Elastic under lock and key: enabling Elasticsearch cluster security options for access from inside and outside

Elastic Stack is a well-known tool on the SIEM market (and in fact not only there). It can collect a lot of different data, it is fairly convenient and not overly complicated. What is not so good is that, out of the box, access to the Elastic Stack components themselves is not protected. By default the Elastic components (Elasticsearch, Logstash, Kibana and the Beats collectors) talk over open protocols, and in Kibana itself authentication is disabled. All of these connections can be secured, and in this article we show how. For convenience we have split the story into 3 semantic blocks:

  • Role-based access model
  • Data security inside an Elasticsearch cluster
  • Data security outside an Elasticsearch cluster

Details under the cut.

Role-based access model

If you install Elasticsearch and do not configure it in any way, access to all indices is open to everyone. Well, to everyone who knows how to use curl. To prevent this, Elasticsearch has a role-based model that is available starting with the Basic subscription (which is free). Schematically it looks like this:

[Figure: diagram of the role-based access model]

What is in the picture

  • Users are everyone who can log in with their credentials.
  • A role is a set of privileges.
  • Privileges are a set of permissions.
  • Permissions are the rights to write, read, delete, etc. (full list of permissions)
  • Resources are indices, documents, fields, users and other stored entities (for some resources the role model is only available with paid subscriptions).

By default, Elasticsearch ships with built-in users to which built-in roles are attached. As soon as you enable the security settings, you can start using them.

To enable security in the Elasticsearch settings, you need to add a new line to the configuration file (by default elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to set passwords for the built-in users. We do this with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Let's check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the settings on the Elasticsearch side are done. Now it is time to configure Kibana. If you start it right now you will get errors, so you first need to create a keystore. This is done with two commands (the user is kibana and the password is the one you entered for it in the Elasticsearch password setup step):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is correct, Kibana will start asking for a username and password. The Basic subscription includes a role-based model built on local users. Starting with Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and Single sign-on systems.

Access rights can be restricted for objects inside Elasticsearch. However, to do the same for individual documents or fields you need a paid subscription (this feature starts at the Platinum level). These settings are available in the Kibana web interface or through the security API. You can try them from the familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
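As an added example (not code from the article or from Elastic), a small least-privilege audit of role and user bodies in the shape of the two API calls above: it flags cluster privileges, wildcard index patterns, write-level index privileges and the built-in superuser role. The list of "broad" privileges and the counter-example role are my own assumptions.

```python
import json

# Index privileges that go beyond read-only use (assumed list, not from the article).
BROAD_INDEX_PRIVS = {"all", "write", "manage", "delete", "delete_index", "create_index"}

def audit_role(name, role):
    """Return findings for a role body as sent to PUT /_security/role/<name>."""
    findings = []
    if role.get("cluster"):
        findings.append(f"{name}: grants cluster privileges {role['cluster']}")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        privs = set(entry.get("privileges", []))
        if any("*" in n for n in names):
            findings.append(f"{name}: wildcard index pattern {names}")
        broad = sorted(privs & BROAD_INDEX_PRIVS)
        if broad:
            findings.append(f"{name}: broad privileges {broad} on {names}")
    return findings

def audit_user(name, user, custom_roles):
    """Audit a POST /_security/user/<name> body against the custom roles we defined.
    Built-in roles (e.g. kibana_user) are not in custom_roles and are skipped."""
    findings = []
    if "superuser" in user.get("roles", []):
        findings.append(f"{name}: has the built-in superuser role")
    for r in user.get("roles", []):
        if r in custom_roles:
            findings.extend(audit_role(r, custom_roles[r]))
    return findings

# The role and user from the article (password and e-mail omitted).
ROLES = {"ruslan_i_ludmila_role": json.loads("""
{"cluster": [], "indices": [{"names": ["ruslan_i_ludmila"],
                             "privileges": ["read", "view_index_metadata"]}]}""")}
PUSHKIN = {"roles": ["ruslan_i_ludmila_role", "kibana_user"], "full_name": "Alexander Pushkin"}
# Constructed counter-example: a role that is effectively superuser.
TOO_BROAD = {"cluster": ["all"], "indices": [{"names": ["*"], "privileges": ["all"]}]}

if __name__ == "__main__":
    print(audit_user("pushkin", PUSHKIN, ROLES) or "pushkin: least privilege ok")
    print(audit_role("too_broad", TOO_BROAD))
```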

Data security inside an Elasticsearch cluster

When Elasticsearch runs as a cluster (which is the usual case), the security settings inside the cluster become important. For secure communication between nodes Elasticsearch uses TLS. To set up a secure connection between them you need a certificate. We generate a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the elastic-stack-ca.zip archive appears in the /../elasticsearch directory. Inside you will find a certificate and a private key with the crt and key extensions respectively. It is recommended to place them on a shared resource that is reachable from all nodes of the cluster.

Each node needs its own certificate and private key, signed by the ones in the shared directory. When running the command you will be asked to set a password. You can add the extra options -ip and -dns for full verification of the connecting nodes.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result of the command we get a certificate and private key in PKCS#12 format, protected by the password. All that remains is to move the generated p12 file into the config directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the p12 certificate to the keystore and truststore on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the familiar elasticsearch.yml, all that remains is to add the lines with the certificate data:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

We start all Elasticsearch nodes and run curl. If everything is done correctly, the response lists several nodes:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1
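An added example (not from the article) that turns the check above into a script: it parses the default `_cat/nodes` column layout shown on this page and reports nodes that never joined (a node with a wrong certificate or keystore password fails the TLS handshake and simply does not appear) and master election problems. The sample output and the expected node list are constructed.

```python
from collections import namedtuple

# Column order of the default `_cat/nodes` output shown above.
Node = namedtuple("Node", "ip heap ram cpu load1 load5 load15 roles master name")

def parse_cat_nodes(text):
    """Parse `_cat/nodes` lines; other lines (password prompts, blanks) are ignored."""
    nodes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 10:
            continue
        ip, heap, ram, cpu, l1, l5, l15, roles, master, name = parts
        nodes.append(Node(ip, int(heap), int(ram), int(cpu),
                          float(l1), float(l5), float(l15), roles, master, name))
    return nodes

def check_cluster(text, expected_names):
    """Return the problems found; an empty list means every expected node joined
    and exactly one master was elected."""
    nodes = parse_cat_nodes(text)
    problems = []
    missing = sorted(set(expected_names) - {n.name for n in nodes})
    if missing:
        # A node whose transport TLS setup is wrong never joins the cluster,
        # so the only symptom is its absence from this listing.
        problems.append(f"nodes not in cluster: {missing}")
    masters = [n.name for n in nodes if n.master == "*"]
    if len(masters) != 1:
        problems.append(f"expected one elected master, got {masters}")
    for n in nodes:
        if n.master == "*" and "m" not in n.roles:
            problems.append(f"{n.name} elected master without the m role")
    return problems

# Constructed sample in the same shape as the curl output above.
SAMPLE = """\
Enter host password for user 'elastic':
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1
"""

if __name__ == "__main__":
    print(check_cluster(SAMPLE, ["node1", "node2", "node3"]) or "cluster ok")
    print(check_cluster(SAMPLE, ["node1", "node2", "node3", "node4"]))
```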

There is one more security option: IP address filtering (available with subscriptions from the Gold level). It lets you create whitelists of IP addresses from which connections to the nodes are allowed.

Data security outside an Elasticsearch cluster

Outside the cluster means connecting external tools: Kibana, Logstash, Beats or other external clients.

To enable https (instead of http), add the following lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Since the certificate is password-protected, add the password to the keystore and truststore on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the passwords, the Elasticsearch nodes are ready to accept connections over https. Now they can be started.

The next step is to create a key for connecting Kibana and add it to its configuration. Using the CA certificate from the shared directory, we generate a certificate in PEM format (Kibana, Logstash and Beats do not support PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that is left is to unpack the generated keys into the directory with the Kibana configuration:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so all that remains is to change the Kibana configuration so that it starts using them. In the kibana.yml config file, change http to https and add the lines with the SSL connection settings. The last three lines set up secure communication between the browser and Kibana.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
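As an added example (not code from the article or from Elastic), a small audit of the flat settings this article adds to elasticsearch.yml and kibana.yml, covering both the in-cluster transport TLS block and the https/Kibana block: it reports which hardening lines are missing or weak, and shows the out-of-the-box config beside the hardened one. The rule lists and sample configs are constructed here; the parser handles only the flat `key: value` lines these files use.

```python
import re

def parse_flat_yaml(text):
    """Parse the flat `key: value` lines used in elasticsearch.yml / kibana.yml
    (stdlib only, no PyYAML); comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*:\s*(.*?)\s*$", line.split("#", 1)[0])
        if m:
            conf[m.group(1)] = m.group(2).strip("\"'")
    return conf

# Settings the article turns on, and what stays exposed when they are absent.
ES_RULES = [
    ("xpack.security.enabled", "true", "no authentication: every index readable with curl"),
    ("xpack.security.transport.ssl.enabled", "true", "node-to-node traffic in clear text"),
    ("xpack.security.http.ssl.enabled", "true", "REST API reachable over plain http"),
]
KIBANA_RULES = [("server.ssl.enabled", "true", "browser-to-Kibana traffic in clear text")]

def audit(conf, rules):
    """Return a list of findings; empty means the required settings are present."""
    findings = []
    for key, want, why in rules:
        have = conf.get(key)
        if have is None:
            findings.append(f"{key} missing: {why}")
        elif have.lower() != want:
            findings.append(f"{key}={have}, expected {want}: {why}")
    # 'certificate' checks the chain only; 'full' also checks the peer's name,
    # which needs certificates issued with --ip/--dns as the article notes.
    for key in ("xpack.security.transport.ssl.verification_mode",
                "elasticsearch.ssl.verificationMode"):
        if conf.get(key) not in (None, "full"):
            findings.append(f"{key}={conf[key]}: peer hostname/IP not verified")
    if "http://" in conf.get("elasticsearch.hosts", ""):
        findings.append("elasticsearch.hosts uses http://: Kibana would reach the cluster unencrypted")
    return findings

# Constructed samples: an untouched config beside the hardened one from the article.
DEFAULT_ES = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
HARDENED_ES = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
"""
```

Running `audit(parse_flat_yaml(DEFAULT_ES), ES_RULES)` reports all three settings missing, while the hardened sample only reports the verification_mode caveat.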

That's it: the configuration is complete and access to the data in the Elasticsearch cluster is protected.

If you have questions about what Elastic Stack can do on free and paid subscriptions, about monitoring tasks or about building a SIEM system, leave a request through the feedback form on our website.

More of our articles about Elastic Stack on Habr:

Understanding machine learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Elasticsearch sizing

Source: www.habr.com
