built-in roles. As soon as you enable the security settings, you can start using them right away.

To enable security in the Elasticsearch settings, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to set passwords for the built-in users. Let's do this interactively with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the setup on the Elasticsearch side is done. Now it is time to configure Kibana. If you start it now, errors will appear, so it is important to create the keystore first. This takes two commands (the user is kibana and the password is the one you entered at the password-setup step in Elasticsearch):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything went well, Kibana will start asking for a login and password. The Basic subscription includes the model based on internal (native) users. Starting with Gold you can connect external authentication systems: LDAP, PKI, Active Directory and single sign-on.


Access rights to objects in Elasticsearch can also be restricted. However, to do so at the level of documents or fields you need a paid subscription (this luxury starts at the Platinum tier). These settings are available in the Kibana interface or through the Security API. You can try them out in the familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
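The role and user above are created in the right order (the role first, since the user references it), but nothing on the way stops you from handing out `all` on `*` by mistake. The following Python script is an added example, not code from the original article: it reuses the article's ruslan_i_ludmila_role and pushkin definitions, audits them against a small least-privilege policy (the thresholds and the forbidden privilege sets are illustrative assumptions, not Elastic defaults), and only then sends them to the Security API over HTTPS with basic auth, verifying the cluster against the ca.crt generated later in the article. The cluster URL, credentials and CA path in `main` are assumptions.

```python
"""Define, audit and provision Elasticsearch Security API roles and users.

Added example, not code from the original article. The least-privilege
policy (forbidden privilege sets, MIN_PASSWORD_LEN) is an illustrative
assumption; Elasticsearch itself only enforces a 6-character minimum.
"""
import base64
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Privileges wider than a read-only analyst role should carry (illustrative policy).
BROAD_INDEX_PRIVILEGES = {"all", "manage", "write", "delete", "delete_index"}
BROAD_CLUSTER_PRIVILEGES = {"all", "manage_security"}
RESERVED_ADMIN_ROLES = {"superuser"}
MIN_PASSWORD_LEN = 12  # assumption for this example


def read_only_role(index_patterns: List[str]) -> Dict[str, Any]:
    """Role body with the same privileges as the article's ruslan_i_ludmila_role."""
    return {
        "cluster": [],
        "indices": [{"names": list(index_patterns),
                     "privileges": ["read", "view_index_metadata"]}],
    }


# The article's role and user (e-mail omitted; the metadata is kept as in the article).
ARTICLE_ROLE = read_only_role(["ruslan_i_ludmila"])
ARTICLE_USER = {
    "password": "nataliaonelove",
    "roles": ["ruslan_i_ludmila_role", "kibana_user"],
    "full_name": "Alexander Pushkin",
    "metadata": {"hometown": "Saint-Petersburg"},
}


def audit_role(name: str, role: Dict[str, Any]) -> List[str]:
    """Return findings that make the role broader than a read-only analyst needs."""
    findings = []
    for priv in role.get("cluster", []):
        if priv in BROAD_CLUSTER_PRIVILEGES:
            findings.append(f"{name}: cluster privilege '{priv}' is cluster-wide")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        if "*" in names:
            findings.append(f"{name}: index pattern '*' matches every index, system indices included")
        for priv in entry.get("privileges", []):
            if priv in BROAD_INDEX_PRIVILEGES:
                findings.append(f"{name}: index privilege '{priv}' on {names} allows modification")
    return findings


def audit_user(name: str, user: Dict[str, Any]) -> List[str]:
    """Return findings for weak passwords or reserved admin roles on an ordinary account."""
    findings = []
    if len(user.get("password", "")) < MIN_PASSWORD_LEN:
        findings.append(f"{name}: password shorter than {MIN_PASSWORD_LEN} characters")
    for role in user.get("roles", []):
        if role in RESERVED_ADMIN_ROLES:
            findings.append(f"{name}: reserved role '{role}' grants full cluster access")
    return findings


# A sender takes (method, path, body) and returns the HTTP status code.
Sender = Callable[[str, str, Dict[str, Any]], int]


def urllib_sender(base_url: str, username: str, password: str, ca_file: str) -> Sender:
    """Sender for a real cluster: HTTPS verified against ca_file, HTTP basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context(cafile=ca_file)

    def send(method: str, path: str, body: Dict[str, Any]) -> int:
        req = urllib.request.Request(
            base_url + path, data=json.dumps(body).encode(), method=method,
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status
    return send


def provision(role_name: str, role: Dict[str, Any], user_name: str,
              user: Dict[str, Any], send: Sender) -> List[Tuple[str, str, int]]:
    """Audit both definitions, then create the role before the user that references it."""
    findings = audit_role(role_name, role) + audit_user(user_name, user)
    if findings:
        raise ValueError("; ".join(findings))
    calls = [("PUT", f"/_security/role/{role_name}", role),
             ("POST", f"/_security/user/{user_name}", user)]
    return [(method, path, send(method, path, body)) for method, path, body in calls]


if __name__ == "__main__":
    # Assumed cluster address, admin credentials and CA path for this example.
    sender = urllib_sender("https://node1:9200", "elastic", "password", "/shared_folder/ca/ca.crt")
    print(provision("ruslan_i_ludmila_role", ARTICLE_ROLE, "pushkin", ARTICLE_USER, sender))
```

The `Sender` indirection is there so the audit and ordering logic can be exercised without a cluster (swap in a fake that records calls); against a live node, `urllib_sender` refuses to connect unless the node's certificate chains to the CA you generated, which is exactly the property the rest of the article sets up.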

Securing data inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (which is the common case), security settings inside the cluster become important. For secure communication between nodes Elasticsearch uses TLS. To set up secure interaction between them you need certificates. We generate a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the archive elastic-stack-ca.zip appears in the /.../elasticsearch directory. Inside it you will find the CA certificate and private key with the extensions .crt and .key respectively. It is convenient to put them on a shared resource that is reachable from all nodes in the cluster.

Each node now needs its own certificate and private key, issued from the CA pair in that directory. While the command runs you will be asked to set a password. You can add the extra options --ip and --dns so that the nodes can be fully verified against the addresses and names they actually use when they talk to each other.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result of the command we get a certificate and private key in PKCS#12 format, protected by the password. What remains is to move the generated .p12 file into the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the .p12 certificate to the keystore and truststore entries on every node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the already familiar elasticsearch.yml, all that is left is to add the lines with the certificate details. Note that verification_mode: certificate checks that the peer's certificate chains to the CA but not that its hostname or IP matches; if you generated the node certificates with --dns/--ip, you can use full instead for the stricter check:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

We start all the Elasticsearch nodes and run curl. If everything was done correctly, the response will list several nodes:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP address filtering (available in subscriptions from the Gold tier). It lets you create a whitelist of IP addresses that are allowed to reach the nodes.

Securing data outside the Elasticsearch cluster

Outside the cluster means connecting external tools: Kibana, Logstash, Beats or other external clients.


To enable https (instead of http), add new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Because the certificate is password-protected, add the password to the keystore and truststore entries on every node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the secrets, the Elasticsearch nodes are ready for connections over https. Now they can be started.

The next step is to create the key for connecting Kibana and add it to its configuration. Based on the CA certificate already in the shared directory, we generate a certificate in PEM format (according to the article, Kibana, Logstash and Beats do not accept PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unpack the generated keys into the folder with the Kibana configuration:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so what remains is to change the Kibana configuration to start using them. In the kibana.yml configuration file, change http to https and add the lines with the SSL connection settings. The last three lines set up encrypted communication between the user's browser and Kibana; the elasticsearch.ssl.* lines cover the connection from Kibana to the cluster.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
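The settings from this section and from the "Securing data inside the Elasticsearch cluster" section are easy to get partly right: security enabled but http left on plaintext, verification set to none while debugging and never restored, or the kibana password pasted into kibana.yml instead of kibana-keystore. The following Python script is an added example, not code from the original article: it parses the flat key: value lines of elasticsearch.yml and kibana.yml (a minimal parser, so it needs no PyYAML) and reports each setting that is missing or weakened. The weak sample configurations are constructed for the demo; the hardened ones are the lines from this article.

```python
"""Audit elasticsearch.yml and kibana.yml for the settings this article enables.

Added example, not part of the original article. Only flat `key: value`
lines are understood (nested blocks are skipped); the sample configs are
constructed for the demo, the hardened ones copy the article's lines.
"""
from typing import Dict, List

# Constructed weak configuration: security off, peer checks disabled, secret in the yml.
WEAK_ES = """
cluster.name: demo
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.secure_password: changeme
"""

# The article's hardened elasticsearch.yml lines.
HARDENED_ES = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""

# Constructed weak kibana.yml: plaintext to the cluster, credentials in the file.
WEAK_KIBANA = """
elasticsearch.hosts: ["http://node1:9200"]
elasticsearch.username: kibana
elasticsearch.password: changeme
elasticsearch.ssl.verificationMode: none
"""

# The article's hardened kibana.yml lines.
HARDENED_KIBANA = """
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse `key: value` lines; comments (`#`), blanks and lines without ':' are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def as_list(value: str) -> List[str]:
    """Turn `["a", "b"]` or a bare scalar into a list of unquoted strings."""
    inner = value.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    return [item.strip().strip("'\"") for item in inner.split(",") if item.strip()]


def audit_elasticsearch(text: str) -> List[str]:
    """Findings for elasticsearch.yml; an empty list means the article's settings are all present."""
    cfg = parse_flat_yaml(text)
    findings = []
    if cfg.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: every client gets unauthenticated access")
    for layer in ("transport", "http"):
        prefix = f"xpack.security.{layer}.ssl."
        if cfg.get(prefix + "enabled") != "true":
            findings.append(f"{prefix}enabled is not true: {layer} traffic is plaintext")
            continue
        if cfg.get(prefix + "verification_mode") == "none":
            findings.append(f"{prefix}verification_mode is none: peer certificates are not checked")
        if not (cfg.get(prefix + "keystore.path") or cfg.get(prefix + "key")):
            findings.append(f"{prefix}keystore.path (or key) missing: no certificate to present")
    for key in cfg:
        if key.endswith(".secure_password"):
            findings.append(f"{key} is a secure setting: it belongs in elasticsearch-keystore, not the yml")
    return findings


def audit_kibana(text: str) -> List[str]:
    """Findings for kibana.yml covering both hops: Kibana to cluster and browser to Kibana."""
    cfg = parse_flat_yaml(text)
    findings = []
    hosts = as_list(cfg.get("elasticsearch.hosts", ""))
    if not hosts:
        findings.append("elasticsearch.hosts missing: Kibana falls back to plaintext http://localhost:9200")
    for host in hosts:
        if not host.startswith("https://"):
            findings.append(f"elasticsearch.hosts entry {host} is not https: credentials cross the wire in clear")
    if cfg.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("elasticsearch.ssl.verificationMode is none: Kibana will trust any certificate")
    if cfg.get("server.ssl.enabled") != "true":
        findings.append("server.ssl.enabled is not true: browser sessions to Kibana are plaintext")
    for key in ("elasticsearch.username", "elasticsearch.password"):
        if key in cfg:
            findings.append(f"{key} is in kibana.yml: store it with kibana-keystore instead")
    return findings


if __name__ == "__main__":
    for label, findings in (("weak elasticsearch.yml", audit_elasticsearch(WEAK_ES)),
                            ("hardened elasticsearch.yml", audit_elasticsearch(HARDENED_ES)),
                            ("weak kibana.yml", audit_kibana(WEAK_KIBANA)),
                            ("hardened kibana.yml", audit_kibana(HARDENED_KIBANA))):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against the real files with `audit_elasticsearch(open("elasticsearch/config/elasticsearch.yml").read())`; the checks deliberately flag only what the article configures, so a clean run means the settings from both sections are present and none has been weakened to none.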

With that, the setup is complete and access to the data in the Elasticsearch cluster is both authenticated and encrypted.

If you have questions about the capabilities of the Elastic Stack on the free or paid subscriptions, about monitoring projects or about building a SIEM system, leave a request through the feedback form on our website.

More of our articles about the Elastic Stack on Habr:

Understanding Machine Learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Sizing Elasticsearch

source: www.habr.com
