😛
安全运营指南
  • 序言
  • 1 序言
    • 1.1 简介
  • 10 主动防御
    • 10 主动防御
  • 11 安全审计
    • audit
    • osquery
    • sysmon
  • 12 告警手段
    • ESalert告警
    • wazuh邮件告警
    • 自定义告警
  • 13 指标可视化
    • grafana
    • kibana
    • splunk
  • 14 SIEM框架
    • clickhouse
    • splunk
  • 15 nids
    • suricata
  • 16 SIEM集成虚拟机
    • misp
    • ossim
    • selks
    • siemonster
    • wazuh
  • 2 wazuh安装配置
    • 2.1 系统架构
    • 2.2 wazuh管理端安装
      • 2.2.1 Centos 7安装
      • 2.2.2 Ubuntu 18.04安装
    • 2.3 wazuh代理端安装
      • 2.3.3 Windows安装
      • 2.3.1 Centos 7安装
      • 2.3.2 Ubuntu 18.04安装
    • 2.4 管理端与代理端通信
      • 2.4.1 LINUX系统通信
      • 2.4.2 Windows系统通信
    • 2.5 puppet批量部署
      • 2.5.1 puppet server安装
      • 2.5.2 wazuh管理端安装
      • 2.5.3 Ubuntu代理端安装
      • 2.5.4 Windows代理端安装
      • 2.5.5 wazuh参数
    • 2.6 ansible批量部署
      • 2.6.1 ansible Linux 安装
      • 2.6.2 ansible windows安装
      • 2.6.3 wazuh参数
    • 2.7 无状态代理
  • 3 日志收集安装配置
    • 3.1 代理端收集日志
      • Linux日志收集
      • windows日志收集
      • 日志收集安装配置
      • 远程日志收集
    • 3.2 EL(F)K安装配置
      • 3.2.4 Logstash
      • 3.2.5 es集群
      • elasticsearch
      • filebeat
      • kibana
    • 3.3 EL(F)K安装配置(开源)
    • 3.4 splunk安装配置
      • 3.3.1 splunk server
      • 3.3.2 splunk wazuh app
      • 3.3.3 splunk forward
    • 3.5 ELK鉴权机制
      • 3.5.1 HTTP认证
      • 3.5.2 HTTPS认证
    • 3.6 wazuh鉴权机制
      • 3.6.1 管理端与代理端通信
      • 3.6.2 wazuhAPI认证
    • 3.7 syslog导出
  • 4 wazuh共享和集群
    • 4.1 wazuh共享
    • 4.2 wazuh集群
  • 5 文件完整性监控
    • 5.1 功能描述
    • 5.2 实战操作
  • 6 异常和恶意软件检测
    • clamav检测
    • VirusTotal检测
    • 本地规则检测
  • 7 安全基线检测
    • 7.1 安全基线简介
    • 7.2 SCA
    • 7.3 openscap
  • 8 命令内容监控
    • 8.1 命令内容监控
  • 9 主机安全漏洞检测
    • 9.1 配置漏洞扫描
由 GitBook 提供支持
在本页
  • elasticsearch配置
  • kibana配置
  • filebeat配置
  • logstash配置

这有帮助吗?

  1. 3 日志收集安装配置
  2. 3.5 ELK鉴权机制

3.5.2 HTTPS认证

上一页3.5.1 HTTP认证下一页3.6 wazuh鉴权机制

最后更新于1年前

这有帮助吗?

elasticsearch配置

如果你在之前配置了http认证,需要将原来http认证配置删除,并且将原来的用户数据清除,不然不可以重置密码,如果不用重置密码,请忽略这个。

使用开发者工具进行删除安全配置数据索引。

接下来配置HTTPS通信,创建文件/usr/share/elasticsearch/instances.yml,输入对应的资产信息。我这里是ES和Kibana在一起的,所以IP是一样的。

[root@EK ~]# cat /usr/share/elasticsearch/instances.yml 
instances:
    - name: "wazuh-manager"
      ip:
        - "192.168.1.200"
    - name: "elasticsearch"
      ip:
        - "192.168.1.201"
    - name: "kibana"
      ip:
        - "192.168.1.201"

