Elastic Stack 8 : Install Auditbeat2023/08/04 |
|
Install Auditbeat that can monitor Audit actions.
|
|
| [1] | Install Auditbeat. Configure Elasticsearch repository before it. |
|
root@dlp:~# apt -y install auditbeat
|
| [2] | Configure basic settings and start Auditbeat. |
|
root@dlp:~#
vi /etc/auditbeat/auditbeat.yml # line 13 : set Audit action (way of writing rules is the same with auditctl)
- module: auditd
audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
#-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
.....
.....
# line 122 : if use Kibana, uncomment and specify output host # if SSL is enabled on Kibana, hostname should be the same with the hostname in certs # [username] and [password] is the admin user's one # if using self-signed certificate, specify [ssl.verification_mode: none] setup.kibana: ..... host: "https://dlp.srv.world:5601" protocol: "https" username: "elastic" password: "password" ssl.enabled: true ssl.verification_mode: none # line 154 : specify output of Elasticsearch # [username] and [password] is the admin user's one # [ssl.certificate_authorities] is the cacert generated by Elasticsearch installation output.elasticsearch: # Array of hosts to connect to. hosts: ["https://dlp.srv.world:9200"] protocol: "https" username: "elastic" password: "password" ssl.certificate_authorities: "/etc/elasticsearch/certs/http_ca.crt" ..... .....
root@dlp:~#
vi /etc/auditbeat/auditbeat.reference.yml # line 34 : basic settings for auditd module - module: auditd resolve_ids: true failure_mode: silent backlog_limit: 8196 rate_limit: 0 include_raw_message: false include_warnings: false audit_rules: | ..... ..... # line 1406 : if use Kibana, uncomment and specify output host # if SSL is enabled on Kibana, uncomment ssl related lines # [username] and [password] is the admin user's one # if using self-signed certificate, specify [ssl.verification_mode: none] setup.kibana: # Kibana Host # Scheme and port can be left out and will be set to the default (http and 5601) # In case you specify and additional path, the scheme is required: http://localhost:5601/path # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 host: "https://dlp.srv.world:5601" # Optional protocol and basic auth credentials. protocol: "https" username: "elastic" password: "password" # Optional HTTP Path #path: "" # Use SSL settings for HTTPS. Default is true. ssl.enabled: true ..... ..... # after very careful consideration. It is primarily intended as a temporary # diagnostic mechanism when attempting to resolve TLS errors; its use in # production environments is strongly discouraged. # The default value is full. ssl.verification_mode: noneroot@dlp:~# systemctl enable --now auditbeat
|
| [3] | Verify status the data has been collected normally. |
|
# index list root@dlp:~# curl -u elastic --cacert /etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/_cat/indices?v health status index uuid pri rep docs.count docs.deleted store.size pri.store.size green open .internal.alerts-observability.metrics.alerts-default-000001 JG7OkJGSQoOU1unZWIpPhg 1 0 0 0 247b 247b yellow open .ds-auditbeat-8.9.0-2023.08.04-000001 ybyFPLpJSmSFuZLl0HLfYA 1 1 1543 0 823.9kb 823.9kb yellow open .ds-metricbeat-8.9.0-2023.08.04-000001 _P5TRkvkRQajH-_vCoSxPg 1 1 4334 0 8.9mb 8.9mb green open .internal.alerts-observability.logs.alerts-default-000001 7-mTfD30Qsm_BMQrjWf4wA 1 0 0 0 247b 247b green open .internal.alerts-observability.uptime.alerts-default-000001 5T9PMMMiRkCgUy9SIzj1Mg 1 0 0 0 247b 247b green open .fleet-file-data-agent-000001 g9lX3CKhRVOHtUIQBOYrUw 1 0 0 0 247b 247b green open .fleet-files-agent-000001 9jPGD7QJRXKygS-7h_KsRw 1 0 0 0 247b 247b green open .internal.alerts-security.alerts-default-000001 mx-yDAa7QBmOH0Hqg-ewpg 1 0 0 0 247b 247b green open .internal.alerts-observability.slo.alerts-default-000001 oD35AVTPStG-77Ot13aXJQ 1 0 0 0 247b 247b green open .internal.alerts-observability.apm.alerts-default-000001 ItO4YBEvTYqIV4EM871jDg 1 0 0 0 247b 247b yellow open test_index yW_f_CXpSU6uAqRNpHXyTw 1 1 1 0 6.4kb 6.4kb yellow open .ds-packetbeat-8.9.0-2023.08.04-000001 2naLXq6rTHapYqnMwBQmpQ 1 1 6682 0 5.4mb 5.4mb # document list on the index root@dlp:~# curl -u elastic --cacert /etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200/.ds-auditbeat-8.9.0-2023.08.04-000001/_search?pretty
{
"took" : 1,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 1572,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : ".ds-auditbeat-8.9.0-2023.08.04-000001",
"_id" : "c_0ovokB_raRHX1gWXSu",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2023-08-04T01:27:41.765Z",
"group" : {
"id" : "110",
"name" : "kibana"
},
"agent" : {
"ephemeral_id" : "fe5a6ccf-f460-4dbd-bffd-dd3f1171cbbd",
"id" : "1fec2ad3-01fa-4759-a17f-689432eb1666",
"name" : "dlp.srv.world",
"type" : "auditbeat",
"version" : "8.9.0"
},
"system" : {
"audit" : {
"socket" : {
"gid" : 110,
"euid" : 103,
"egid" : 110,
"kernel_sock_address" : "0xff2c3ca18f47abc0",
"uid" : 103
}
}
},
.....
.....
|
| [4] | If Kibana is running, it's possible to import data to sample Dashboards. |
|
root@dlp:~# auditbeat setup --dashboards Loading dashboards (Kibana must be running and reachable) Loaded dashboards |
|
|
Matched Content