CYB3RSN0RLAX
TwitterGitHubLinkedin
Search…
About Cyb3rSn0rlax
🛡️ SOC Engineering
🧞
Building an Open SIEM From Scratch
1. Introduction to Elastic Stack
2. Installing OpenDistro for Elasticsearch Plugins
3. Installing ElastAlert
4. ELK Stack: "L" is for Lord of the Stack
5. Alerting in ELK
6. Building Detection Rules
7. Metrics Reports & Dashboards
🛡
A Primer to Detection Engineering Dimensions in a SOC Universe
😺
GitHub Projects
ELK4QRadar
Automating ELK Health Check
💾
DFIR
DFIR-01 : $MFT
DFIR-02 : Journal Forensics
DFIR-03: RDP Authentication Artifacts
☢️ DEATH : Detection Engineering And Threat Hunting
🔑
TA0006 : Credential Access
🦘
TA0008 : Lateral Movement
🔎
Misc
Infosec Game-Sense
Powered By GitBook
2. Installing OpenDistro for Elasticsearch Plugins
The Opendistro allows us to add plugins to our elastic stack, in particular the security plugin which will allow us to secure our stack and add further features like users and roles management, the alerting plugins which will allow us to create rules and send alerts via slack, webhooks and lately they added Email.
If you are using a cluster of nodes installing a plugin would only be successfully operational if it is installed on all nodes.
  • Further information about Opendistro plugins can be found here
  • We are running 7.8.0 so the compatible opendistro plugin version is 1.9.0.0

Disable XPACK security

First lets disable xpack security on both Elasticsearch and Kibana and add this line to their configuration files
1
xpack.security.enabled: false
Copied!

Installing Security plugin for Elasticsearch

Navigate to the Elasticsearch home directory (most likely, it is /usr/share/elasticsearch), and run the install command for each plugin.
1
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-1.9.0.0.zip
Copied!

Installing Alerting plugin for Elasticsearch

Before installing alerting plugin, the job scheduler plugin is required to be able to send alerts and take data snapshots.

Job Scheduler Plugin

1
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-job-scheduler/opendistro-job-scheduler-1.9.0.0.zip
Copied!

Alerting Plugin

1
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-alerting/opendistro_alerting-1.9.0.1.zip
Copied!

Installing Security Plugin for Kibana

Elasticsearch security plugin has a corresponding Kibana plugin which would be a great addition in order to make management tasks easy from a UI.
Navigate to the Kibana home directory (likely /usr/share/kibana) and run the install command for each plugin.
1
$ sudo bin/kibana-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-1.9.0.0.zip --allow-root
Copied!
This plugin provides a user interface for managing users, roles, mappings, action groups, and tenants.

Installing Alerting Plugin for Kibana

This plugin provides a user interface for creating monitors and managing alerts.
1
$ sudo bin/kibana-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-1.9.0.0.zip --allow-root
Copied!

Setting up default certificates

After installing the modules we must restart Elasticsearch and Kibana to take into account the installed plugins but before restarting them we must run the following script to generate the default certificates of opendistro
If you have a cluster, this step must be done on all Elasticsearch instances before restarting the Elasticsearch service
1
$ chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh
2
$ /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh
3
$ sudo systemctl restart elasticsearch
4
$ sudo systemctl restart kibana
Copied!
Default credentials are admin:admin to test if everything is working check Elasticsearch response by running the following command
1
$ curl -XGET "https://localhost:9200/_cat/nodes?v" -u admin -k
Copied!
Generating our own certificates is not within the scope of this blog. so make sure you modify these certificates before putting this on production.
After restart you would notice some changes to Elasticsearch configuration file.
1
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
2
# WARNING: revise all the lines below before you go into production
3
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
4
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
5
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
6
opendistro_security.ssl.transport.enforce_hostname_verification: false
7
opendistro_security.ssl.http.enabled: true
8
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
9
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
10
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
11
opendistro_security.allow_unsafe_democertificates: true
12
opendistro_security.allow_default_init_securityindex: true
13
opendistro_security.authcz.admin_dn:
14
- CN=kirk,OU=client,O=client,L=test, C=de
15
16
opendistro_security.audit.type: internal_elasticsearch
17
opendistro_security.enable_snapshot_restore_privilege: true
18
opendistro_security.check_snapshot_restore_write_privileges: true
19
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
20
cluster.routing.allocation.disk.threshold_enabled: false
21
node.max_local_storage_nodes: 3
22
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
Copied!

Changing Logstash and Kibana's configuration

Since we installed security plugin all communication now to our node is in https so we need to change their configurations accordingly.
Copy demo certificates to accessible locations for kibana and logstash and change, if necessary, the owner and group of the files.
1
$ cp /etc/elasticsearch/esnode.pem /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/root-ca.pem /etc/kibana/
2
$ cp /etc/elasticsearch/root-ca.pem /etc/logstash/
3
$ chown logstash:logstash /etc/logstash/root-ca.pem
4
$ chown kibana:kibana /etc/kibana/esnode.pem /etc/kibana/esnode-key.pem /etc/kibana/root-ca.pem
Copied!

Kibana.yml

1
server.port: 5601
2
server.host: "192.168.20.222"
3
server.name: "elk-allinone"
4
elasticsearch.hosts: ["https://localhost:9200"]
5
######### for demo purposes I am using the same user admin but you can create a dedicated user for communications between kibana and elasticsearch
6
elasticsearch.username: "admin"
7
elasticsearch.password: "admin"
8
xpack.security.enabled: false
9
######### Enable SSL #################”
10
server.ssl.enabled: true
11
server.ssl.certificate: /etc/kibana/esnode.pem
12
server.ssl.key: /etc/kibana/esnode-key.pem
13
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/root-ca.pem" ]
14
elasticsearch.ssl.verificationMode: certificate
Copied!
1
$ sudo systemctl restart kiban
Copied!

Logstash.yml

1
xpack.monitoring.enabled: true
2
xpack.monitoring.elasticsearch.username: admin
3
xpack.monitoring.elasticsearch.password: admin
4
xpack.monitoring.elasticsearch.hosts: ["https://192.168.20.22:9200"]
5
xpack.monitoring.elasticsearch.ssl.certificate_authority: /etc/logstash/root-ca.pem
6
xpack.monitoring.elasticsearch.ssl.verification_mode: none
7
Copied!
Previous
c. Installing and configuring Logstash
Next
3. Installing ElastAlert
Last modified 1yr ago
Copy link
Contents
Disable XPACK security
Installing Security plugin for Elasticsearch
Installing Alerting plugin for Elasticsearch
Job Scheduler Plugin
Alerting Plugin
Installing Security Plugin for Kibana
Installing Alerting Plugin for Kibana
Setting up default certificates
Changing Logstash and Kibana's configuration
Kibana.yml
Logstash.yml