Securing Elasticsearch with X-Pack or ReadonlyRest

From Tuxunix

X-pack (v5.4)

Prerequisites:

X-Pack is the plugin that adds the security and authentication layer (among other things) to the traffic between the clients (Filebeat), the indexer (ES) and Kibana. The drawback is the licence: the security and authentication features in particular are not free, so be ready to reach for your wallet.

Note: the free basic licence does include the ES Monitoring part.

ES (v5.4)

Prerequisites:

JDK 8


Add the x-pack plugin

./bin/elasticsearch-plugin install file:///home/elasticsearch/sources/x-pack-5.4.0.zip

Initialise the passwords of the built-in users. They all start with the default password changeme, so do this before exposing the node; the new password travels in the request body, so run these over the loopback interface or once HTTPS is enabled as described further down:


curl -XPUT -u elastic 'ns328975:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{
 "password" : "xxxxxx"
}'
curl -XPUT -u logstash_system 'ns328975:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{
 "password" : "xxxxx"
}'

Import the Filebeat dashboard templates

  • Prerequisite: Filebeat installed
/usr/share/filebeat/scripts/import_dashboards -es https://xxxxxxx:9200 -user xxxxxx -pass xxxxx

Encrypting the traffic with X-Pack

Generate the certificates by running bin/x-pack/certgen from the Elasticsearch home directory; it produces a CA (ca.crt) and a key/certificate pair for each node you declare.

  • In the file "elasticsearch.yml"
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,filebeat-*
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.ssl.key:                     name.key
xpack.ssl.certificate:             name.crt
xpack.ssl.certificate_authorities: [ "config/x-pack/ca/ca.crt" ]
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: [ "127.0.0.1", "x.x.x.x", "x.x.x.x", "x.x.x.x" ]
xpack.security.transport.filter.deny: _all
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: [ "x.x.x.x", "127.0.0.1" ]
xpack.security.http.filter.deny: _all

The allow lists are evaluated first and deny: _all rejects every other address, so the transport allow list must contain every node of the cluster and the HTTP allow list every client (Kibana, the Filebeat hosts) that talks to the REST API. The x.x.x.x entries are placeholders for those addresses.


Once the passwords have been set

add this to the ES configuration so that any account still using its default password is refused:

xpack.security.authc.accept_default_password: false
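As an added check (example script, not from the original page nor from Elastic), the following POSIX shell audits an elasticsearch.yml for the settings listed above: TLS on both listeners, IP filtering that falls through to deny-all, certificate material present and the default password rejected. The two sample files it writes are constructed for the demo: the hardened one reproduces the settings above with made-up 10.0.0.x addresses in place of x.x.x.x, the weak one is what a node looks like when only the plugin has been installed.

```shell
#!/bin/sh
# Added example: audit elasticsearch.yml for the X-Pack 5.x hardening settings shown above.
# Only sed/awk/grep are needed; the sample files are constructed here for the demo.

# get_setting FILE KEY -> value of the first "KEY: value" line (empty if the key is absent)
get_setting() {
  k=$(printf '%s' "$2" | sed 's/\./\\./g')          # escape dots so they match literally
  sed -n "s/^[[:space:]]*$k:[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_xpack_hardening FILE -> prints one finding per line, returns 1 if anything is off
check_xpack_hardening() {
  f=$1; bad=0
  # booleans with an expected value
  for pair in xpack.security.transport.ssl.enabled=true \
              xpack.security.http.ssl.enabled=true \
              xpack.security.transport.filter.enabled=true \
              xpack.security.http.filter.enabled=true \
              xpack.security.authc.accept_default_password=false; do
    key=${pair%%=*}; want=${pair#*=}; v=$(get_setting "$f" "$key")
    if [ -z "$v" ]; then echo "MISSING $key (want $want)"; bad=1
    elif [ "$v" != "$want" ]; then echo "WEAK    $key=$v (want $want)"; bad=1; fi
  done
  # IP filters must fall through to deny-all
  for key in xpack.security.transport.filter.deny xpack.security.http.filter.deny; do
    v=$(get_setting "$f" "$key")
    [ "$v" = "_all" ] || { echo "WEAK    $key=${v:-<unset>} (want _all)"; bad=1; }
  done
  # certificate material must be configured for TLS to work at all
  for key in xpack.ssl.key xpack.ssl.certificate xpack.ssl.certificate_authorities; do
    [ -n "$(get_setting "$f" "$key")" ] || { echo "MISSING $key"; bad=1; }
  done
  return $bad
}

# write_hardened_sample FILE -> constructed elasticsearch.yml matching the settings above
write_hardened_sample() {
  cat >"$1" <<'EOF'
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,filebeat-*
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.ssl.key:                     name.key
xpack.ssl.certificate:             name.crt
xpack.ssl.certificate_authorities: [ "config/x-pack/ca/ca.crt" ]
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: [ "127.0.0.1", "10.0.0.2", "10.0.0.3" ]
xpack.security.transport.filter.deny: _all
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: [ "10.0.0.10", "127.0.0.1" ]
xpack.security.http.filter.deny: _all
xpack.security.authc.accept_default_password: false
EOF
}

# write_weak_sample FILE -> constructed config of a node where only the plugin was installed
write_weak_sample() {
  cat >"$1" <<'EOF'
# TLS switched off on both listeners, an allow-everyone HTTP filter and no deny rule
xpack.security.transport.ssl.enabled: false
xpack.security.http.ssl.enabled: false
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: [ "0.0.0.0/0" ]
EOF
}

# demo run (never aborts on findings, so the file can also be sourced for its functions)
d=$(mktemp -d)
write_hardened_sample "$d/hardened.yml"; write_weak_sample "$d/weak.yml"
echo "== hardened.yml"; check_xpack_hardening "$d/hardened.yml" && echo "OK"
echo "== weak.yml";     check_xpack_hardening "$d/weak.yml" || true
```

On the weak sample the script reports nine findings (two listeners without TLS, the transport filter and the default-password setting missing, both deny rules missing and the three certificate settings absent); on the hardened one it prints OK. Point it at a real node with check_xpack_hardening /etc/elasticsearch/elasticsearch.yml.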


KIBANA (v5.4)

Add the x-pack plugin

./bin/kibana-plugin install x-pack

Change the password of the kibana built-in user, either with curl or from the Kibana UI (Kibana then needs the same credentials in kibana.yml, under elasticsearch.username and elasticsearch.password):

curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{
 "password" : "xxxxx"
}'

Define the account and the role used by Filebeat.

Account: filebeat  Role: "remote_log"

[Image: PrivKibana.jpg, the privileges of the remote_log role as set in the Kibana UI]

Filebeat

Installation

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.4.0-amd64.deb
dpkg -i filebeat-5.4.0-amd64.deb

Copy the certificates generated on the ES side (ca.crt plus the node's key/certificate pair) to the Filebeat host.

Configuration with SSL + the nginx module

filebeat.prospectors:
- input_type: log
  paths:
    - /xxxxx/logs/access.log
  document_type: nginx
  exclude_files: [".gz$"]
filebeat.modules:
- module: nginx
  access:
    enabled: true
    var.paths: [ "/var/log/nginx/access.log" ]
  error:
    enabled: true
    var.paths: [ "/var/log/nginx/error.log" ]
tags: ["nameSite.fr"]
output.elasticsearch:
  hosts: ["x.x.x.x:9200"]
  protocol: "https"
  username: "xxxxx"
  password: "xxxxxx"
  ssl.enabled: true
  ssl.certificate_authorities: ["/xxxxx/ca.crt"]
  ssl.certificate: "/xxxx/name.crt"
  ssl.key: "/xxxx/name.key"   # added: Beats refuses ssl.certificate without its key; path assumed to sit beside name.crt
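Before the certificates are copied to the Filebeat host it is worth proving offline that the three files belong together: the private key matches name.crt, name.crt chains to ca.crt (exactly the check Filebeat performs with ssl.certificate_authorities on every connection) and the certificate is not about to expire. The script below is an added example, not part of the page or of certgen; it needs only the openssl command line, and because certgen output is not available offline it builds a throwaway CA and leaf under the same file names, plus an unrelated key to show the failure case.

```shell
#!/bin/sh
# Added example: verify certgen output (ca.crt, name.crt, name.key) before shipping it to Filebeat.
# Needs openssl. The demo PKI below is constructed and stands in for real certgen output.

# key_matches_cert CERT KEY -> 0 when the key's public half equals the certificate's public key
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# cert_chains_to_ca CA CERT -> 0 when CERT verifies against CA, which is what Filebeat does
# with ssl.certificate_authorities (and curl with --cacert)
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for CERT SECONDS -> 0 when CERT is still valid SECONDS from now
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# verify_tls_material CA CERT KEY -> prints one line per check, returns 1 if any check fails
verify_tls_material() {
  ca=$1; crt=$2; key=$3; bad=0
  if key_matches_cert "$crt" "$key"; then echo "ok   private key matches $crt"
  else echo "FAIL private key does not belong to $crt"; bad=1; fi
  if cert_chains_to_ca "$ca" "$crt"; then echo "ok   $crt chains to $ca"
  else echo "FAIL $crt is not signed by $ca"; bad=1; fi
  if cert_valid_for "$crt" 86400; then echo "ok   certificate valid for at least 24h"
  else echo "FAIL certificate expires within 24h (or is already expired)"; bad=1; fi
  return $bad
}

# make_demo_pki DIR -> constructed CA + leaf + an unrelated key (stand-in for certgen output)
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=es.example" \
    -keyout "$d/name.key" -out "$d/name.csr" >/dev/null 2>&1
  openssl x509 -req -days 3 -in "$d/name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/name.crt" >/dev/null 2>&1
  openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1   # wrong key, for the failure case
}

d=$(mktemp -d); make_demo_pki "$d"
echo "== correct material";  verify_tls_material "$d/ca.crt" "$d/name.crt" "$d/name.key" || true
echo "== wrong private key"; verify_tls_material "$d/ca.crt" "$d/name.crt" "$d/other.key" || true
```

On real material run verify_tls_material config/x-pack/ca/ca.crt name.crt name.key on the ES host; a FAIL on the chain check is the same error Filebeat will log as an x509 verification failure once it connects.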

Activating the X-Pack basic licence

Do not use curl -k here: it disables certificate verification altogether. The CA from certgen is at hand, so pass it with --cacert instead (run from the Elasticsearch home directory so the path resolves):

curl --cacert config/x-pack/ca/ca.crt --user xxxxx:xxxxx -XPUT 'https://xxxxxxx:9200/_xpack/license?acknowledge=true' -H "Content-Type: application/json" -d @sources/license.json

ReadonlyRest

An ES plugin that provides encryption of the traffic, authentication and ACL management (the equivalent of the security part of X-Pack). Its advantage: it is free, no licence needed.

Installation

./elasticsearch-plugin install file:///home/elasticsearch/sources/readonlyrest-1.15.0_es5.4.0.zip

Generating the keystore

The export password given to openssl (-passout is added here so the command is not interactive) must be the one passed as -srcstorepass to keytool; PASS_STORE and PASS_KEYPASS are the values that go into elasticsearch.yml below:

openssl pkcs12 -export -in certs/NAME.fr.crt -inkey certs/NAME.fr.key -out pkcs.p12 -name NAME -passout pass:toto
jdk1.8.0_131/bin/keytool -importkeystore -deststorepass PASS_STORE -destkeypass PASS_KEYPASS -destkeystore keystore.jks \
 -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass toto -alias NAME

Elasticsearch configuration

  • elasticsearch.yml

# only valid (and only needed) when the x-pack plugin is also installed on the node; remove it otherwise
xpack.security.enabled: false

http.type: ssl_netty4
readonlyrest:
  enable: true
  ssl:
    enable: true
    keystore_file: "/xxxxx/keystore.jks"
    keystore_pass: PASS_STORE
    key_pass: PASS_KEYPASS
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  access_control_rules:
  - name: "::LOGSTASH::"
    # auth_key (clear text) is fine for testing, but use auth_key_sha256 in production
    auth_key_sha256: "6325952d08bcf50f39bea8256344d8908be52485dc4db229a3c616f88c0bf4c1"
    type: allow
    #actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["filebeat-*"]
  # We trust Kibana's server-side process: full access granted via HTTP authentication
  - name: "::KIBANA-SRV::"
    # auth_key (clear text) is fine for testing, but use auth_key_sha256 in production
    auth_key_sha256: "6325952d08bcf50f39bea8256344d8908be52485dc4db229a3c616f88c0bf4c1"
    type: allow
    verbosity: error # don't log successful requests
  - name: "Accept all requests from localhost"
    type: allow
    hosts: [127.0.0.1]

Rules are evaluated in order and the first one whose conditions all match is applied. Two things to keep in mind with the listing above: both rules carry the same auth_key_sha256, so the Filebeat/Logstash credential also satisfies ::KIBANA-SRV:: and gets full access to every index (give each service its own secret), and the last rule grants unauthenticated full access to anything running on the ES host itself.

  • auth_key_sha256 string (SHA-256 of "user:password"):
#> echo -n "test:testpassword" | openssl dgst -sha256
28773897a77cc1f3a08eebe5075a464560053aa56eedbf617e9cc6f2894a730b
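The script below is an added example, not ReadonlyREST's own tooling and not from the page: it derives the hash the way the page does (user:password through SHA-256, via openssl dgst or sha256sum), prints access_control_rules entries with a separate random password per service, and flags any hash reused across rules in an existing block. The shared-secret sample it checks reproduces the duplicate from the listing above; /dev/urandom, od, sed, sort and uniq are assumed to be available.

```shell
#!/bin/sh
# Added example: per-service ReadonlyREST credentials and a duplicate auth_key_sha256 check.
# Uses openssl dgst (or sha256sum as a fallback) and /dev/urandom; everything else is POSIX sh.

# ror_auth_key_sha256 USER PASS -> hex SHA-256 of "USER:PASS", the value ReadonlyREST compares against
ror_auth_key_sha256() {
  if command -v openssl >/dev/null 2>&1; then
    printf '%s:%s' "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'
  else
    printf '%s:%s' "$1" "$2" | sha256sum | awk '{print $1}'
  fi
}

# ror_random_password -> 32 hex characters (128 bits) from the kernel RNG
ror_random_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# ror_rule NAME USER PASS [INDICES] -> one access_control_rules entry; INDICES is a YAML list
# such as '["filebeat-*"]' and, when omitted, the rule is not restricted to any index
ror_rule() {
  printf '    - name: "%s"\n' "$1"
  printf '      auth_key_sha256: "%s"\n' "$(ror_auth_key_sha256 "$2" "$3")"
  printf '      type: allow\n'
  if [ -n "${4:-}" ]; then printf '      indices: %s\n' "$4"; fi
}

# ror_duplicate_hashes FILE -> prints every auth_key_sha256 value used by more than one rule and
# returns 1; returns 0 when every rule has its own secret
ror_duplicate_hashes() {
  dups=$(sed -n 's/^[[:space:]]*auth_key_sha256:[[:space:]]*"\{0,1\}\([0-9A-Fa-f]*\).*/\1/p' "$1" \
         | sort | uniq -d)
  [ -n "$dups" ] || return 0
  printf '%s\n' "$dups"
  return 1
}

# write_shared_secret_sample FILE -> constructed block with the same hash in both rules, as above
write_shared_secret_sample() {
  cat >"$1" <<'EOF'
readonlyrest:
  access_control_rules:
    - name: "::LOGSTASH::"
      auth_key_sha256: "6325952d08bcf50f39bea8256344d8908be52485dc4db229a3c616f88c0bf4c1"
      type: allow
      indices: ["filebeat-*"]
    - name: "::KIBANA-SRV::"
      auth_key_sha256: "6325952d08bcf50f39bea8256344d8908be52485dc4db229a3c616f88c0bf4c1"
      type: allow
EOF
}

# write_split_secret_sample FILE -> block with a separate random password per service; the
# clear-text passwords are printed once so they can go into filebeat.yml and kibana.yml
write_split_secret_sample() {
  fb=$(ror_random_password); kb=$(ror_random_password)
  {
    echo "readonlyrest:"
    echo "  access_control_rules:"
    ror_rule "::LOGSTASH::" filebeat "$fb" '["filebeat-*"]'
    ror_rule "::KIBANA-SRV::" kibana "$kb"
  } >"$1"
  echo "filebeat password: $fb"
  echo "kibana   password: $kb"
}

d=$(mktemp -d)
write_shared_secret_sample "$d/shared.yml"
echo "== shared.yml"; ror_duplicate_hashes "$d/shared.yml" || echo "^ hash reused across rules"
write_split_secret_sample "$d/split.yml"
echo "== split.yml";  ror_duplicate_hashes "$d/split.yml" && cat "$d/split.yml"
```

The generated rules keep the page's shape (::LOGSTASH:: restricted to filebeat-*, ::KIBANA-SRV:: unrestricted) but no longer share a secret, so a leaked Filebeat password cannot be replayed for full access.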

Kibana configuration

  • kibana.yml (elasticsearch.username/elasticsearch.password must be the user:password pair whose SHA-256 sits in the ::KIBANA-SRV:: rule)
server.port: 5601
server.host: "localhost"
elasticsearch.url: "https://NAME.fr:9200"
kibana.index: ".kibana"
elasticsearch.username: "test"
elasticsearch.password: "pass"
xpack.security.enabled: false


Filebeat configuration

username/password are the pair hashed in the ::LOGSTASH:: rule. With a certificate issued by a public CA (as for NAME.fr above) no ssl.certificate_authorities entry is needed; with a private CA add it as in the X-Pack setup.

filebeat.prospectors:
filebeat.modules:
- module: nginx
  access:
    enabled: true
    var.paths: [ "/var/log/access.log" ]
  error:
    enabled: true
    var.paths: [ "/var/log/error.log" ]
tags: ["name.fr"]
output.elasticsearch:
  hosts: ["name:9200"]
  protocol: "https"
  username: "xxxxx"
  password: "xxxx"
  ssl.enabled: true