Installation, configuration and security Flashcards

1
Q

How to set up the open-file limit for elastic?

A
  • Edit /etc/security/limits.conf
  • Add “elastic - nofile 65536”

Elasticsearch will complain at startup if this is not set correctly.

2
Q

How to set up the VM max map count for elastic?

A
  • Edit /etc/sysctl.conf
  • Add “vm.max_map_count = 262144”

This value comes from the documentation; Elasticsearch verifies it on startup.

3
Q

Where to install the archive package?

A

elastic user home (/home/elastic)

4
Q

How to fetch/install elastic?

A
  • Download the archive from the artifacts site with curl.
  • Unpack it inside the home directory.
  • Clean up the downloaded archive.
  • Rename the directory to just “elasticsearch”.

5
Q

Which version of elastic comes with JDK prepackaged?

A

From version 7.

6
Q

What are the essential configuration options for each node?

A

For every node:

  • cluster.name
  • node.name
  • network.host: [local, site]
  • cluster.initial_master_nodes: [….] # the names of the initial master nodes (for security and to prevent split brain)

Node roles (master, data and ingest are true by default):

  • node.master: true
  • node.data: true
  • node.ingest: false

For non-master nodes:

  • discovery.seed_hosts:

Custom attributes:

  • node.attr.zone

7
Q

What’s the difference between local, site and global?

A

These special values for network.host match the node’s configured network addresses:

  • local -> loopback: 127.0.0.1
  • site -> local (private) network, e.g. 192.168…
  • global -> external network, e.g. 200.x.y… etc.

8
Q

How do you make a coordinating-only node?

A

Set all three node roles to false (node.master: false, node.data: false, node.ingest: false).

9
Q

How to set up the JVM heap size for the nodes?

A
  • Edit “config/jvm.options”
  • Edit the “-Xms” and “-Xmx” options

10
Q

How to start elastic node in the foreground?

A

./bin/elasticsearch

11
Q

What are the default Elasticsearch ports?

A
  • 9200 (HTTP REST API)
  • 9300 (Transport: the binary inter-node protocol)

12
Q

Where to put the certificate files?

A

You can put them inside “config/certs”.

13
Q

How do you create a certificate authority?

A
  • bin/elasticsearch-certutil ca --out config/certs/ca --pass
  • Relative paths are relative to the “elasticsearch” directory
  • Best practice is to set a password on the CA

14
Q

How many certificates do I need?

A

Create one certificate for each node.

15
Q

How to create the node certificates?

A
  • bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass --name --out config/certs/ --pass

16
Q

What is DNS verification for the certificates?

A

You can embed the DNS name (or IP) of the node in the certificate, so that the certificate is only valid for the host it was issued for.
This is added as an extra option to certutil when creating the node certificate.

17
Q

What’s the process for securing a cluster?

A
  • Create a certificate authority (CA)
  • Create a certificate for each node
  • Copy each node’s certificate to its server (scp)
  • Make sure the file permissions are right after you copy (owned by the elastic user)
  • Add the certificate passwords to the keystore/truststore settings on each node
  • Add the security settings to the config file
  • Restart the process
  • Bootstrap the built-in user passwords
  • Update the Kibana config with the new password

18
Q

What’s the difference between securing the cluster network and the client network?

A

In a production environment, you’d want the client network (which could be public facing) to use a certificate from a global (public) CA, which you need to purchase.
The cluster network can be self-signed (with a CA that you generate).

For internal use only, you can use the same self-signed CA for both.

19
Q

How to add the certificates to the keystore and truststore?

A

Cluster network (transport):

  • bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    • > (enter the certificate password at the prompt)
  • bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    • > (enter the certificate password at the prompt)

Client network (http):

  • bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
    • > (enter the certificate password at the prompt)
  • bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
    • > (enter the certificate password at the prompt)

20
Q

What certificate type is created by certutil by default and what are its characteristics?

A
  • PKCS#12
  • It’s a certificate bundle
  • Includes both the private key and the certificate
  • Extensions are usually .p12 or .pfx

21
Q

How to see the current keys set in the keystore?

A

bin/elasticsearch-keystore list

22
Q

What are the configuration options for enabling security?

A

In config/elasticsearch.yml (for each node):

xpack.security.enabled: true

Cluster network (transport):

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate # set to full to add hostname/DNS checks, for a global CA certificate
xpack.security.transport.ssl.keystore.path: certs/ # relative path
xpack.security.transport.ssl.truststore.path: certs/ # relative path

Client network (http):

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate # set to full to add hostname/DNS checks, for a global CA certificate
xpack.security.http.ssl.keystore.path: certs/ # relative path
xpack.security.http.ssl.truststore.path: certs/ # relative path

23
Q

What’s the difference between keystore and truststore?

A

The keystore stores the private key and identity certificate that a program presents to the other party (server or client) for verification.

The truststore stores the Certificate Authority (CA) certificates used to verify the certificate presented by the peer in an SSL connection.

https://www.educative.io/answers/keystore-vs-truststore

24
Q

How are elastic’s built-in users bootstrapped?

A

Built-in user passwords are bootstrapped after you enable security.

25
Q

How to bootstrap user passwords?

A

After you enable security:

  • bin/elasticsearch-setup-passwords interactive
  • This cycles through all the built-in users and asks for a password for each.
  • It only needs to be run on a single node; the passwords are propagated to the entire cluster.

26
Q

How to set up Kibana access to elastic with security on?

A

In config/kibana.yml:

  • elasticsearch.username: kibana
  • elasticsearch.password:

With client SSL on:

  • elasticsearch.hosts: [“https://localhost:9200”] # must be https
  • elasticsearch.ssl.verificationMode: none # for self-signed certificates

27
Q

What happens if you enable client SSL with a self-signed certificate?

A

Clients like curl will complain about the certificate because they do not have the CA configured. You can ignore this with -k on curl, for example.

28
Q

What is the “run as” option for a user role?

A

It allows users with a specific role to send requests as another user.

Question: What’s the use case for this?

29
Q

How to specify index access for user roles?

A

Either specify the index name, an alias, or a wildcard pattern (with *).

30
Q

What role do you need to access kibana?

A

kibana_user (or superuser)

31
Q

What happens with security exceptions?

A

Security exceptions are logged to security indexes which can be monitored.

32
Q

What api to check the existing user roles and create new ones?

A

GET _security/role

GET _security/role/

POST _security/role/

TODO: add sample here

33
Q

Where do I create and manage users?

A

Either use the API or the Kibana admin console (as a user admin).

34
Q

How do you enable the DNS certificate check?

A

In config/elasticsearch.yml (for each node):

xpack.security.transport.ssl.verification_mode: certificate

This is the setting where you would enable full verification (DNS/hostname checks) if you had a global CA certificate.

35
Q

What are elastic’s built-in users?

A
  • elastic
  • kibana_system
  • logstash_system
  • beats_system
  • apm_system
  • remote_monitoring_user