ELK Security Authentication System
Overview of security authentication
As enterprises pay ever more attention to data security, the security authentication mechanisms of the ELK Stack become increasingly important. The ELK security authentication system is built on the X-Pack security features of the Elastic Stack and provides complete authentication, authorization, encryption and auditing capabilities, so that log data stays secure and compliant.
X-Pack security features
1. Core security features
Authentication
Features:
- Supports multiple authentication methods (native users, LDAP, Active Directory, PKI, etc.)
- Provides user account management
- Supports multi-factor authentication
Authorization
Features:
- Role-based access control (RBAC)
- Fine-grained privilege management
- Space-level access control
Encryption
Features:
- TLS/SSL transport encryption
- Encrypted inter-node communication
- Encrypted HTTP API
Auditing
Features:
- Detailed access logging
- Security event tracking
- Compliance report generation
2. Security component architecture
Architecture diagram
```text
[User/Application] --> [Kibana] --> [Elasticsearch] --> [Logstash/Filebeat]
        |                 |               |                    |
        v                 v               v                    v
 [Auth service]  [Security gateway]  [Secure node]     [Secure client]
```
Elasticsearch security configuration
1. Enabling security features
Basic security configuration
```yaml
# elasticsearch.yml
# Enable security features
xpack.security.enabled: true
# Enable transport-layer security (inter-node traffic)
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elastic-certificates.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elastic-certificates.crt
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/certs/elastic-stack-ca.crt"]
# Enable HTTP-layer security (REST API)
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elastic-certificates.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elastic-certificates.crt
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs/elastic-stack-ca.crt"]
```
Certificate generation
```shell
# Generate a certificate authority
bin/elasticsearch-certutil ca --out config/certs/elastic-stack-ca.p12 --pass ""
# Generate a node certificate signed by that CA
bin/elasticsearch-certutil cert --ca config/certs/elastic-stack-ca.p12 --out config/certs/elastic-certificates.p12 --pass ""
# Convert PKCS#12 to PEM: the certificate only (-nokeys), then the private key only (-nocerts -nodes)
openssl pkcs12 -in config/certs/elastic-certificates.p12 -out config/certs/elastic-certificates.crt -nokeys
openssl pkcs12 -in config/certs/elastic-certificates.p12 -out config/certs/elastic-certificates.key -nocerts -nodes
# Export the CA certificate as PEM so it can be listed under certificate_authorities
openssl pkcs12 -in config/certs/elastic-stack-ca.p12 -out config/certs/elastic-stack-ca.crt -nokeys
```
2. Built-in user management
Default built-in users
Built-in user list:
- elastic: superuser with all privileges
- kibana_system: Kibana system user
- logstash_system: Logstash system user
- beats_system: Beats system user
- apm_system: APM system user
- remote_monitoring_user: remote monitoring user
Setting built-in user passwords
```shell
# Set passwords interactively
bin/elasticsearch-setup-passwords interactive
# Generate passwords automatically
bin/elasticsearch-setup-passwords auto
# Reset the password of a specific user
bin/elasticsearch-reset-password -u elastic
```
Verifying user authentication
```shell
# Verify authentication: with HTTP SSL enabled the endpoint is https, and without credentials the request must be rejected with HTTP 401
curl --cacert config/certs/elastic-stack-ca.crt https://localhost:9200/_cluster/health
# Verify the SSL connection and the credentials: cluster health is returned only when both the certificate and the password check out
curl -u elastic --cacert config/certs/elastic-stack-ca.crt https://localhost:9200/_cluster/health
```
Kibana security configuration
1. Basic security configuration
Kibana configuration file
```yaml
# kibana.yml
# Elasticsearch connection
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "password"
# SSL settings for the connection to Elasticsearch
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/elastic-stack-ca.crt"]
elasticsearch.ssl.verificationMode: certificate
# SSL settings for the Kibana server itself (browser-facing)
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
# Session settings
xpack.security.encryptionKey: "something_at_least_32_characters"
xpack.security.session.idleTimeout: "1h"
xpack.security.session.lifespan: "30d"
```
Generating the session key
```shell
# Generate a random 32-byte (64 hex characters) value for xpack.security.encryptionKey
openssl rand -hex 32
```
2. Space security configuration
Space privilege management
```json
POST /api/spaces/space
{
  "id": "marketing",
  "name": "Marketing",
  "description": "Marketing team space",
  "disabledFeatures": ["canvas", "maps"],
  "initials": "MKT"
}
```
Role mapping configuration
```json
PUT /_security/role_mapping/marketing_analyst
{
  "enabled": true,
  "roles": ["marketing_analyst"],
  "rules": {
    "field": {
      "username": "*marketing*"
    }
  }
}
```
Logstash security configuration
1. Elasticsearch output security
Secure output configuration
```conf
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    user => "logstash_system"
    password => "password"
    # SSL settings
    ssl => true
    cacert => "/etc/logstash/certs/elastic-stack-ca.crt"
    ssl_certificate_verification => true
    # Index settings
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
```
Client certificate authentication
```conf
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    # Client certificate settings; Elasticsearch needs a PKI realm that maps this certificate to a user
    ssl => true
    cacert => "/etc/logstash/certs/elastic-stack-ca.crt"
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}
```
2. Beats input security
Secure input configuration
```conf
input {
  beats {
    port => 5044
    # SSL settings; Beats clients verify this certificate against their certificate_authorities
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}
```
Filebeat security configuration
1. Elasticsearch output security
Basic security configuration
```yaml
# filebeat.yml
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "filebeat_system"
  password: "password"
  # SSL settings
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/etc/filebeat/certs/elastic-stack-ca.crt"]
```
Client certificate authentication
```yaml
# filebeat.yml
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  # Client certificate settings
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate: "/etc/filebeat/certs/filebeat.crt"
  ssl.key: "/etc/filebeat/certs/filebeat.key"
  ssl.certificate_authorities: ["/etc/filebeat/certs/elastic-stack-ca.crt"]
```
2. Logstash output security
Secure output configuration
```yaml
# filebeat.yml
output.logstash:
  hosts: ["localhost:5044"]
  # SSL settings
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/filebeat/certs/logstash-ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/filebeat.crt"
  ssl.key: "/etc/filebeat/certs/filebeat.key"
```
User and role management
1. User management
Creating a user
```json
# Create a user through the API
POST /_security/user/new_user
{
  "password" : "new_user_password",
  "roles" : [ "kibana_user", "monitoring_user" ],
  "full_name" : "New User",
  "email" : "newuser@example.com",
  "metadata" : {
    "department" : "IT"
  }
}
```
Modifying a user
```json
# Update user information
PUT /_security/user/existing_user
{
  "password" : "new_password",
  "roles" : [ "kibana_admin", "monitoring_user" ],
  "full_name" : "Updated User"
}
```
Deleting a user
```json
# Delete a user
DELETE /_security/user/old_user
```
2. Role management
Creating a role
```json
# Create a custom role
POST /_security/role/log_reader
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["logstash-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "resources": ["space:marketing"],
      "privileges": ["feature_dashboard.read", "feature_visualize.read"]
    }
  ]
}
```
Role privilege configuration
```json
# Administrative role: "all" on the cluster and on app-* indices, so assign it sparingly
PUT /_security/role/app_admin
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["app-*"],
      "privileges": ["all"]
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "resources": ["*"],
      "privileges": ["all"]
    }
  ]
}
```
LDAP integration
1. LDAP configuration
Elasticsearch LDAP configuration
```yaml
# elasticsearch.yml
xpack.security.authc.realms.ldap.ldap1:
  order: 0
  url: "ldaps://ldap.example.com:636"
  bind_dn: "cn=admin,dc=example,dc=com"
  # Prefer storing the bind password in the keystore as secure_bind_password instead of in this file
  bind_password: "password"
  user_search.base_dn: "dc=example,dc=com"
  user_search.filter: "(uid={0})"
  group_search.base_dn: "dc=example,dc=com"
  files.role_mapping: "/etc/elasticsearch/role_mapping.yml"
  unmapped_groups_as_roles: false
```
Role mapping file
```yaml
# role_mapping.yml
admin:
  - "cn=admins,dc=example,dc=com"
power_user:
  - "cn=power_users,dc=example,dc=com"
user:
  - "cn=users,dc=example,dc=com"
```
2. Active Directory integration
AD configuration
```yaml
# elasticsearch.yml
xpack.security.authc.realms.active_directory.ad1:
  order: 0
  domain_name: "example.com"
  url: "ldaps://ad.example.com:636"
  bind_dn: "cn=admin,cn=Users,dc=example,dc=com"
  bind_password: "password"
  user_search.base_dn: "cn=Users,dc=example,dc=com"
  group_search.base_dn: "cn=Users,dc=example,dc=com"
```
Audit logging
1. Audit configuration
Enabling the audit log
```yaml
# elasticsearch.yml
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include: [
  "access_denied",
  "access_granted",
  "anonymous_access_denied",
  "authentication_failed",
  "connection_denied",
  "tampered_request",
  "run_as_denied",
  "run_as_granted"
]
```
Audit log format
```json
{
  "type": "audit",
  "timestamp": "2023-01-01T10:00:00,000Z",
  "node.name": "elasticsearch-node-1",
  "event.type": "access_denied",
  "origin.type": "rest",
  "origin.address": "192.168.1.100",
  "user.name": "test_user",
  "user.realm": "native",
  "url.path": "/_cluster/health",
  "url.query": "pretty"
}
```
2. Audit log management
Audit event filtering
```yaml
# elasticsearch.yml
# Record request bodies in audit events; bodies may contain sensitive data, so enable only when needed
xpack.security.audit.logfile.events.emit_request_body: true
# Events to drop; excluding authentication_failed removes exactly the events a failed-login alert depends on
xpack.security.audit.logfile.events.exclude: [
  "anonymous_access_denied",
  "authentication_failed"
]
```
Audit log analysis
```shell
# Count access-denied events
grep -c '"event.type":"access_denied"' /var/log/elasticsearch/audit.log
# Count events per user: extract the user.name field from each JSON line (the last whitespace-separated field of a JSON line is not the user name)
grep -o '"user.name":"[^"]*"' /var/log/elasticsearch/audit.log | sort | uniq -c
```
Security monitoring
1. Security metrics monitoring
Monitoring APIs
```json
# Return the currently authenticated user and its roles
GET /_security/_authenticate
# Check whether the current user holds the given privileges
GET /_security/user/_has_privileges
{
  "index": [
    {
      "names": ["logstash-*"],
      "privileges": ["read"]
    }
  ]
}
```
Health checks
```json
# Check cluster health (requires the monitor cluster privilege)
GET /_cluster/health
# Check which security features (realms, roles, SSL, audit) are enabled and in use
GET /_xpack/usage
```
2. Alert configuration
Security alert rule
The watch below counts authentication_failed events per user every minute and e-mails when any user exceeds 5. Its search input assumes the audit events have been indexed into the indices it queries; by default Elasticsearch writes audit events to a log file on each node, not to an index.
```json
PUT _watcher/watch/failed_login_attempts
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [".security-*"],
        "body": {
          "query": {
            "match": {
              "event.type": "authentication_failed"
            }
          },
          "aggs": {
            "failed_logins": {
              "terms": {
                "field": "user.name"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.failed_logins.buckets.0.doc_count": {
        "gt": 5
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "admin@example.com",
        "subject": "Security Alert: Multiple Failed Login Attempts",
        "body": "User {{ctx.payload.aggregations.failed_logins.buckets.0.key}} has failed to login {{ctx.payload.aggregations.failed_logins.buckets.0.doc_count}} times."
      }
    }
  }
}
```
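The audit log analysis commands and the failed-login watch above are the same two checks applied to audit events. This added Python example (not code from the page or from Elastic) reproduces them offline over constructed sample lines in the audit JSON layout shown earlier: access_denied counts per user, and a sliding 1-minute window that flags any user with more than 5 authentication failures, the watch's threshold.

```python
# Added example (not from the original page): parse Elasticsearch audit events (JSON, one per
# line) and apply the page's two checks: access_denied counts per user, and users exceeding the
# watch's threshold of 5 authentication_failed events within 1 minute. Sample lines are constructed.
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta
def _event(ts, etype, user, origin="192.168.1.100"):  # one constructed audit line
    return json.dumps({"type": "audit", "timestamp": ts, "event.type": etype, "origin.type": "rest",
                       "origin.address": origin, "user.name": user, "user.realm": "native"})
# 2 denials for test_user, 1 for bob, 6 failed logins for elastic within 50 s, 3 for alice over 10 min, 1 corrupt line
SAMPLE_AUDIT = "\n".join(
    [_event("2023-01-01T10:00:00,000Z", "access_denied", "test_user"),
     _event("2023-01-01T10:00:05,000Z", "access_denied", "test_user"),
     _event("2023-01-01T10:00:07,000Z", "access_denied", "bob")]
    + [_event(f"2023-01-01T10:01:{s:02d},000Z", "authentication_failed", "elastic", "10.0.0.7")
       for s in range(0, 60, 10)]
    + [_event(f"2023-01-01T10:{10 + 5 * i:02d}:00,000Z", "authentication_failed", "alice")
       for i in range(3)]
    + ["<corrupt line that is not JSON>"])
def parse_audit(text):  # audit events in text; blank or malformed lines are skipped, not fatal
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and ev.get("type") == "audit":
            events.append(ev)
    return events
def denied_by_user(events):  # access_denied events per user.name (the grep | sort | uniq -c check)
    return Counter(e.get("user.name", "<anonymous>")
                   for e in events if e.get("event.type") == "access_denied")

def failed_login_suspects(events, threshold=5, window=timedelta(minutes=1)):
    """Users with more than `threshold` authentication_failed events inside any sliding window."""
    stamps = defaultdict(list)
    for e in events:
        if e.get("event.type") == "authentication_failed":
            stamps[e.get("user.name", "<unknown>")].append(datetime.strptime(
                e["timestamp"].replace(",", "."), "%Y-%m-%dT%H:%M:%S.%fZ"))  # comma before the ms
    suspects = {}
    for user, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                suspects[user] = max(suspects.get(user, 0), end - start + 1)
    return suspects
```

Point `parse_audit` at the contents of a real audit file to run the same checks against production events.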
Best practices
1. Security configuration best practices
Password policy
Password requirements:
- Minimum length: 8 characters
- Must contain digits, upper- and lower-case letters and special characters
- Rotate passwords regularly (90 days recommended)
- Forbid common passwords
Certificate management
Certificate management recommendations:
- Use valid SSL certificates
- Renew certificates regularly
- Protect private key files
- Enable certificate revocation checking
2. Access control best practices
Principle of least privilege
Privilege assignment principles:
- Grant only the minimum privileges needed for the job
- Review user privileges regularly
- Remove the accounts of departed users promptly
- Use role groups to simplify privilege management
Network security
Network security recommendations:
- Restrict access to Elasticsearch ports
- Use firewall rules
- Enable network encryption
- Deploy in a secure network environment
3. Monitoring and maintenance
Regular security checks
Check items:
□ Review user accounts and privileges
□ Check certificate validity
□ Analyze audit logs
□ Apply security patches
□ Back up configuration files
Incident response
Incident response steps:
1. Immediately isolate the affected systems
2. Analyze the cause of the security incident
3. Fix the security vulnerability
4. Restore normal operation
5. Record lessons learned
Summary
The ELK security authentication system gives log data comprehensive protection: authentication, authorization, encryption and auditing together keep the system secure and compliant. In a real deployment, configure the security features according to the concrete security and compliance requirements, and establish sound monitoring and maintenance processes so that the ELK Stack runs securely and reliably.