Elastic under lock and key: enabling the security options of an Elasticsearch cluster for internal and external access


The Elastic Stack is a well-known tool on the SIEM market (and, in fact, not only there). It can collect large volumes of data of various kinds, both sensitive and not very sensitive. It is not right at all if access to the Elastic Stack components themselves is unprotected. By default, all Elastic components out of the box (Elasticsearch, Logstash, Kibana and the Beats collectors) work over open protocols, and in Kibana itself authentication is disabled. All of these interactions can be secured, and in this article we will show how to do it. For convenience, we have divided the story into three semantic blocks:

  • Role-based data access model
  • Data security inside the Elasticsearch cluster
  • Data protection outside the Elasticsearch cluster

Details under the cut.

Role-based data access model

If you install Elasticsearch and do not tune it in any way, access to all indices is open to everyone. Well, at least to everyone who can use curl. To avoid this, Elasticsearch has a good access model that is available starting with the Basic (free) subscription. Schematically it looks like this:

[Figure: diagram of the role-based access model]

What is in the picture

  • Users are everyone who can log in with their credentials.
  • A role is a set of privileges.
  • Privileges are a set of permissions.
  • Permissions are the rights to write, read, delete, etc. (full list of privileges)
  • Resources are indices, documents, fields, users and other storage entities (the model for some resources is only available with a paid subscription).

By default, Elasticsearch has built-in users with built-in roles attached to them. Once you have enabled the security settings, you can start using them right away.

To enable security in the Elasticsearch settings, add a new line to the configuration file (by default this is elasticsearch/config/elasticsearch.yml):

xpack.security.enabled: true

After changing the configuration file, start or restart Elasticsearch for the changes to take effect. The next step is to assign passwords to the built-in users. Let's do this interactively with the command below:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

Let's check:

[elastic@node1 ~]$ curl -u elastic 'node1:9200/_cat/nodes?pretty'
Enter host password for user 'elastic':
192.168.0.2 23 46 14 0.28 0.32 0.18 dim * node1

You can pat yourself on the back: the settings on the Elasticsearch side are done. Now it's time to configure Kibana. If you start it now, errors will appear, so it is important to create a keystore first. This is done with two commands (the user is kibana and the password is the one entered for it at the password-setup step in Elasticsearch):

[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.username
[elastic@node1 ~]$ ./kibana/bin/kibana-keystore add elasticsearch.password

If everything is fine, Kibana will start asking for a login and password. The Basic subscription includes the model based on internal users. Starting with Gold, you can connect external authentication systems: LDAP, PKI, Active Directory and Single Sign-On systems.


Access privileges to objects inside Elasticsearch can also be restricted. However, to do the same at the level of documents or fields, you will need a paid subscription (this pleasure starts at the Platinum level). These settings are available in the Kibana web interface or via the Security API. You can try them out in the already familiar Dev Tools menu:

Creating a role

PUT /_security/role/ruslan_i_ludmila_role
{
  "cluster": [],
  "indices": [
    {
      "names": [ "ruslan_i_ludmila" ],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}

Creating a user

POST /_security/user/pushkin
{
  "password" : "nataliaonelove",
  "roles" : [ "ruslan_i_ludmila_role", "kibana_user" ],
  "full_name" : "Alexander Pushkin",
  "email" : "[email protected]",
  "metadata" : {
    "hometown" : "Saint-Petersburg"
  }
}
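The role and user bodies above are the shape the Security API accepts. As an added example (not from the article), the following Python script runs an offline least-privilege check over such definitions: the article's read-only role beside a deliberately over-broad one, plus the article's user (password omitted). The function names, the role too_broad_role and the list of non-read privileges are my own assumptions; superuser and kibana_user are real built-in roles.

```python
from typing import Dict, List

# Constructed sample role definitions in the shape accepted by
# PUT /_security/role/<name>. The first is the article's read-only role;
# the second (too_broad_role, invented here) is deliberately over-privileged.
SAMPLE_ROLES: Dict[str, Dict] = {
    "ruslan_i_ludmila_role": {
        "cluster": [],
        "indices": [
            {"names": ["ruslan_i_ludmila"],
             "privileges": ["read", "view_index_metadata"]}
        ],
    },
    "too_broad_role": {
        "cluster": ["all"],
        "indices": [{"names": ["*"], "privileges": ["all"]}],
    },
}

# Constructed sample user in the shape of POST /_security/user/<name>
# (password omitted on purpose; it does not belong in an audit input).
SAMPLE_USER = {"roles": ["ruslan_i_ludmila_role", "kibana_user"],
               "full_name": "Alexander Pushkin"}

# Index privileges that allow modifying or administering an index (assumed list).
NON_READ_INDEX_PRIVS = {"all", "write", "index", "create", "delete",
                        "create_index", "delete_index", "manage"}
# Built-in roles referenced on the page; superuser is the one to flag.
BUILT_IN_ROLES = {"superuser", "kibana_user"}


def audit_role(name: str, role: Dict) -> List[str]:
    """Return findings for one role; an empty list means read-only,
    index-scoped access with no cluster privileges."""
    findings: List[str] = []
    cluster = role.get("cluster", [])
    if "all" in cluster:
        findings.append(f"{name}: cluster privilege 'all' gives full cluster control")
    elif cluster:
        findings.append(f"{name}: cluster privileges granted: {sorted(cluster)}")
    for entry in role.get("indices", []):
        names = entry.get("names", [])
        wildcards = [n for n in names if "*" in n]
        if wildcards:
            findings.append(f"{name}: wildcard index patterns {wildcards}")
        risky = sorted(set(entry.get("privileges", [])) & NON_READ_INDEX_PRIVS)
        if risky:
            findings.append(f"{name}: non-read index privileges {risky} on {names}")
    return findings


def audit_user(name: str, user: Dict, roles: Dict[str, Dict]) -> List[str]:
    """Flag superuser and roles that are neither in `roles` nor a known
    built-in; inherit the findings of every custom role assigned."""
    findings: List[str] = []
    for r in user.get("roles", []):
        if r == "superuser":
            findings.append(f"{name}: assigned built-in role 'superuser'")
        elif r in roles:
            findings.extend(audit_role(r, roles[r]))
        elif r not in BUILT_IN_ROLES:
            findings.append(f"{name}: role '{r}' is not defined")
    return findings


if __name__ == "__main__":
    for role_name, role in SAMPLE_ROLES.items():
        print(role_name, audit_role(role_name, role) or "OK")
    print("pushkin", audit_user("pushkin", SAMPLE_USER, SAMPLE_ROLES) or "OK")
```

The same functions can be pointed at the live output of GET /_security/role and GET /_security/user, which return exactly these shapes, to review what a cluster actually grants rather than what was intended.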

Data security inside the Elasticsearch cluster

When Elasticsearch runs as a cluster (which is the usual case), the security settings inside the cluster become important. For secure communication between nodes, Elasticsearch uses TLS. To set up secure interaction between the nodes, you need a certificate. Let's generate a CA certificate and private key in PEM format:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil ca --pem

After running the command above, the archive elastic-stack-ca.zip appears in the /../elasticsearch directory. Inside it you will find a certificate and a private key with the extensions crt and key respectively. It is recommended to place them on a shared resource that is accessible from all nodes in the cluster.

Each node now needs its own certificate and private key, issued from the CA in the shared directory. When you run the command, you will be asked to set a password. You can add the extra options -ip and -dns to get full verification of the interacting nodes.

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key

As a result of running the command, we get a certificate and private key in PKCS#12 format, protected by a password. All that remains is to move the generated p12 file to the configuration directory:

[elastic@node1 ~]$ mv elasticsearch/elastic-certificates.p12 elasticsearch/config

Add the password of the p12 certificate to the keystore and truststore entries on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

In the already familiar elasticsearch.yml, all that remains is to add the lines with the certificate data:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Let's start all Elasticsearch nodes and run curl. If everything was done correctly, a response listing several nodes is returned:

[elastic@node1 ~]$ curl node1:9200/_cat/nodes -u elastic:password
172.18.0.3 43 75 4 0.00 0.05 0.05 dim * node2
172.18.0.4 21 75 3 0.00 0.05 0.05 dim - node3
172.18.0.2 39 75 4 0.00 0.05 0.05 dim - node1

There is one more security option: IP address filtering (available in subscriptions from the Gold level). It lets you create whitelists of IP addresses that are allowed to access the nodes.

Data protection outside the Elasticsearch cluster

Outside the cluster means the connections of external tools: Kibana, Logstash, Beats or other external clients.


To configure https support (instead of http), add these new lines to elasticsearch.yml:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Since the certificate is password-protected, add its password to the keystore and truststore entries on each node:

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

After adding the keys, the Elasticsearch nodes are ready to accept connections over https. Now they can be started.

The next step is to create a key for connecting Kibana and add it to the configuration. Based on the CA certificate already present in the shared directory, we generate a certificate in PEM format (Kibana, Logstash and Beats do not yet support PKCS#12):

[elastic@node1 ~]$ ./elasticsearch/bin/elasticsearch-certutil cert --ca-cert /shared_folder/ca/ca.crt --ca-key /shared_folder/ca/ca.key --pem

All that remains is to unpack the generated keys into the folder with the Kibana configuration:

[elastic@node1 ~]$ unzip elasticsearch/certificate-bundle.zip -d kibana/config

The keys are in place, so what remains is to change the Kibana configuration so that it starts using them. In the kibana.yml configuration file, change http to https and add the lines with the SSL connection settings. The last three lines set up secure communication between the user's browser and Kibana.

elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
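The three configuration fragments in this article (transport TLS in elasticsearch.yml, http TLS in elasticsearch.yml, and the Kibana side in kibana.yml) are easy to get subtly wrong, for example by leaving verification_mode at none while testing. As an added example (not from the article), the following Python script audits such fragments offline: it parses the flat key: value lines without a YAML library and reports settings that leave traffic in clear text or certificate checks disabled. The sample files are constructed from the article's own keys and values; the function names and severity labels are my own assumptions.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severity is "fail" or "info"

# Constructed excerpt of elasticsearch.yml, using the article's settings.
ES_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
"""

# Constructed excerpt of kibana.yml, using the article's settings.
KIBANA_YML = """\
elasticsearch.hosts: ["https://${HOSTNAME}:9200"]
elasticsearch.ssl.certificateAuthorities: /shared_folder/ca/ca.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /../kibana/config/instance/instance.key
server.ssl.certificate: /../kibana/config/instance/instance.crt
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse flat 'key: value' lines (the only form these fragments use);
    comments and blank lines are skipped, values are kept as raw strings."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_elasticsearch(cfg: Dict[str, str]) -> List[Finding]:
    """Check the node-side settings for both the transport and http layers."""
    out: List[Finding] = []
    if cfg.get("xpack.security.enabled") != "true":
        out.append(("fail", "xpack.security.enabled is not true: no authentication, no roles"))
    for layer in ("transport", "http"):
        prefix = f"xpack.security.{layer}.ssl."
        if cfg.get(prefix + "enabled") != "true":
            out.append(("fail", f"{layer} TLS is not enabled: traffic is in clear text"))
        elif not cfg.get(prefix + "keystore.path"):
            out.append(("fail", f"{layer} TLS enabled but keystore.path is missing"))
    # Elasticsearch defaults verification_mode to full when the key is absent.
    mode = cfg.get("xpack.security.transport.ssl.verification_mode", "full")
    if mode == "none":
        out.append(("fail", "transport verification_mode 'none' accepts any certificate"))
    elif mode == "certificate":
        out.append(("info", "transport verification_mode 'certificate' checks the CA chain "
                            "only; 'full' also matches node IP/DNS (certs issued with -ip/-dns)"))
    return out


def audit_kibana(cfg: Dict[str, str]) -> List[Finding]:
    """Check the Kibana side: its link to Elasticsearch and its own listener."""
    out: List[Finding] = []
    hosts = cfg.get("elasticsearch.hosts", "")
    if "http://" in hosts:
        out.append(("fail", "elasticsearch.hosts uses plain http"))
    if "https://" in hosts and not cfg.get("elasticsearch.ssl.certificateAuthorities"):
        out.append(("fail", "https to Elasticsearch without certificateAuthorities: CA not verified"))
    # Kibana defaults verificationMode to full when the key is absent.
    if cfg.get("elasticsearch.ssl.verificationMode", "full") == "none":
        out.append(("fail", "elasticsearch.ssl.verificationMode 'none' disables certificate checks"))
    if cfg.get("server.ssl.enabled") != "true":
        out.append(("fail", "server.ssl.enabled is not true: browser traffic is in clear text"))
    elif not (cfg.get("server.ssl.key") and cfg.get("server.ssl.certificate")):
        out.append(("fail", "server.ssl.enabled but key/certificate paths are missing"))
    return out


def failures(findings: List[Finding]) -> List[str]:
    """Only the hard failures; 'info' entries are hardening hints."""
    return [msg for sev, msg in findings if sev == "fail"]


if __name__ == "__main__":
    for name, text, audit in (("elasticsearch.yml", ES_YML, audit_elasticsearch),
                              ("kibana.yml", KIBANA_YML, audit_kibana)):
        for sev, msg in audit(parse_flat_yaml(text)):
            print(f"{name}: [{sev}] {msg}")
```

Run against the article's own values, the script reports no failures and one informational note: verification_mode: certificate does not pin node identity, which is exactly what the -ip and -dns options of elasticsearch-certutil are for.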

With that, the configuration is complete and access to the data in the Elasticsearch cluster is encrypted.

If you have questions about the capabilities of the Elastic Stack under the free or paid subscriptions, about monitoring tasks or about building a SIEM system, leave a request via the feedback form on our website.

More of our articles about the Elastic Stack on Habré:

Understanding Machine Learning in the Elastic Stack (aka Elasticsearch, aka ELK)

Elasticsearch sizing

Source: www.habr.com
