If you would like to see an assessment command checklist for a particular network device, operating system, database or middleware, leave a comment and I will put one together and post it as fast as I can.

Based on the Level 3 "Secure Computing Environment" clauses of GB/T 22239-2019 (Information security technology: Baseline for classified protection of cybersecurity), combined with the official Elasticsearch 7.x/8.x security guide, Elastic Security best practices and the field experience of several assessment bodies, this page gives an assessment command checklist that can be applied directly.

Verified on Elasticsearch 7.17.15 / 8.11.3; covers Single Node, Cluster, Cross-Cluster Search and Elastic Cloud deployment modes.
1. Identity Authentication (8.1.4.1)

1.1 Cluster authentication and authorization configuration

| Control | Assessment command | Pass criterion |
|---|---|---|
| Security mode enabled | GET /_security/_authenticate | Returns the authenticated user's details, not "missing authentication" |
| Built-in user passwords | GET /_security/user | Default passwords changed for elastic, kibana, logstash_system and the other built-in users |
| Role separation | GET /_security/role | Custom roles that separate read / write / admin privileges |
| API key management | GET /_security/api_key | API keys used instead of username/password credentials |
Elasticsearch security checks:

```bash
# Elasticsearch version
curl -X GET "localhost:9200" -u elastic:password 2>/dev/null | jq '.version.number'
cat /usr/share/elasticsearch/VERSION.txt 2>/dev/null
# Is security mode enabled? (an authenticated response means yes)
curl -X GET "localhost:9200/_security/_authenticate" -u elastic:password 2>/dev/null | jq .
# List all users
curl -X GET "localhost:9200/_security/user?pretty" -u elastic:password 2>/dev/null | jq '. | keys'
# Built-in user status (key check)
curl -X GET "localhost:9200/_security/user/elastic,kibana,logstash_system,beats_system,apm_system,remote_monitoring_user" -u elastic:password 2>/dev/null | jq '.[].metadata._reserved'
# Role configuration
curl -X GET "localhost:9200/_security/role?pretty" -u elastic:password 2>/dev/null | jq '. | keys' | head -20
# API key list
curl -X GET "localhost:9200/_security/api_key?pretty" -u elastic:password 2>/dev/null | jq '.api_keys | length'
# Is single sign-on (SSO / SAML / OIDC) configured?
curl -X GET "localhost:9200/_security/oidc/prepare" -u elastic:password 2>/dev/null | head -5
# The SAML metadata endpoint takes the realm name; replace <saml_realm_name> with the realm from elasticsearch.yml
curl -X GET "localhost:9200/_security/saml/metadata/<saml_realm_name>" -u elastic:password 2>/dev/null | head -5
```
1.2 Password policy and account lockout

| Control | Assessment command | Pass criterion |
|---|---|---|
| Password complexity | GET /_security/settings | Password history and minimum length enforced |
| Account lockout | Review the audit log | Failed logins are audited |
| Session timeout | elasticsearch.yml | Sessions expire after 30 minutes of inactivity |
| Token expiry | GET /_security/settings | access_token lifetime is limited |
Elasticsearch-specific configuration:

```bash
# Security settings
curl -X GET "localhost:9200/_security/settings?pretty" -u elastic:password 2>/dev/null
# Password hashing policy (bcrypt by default in 8.x). Note that this is a PUT, i.e. a write operation;
# the hashing algorithm is normally set in elasticsearch.yml as xpack.security.authc.password_hashing.algorithm
curl -X PUT "localhost:9200/_security/settings" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "password_hashing": {
    "algorithm": "bcrypt12"
  }
}' 2>/dev/null
# Privileges of the current user
curl -X GET "localhost:9200/_security/user/_privileges?pretty" -u elastic:password 2>/dev/null
# Is PKI / certificate authentication enabled?
grep -E 'xpack.security.http.ssl|xpack.security.transport.ssl' /etc/elasticsearch/elasticsearch.yml
# Audit log configuration
curl -X GET "localhost:9200/_security/audit/settings?pretty" -u elastic:password 2>/dev/null
# Elasticsearch-specific: built-in account password expiry
curl -X GET "localhost:9200/_security/user/elastic/_password" -u elastic:password 2>/dev/null || echo "Password expiry must be checked through Kibana or the API"
```
1.3 Network transport security

```bash
# TLS/SSL configuration
grep -E 'xpack.security.http.ssl|xpack.security.transport.ssl' -A5 /etc/elasticsearch/elasticsearch.yml
# Is HTTPS enforced?
grep 'xpack.security.http.ssl.enabled' /etc/elasticsearch/elasticsearch.yml
# Certificate details
openssl x509 -in /etc/elasticsearch/certs/http_ca.crt -text -noout 2>/dev/null | head -20
# transport.p12 is a PKCS#12 keystore, so extract the certificate first (prompts for the keystore password)
openssl pkcs12 -in /etc/elasticsearch/certs/transport.p12 -clcerts -nokeys | openssl x509 -text -noout | head -5
# TLS protocol versions and cipher suites
grep -E 'ssl.supported_protocols|ssl.cipher_suites' -A2 /etc/elasticsearch/elasticsearch.yml
# Listening ports
ss -tlnp | grep java | grep -E ':9200|:9300'
# Is the node bound to an internal IP?
grep 'network.host' /etc/elasticsearch/elasticsearch.yml
# Elasticsearch-specific: HTTP response compression (relevant to CRIME/BREACH-style attacks)
grep 'http.compression' /etc/elasticsearch/elasticsearch.yml
```
High-risk items: xpack.security not enabled, the default elastic/changeme password still in use, no TLS/SSL configured, or listening on 0.0.0.0 with no IP restriction. Any one of these is a direct Level 3 non-compliance finding.
1.4 Two-factor authentication (high-risk item)

Assessment method:
- Interview: confirm whether the combination "Elasticsearch password + Kibana Space RBAC + external IdP" is in use
- Technical check:

```bash
# Is an external identity provider (IdP) configured?
grep -E 'xpack.security.authc.realms' -A20 /etc/elasticsearch/elasticsearch.yml
# SAML / OIDC / LDAP / Active Directory realm configuration
grep -E 'saml|oidc|ldap|active_directory' -A10 /etc/elasticsearch/elasticsearch.yml
# Are the Kibana encryption keys set? (print only the key names, not the secret values)
grep -E 'xpack.security.encryptionKey|xpack.encryptedSavedObjects.encryptionKey' /etc/kibana/kibana.yml 2>/dev/null | cut -d: -f1
# Kibana Spaces (multi-tenant isolation)
curl -X GET "localhost:5601/api/spaces/space" -u elastic:password 2>/dev/null | jq '.[].id' 2>/dev/null || echo "Kibana not configured or unreachable"
# Elastic Agent / Fleet Server security
curl -X GET "localhost:9200/_fleet/enrollment_api_keys" -u elastic:password 2>/dev/null | head -5
```
2. Access Control (8.1.4.2)

2.1 Role and privilege management

| Control | Assessment command | Pass criterion |
|---|---|---|
| Least privilege | GET /_security/role | Custom roles scoped down to index / field level |
| Field-level security | GET /_security/role | Roles carry a field_security block |
| Document-level security | GET /_security/role | Roles carry a query block (DLS) |
| Space isolation | Kibana Space configuration | Isolated per business unit / department |
Elasticsearch RBAC checks:

```bash
# Full role definition (including DLS/FLS); admin_role is a placeholder for the role under review
curl -X GET "localhost:9200/_security/role/admin_role?pretty" -u elastic:password 2>/dev/null | jq '.admin_role'
# Field-level security (FLS) example. "except" must be a subset of "grant", so grant everything
# and carve out the sensitive field
curl -X POST "localhost:9200/_security/role/limited_role" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "indices": [
    {
      "names": ["index-*"],
      "privileges": ["read"],
      "field_security": {
        "grant": ["*"],
        "except": ["sensitive_field"]
      }
    }
  ]
}' 2>/dev/null
# Document-level security (DLS) example: the role only sees documents where department == sales
curl -X POST "localhost:9200/_security/role/dls_role" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "indices": [
    {
      "names": ["index-*"],
      "privileges": ["read"],
      "query": {
        "term": { "department": "sales" }
      }
    }
  ]
}' 2>/dev/null
# Is Kibana Feature Control in use?
curl -X GET "localhost:9200/_security/role/kibana_user?pretty" -u elastic:password 2>/dev/null | jq '.kibana_user.kibana'
# User-to-role mapping (replace username)
curl -X GET "localhost:9200/_security/user/username?pretty" -u elastic:password 2>/dev/null | jq '.[].roles'
```
2.2 File system permissions

```bash
# Installation directory permissions
ls -la /usr/share/elasticsearch/
stat -c '%a %U:%G' /usr/share/elasticsearch/
# Data directory permissions
ls -la /var/lib/elasticsearch/
stat -c '%a %U:%G' /var/lib/elasticsearch/
# Log directory permissions
ls -la /var/log/elasticsearch/
stat -c '%a %U:%G' /var/log/elasticsearch/
# Configuration file permissions
ls -la /etc/elasticsearch/
stat -c '%a %U:%G' /etc/elasticsearch/elasticsearch.yml
stat -c '%a %U:%G' /etc/elasticsearch/jvm.options
# Certificate file permissions
ls -la /etc/elasticsearch/certs/ 2>/dev/null || ls -la /usr/share/elasticsearch/config/certs/ 2>/dev/null
stat -c '%a %U:%G' /etc/elasticsearch/certs/http_ca.crt 2>/dev/null
# Keystore permissions
stat -c '%a %U:%G' /etc/elasticsearch/elasticsearch.keystore 2>/dev/null
# Elasticsearch-specific: is the service running as the elasticsearch user?
ps aux | grep elasticsearch | grep -v grep | awk '{print $1}' | sort -u
# Is it running as root? (high risk)
ps aux | grep elasticsearch | grep -v grep | grep -q root && echo "⚠ Warning: Elasticsearch is running as root" || echo "✓ Run-as user is correct"
```
2.3 Default configuration clean-up

```bash
# Have default / test indices been removed?
curl -X GET "localhost:9200/_cat/indices?v" -u elastic:password 2>/dev/null | grep -E 'test|logstash|kibana_sample|elastic'
# Are wildcard destructive operations disabled?
grep 'action.destructive_requires_name' /etc/elasticsearch/elasticsearch.yml
# Are dynamic scripts disabled? (remote code execution surface)
grep -E 'script.groovy|script.inline|script.indexed|script.allowed_types|script.allowed_contexts' /etc/elasticsearch/elasticsearch.yml
# Elasticsearch 8.x default security settings
grep -E 'xpack.security.enabled|xpack.security.enrollment.enabled' /etc/elasticsearch/elasticsearch.yml
# Have unnecessary plugins been removed?
/usr/share/elasticsearch/bin/elasticsearch-plugin list
# Has sample data been deleted?
curl -X GET "localhost:9200/_cat/indices?v" -u elastic:password 2>/dev/null | grep -E 'sample|example|demo'
```
3. Security Audit (8.1.4.3)

3.1 Audit log configuration

| Control | Assessment command | Pass criterion |
|---|---|---|
| Auditing enabled | GET /_security/audit/settings | enabled: true |
| Audited events | GET /_security/audit/settings | Include authentication_failed and access_denied |
| Log retention | ILM policy / archive configuration | Retained for 6 months or longer |
| Audit output | Local file / remote log server | Tamper-resistant storage |
Elasticsearch audit checks:

```bash
# Audit settings
curl -X GET "localhost:9200/_security/audit/settings?pretty" -u elastic:password 2>/dev/null
# Enable security auditing (if not already enabled).
# Note: xpack.security.audit.enabled is a static node setting in elasticsearch.yml and takes effect after a restart
curl -X PUT "localhost:9200/_security/audit/settings" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "enabled": true,
  "output": ["index", "logfile"],
  "events": {
    "include": ["authentication_failed", "access_denied", "connection_granted", "connection_denied"]
  }
}' 2>/dev/null
# Audit indices
curl -X GET "localhost:9200/_cat/indices/.security-audit*?v" -u elastic:password 2>/dev/null
# Most recent audit events
curl -X GET "localhost:9200/.security-audit*/_search?pretty" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "sort": [{"@timestamp": "desc"}],
  "size": 10
}' 2>/dev/null | jq '.hits.hits[]._source.event.action'
# Audit log files
ls -la /var/log/elasticsearch/ | grep audit
tail -50 /var/log/elasticsearch/*_audit.json 2>/dev/null | head -20
# Elasticsearch-specific: ILM policy managing the audit indices
curl -X GET "localhost:9200/_ilm/policy/security-audit-ilm?pretty" -u elastic:password 2>/dev/null
```
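As an added example that is not part of the original post, the following triages an audit log file (`*_audit.json`, one JSON object per line) for the two event types the table above requires, authentication_failed and access_denied, using only grep/sed/awk. Field names follow the 8.x JSON audit layout; the log lines are constructed for this example and IPv4 source addresses are assumed.

```bash
#!/bin/bash
# Added example: offline triage of an Elasticsearch audit log for failed authentications
# and access denials. The sample file below is constructed, not a real capture.
SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat > "$SAMPLE_AUDIT" <<'EOF'
{"type":"audit", "timestamp":"2024-03-01T08:00:01,000+0800", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.10.1.5:51234", "url.path":"/_security/_authenticate", "request.method":"GET"}
{"type":"audit", "timestamp":"2024-03-01T08:00:02,000+0800", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.10.1.5:51240", "url.path":"/_security/_authenticate", "request.method":"GET"}
{"type":"audit", "timestamp":"2024-03-01T08:00:03,000+0800", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.10.1.5:51251", "url.path":"/_security/_authenticate", "request.method":"GET"}
{"type":"audit", "timestamp":"2024-03-01T08:00:05,000+0800", "event.type":"rest", "event.action":"authentication_success", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.10.1.21:40010", "url.path":"/_cluster/health", "request.method":"GET"}
{"type":"audit", "timestamp":"2024-03-01T08:00:09,000+0800", "event.type":"rest", "event.action":"authentication_failed", "user.name":"kibana_system", "origin.type":"rest", "origin.address":"10.10.2.9:33012", "url.path":"/_security/_authenticate", "request.method":"GET"}
{"type":"audit", "timestamp":"2024-03-01T08:01:12,000+0800", "event.type":"transport", "event.action":"access_denied", "user.name":"app_reader", "origin.type":"rest", "origin.address":"10.10.3.4:45120", "action":"indices:admin/delete", "indices":["logs-2024.03"]}
{"type":"audit", "timestamp":"2024-03-01T08:01:13,000+0800", "event.type":"ip_filter", "event.action":"connection_granted", "origin.type":"rest", "origin.address":"10.10.1.21:40022", "transport.profile":".http"}
EOF

# count_action FILE ACTION: number of audit events whose event.action equals ACTION
count_action() { grep -c "\"event.action\":\"$2\"" "$1" || true; }

# failed_auth_by_address FILE: failed authentications per source IP (port stripped, IPv4 assumed),
# most frequent first, printed as "ip count"
failed_auth_by_address() {
    grep '"event.action":"authentication_failed"' "$1" \
        | sed -n 's/.*"origin.address":"\([^":]*\)[^"]*".*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# flag_sources FILE THRESHOLD: source IPs with at least THRESHOLD failed authentications,
# the pattern to raise when the audit log is reviewed for password guessing against elastic
flag_sources() { failed_auth_by_address "$1" | awk -v t="$2" '$2 >= t {print $1}'; }

# denied_by_user FILE: access_denied events per user as "user count"; repeated denials point to a
# role that is too narrow for its job, or to a principal probing beyond its privileges
denied_by_user() {
    grep '"event.action":"access_denied"' "$1" \
        | sed -n 's/.*"user.name":"\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

echo "authentication_failed events: $(count_action "$SAMPLE_AUDIT" authentication_failed)"
echo "access_denied events:         $(count_action "$SAMPLE_AUDIT" access_denied)"
echo "failed authentications by source:"; failed_auth_by_address "$SAMPLE_AUDIT"
echo "sources with >= 3 failures: $(flag_sources "$SAMPLE_AUDIT" 3)"
echo "denials by user:"; denied_by_user "$SAMPLE_AUDIT"
```

Point the functions at `/var/log/elasticsearch/<cluster>_audit.json` to run the same triage on a real node.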
3.2 Slow query and access logs

```bash
# Slow log configuration
grep -E 'index.search.slowlog|index.indexing.slowlog' -A2 /etc/elasticsearch/elasticsearch.yml
# Index-level slow log settings
curl -X GET "localhost:9200/_all/_settings/index.search.slowlog?pretty" -u elastic:password 2>/dev/null | head -20
# Deprecation log (warnings about deprecated features)
ls -la /var/log/elasticsearch/ | grep deprecation
tail -50 /var/log/elasticsearch/*_deprecation.json 2>/dev/null | head -10
# Cluster logger settings
curl -X GET "localhost:9200/_cluster/settings?include_defaults=true&filter_path=*.logger&pretty" -u elastic:password 2>/dev/null | head -20
# Elasticsearch-specific: audit events can also be reviewed in Kibana Discover
# Is Monitoring index retention configured?
curl -X GET "localhost:9200/_cluster/settings?include_defaults=true&filter_path=*.xpack.monitoring&pretty" -u elastic:password 2>/dev/null
```
4. Intrusion Prevention (8.1.4.4)

4.1 Version and vulnerability management

| Control | Assessment command | Pass criterion |
|---|---|---|
| Version check | GET / | 7.17.15+ / 8.11.3+, no known CVEs |
| Security patches | Elastic Security Advisories | Applied promptly |
| Plugin security | bin/elasticsearch-plugin list | Only official / trusted plugins |
| JVM security | java -version | Supported version (JDK 17 / 21) |
Elasticsearch hardening checks:

```bash
# Detailed Elasticsearch version
curl -X GET "localhost:9200" -u elastic:password 2>/dev/null | jq '.version'
curl -X GET "localhost:9200/_nodes/jvm?pretty" -u elastic:password 2>/dev/null | jq '.nodes[].jvm.version' | head -1
# Check against known vulnerable versions
# 4.x, 5.x and 6.x are EOL; 7.x < 7.17.9 and 8.x < 8.7.0 carry known vulnerabilities
ES_VER=$(curl -X GET "localhost:9200" -u elastic:password 2>/dev/null | jq -r '.version.number')
echo "Elasticsearch version: $ES_VER"
# JVM version (should be JDK 17 or 21)
java -version 2>&1 | head -3
/usr/share/elasticsearch/jdk/bin/java -version 2>&1 | head -3
# Installed plugins
/usr/share/elasticsearch/bin/elasticsearch-plugin list
# Plugin details (plugin signing is required in 8.x)
/usr/share/elasticsearch/bin/elasticsearch-plugin list -v 2>/dev/null | grep -E 'name|version|description'
# Elasticsearch-specific: JVM security policy settings
grep -E 'security|policy' /etc/elasticsearch/jvm.options
# Security-related -D flags of the running JVM
ps aux | grep elasticsearch | grep -o '\-D[^ ]*' | grep -E 'security|policy|manager' | head -10
```
4.2 Network security and transport encryption

```bash
# Cluster (transport) encryption
grep -E 'xpack.security.transport.ssl' -A10 /etc/elasticsearch/elasticsearch.yml
# HTTP-layer encryption
grep -E 'xpack.security.http.ssl' -A10 /etc/elasticsearch/elasticsearch.yml
# Certificate validity periods
openssl x509 -in /etc/elasticsearch/certs/http_ca.crt -noout -dates 2>/dev/null
# transport.p12 is a PKCS#12 keystore: extract the certificate first (prompts for the keystore password)
openssl pkcs12 -in /etc/elasticsearch/certs/transport.p12 -clcerts -nokeys | openssl x509 -noout -dates
# Is certificate verification enabled?
grep -E 'verification_mode|certificate_authorities' /etc/elasticsearch/elasticsearch.yml
# Node transport details
curl -X GET "localhost:9200/_nodes/transport?pretty" -u elastic:password 2>/dev/null | jq '.nodes[].transport' | head -20
# CORS, detailed errors and pipelining (information disclosure)
grep 'http.cors.enabled' /etc/elasticsearch/elasticsearch.yml
grep -E 'http.detailed_errors.enabled|http.pipelining' /etc/elasticsearch/elasticsearch.yml
# Elasticsearch-specific: HTTP request size limits
grep 'http.max_content_length' /etc/elasticsearch/elasticsearch.yml
grep 'http.max_initial_line_length' /etc/elasticsearch/elasticsearch.yml
```
4.3 Cluster security and node discovery

```bash
# Cluster nodes
curl -X GET "localhost:9200/_cat/nodes?v" -u elastic:password 2>/dev/null
# Cluster name (avoid the default)
grep 'cluster.name' /etc/elasticsearch/elasticsearch.yml
# Discovery configuration (prevents unauthorized nodes from joining)
grep -E 'discovery.seed_hosts|discovery.type|cluster.initial_master_nodes' -A5 /etc/elasticsearch/elasticsearch.yml
# Zen2 discovery settings (7.x+)
grep -E 'cluster.auto_shrink_voting_configuration|gateway.expected_master_nodes' /etc/elasticsearch/elasticsearch.yml
# Cluster health
curl -X GET "localhost:9200/_cluster/health?pretty" -u elastic:password 2>/dev/null
# Shard allocation policy
curl -X GET "localhost:9200/_cluster/settings?include_defaults=true&filter_path=**.cluster.routing.allocation&pretty" -u elastic:password 2>/dev/null | head -20
# Elasticsearch-specific: cross-cluster search security
grep -E 'cluster.remote|xpack.security.remote_cluster_client.ssl' -A5 /etc/elasticsearch/elasticsearch.yml
```
5. Malicious Code Prevention (8.1.4.5)

| Control | Assessment command | Pass criterion |
|---|---|---|
| Script restrictions | elasticsearch.yml | Dynamic scripts disabled or strictly limited |
| Write privileges | Index privilege control | Unauthorized index creation prevented |
| Snapshot security | Repository privileges | Snapshots stored encrypted |
| File scanning | clamscan /var/lib/elasticsearch/ | Data directory scanned regularly |
Elasticsearch malicious code prevention checks:

```bash
# Script execution restrictions (key security item)
grep -E 'script.allowed_types|script.allowed_contexts' /etc/elasticsearch/elasticsearch.yml
# Effective script settings, including the 7.x/8.x defaults
curl -X GET "localhost:9200/_cluster/settings?include_defaults=true&filter_path=**.script&pretty" -u elastic:password 2>/dev/null | head -30
# Disable dynamic scripts entirely
curl -X PUT "localhost:9200/_cluster/settings" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "script.allowed_types": "none"
  }
}' 2>/dev/null
# Or allow inline scripts only, restricted to the search and update contexts
curl -X PUT "localhost:9200/_cluster/settings" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "persistent": {
    "script.allowed_types": "inline",
    "script.allowed_contexts": "search,update"
  }
}' 2>/dev/null
# Scripts inside ingest pipelines
curl -X GET "localhost:9200/_ingest/pipeline?pretty" -u elastic:password 2>/dev/null | jq '.[].processors' | grep script | head -10
# Watcher / alerting scripts
curl -X GET "localhost:9200/_watcher/stats?pretty" -u elastic:password 2>/dev/null | head -10
# Scan the data directory (reports when ClamAV is absent)
command -v clamscan >/dev/null 2>&1 && clamscan -r --exclude="*.lock" /var/lib/elasticsearch/ 2>/dev/null | tail -10 || echo "ClamAV not installed"
# Elasticsearch-specific: machine learning (ML) job security
curl -X GET "localhost:9200/_ml/anomaly_detectors?pretty" -u elastic:password 2>/dev/null | jq '.count'
curl -X GET "localhost:9200/_ml/datafeeds?pretty" -u elastic:password 2>/dev/null | head -10
```
6. Trusted Verification (8.1.4.6)

| Control | Assessment command | Pass criterion |
|---|---|---|
| Package signature | rpm -V elasticsearch | No files modified |
| Configuration integrity | elasticsearch-keystore list | Sensitive settings stored encrypted |
| Certificate chain | openssl verify | Chain verifies |
| Node integrity | Cluster state checksum | Cluster state consistent |
Elasticsearch trusted verification checks:

```bash
# RPM package integrity (RHEL / CentOS / Rocky / AlmaLinux)
rpm -V elasticsearch 2>/dev/null || echo "RPM verification failed or package not installed"
# DEB package integrity (Debian / Ubuntu)
debsums -s elasticsearch 2>/dev/null || echo "DEB verification failed"
# Keystore entries (sensitive settings)
/usr/share/elasticsearch/bin/elasticsearch-keystore list
# Keystore integrity
md5sum /etc/elasticsearch/elasticsearch.keystore 2>/dev/null
# Verify the certificate chain
openssl verify -CAfile /etc/elasticsearch/certs/ca.crt /etc/elasticsearch/certs/http_ca.crt 2>/dev/null
# Cluster state consistency
curl -X GET "localhost:9200/_cluster/state?pretty" -u elastic:password 2>/dev/null | jq '.cluster_uuid, .version' | head -5
# Elasticsearch-specific: audit log outputs
grep 'xpack.security.audit.outputs' /etc/elasticsearch/elasticsearch.yml
# Hash the key configuration file for baseline comparison
sha256sum /etc/elasticsearch/elasticsearch.yml > /tmp/es_config.baseline 2>/dev/null
# Periodic comparison: diff <(sha256sum /etc/elasticsearch/elasticsearch.yml) /tmp/es_config.baseline
```
7. Data Backup and Recovery (8.1.4.9)

| Control | Assessment command | Pass criterion |
|---|---|---|
| Snapshot policy | GET /_snapshot | Regular snapshots, at least 3 versions retained |
| Snapshot encryption | Repository settings | Stored encrypted |
| Cross-cluster replication | CCR configuration | Off-site copy |
| Restore testing | POST /_snapshot/repo/snapshot/_restore | Restores verified regularly |
Elasticsearch backup and recovery checks:

```bash
# Snapshot repository configuration
curl -X GET "localhost:9200/_snapshot?pretty" -u elastic:password 2>/dev/null
# Snapshot list
curl -X GET "localhost:9200/_snapshot/my_repository/_all?pretty" -u elastic:password 2>/dev/null | jq '.snapshots[].snapshot' | head -10
# Repository settings (check for encryption). A shared file system ("fs") repository has no
# encryption setting of its own; encryption at rest comes from the backing storage
curl -X PUT "localhost:9200/_snapshot/encrypted_repo" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "type": "fs",
  "settings": {
    "location": "/backup/elasticsearch",
    "compress": true,
    "chunk_size": "1gb",
    "max_snapshot_bytes_per_sec": "40mb"
  }
}' 2>/dev/null
# SLM (Snapshot Lifecycle Management) policies
curl -X GET "localhost:9200/_slm/policy?pretty" -u elastic:password 2>/dev/null
# Create an SLM policy (automatic snapshots)
curl -X PUT "localhost:9200/_slm/policy/daily-snapshots" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "schedule": "0 30 1 * * ?",
  "name": "<daily-snap-{now/d}>",
  "repository": "my_repository",
  "config": {
    "indices": ["*"],
    "ignore_unavailable": true,
    "include_global_state": false
  },
  "retention": {
    "expire_after": "30d",
    "min_count": 5,
    "max_count": 50
  }
}' 2>/dev/null
# Cross-cluster replication (CCR)
curl -X GET "localhost:9200/_remote/info?pretty" -u elastic:password 2>/dev/null
# CCR auto-follow patterns
curl -X GET "localhost:9200/_ccr/auto_follow?pretty" -u elastic:password 2>/dev/null
# Restore test (use with care; a test cluster is recommended)
# curl -X POST "localhost:9200/_snapshot/my_repository/snapshot_name/_restore" -u elastic:password -H 'Content-Type: application/json' -d'
# {
#   "indices": "index_1,index_2",
#   "ignore_unavailable": true,
#   "include_global_state": false,
#   "rename_pattern": "index_(.+)",
#   "rename_replacement": "restored_index_$1"
# }'
# Elasticsearch-specific: searchable snapshots (cold / frozen tiers)
curl -X GET "localhost:9200/_snapshot/my_repository/_all?pretty" -u elastic:password 2>/dev/null | jq '.snapshots[].metadata' | head -10
```
8. Elasticsearch-specific Security Features

8.1 Elastic Security (SIEM / XDR)

```bash
# Elastic Security license level
curl -X GET "localhost:9200/_license?pretty" -u elastic:password 2>/dev/null | jq '.license.type'
# Security indices
curl -X GET "localhost:9200/_cat/indices/.siem*?v" -u elastic:password 2>/dev/null
# Detection Engine status
curl -X GET "localhost:9200/_security/role/.kibana_system?pretty" -u elastic:password 2>/dev/null | head -20
# Is Endpoint Security enabled?
curl -X GET "localhost:9200/_cat/indices/.fleet*?v" -u elastic:password 2>/dev/null
# Alert indices
curl -X GET "localhost:9200/_cat/indices/.alerts*?v" -u elastic:password 2>/dev/null
# Elastic Security-specific: anomaly detection jobs
curl -X GET "localhost:9200/_ml/anomaly_detectors?pretty" -u elastic:password 2>/dev/null | jq '.count'
```
8.2 Vector search and AI security (new in 8.x)

```bash
# Is vector search enabled? (8.x)
curl -X GET "localhost:9200/_cat/plugins?v" -u elastic:password 2>/dev/null | grep -E 'dense_vector|knn'
# dense_vector fields in a mapping (replace my-index)
curl -X GET "localhost:9200/my-index/_mapping?pretty" -u elastic:password 2>/dev/null | jq '.[].mappings.properties | to_entries[] | select(.value.type=="dense_vector")'
# Is EQL (Event Query Language) available?
curl -X POST "localhost:9200/_eql/search?pretty" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "query": "process where process.name == \"regsvr32.exe\""
}' 2>/dev/null | head -10
# Elasticsearch-specific: is ES|QL available? (8.11+)
curl -X POST "localhost:9200/_query?pretty" -u elastic:password -H 'Content-Type: application/json' -d'
{
  "query": "FROM logs-* | LIMIT 10"
}' 2>/dev/null | head -10
```
8.3 Searchable snapshots and data tiers

```bash
# Data tiers (hot / warm / cold / frozen)
curl -X GET "localhost:9200/_cat/nodeattrs?v" -u elastic:password 2>/dev/null | grep -E 'box_type|tier'
# ILM (Index Lifecycle Management) policies
curl -X GET "localhost:9200/_ilm/policy?pretty" -u elastic:password 2>/dev/null | jq '. | keys' | head -20
# A specific ILM policy (replace my_policy)
curl -X GET "localhost:9200/_ilm/policy/my_policy?pretty" -u elastic:password 2>/dev/null | jq '.my_policy.policy.phases' | head -30
# Frozen-tier searchable snapshot security
curl -X GET "localhost:9200/_snapshot/my_repository/_all?pretty" -u elastic:password 2>/dev/null | jq '.snapshots[].metadata' | grep -i frozen | head -5
```
One-click Inspection Script (Elasticsearch)

```bash
#!/bin/bash
# Elasticsearch MLPS Level 3 one-click inspection script
# Applies to: Elasticsearch 7.17+ / 8.11+
# Run as: root or elasticsearch
ES_HOST=${ES_HOST:-localhost:9200}
ES_USER=${ES_USER:-elastic}
ES_PASS=${ES_PASS:-changeme}   # in production, read the password from a secure source instead of this default
ES_YML=/etc/elasticsearch/elasticsearch.yml
echo "===== Elasticsearch MLPS inspection report ====="
echo "Time: $(date '+%Y-%m-%d %H:%M:%S')"
echo "Server: $(hostname)"
echo "ES node: $ES_HOST"
echo ""
# curl and jq are required
for tool in curl jq; do
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "Error: $tool is not installed"
        exit 1
    fi
done
# es_get PATH: authenticated GET against the node, connection errors suppressed
es_get() { curl -s -X GET -u "$ES_USER:$ES_PASS" "http://$ES_HOST$1" 2>/dev/null; }
# show_or OUTPUT MESSAGE: print OUTPUT, or MESSAGE when OUTPUT is empty
show_or() { if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi; }
echo "===== 1 Identity authentication ====="
echo "--- Version ---"
es_get "" | jq '.version.number,.version.build_flavor' 2>/dev/null || echo "Cannot connect or authentication failed"
echo "--- Security mode ---"
es_get "/_security/_authenticate" | jq '.username,.roles' 2>/dev/null || echo "⚠ Security mode may be disabled or authentication failed"
echo "--- Users ---"
es_get "/_security/user?pretty" | jq '. | keys' 2>/dev/null | head -10
echo "--- Built-in users ---"
es_get "/_security/user/elastic,kibana,logstash_system" | jq '.[].metadata._reserved' 2>/dev/null
echo "--- Roles ---"
es_get "/_security/role?pretty" | jq '. | keys | length' 2>/dev/null | xargs -I{} echo "Role count: {}"
echo ""
echo "===== 2 Access control ====="
echo "--- TLS/SSL ---"
grep -E 'xpack.security.http.ssl.enabled|xpack.security.transport.ssl.enabled' "$ES_YML" 2>/dev/null | head -2
echo "--- Data directory permissions ---"
stat -c '%a %U:%G' /var/lib/elasticsearch/ 2>/dev/null || echo "Data directory does not exist"
echo "--- Run-as user ---"
ps aux | grep elasticsearch | grep -v grep | awk '{print $1}' | sort -u | head -3
echo "--- Default / test indices ---"
show_or "$(es_get "/_cat/indices?v" | grep -E 'test|sample|demo' | head -5)" "No test indices found"
echo ""
echo "===== 3 Security audit ====="
echo "--- Audit settings ---"
es_get "/_security/audit/settings?pretty" | jq '.audit' 2>/dev/null | head -10
echo "--- Audit indices ---"
show_or "$(es_get "/_cat/indices/.security-audit*?v" | head -3)" "No audit index present"
echo "--- Slow log ---"
grep -E 'index.search.slowlog' "$ES_YML" 2>/dev/null | head -2
echo ""
echo "===== 4 Intrusion prevention ====="
echo "--- Plugins ---"
show_or "$(/usr/share/elasticsearch/bin/elasticsearch-plugin list 2>/dev/null | head -10)" "Cannot list plugins"
echo "--- Script restrictions ---"
grep -E 'script.allowed_types|script.allowed_contexts' "$ES_YML" 2>/dev/null | head -2
echo "--- Cluster health ---"
es_get "/_cluster/health?pretty" | jq '.status,.number_of_nodes' 2>/dev/null
echo "--- Discovery ---"
grep -E 'discovery.seed_hosts|cluster.initial_master_nodes' "$ES_YML" 2>/dev/null | head -2
echo ""
echo "===== 5 Data backup ====="
echo "--- Snapshot repositories ---"
show_or "$(es_get "/_snapshot?pretty" | jq '. | keys' 2>/dev/null | head -5)" "No snapshot repository"
echo "--- SLM policies ---"
show_or "$(es_get "/_slm/policy?pretty" | jq '. | keys' 2>/dev/null | head -5)" "No SLM policy"
echo "--- Cross-cluster replication ---"
show_or "$(es_get "/_remote/info?pretty" | jq '. | keys' 2>/dev/null | head -5)" "No remote cluster configured"
echo ""
echo "===== 6 High-risk items ====="
RISKS=0
# Check 1: security mode not enabled
if ! es_get "/_security/_authenticate" | jq -e '.username' >/dev/null 2>&1; then
    echo "✗ High risk: security mode may be disabled or authentication failed"
    ((RISKS++))
fi
# Check 2: TLS not enabled on the HTTP layer (matches the flat key form only, not nested YAML)
if ! grep -q 'xpack.security.http.ssl.enabled: true' "$ES_YML" 2>/dev/null; then
    echo "⚠ Medium risk: HTTP-layer TLS may be disabled"
fi
# Check 3: default password (cannot be tested directly; confirm by interview)
echo "⚠ Reminder: confirm that the elastic user's default password has been changed"
# Check 4: scripts not restricted
if ! grep -q 'script.allowed_types' "$ES_YML" 2>/dev/null; then
    echo "⚠ Medium risk: dynamic script types are not restricted"
fi
# Check 5: no snapshot repository
if ! es_get "/_snapshot?pretty" | jq -e '. | keys[0]' >/dev/null 2>&1; then
    echo "✗ High risk: no snapshot repository configured"
    ((RISKS++))
fi
if [ "$RISKS" -eq 0 ]; then
    echo "No high-risk items found ✓ (confirm the default password has been changed)"
else
    echo "$RISKS high-risk item(s) found; remediate immediately"
fi
echo ""
echo "===== Inspection complete ====="
```
High-risk Item Checklist

| Check item | Verification command | Non-compliance indication | Remediation |
|---|---|---|---|
| Security mode not enabled | GET /_security/_authenticate | Returns 401 or 404 | Set xpack.security.enabled: true |
| Default elastic password in use | Interview | changeme or another default password in use | Change the elastic password immediately |
| HTTP layer without TLS | grep http.ssl elasticsearch.yml | Not configured or false | Set xpack.security.http.ssl.enabled: true |
| Unencrypted cluster transport | grep transport.ssl elasticsearch.yml | Not configured or false | Set xpack.security.transport.ssl.enabled: true |
| Dynamic scripts unrestricted | grep script.allowed_types elasticsearch.yml | No output | Set script.allowed_types: none or inline |
| No snapshot backup | GET /_snapshot | No repository configured | Create an FS/S3 snapshot repository and configure SLM |
| Listening on 0.0.0.0 without restriction | grep network.host elasticsearch.yml | 0.0.0.0 and no firewall | Bind to an internal IP or configure a firewall |
| Audit logging disabled | GET /_security/audit/settings | enabled: false | Enable security auditing |
| Default cluster name | grep cluster.name elasticsearch.yml | elasticsearch | Set a custom cluster name |
| Weak discovery configuration | grep discovery elasticsearch.yml | Seed hosts not restricted | Configure a discovery.seed_hosts allow list |
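As an added example that is not part of the original post, the following evaluates the file-based items of the table above against an elasticsearch.yml without a running cluster, and applies the 7.x/8.x difference in the default for xpack.security.enabled. It assumes the flat dotted-key form ("xpack.security.http.ssl.enabled: true") rather than nested YAML; both sample files are constructed.

```bash
#!/bin/bash
# Added example: offline evaluation of elasticsearch.yml against the high-risk checklist.
# The two sample files are constructed, not real configurations.
WEAK_YML=$(mktemp); HARD_YML=$(mktemp)
trap 'rm -f "$WEAK_YML" "$HARD_YML"' EXIT
cat > "$WEAK_YML" <<'EOF'
# constructed: a 7.x node left close to its defaults
cluster.name: elasticsearch
network.host: 0.0.0.0
discovery.type: single-node
EOF
cat > "$HARD_YML" <<'EOF'
# constructed: a hardened 8.x node
cluster.name: prod-logs-cn-01
network.host: 10.10.1.21
discovery.seed_hosts: ["10.10.1.21", "10.10.1.22", "10.10.1.23"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
script.allowed_types: inline   # inline Painless only, no stored scripts
EOF

# yml_value FILE KEY: value of a flat "key: value" line; comments, trailing blanks and
# surrounding double quotes are stripped; prints nothing when the key is absent
yml_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key_re[[:space:]]*:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tail -n 1
}

# check_es_yml FILE MAJOR: one line per checklist item, "RISK ..." or "OK ...". MAJOR is the
# Elasticsearch major version: on 7.x a missing xpack.security.enabled means security is off,
# on 8.x it means the default (enabled).
check_es_yml() {
    f=$1; major=$2
    sec=$(yml_value "$f" xpack.security.enabled)
    if [ "$sec" = "true" ] || { [ -z "$sec" ] && [ "$major" -ge 8 ]; }; then
        echo "OK   security mode enabled"
    else
        echo "RISK xpack.security.enabled is not true (7.x default is disabled)"
    fi
    for k in xpack.security.http.ssl.enabled xpack.security.transport.ssl.enabled xpack.security.audit.enabled; do
        if [ "$(yml_value "$f" "$k")" = "true" ]; then echo "OK   $k"; else echo "RISK $k is not true"; fi
    done
    case "$(yml_value "$f" script.allowed_types)" in
        none|inline) echo "OK   script.allowed_types restricted" ;;
        *) echo "RISK script.allowed_types not restricted (set none or inline)" ;;
    esac
    case "$(yml_value "$f" network.host)" in
        0.0.0.0|_global_) echo "RISK network.host binds every interface" ;;
        *) echo "OK   network.host not bound to all interfaces" ;;
    esac
    case "$(yml_value "$f" cluster.name)" in
        ""|elasticsearch) echo "RISK cluster.name is the default" ;;
        *) echo "OK   cluster.name customised" ;;
    esac
    if [ -n "$(yml_value "$f" discovery.seed_hosts)" ] || [ "$(yml_value "$f" discovery.type)" = "single-node" ]; then
        echo "OK   node discovery restricted"
    else
        echo "RISK discovery.seed_hosts not set"
    fi
}

# risk_count FILE MAJOR: number of RISK findings for the file
risk_count() { check_es_yml "$1" "$2" | grep -c '^RISK' || true; }

echo "== weak 7.x sample =="; check_es_yml "$WEAK_YML" 7
echo "== hardened 8.x sample =="; check_es_yml "$HARD_YML" 8
```

On a real node run `check_es_yml /etc/elasticsearch/elasticsearch.yml 8` (or 7) and attach the output as assessment evidence; the API-based items in the table still need the curl checks above.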
Elasticsearch Version Differences

| Item | Elasticsearch 7.x | Elasticsearch 8.x |
|---|---|---|
| Security default | Must be enabled manually | Enabled by default (enforced on first start) |
| TLS/SSL | Optional | Enforced (certificates generated automatically) |
| Authentication methods | Built-in / Realm / LDAP / AD / SAML / OIDC | Same, plus enhanced API keys |
| Kibana encryption | Optional | Encryption keys required |
| Vector search | Basic | Native kNN, AI integration |
| ES\|QL | Not available | Introduced in 8.11+ |
| MLPS compliance | Extensive configuration required | Baseline compliance out of the box |
| Recommended use | Maintaining existing deployments | First choice for new deployments |
Assessment Execution Notes

1. Permission requirements
- All commands require the elastic superuser or a role with the manage_security privilege
- Some configuration changes require a restart of every node in the cluster
- In production, make configuration changes only within a maintenance window
2. On-site focus points
- Security mode: enabled by default in 8.x, must be configured manually in 7.x; check that it was not overlooked
- Certificate management: check certificate validity periods; an enterprise CA or automatic rotation is recommended
- Password policy: the elastic password must be changed; a strong password of 20 or more characters is recommended
- Script security: dynamic scripts (Groovy/Painless) are the main RCE attack surface and must be strictly restricted
- Network isolation: check that network.host is bound to an internal address so the node is not exposed to the public internet
3. Version differences
- 7.x to 8.x upgrade: 8.x enforces security configuration, so TLS and user configuration must be completed before upgrading
- 8.x features: native kNN vector search, the ES|QL query language, enhanced AI integration
- Licensing: some security features (such as advanced authentication) require a Platinum or Enterprise license
4. Container / Kubernetes environments
- Check the Elasticsearch Operator configuration
- Verify Secret encryption (elastic-credentials)
- Confirm that a NetworkPolicy restricts access
Quick Command Reference

```bash
# Cluster management
curl -X GET "localhost:9200/_cluster/health?pretty" -u elastic:password
curl -X GET "localhost:9200/_cluster/state?pretty" -u elastic:password
curl -X GET "localhost:9200/_cat/nodes?v" -u elastic:password
curl -X GET "localhost:9200/_cat/indices?v" -u elastic:password
# Security management
curl -X GET "localhost:9200/_security/user?pretty" -u elastic:password
curl -X GET "localhost:9200/_security/role?pretty" -u elastic:password
curl -X GET "localhost:9200/_security/api_key?pretty" -u elastic:password
curl -X GET "localhost:9200/_security/_authenticate?pretty" -u elastic:password
# Index management
curl -X PUT "localhost:9200/my-index" -u elastic:password -H 'Content-Type: application/json' -d'{"settings":{"number_of_shards":1}}'
curl -X GET "localhost:9200/my-index/_search?pretty" -u elastic:password
curl -X DELETE "localhost:9200/my-index" -u elastic:password
# Snapshot management
curl -X PUT "localhost:9200/_snapshot/my_repo" -u elastic:password -H 'Content-Type: application/json' -d'{"type":"fs","settings":{"location":"/backup"}}'
curl -X PUT "localhost:9200/_snapshot/my_repo/snapshot_1?wait_for_completion=true" -u elastic:password
curl -X POST "localhost:9200/_snapshot/my_repo/snapshot_1/_restore" -u elastic:password
# Cluster settings
curl -X PUT "localhost:9200/_cluster/settings" -u elastic:password -H 'Content-Type: application/json' -d'{"persistent":{"cluster.routing.allocation.enable":"all"}}'
# Plugin management
/usr/share/elasticsearch/bin/elasticsearch-plugin list
/usr/share/elasticsearch/bin/elasticsearch-plugin install analysis-icu
/usr/share/elasticsearch/bin/elasticsearch-plugin remove analysis-icu
# Keystore management
/usr/share/elasticsearch/bin/elasticsearch-keystore create
/usr/share/elasticsearch/bin/elasticsearch-keystore add my.setting
/usr/share/elasticsearch/bin/elasticsearch-keystore list
# Certificate management
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
/usr/share/elasticsearch/bin/elasticsearch-certutil http
```
Reference standards: GB/T 22239-2019, GB/T 28448-2019, Elastic Security Guide, CIS Elasticsearch Benchmark, OWASP Elasticsearch Security
Applicable versions: Elasticsearch 7.17.15+ / 8.11.3+
Verified environments: Single Node / Cluster / Elastic Cloud / Kubernetes (ECK)
Statement: from 汪汪虚拟空间; represents the creator's views only. Link: https://eyangzhen.com/6815.html