使用elasticsearch-certutil工具创建ELK通信所需要的HTTPS证书。证书压缩包设置在/opt目录中。

[root@EK ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert  --pem --silent --in /usr/share/elasticsearch/instances.yml  --out /opt/cert.zip 
[root@EK ~]# ls /opt/cert.zip 
/opt/cert.zip

解压证书压缩包,其中ca目录ca.crt是私钥文件为所有实例共享。其他目录分别对应自身公钥和私钥。

[root@EK opt]# unzip cert.zip 
Archive:  cert.zip
   creating: ca/
  inflating: ca/ca.crt               
   creating: wazuh-manager/
  inflating: wazuh-manager/wazuh-manager.crt  
  inflating: wazuh-manager/wazuh-manager.key  
   creating: elasticsearch/
  inflating: elasticsearch/elasticsearch.crt  
  inflating: elasticsearch/elasticsearch.key  
   creating: kibana/
  inflating: kibana/kibana.crt       
  inflating: kibana/kibana.key       
[root@EK opt]# ls 
ca  cert.zip  elasticsearch  kibana  wazuh-manager

创建目录/etc/elasticsearch/certs,然后复制如下文件。

[root@EK opt]# mkdir -p /etc/elasticsearch/certs/ca
[root@EK opt]# cp /opt/ca/ca.crt /etc/elasticsearch/certs/ca/ca.crt
[root@EK opt]# cp /opt/elasticsearch/elasticsearch.crt /etc/elasticsearch/certs/
[root@EK opt]# cp /opt/elasticsearch/elasticsearch.key /etc/elasticsearch/certs/

在/etc/elasticsearch/elasticsearch.yml文件最下面添加以下内容。

xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.license.self_generated.type: basic

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

配置完成之后,重新启动服务:systemctl restart elasticsearch。

elasticsearch再重新设置密码,这次就不自动生成,我们直接设置密码。

[root@EK opt]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana_system]: 
Reenter password for [kibana_system]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

kibana配置

创建kibana证书目录:/etc/kibana/certs/ca。将证书文件复制进去。

[root@EK opt]# mkdir -p /etc/kibana/certs/ca
[root@EK opt]# cp /opt/ca/ca.crt /etc/kibana/certs/ca/
[root@EK opt]# cp /opt/kibana/kibana.key /etc/kibana/certs/
[root@EK opt]# cp /opt/kibana/kibana.crt /etc/kibana/certs/

其中kibana配置文件如下:

[root@EK opt]# cat /etc/kibana/kibana.yml 
server.host: "0.0.0.0"

elasticsearch.hosts: ["https://192.168.1.201:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "123456"

elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca/ca.crt"]
elasticsearch.ssl.certificate: "/etc/kibana/certs/kibana.crt"
elasticsearch.ssl.key: "/etc/kibana/certs/kibana.key"

server.ssl.enabled: true
server.ssl.certificate: "/etc/kibana/certs/kibana.crt"
server.ssl.key: "/etc/kibana/certs/kibana.key"

kibana配置文件的server.host参数内容不能设置127.0.0.1,设置0.0.0.0。

重启kibana服务

打开浏览器输入https://192.168.1.201:5601/地址就可以看到配置完成。

filebeat配置

新建filebeat证书目录:/etc/filebeat/certs/ca。

[root@wazuh-manager ~]# mkdir -p  /etc/filebeat/certs/ca

上传证书到/etc/filebeat/certs/目录下面。

[root@wazuh-manager certs]# tree /etc/filebeat/certs/
/etc/filebeat/certs/
├── ca
│   └── ca.crt
├── wazuh-manager.crt
└── wazuh-manager.key

1 directory, 3 files

修改/etc/filebeat/filebeat.yml,添加如下内容

output.elasticsearch.hosts: ['https://192.168.1.201:9200']
output.elasticsearch.username: "beats_system"
output.elasticsearch.password: "123456"

output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: "/etc/filebeat/certs/wazuh-manager.crt"
output.elasticsearch.ssl.key: "/etc/filebeat/certs/wazuh-manager.key"
output.elasticsearch.ssl.certificate_authorities: ["/etc/filebeat/certs/ca/ca.crt"]

重启filebeat服务,测试连接ES情况。

[root@wazuh-manager ~]# filebeat test output
elasticsearch: https://192.168.1.201:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.201
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.11.2

logstash配置