Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 三)

这篇文章是我们之前文章“Elastic SIEM - 适用于家庭和企业的安全防护”系列的续集。在今天的这篇文章中,我们接着来讲述数据的导入:Auditbeat 及 Packetbeat。我们系统的配置请参阅之前的文章“Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 二)”。在今天的安装中,我们将把我们的Auditbeat及Packetbeat安装于Ubuntu OS之上。

 

安装Packetbeat

我们可以参照文章“Beats:如何安装Packetbeat” 来在Ubuntu OS上安装Packetbeat。根据一致性的需求,按照我们之前的文章“Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 二)”,我们需要加入相应的processors到我们的packetbeat.yml文件中:

processors: 
  - add_host_metadata:
      netinfo.enabled: true
      geo: # These Geo configurations are optional
        location: 39.931854, 116.470528
        continent_name: Asia
        country_iso_code: CN
        region_name: Beijing
        region_iso_code: CN-BJ
        city_name: Beijing city
        name: myLocation
  - add_locale: ~ 
  - add_cloud_metadata: ~ 
  - add_fields: 
      when.network.source.ip: private 
      fields: 
        source.geo.location: 
          lat: 39.931854 
          lon: 116.470528
        source.geo.continent_name: Asia
        source.geo.country_iso_code: CN
        source.geo.region_name: Beijing
        source.geo.region_iso_code: CN-BJ
        source.geo.city_name: Beijing city
        source.geo.name: myLocation
      target: '' 
  - add_fields: 
      when.network.destination.ip: private 
      fields: 
        destination.geo.location: 
          lat: 39.931854 
          lon: 116.470528 
        destination.geo.continent_name: Asia
        destination.geo.country_iso_code: CN
        destination.geo.region_name: Beijing
        destination.geo.region_iso_code: CN-BJ
        destination.geo.city_name: Beijing city
        destination.geo.name: myLocation
      target: ''

我同时把packetbeat.yml里的name字段设置为ubuntu。这样整个packetbeat.yml的文件如下:

#################### Packetbeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The packetbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/packetbeat/index.html

#============================== Network device ================================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: any

#================================== Flows =====================================

# Set `enabled: false` or comment out all options to disable flows reporting.
packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

#========================== Transaction protocols =============================

packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]

- type: cassandra
  #Cassandra port for traffic monitoring.
  ports: [9042]

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]

- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306,3307]

- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]

- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]

- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]

- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]

- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL

    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: "ubuntu"

# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["ubuntu", "HomePC"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.43.220:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.43.220:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors: 
  - add_host_metadata:
      netinfo.enabled: true
      geo: # These Geo configurations are optional
        location: 39.931854, 116.470528
        continent_name: Asia
        country_iso_code: CN
        region_name: Beijing
        region_iso_code: CN-BJ
        city_name: Beijing city
        name: myLocation
  - add_locale: ~ 
  - add_cloud_metadata: ~ 
  - add_fields: 
      when.network.source.ip: private 
      fields: 
        source.geo.location: 
          lat: 39.931854 
          lon: 116.470528
        source.geo.continent_name: Asia
        source.geo.country_iso_code: CN
        source.geo.region_name: Beijing
        source.geo.region_iso_code: CN-BJ
        source.geo.city_name: Beijing city
        source.geo.name: myLocation
      target: '' 
  - add_fields: 
      when.network.destination.ip: private 
      fields: 
        destination.geo.location: 
          lat: 39.931854 
          lon: 116.470528 
        destination.geo.continent_name: Asia
        destination.geo.country_iso_code: CN
        destination.geo.region_name: Beijing
        destination.geo.region_iso_code: CN-BJ
        destination.geo.city_name: Beijing city
        destination.geo.name: myLocation
      target: ''

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Packetbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

如果我们的Packetbeat安装正确的话,那么,我可以在Kibana的Dashboard中看到如下的画面:

安装Auditbeat

我们可以参照之前的文章“Beats:  Elastic中的Auditbeat使用介绍”来在Ubuntu OS上进行安装。针对Auditbeat的安装,我们需要做一点点小的修改。我们在/etc/auditbeat/audit.rules.d目录下,把默认的样本rule打开:

sudo mv sample-rules.conf.disabled rules.conf

这个rules的内容如下:

## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi

## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec

## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

根据一致性的需求,按照我们之前的文章“Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 二)”,我们需要加入相应的processors到我们的auditbeat.yml文件中:修改后的auditbeat.yml文件为:

