Installation, configuration and security

Question 1

How to set up number of open file limits for elastic?

Answer 1

• Edit /etc/security/limits.conf
• Add “elastic - nofile 65536

It will complain when running if not setup correctly

Question 2

How to setup vm max size for elastic?

Answer 2

• edit /etc/sysctl.conf
• Add “vm.max_map_count = 262144”

This comes from the documentation and should be verified by elastic on startup

Question 3

Where to install the archive package?

Answer 3

elastic user home (/home/elastic)

Question 4

How to fetch/install elastic?

Answer 4

• Download from the artifacts with curl.
• Unpack inside the home directory
• Clean it up
• Rename the directory to just “elasticsearch”

Question 5

Which version of elastic comes with JDK prepackaged?

Answer 5

From version 7.

Question 6

What are the essential configuration options for each node?

Answer 6

For every node

• cluster.name
• node.name
• network.host: [local, site]
• cluster.initial_master_nodes: [….]. # the name of the initial master nodes (for security and also prevent split brain)

# node roles
master, data, ingest (set true by default)
- node.master = true
- node.data = true
- node.ingest = false

# For non-masters
- discovery.seed_hosts: 

Custom attributes:
- node.attr.zone

Question 7

What’s the difference between local, site and global?

Answer 7

Matches configured network addresses.

local -> loopback: 127.0.0.1
site -> local network eg: 192.168…
global: external network like 200.x.y… etc

Question 8

How do you make a coordinator only node?

Answer 8

Set all data roles to false (node.master: false, node.data: false, node.ingest: false)

Question 9

How to setup java VM heap size for the nodes?

Answer 9

• Edit “config/jvm.options”

- Edit “-Xms” and “-Xmx” options

Question 10

How to start elastic node in the foreground?

Answer 10

./bin/elasticsearch

Question 11

What are the default elastic search ports?

Answer 11

• 9200 (HTTP Rest API)
• 9300 (Transport) binary inter node protocol

-

Question 12

Where to put the the certificate files?

Answer 12

You can put it inside “config/certs”

Question 13

How do you create a certificate authority?

Answer 13

• bin/elasticsearch-certutil ca –out config/certs/ca –pass
• relative paths will be relative to “elasticsearch” directory
• best practice is to create a password for the CA

Question 14

How many certificates do I need?

Answer 14

Create one certificate for each node.

Question 15

How to create the node certificates?

Answer 15

• bin/elasticsearch-certutil cert –ca config/certs/ca –ca-pass –name –out config/certs/ –pass

Question 16

What is DNS verification for the certificates?

Answer 16

You can specify a domain to be verified with the DNS on top of the certificate, allowing the certificate to be used only on the IP/domain it was designed for.
This can be added as an extra option for certutil.

Question 17

What’s the process for securing a cluster?

Answer 17

• Create a certificate authority (CA)
• Create a certificate for each node
• Copy each node’s certificate to its server (scp)
• Make sure permissions are right after you copy (elastic)
• Add the cert passwords to the keystore/truststore on each node
• Add security settings to config file
• Restart process
• Bootstrap passwords
• Update kibana config with the new password.

Question 18

What’s the difference between securing the cluster network and the client network?

Answer 18

In a production environment, you’d want the client network (which could be public facing) to have a global CA certificate that you need to purchase.
The cluster network can be self signed (with a CA that you generate).

For internal use only, you can use the same self signed CA.

Question 19

How to add the certificates to the keystore and trust store?

Answer 19

Cluster network (transport)

• bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
  
  • >
• bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
  
  • >

Client network (http)

• bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
  
  • >
• bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
  
  • >

Question 20

What certificate type is created by certtool by default and what is its characteristic?

Answer 20

• PKCS 12
• It’s a certificate bundle
• Includes a private key and certificate.
• Extensions usually .p12 or .pfx

Question 21

How to see the current keys set in the keystore?

Answer 21

bin/elasticsearch-keystore list

Question 22

What are the configuration options for enabling security?

Answer 22

in config/elasticsearch.yml (for each node)

xpack.security.enabled: true

cluster

xpack. security.transport.ssl.enabled: true # cluster network
xpack. security.transport.ssl.verification_mode: certificate # this is where you would enable full verification for DNS checks if it was global certificate
xpack. security.transport.ssl.keystore.path: certs/ # relative path
xpack. security.transport.ssl.truststore.path: certs/ # relative path

client

xpack. security.http.ssl.enabled: true # cluster network
xpack. security.http.ssl.verification_mode: certificate # this is where you would enable full verification for DNS checks if it was global certificate
xpack. security.http.ssl.keystore.path: certs/ # relative path
xpack. security.http.ssl.truststore.path: certs/ # relative path

Question 23

What’s the difference between keystore and truststore?

Answer 23

Keystore is used to store private key and identity certificates that a specific program should present to both parties (server or client) for verification.

Truststore is used to store certificates from Certified Authorities (CA) that verify the certificate presented by the server in SSL connection.

https://www.educative.io/answers/keystore-vs-truststore

Question 24

How are elastic’s built-in users bootstraped?

Answer 24

Built-in user passwords are bootstrapped when you enable security

Question 25

How to bootstrap user passwords?

Answer 25

After you enable security: - bin/elasticsearch-setup-passwords interactive - This will cycle through all the default users and ask for a password. - just needs to be done on a single node, this is propagated to the entire cluster.

Question 26

How to setup kibana access to elastic with security on?

Answer 26

config/kibana.yml - elasticsearch.username: kibana - elasticsearch.password: With client ssl on: - elasticsearch.hosts: ["https://localhost:9200"] # must be https - elasticsearch.ssl.verificationMode: none # for self signed certificates

Question 27

What happens if you enable client ssl with a self signed certificate?

Answer 27

Clients like curl will complain about the certificate because it doesn't have the CA config. You can ignore with -k on curl, for example.

Question 28

What is the "run as" option for a user rule?

Answer 28

Allow users with a specific role to send commands as another user. Question: What's the use case for this?

Question 29

How to specify index access for user roles?

Answer 29

Either specify the index name, an alias or a wildcard pattern "with *".

Question 30

What role do you need to access kibana?

Answer 30

kibana_user (or superuser)

Question 31

What happens with security exceptions?

Answer 31

Security exceptions are logged to security indexes which can be monitored.

Question 32

What api to check the existing user roles and create new ones?

Answer 32

GET _security/roles GET _security/roles/ POST _security/roles/ TODO: add sample here

Question 33

Where do I create and manage users?

Answer 33

Either use the API or from kibana admin console as a useradmin.

Question 34

How do you enable DNS certificate check?

Answer 34

in config/elasticsearch.yml (for each node) xpack.security.transport.ssl.verification_mode: certificate this is where you would enable full verification for DNS checks if it was global certificate

Question 35

What are elastic's built-in users?

Answer 35

- elastic - kibana_system - logstash_system - beats_system - apm_system - remote_monitoring_user