Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add kernel.audit_rules config option to set audit rules #4482

Merged
merged 4 commits into from
Jun 15, 2017
Merged

Add kernel.audit_rules config option to set audit rules #4482

merged 4 commits into from
Jun 15, 2017

Conversation

andrewkroh
Copy link
Member

This PR adds the ability to have Metricbeat install audit rules to the kernel.

Metricbeat supports adding both file watch rules (-w) and syscall rules (-a or -A). The format for specifying rules is the same as with auditd. For example, both of these are supported.

kernel.audit_rules: |
  -w /etc/passwd -p wa -k identity
  -a always,exit -F arch=b64 -S open -F exit=-EACCES -F key=access

This PR depends on elastic/go-libaudit#7.

@andrewkroh andrewkroh force-pushed the feature/mb/audit-kernel-rules branch from 099b043 to ad06c40 Compare June 9, 2017 11:41
tsg
tsg reviewed Jun 12, 2017
View reviewed changes
NOTICE Outdated


--------------------------------------------------------------------
github.com/stretchr/testify
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm sure we had at least this one already, I wonder if duplicates are somehow created here in the NOTICE file.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I accidentally added an uncommitted NOTICE file when updating the go-libaudit vendor copy. Then the vendor/github.com/elastic/go-libaudit/NOTICE file was include in the beat NOTICE file

@andrewkroh andrewkroh force-pushed the feature/mb/audit-kernel-rules branch from ad06c40 to a069964 Compare June 12, 2017 17:43
exekias
exekias approved these changes Jun 15, 2017
View reviewed changes
Copy link
Contributor

@exekias exekias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking awesome, left a minor question

metricbeat/metricbeat.full.yml Outdated
@@ -126,6 +126,11 @@ metricbeat.modules:
kernel.rate_limit: 0
kernel.include_raw_message: false
kernel.include_warnings: false
kernel.audit_rules: |
# Define audit rules here.
# Create file watches (-a) or syscall audits (-a or -A). For example:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I'm not familiar with audit rules, this comment refers to '-w /etc/passwd` or the next line?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was suppose to refer to them both, but has a typo. It should say "Create file watches (-w)...". Will fix.

@exekias exekias merged commit e443859 into elastic:master Jun 15, 2017
@monicasarbu monicasarbu deleted the feature/mb/audit-kernel-rules branch June 15, 2017 20:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsg tsg tsg left review comments

@exekias exekias exekias approved these changes

Assignees
No one assigned
Labels
enhancement Metricbeat Metricbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @tsg @exekias