Elastic under lock and key: enabling the security options of an Elasticsearch cluster for access from inside and outside


The Elastic Stack is a well-known tool on the SIEM market (and not only there). It can collect large volumes of very different data, both sensitive and not so sensitive. It is not quite right if access to the Elastic Stack itself is left unprotected. By default, every Elastic component out of the box (Elasticsearch, Logstash, Kibana and the Beats collectors) talks over open, unencrypted protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we explain how. For convenience, we split the story into three blocks:

  • Role-based data access model
  • Protecting data inside the Elasticsearch cluster
  • Protecting data outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not configure it in any way, access to all indices is open to everyone. Well, to everyone who can use curl. To prevent this, Elasticsearch has a role model that is available starting from the Basic (free) subscription. Schematically it looks like this:

[Diagram: users, roles, privileges, permissions and resources in the Elasticsearch role model]

What is in the diagram

  • Users are everyone who can log in with their credentials.
  • A role is a set of privileges.
  • Privileges are a set of permissions.
  • Permissions are rights to write, read, delete, etc. (the full list of permissions is in the Elastic documentation).
  • Resources are indices, documents, fields, users and other stored entities (some resources are only available with paid subscriptions).

By default, Elasticsearch ships with built-in users to which built-in roles are attached. As soon as you enable the security settings, you can start using them right away.

To enable security in Elasticsearch, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch for the change to take effect. The next step is to set passwords for the built-in users. Let's do it interactively with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Checking:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the setup on the Elasticsearch side is complete. Now it is time to configure Kibana. If you start it now, errors will appear, so you first need to create a keystore. This takes two commands (the user is kibana and the password is the one you entered for it at the password-setup stage in Elasticsearch):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is correct, Kibana will start asking for a login and password. The Basic subscription includes only the model based on internal users. Starting from Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and single sign-on systems.


Access rights to objects inside Elasticsearch can also be restricted. However, to do the same at the level of documents or fields you need a paid subscription (this luxury starts at the Platinum level). These settings are available in the Kibana interface or through the Security API. You can try them in the already familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
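The same role and user can be created from the command line with curl against the Security API instead of the Dev Tools console. The script below is an added example, not code from the article: it sends the two request bodies shown above and then uses the Security API's has_privileges endpoint, authenticated as the new user, to confirm that the user can read the index but cannot write to it. ES_URL, CA_CERT, ES_ADMIN_PASS and PUSHKIN_PASS are assumed environment variables; the sample has_privileges responses in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article): create the article's role and user with curl
# through the Security API, then confirm with _has_privileges that the new user is
# read-only on its index. ES_URL, CA_CERT, ES_ADMIN_PASS and PUSHKIN_PASS are assumptions.
set -eu

ES_URL="${ES_URL:-http://node1:9200}"   # switch to https://... once the http listener is on TLS

# Role body from the article: no cluster privileges, read-only access to one index.
role_json() {
  printf '%s' '{"cluster":[],"indices":[{"names":["ruslan_i_ludmila"],"privileges":["read","view_index_metadata"]}]}'
}

# User body; the password is passed in rather than hard-coded in the script.
user_json() {
  printf '{"password":"%s","roles":["ruslan_i_ludmila_role","kibana_user"],"full_name":"Alexander Pushkin"}' "$1"
}

# Question for _has_privileges: may this user both read and write the index?
privilege_query() {
  printf '%s' '{"index":[{"names":["ruslan_i_ludmila"],"privileges":["read","write"]}]}'
}

# Decide from a _has_privileges response whether the user is read-only on the index.
# Elasticsearch answers with compact JSON, e.g. (constructed sample)
#   {"username":"pushkin","has_all_requested":false,"cluster":{},
#    "index":{"ruslan_i_ludmila":{"read":true,"write":false}},"application":{}}
# so substring checks on the index block are sufficient here.
is_read_only() {
  case "$1" in *'"read":true'*) ;; *) return 1 ;; esac
  case "$1" in *'"write":false'*) return 0 ;; *) return 1 ;; esac
}

# $1 = user:password, $2 = HTTP method, $3 = API path, $4 = JSON body
es_curl() {
  if [ -n "${CA_CERT:-}" ]; then
    curl -sS --cacert "$CA_CERT" -u "$1" -H 'Content-Type: application/json' -X "$2" "$ES_URL$3" -d "$4"
  else
    curl -sS -u "$1" -H 'Content-Type: application/json' -X "$2" "$ES_URL$3" -d "$4"
  fi
}

provision_and_verify() {
  es_curl "elastic:$ES_ADMIN_PASS" PUT  /_security/role/ruslan_i_ludmila_role "$(role_json)"
  es_curl "elastic:$ES_ADMIN_PASS" POST /_security/user/pushkin "$(user_json "$PUSHKIN_PASS")"
  # Authenticate as the new user and let Elasticsearch state what it is allowed to do.
  resp=$(es_curl "pushkin:$PUSHKIN_PASS" POST /_security/user/_has_privileges "$(privilege_query)")
  if is_read_only "$resp"; then
    echo "OK: pushkin can read ruslan_i_ludmila but cannot write to it"
  else
    echo "FAIL: unexpected privileges: $resp" >&2
    return 1
  fi
}

# Only talk to the cluster when credentials are supplied; otherwise the helpers can be sourced and tested.
if [ -n "${ES_ADMIN_PASS:-}" ] && [ -n "${PUSHKIN_PASS:-}" ]; then
  provision_and_verify
fi
```

Run it as `ES_ADMIN_PASS=... PUSHKIN_PASS=... sh provision.sh` against a cluster where security is already enabled. The final has_privileges check is the useful part: it asks Elasticsearch itself what the user can do, which catches a role that was accidentally given a broader privilege than intended.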

Protecting data inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (the usual case), the security settings inside the cluster become important. For secure communication between nodes, Elasticsearch uses TLS. To set up a secure connection between them you need a certificate. We create a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the archive elastic-stack-ca.zip appears in the /../elasticsearch directory. Inside it you will find the certificate and the private key, with the extensions crt and key respectively. It is recommended to put them on a shared resource that is accessible to every node in the cluster.

Each node now needs its own certificate and private key, issued from the ones in the shared directory. When you run this command you will be asked to set a password. You can add the extra options --ip and --dns so that the interacting nodes are fully verified against their addresses and names.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result of this command we get a certificate and private key in PKCS#12 format, protected by a password. All that remains is to move the generated p12 file into the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the p12 certificate to the keystore and truststore on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the already familiar elasticsearch.yml, all that remains is to add the lines with the certificate data:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

We start all Elasticsearch nodes and run curl. If everything was done correctly, a response listing several nodes is returned:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP filtering (available in subscriptions from the Gold level). It lets you define a whitelist of IP addresses from which access to the nodes is allowed.

Protecting data outside the Elasticsearch cluster

Outside the cluster means connecting external tools: Kibana, Logstash, Beats or other external clients.


To enable https support (instead of http), add new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Since the certificate is password-protected, add the password to the keystore and truststore on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After the keys have been added, the Elasticsearch nodes are ready to accept connections over https. Now they can be started.

The next step is to create a key for connecting Kibana and add it to its configuration. Based on the CA certificate that is already in the shared directory, we generate a certificate in PEM format (Kibana, Logstash and Beats do not support PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unpack the generated keys into the folder with the Kibana configuration:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so all that remains is to change the Kibana configuration so that it starts using them. In the kibana.yml configuration file, change http to https and add the lines with the SSL connection settings. The last three lines set up a secure connection between the user's browser and Kibana.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
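Because the hardening in this article is spread across elasticsearch.yml (the transport TLS lines from the previous section and the http TLS lines from this one) and kibana.yml, it is easy to forget one of them on a node. The script below is an added example, not part of the article: it audits both files for the settings the article enables and reports what is missing. The configuration samples written by write_samples are constructed to show the out-of-the-box state next to the hardened one; pass your real file paths as arguments instead.

```shell
#!/bin/sh
# Added example, not from the article: audit elasticsearch.yml and kibana.yml for the
# settings the article enables. A node whose config lacks them still serves plain http
# and unauthenticated transport. The yml contents in write_samples are constructed.
set -eu

# Print the value of a top-level "key: value" line with surrounding quotes stripped.
# Empty output means the key is absent or commented out.
yml_value() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -E "^[[:space:]]*${key_re}:" "$1" 2>/dev/null | head -n 1 \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# Compare one key with its required value; print a finding and fail on mismatch.
require() {
  got=$(yml_value "$1" "$2")
  [ "$got" = "$3" ] && return 0
  printf 'MISSING %s: %s (found "%s")\n' "$2" "$3" "$got"
  return 1
}

# Exit status is the number of failed checks; 0 means all four settings are present.
audit_elasticsearch() {
  f="$1"; bad=0
  require "$f" xpack.security.enabled true || bad=$((bad + 1))
  require "$f" xpack.security.transport.ssl.enabled true || bad=$((bad + 1))
  require "$f" xpack.security.transport.ssl.verification_mode certificate || bad=$((bad + 1))
  require "$f" xpack.security.http.ssl.enabled true || bad=$((bad + 1))
  return "$bad"
}

# Same for kibana.yml: browser side on TLS, Elasticsearch side verified and https-only.
audit_kibana() {
  f="$1"; bad=0
  require "$f" server.ssl.enabled true || bad=$((bad + 1))
  require "$f" elasticsearch.ssl.verificationMode certificate || bad=$((bad + 1))
  hosts=$(yml_value "$f" elasticsearch.hosts)
  case "$hosts" in
    ""|*http://*)
      printf 'MISSING elasticsearch.hosts: https:// URLs only (found "%s")\n' "$hosts"
      bad=$((bad + 1)) ;;
  esac
  return "$bad"
}

# Constructed samples: the out-of-the-box state and the state after the article's steps.
write_samples() {
  cat > "$1/es-open.yml" <<'EOF'
cluster.name: demo
network.host: 0.0.0.0
EOF
  cat > "$1/es-hardened.yml" <<'EOF'
cluster.name: demo
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
EOF
  cat > "$1/kibana-open.yml" <<'EOF'
elasticsearch.hosts: ["http://node1:9200"]
EOF
  cat > "$1/kibana-hardened.yml" <<'EOF'
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
EOF
}

# Usage: audit.sh [elasticsearch.yml [kibana.yml]]; with no arguments the samples are audited.
if [ "$#" -ge 1 ]; then
  audit_elasticsearch "$1" && echo "$1: OK"
  if [ "$#" -ge 2 ]; then audit_kibana "$2" && echo "$2: OK"; fi
else
  tmp=$(mktemp -d)
  write_samples "$tmp"
  for f in es-open es-hardened; do
    echo "== $f.yml"; audit_elasticsearch "$tmp/$f.yml" && echo "OK"
  done
  for f in kibana-open kibana-hardened; do
    echo "== $f.yml"; audit_kibana "$tmp/$f.yml" && echo "OK"
  done
  rm -rf "$tmp"
fi
```

The checks deliberately look only at the yml files; the keystore entries (the secure_password values added with elasticsearch-keystore) are not visible there and would need `elasticsearch-keystore list` on each node to confirm.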

That's it: the setup is complete and access to the data in the Elasticsearch cluster is protected.

If you have questions about the capabilities of the Elastic Stack under the free or paid subscriptions, about monitoring tasks or about building a SIEM system, leave a request through the feedback form on our website.

More of our articles about the Elastic Stack on Habré:

Understanding Machine Learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Elasticsearch sizing

Source: www.habr.com
