feat(ext/beats): Monitor using unprivileged user

Both the collection and storage of monitoring data are now performed using the unpriviliged built-in users 'remote_monitoring_user' and 'beats_system' respectively, instead of the 'elastic' superuser.
2026-01-02 19:18:05 +01:00 · 2022-11-18 17:07:16 +01:00
parent 595f42cc90
commit 654a18dcdb
10 changed files with 34 additions and 5 deletions
--- a/.env
+++ b/.env
@@ -20,3 +20,15 @@ LOGSTASH_INTERNAL_PASSWORD='changeme'
 # The user Kibana uses to connect and communicate with Elasticsearch.
 # https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
 KIBANA_SYSTEM_PASSWORD='changeme'
+
+# User 'beats_system' (built-in)
+#
+# The user the Beats use when storing monitoring information in Elasticsearch.
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
+BEATS_SYSTEM_PASSWORD=''
+
+# User 'remote_monitoring_user' (built-in)
+#
+# The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch.
+# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
+REMOTE_MONITORING_USER_PASSWORD=''
--- a/README.md
+++ b/README.md
@@ -163,7 +163,7 @@ reset the passwords of all aforementioned Elasticsearch users to random secrets.

 1. Reset passwords for default users

-    The commands below resets the passwords of the `elastic`, `logstash_internal` and `kibana_system` users. Take note
+    The commands below reset the passwords of the `elastic`, `logstash_internal` and `kibana_system` users. Take note
    of them.

    ```console
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -24,6 +24,8 @@ services:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
      LOGSTASH_INTERNAL_PASSWORD: ${LOGSTASH_INTERNAL_PASSWORD:-}
      KIBANA_SYSTEM_PASSWORD: ${KIBANA_SYSTEM_PASSWORD:-}
+      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
+      REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/extensions/filebeat/config/filebeat.yml
+++ b/extensions/filebeat/config/filebeat.yml
@@ -21,6 +21,9 @@ processors:

 monitoring:
  enabled: true
+  elasticsearch:
+    username: beats_system
+    password: ${BEATS_SYSTEM_PASSWORD}

 output.elasticsearch:
  hosts: [ http://elasticsearch:9200 ]
--- a/extensions/filebeat/filebeat-compose.yml
+++ b/extensions/filebeat/filebeat-compose.yml
@@ -28,6 +28,7 @@ services:
        read_only: true
    environment:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
+      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/extensions/heartbeat/config/heartbeat.yml
+++ b/extensions/heartbeat/config/heartbeat.yml
@@ -22,6 +22,9 @@ processors:

 monitoring:
  enabled: true
+  elasticsearch:
+    username: beats_system
+    password: ${BEATS_SYSTEM_PASSWORD}

 output.elasticsearch:
  hosts: [ http://elasticsearch:9200 ]
--- a/extensions/heartbeat/heartbeat-compose.yml
+++ b/extensions/heartbeat/heartbeat-compose.yml
@@ -17,6 +17,7 @@ services:
      - ./extensions/heartbeat/config/heartbeat.yml:/usr/share/heartbeat/heartbeat.yml:ro,Z
    environment:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
+      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/extensions/metricbeat/config/metricbeat.yml
+++ b/extensions/metricbeat/config/metricbeat.yml
@@ -18,8 +18,8 @@ metricbeat.autodiscover:
 metricbeat.modules:
 - module: elasticsearch
  hosts: [ http://elasticsearch:9200 ]
-  username: elastic
-  password: ${ELASTIC_PASSWORD}
+  username: remote_monitoring_user
+  password: ${REMOTE_MONITORING_USER_PASSWORD}
  xpack.enabled: true
  period: 10s
 - module: logstash
@@ -28,8 +28,8 @@ metricbeat.modules:
  period: 10s
 - module: kibana
  hosts: [ http://kibana:5601 ]
-  username: elastic
-  password: ${ELASTIC_PASSWORD}
+  username: remote_monitoring_user
+  password: ${REMOTE_MONITORING_USER_PASSWORD}
  xpack.enabled: true
  period: 10s
 - module: docker
@@ -51,6 +51,9 @@ processors:

 monitoring:
  enabled: true
+  elasticsearch:
+    username: beats_system
+    password: ${BEATS_SYSTEM_PASSWORD}

 output.elasticsearch:
  hosts: [ http://elasticsearch:9200 ]
--- a/extensions/metricbeat/metricbeat-compose.yml
+++ b/extensions/metricbeat/metricbeat-compose.yml
@@ -39,6 +39,8 @@ services:
        read_only: true
    environment:
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD:-}
+      BEATS_SYSTEM_PASSWORD: ${BEATS_SYSTEM_PASSWORD:-}
+      REMOTE_MONITORING_USER_PASSWORD: ${REMOTE_MONITORING_USER_PASSWORD:-}
    networks:
      - elk
    depends_on:
--- a/setup/entrypoint.sh
+++ b/setup/entrypoint.sh
@@ -13,6 +13,8 @@ declare -A users_passwords
 users_passwords=(
 	[logstash_internal]="${LOGSTASH_INTERNAL_PASSWORD:-}"
 	[kibana_system]="${KIBANA_SYSTEM_PASSWORD:-}"
+	[beats_system]="${BEATS_SYSTEM_PASSWORD=:-}"
+	[remote_monitoring_user]="${REMOTE_MONITORING_USER_PASSWORD:-}"
 )

 declare -A users_roles