###################### Auditbeat Configuration Example #########################

# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html

#==========================  Modules configuration =============================
auditbeat.modules:

- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    #-a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    #-a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    #-w /etc/group -p wa -k identity
    #-w /etc/passwd -p wa -k identity
    #-w /etc/gshadow -p wa -k identity

    ## Unauthorized access attempts.
    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 12h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
name: ubuntu

# The tags of the shipper are included in their own field with each
# transaction published.
tags: ["ubuntu", "HomePC"] 

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.43.220:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.43.220:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors: 
  - add_host_metadata:
      netinfo.enabled: true
      geo: # These Geo configurations are optional
        location: 39.931854, 116.470528
        continent_name: Asia
        country_iso_code: CN
        region_name: Beijing
        region_iso_code: CN-BJ
        city_name: Beijing city
        name: myLocation
  - add_locale: ~ 
  - add_cloud_metadata: ~ 
  - add_fields: 
      when.network.source.ip: private 
      fields: 
        source.geo.location: 
          lat: 39.931854 
          lon: 116.470528
        source.geo.continent_name: Asia
        source.geo.country_iso_code: CN
        source.geo.region_name: Beijing
        source.geo.region_iso_code: CN-BJ
        source.geo.city_name: Beijing city
        source.geo.name: myLocation
      target: '' 
  - add_fields: 
      when.network.destination.ip: private 
      fields: 
        destination.geo.location: 
          lat: 39.931854 
          lon: 116.470528 
        destination.geo.continent_name: Asia
        destination.geo.country_iso_code: CN
        destination.geo.region_name: Beijing
        destination.geo.region_iso_code: CN-BJ
        destination.geo.city_name: Beijing city
        destination.geo.name: myLocation
      target: ''

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
monitoring.enabled: true

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

等我们的auditbeat已经被成功运行起来后,我们可以在Kibana的Dashboard中看到如下的画面:

安装Filebeat等其它的beats

在很多的情况下,我们还需要根据我们自己的需求安装更多的beats,比如filebeat。这对于很多的情况下是非常有用的。我们可以打开我们的Kibana:

我们点击Add events按钮:

在上面,它显示了许多的应用场景。我们可以根据自己的需求来按照上面的要求来进行安装。大多数情况下,都是安装filebeat,并启动相应的模块:

 

在SIEM里展示数据

我打开在Kibana中的SIEM应用:

我可以同时看到三个来源的数据:Auditbeat,Winlogbeat及Packetbeat。

我们点击Hosts tab:

我们看见有三个hosts。这其中的原因是在中途我修改了在配置文件yml文件里的name从默认值liuxg到ubuntu:

 

我们点击上面的ubuntu超链接,我们可以看到如下的画面:

在上面,我们可以看到关于这个ubuntu host的统计情况。我们可以地哪家下面的Authentications, Uncommon processes, Events及External alerts来进行搜索:

由于我们添加了Packetbeat和Auditbeat,我们可以得到Network的情况:

在上面显示了我们电脑的位置。也显示了Network的所有的events。

在上面,如果我们点击“Detections”,我们会发现如下的错误:

我们点击上面的链接,可以看到对我们的配置有一定的要求

我们按照上面的需求来重新进行配置:

  • 在elasticsearch.yml中,我们添加xpack.security.enabled,并且设置它为true,也即:
    • xpack.security.enabled: true
    • 在Basic授权的情况下,我们必须也设置xpack.security.transport.ssl.enabled为true,否则elasticsearch也启动不了。
    • 由于我们已经启动了Elasticsearch安全,我们必须安装“Elasticsearch:设置Elastic账户安全”来设置账户安全。
    • 同时,我们也必须配置kibana.yml启用安全访问
    • 同时,我们也必须配置我们的各个beats的Elasticsearch访问用户名及密码,然后重新启动beats
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.43.220:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "changeme"
  • 在kibana.yml中,设置xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'

经过上面的修改后,我们再重新点击“Detections”,我们可以看到如下的画面:

好了,今天我们就先讲到这里。在接下来的文章中,我们将着重介绍如何创建一个rule。敬请阅读文章“Solutions:Elastic SIEM - 适用于家庭和企业的安全防护 ( 四)”。

展开阅读全文

没有更多推荐了,返回首页

应支付0元
点击重新获取
扫码支付

支付成功即可阅读