From 654a18dcdbb2825498dffff29992d5427639e797 Mon Sep 17 00:00:00 2001 From: Antoine Cotten Date: Fri, 18 Nov 2022 17:07:16 +0100 Subject: [PATCH] feat(ext/beats): Monitor using unprivileged user Both the collection and storage of monitoring data are now performed using the unpriviliged built-in users 'remote_monitoring_user' and 'beats_system' respectively, instead of the 'elastic' superuser. --- .env | 12 ++++++++++++ README.md | 2 +- docker-compose.yml | 2 ++ extensions/filebeat/config/filebeat.yml | 3 +++ extensions/filebeat/filebeat-compose.yml | 1 + extensions/heartbeat/config/heartbeat.yml | 3 +++ extensions/heartbeat/heartbeat-compose.yml | 1 + extensions/metricbeat/config/metricbeat.yml | 11 +++++++---- extensions/metricbeat/metricbeat-compose.yml | 2 ++ setup/entrypoint.sh | 2 ++ 10 files changed, 34 insertions(+), 5 deletions(-) diff --git a/.env b/.env index 3bfaf77..1bddff4 100644 --- a/.env +++ b/.env @@ -20,3 +20,15 @@ LOGSTASH_INTERNAL_PASSWORD='changeme' # The user Kibana uses to connect and communicate with Elasticsearch. # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html KIBANA_SYSTEM_PASSWORD='changeme' + +# User 'beats_system' (built-in) +# +# The user the Beats use when storing monitoring information in Elasticsearch. +# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html +BEATS_SYSTEM_PASSWORD='' + +# User 'remote_monitoring_user' (built-in) +# +# The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch. +# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html +REMOTE_MONITORING_USER_PASSWORD='' diff --git a/README.md b/README.md index 1e06acf..85a9101 100644 --- a/README.md +++ b/README.md 
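Review bot: The comment added above `REMOTE_MONITORING_USER_PASSWORD` in .env says Metricbeat uses this user for "collecting and storing" monitoring information, but this patch uses `remote_monitoring_user` only in the `elasticsearch` and `kibana` module blocks of metricbeat.yml (collection), while `monitoring.elasticsearch` uses `beats_system`. The comment would be accurate as `# The user Metricbeat uses when collecting monitoring information from Elasticsearch and Kibana.`. Both new variables also default to `''` where the existing entries default to `'changeme'`, and nothing here says what an empty value does. If the setup script skips users whose password is empty (its logic is outside this patch's hunks), a line such as `# Leave empty to skip setting a password for this user.` would make that explicit. This matters because the three Beat configs keep `monitoring` enabled and would then authenticate with an empty password.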
@@ -163,7 +163,7 @@ reset the passwords of all aforementioned Elasticsearch users to random secrets. 1. Reset passwords for default users - The commands below resets the passwords of the `elastic`, `logstash_internal` and `kibana_system` users. Take note + The commands below reset the passwords of the `elastic`, `logstash_internal` and `kibana_system` users. Take note of them. ```console diff --git a/docker-compose.yml b/docker-compose.yml index d633c90..ef55126 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -24,6 +24,8 @@ services: ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-} KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-} + BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-} + REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-} networks: - elk depends_on: diff --git a/extensions/filebeat/config/filebeat.yml b/extensions/filebeat/config/filebeat.yml index c3772da..005cda6 100644 --- a/extensions/filebeat/config/filebeat.yml +++ b/extensions/filebeat/config/filebeat.yml @@ -21,6 +21,9 @@ processors: monitoring: enabled: true + elasticsearch: + username: beats_system + password: ${BEATS_SYSTEM_PASSWORD} output.elasticsearch: hosts: [ http://elasticsearch:9200 ] diff --git a/extensions/filebeat/filebeat-compose.yml b/extensions/filebeat/filebeat-compose.yml index 04ff104..8411e2c 100644 --- a/extensions/filebeat/filebeat-compose.yml +++ b/extensions/filebeat/filebeat-compose.yml @@ -28,6 +28,7 @@ services: read_only: true environment: ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} + BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-} networks: - elk depends_on: diff --git a/extensions/heartbeat/config/heartbeat.yml b/extensions/heartbeat/config/heartbeat.yml index 911ed25..bfa2d60 100644 --- a/extensions/heartbeat/config/heartbeat.yml +++ b/extensions/heartbeat/config/heartbeat.yml 
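Review bot: The Filebeat container still holds the `elastic` superuser credential after this change: the `monitoring.elasticsearch` block added in filebeat.yml moves only the Beat's self-monitoring to `beats_system`, while filebeat-compose.yml keeps passing `ELASTIC_PASSWORD`. The credential lines of `output.elasticsearch` fall outside the hunk, so event output presumably still writes as `elastic`. A comment above the new block such as `# Only monitoring data uses 'beats_system'; event output below authenticates separately.` would keep readers from assuming otherwise, and a dedicated low-privilege writer for the output is the natural follow-up. The block also sets no `hosts`, so it most likely reuses the `http://elasticsearch:9200` output host and sends the new password over plain HTTP. The same applies to the matching hunks in heartbeat.yml and metricbeat.yml.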
@@ -22,6 +22,9 @@ processors: monitoring: enabled: true + elasticsearch: + username: beats_system + password: ${BEATS_SYSTEM_PASSWORD} output.elasticsearch: hosts: [ http://elasticsearch:9200 ] diff --git a/extensions/heartbeat/heartbeat-compose.yml b/extensions/heartbeat/heartbeat-compose.yml index a6fe2ad..44ea8f2 100644 --- a/extensions/heartbeat/heartbeat-compose.yml +++ b/extensions/heartbeat/heartbeat-compose.yml @@ -17,6 +17,7 @@ services: - ./extensions/heartbeat/config/heartbeat.yml:/usr/share/heartbeat/heartbeat.yml:ro,Z environment: ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} + BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-} networks: - elk depends_on: diff --git a/extensions/metricbeat/config/metricbeat.yml b/extensions/metricbeat/config/metricbeat.yml index 14606c5..f33f0e2 100644 --- a/extensions/metricbeat/config/metricbeat.yml +++ b/extensions/metricbeat/config/metricbeat.yml @@ -18,8 +18,8 @@ metricbeat.autodiscover: metricbeat.modules: - module: elasticsearch hosts: [ http://elasticsearch:9200 ] - username: elastic - password: ${ELASTIC_PASSWORD} + username: remote_monitoring_user + password: ${REMOTE_MONITORING_USER_PASSWORD} xpack.enabled: true period: 10s - module: logstash @@ -28,8 +28,8 @@ metricbeat.modules: period: 10s - module: kibana hosts: [ http://kibana:5601 ] - username: elastic - password: ${ELASTIC_PASSWORD} + username: remote_monitoring_user + password: ${REMOTE_MONITORING_USER_PASSWORD} xpack.enabled: true period: 10s - module: docker @@ -51,6 +51,9 @@ processors: monitoring: enabled: true + elasticsearch: + username: beats_system + password: ${BEATS_SYSTEM_PASSWORD} output.elasticsearch: hosts: [ http://elasticsearch:9200 ] diff --git a/extensions/metricbeat/metricbeat-compose.yml b/extensions/metricbeat/metricbeat-compose.yml index da62833..80cb88e 100644 --- a/extensions/metricbeat/metricbeat-compose.yml +++ b/extensions/metricbeat/metricbeat-compose.yml 
@@ -39,6 +39,8 @@ services: read_only: true environment: ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-} + BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-} + REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-} networks: - elk depends_on: diff --git a/setup/entrypoint.sh b/setup/entrypoint.sh index aa25347..68a486f 100755 --- a/setup/entrypoint.sh +++ b/setup/entrypoint.sh @@ -13,6 +13,8 @@ declare -A users_passwords users_passwords=( [logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}" [kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}" + [beats_system]="${BEATS_SYSTEM_PASSWORD=:-}" + [remote_monitoring_user]="${REMOTE_MONITORING_USER_PASSWORD:-}" ) declare -A users_roles
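Review bot: The new `[beats_system]` entry in `users_passwords` (setup/entrypoint.sh) is written `${BEATS_SYSTEM_PASSWORD=:-}`, unlike the `:-` form used by the three neighbouring entries. `=` is the shell's assign-default operator, so when the variable is unset the value becomes the literal string `:-`. The docker-compose.yml hunk in this patch always passes the variable (possibly empty), which hides the problem under Compose, but any run of the script without it would hand the setup logic a two-character, publicly known password for a built-in user instead of an empty one. Change the line to `[beats_system]="${BEATS_SYSTEM_PASSWORD:-}"`. The code that consumes `users_passwords` is outside the hunk, so confirm there how an empty value is treated.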