

feat(docker): Auditbeat + Awsbeats
This allows you to send auditd and file integrity events from auditbeat running in a docker container to Kinesis
mumoshu committed Jun 13, 2018
1 parent a3aaec8 commit aa446b2
Showing 4 changed files with 96 additions and 0 deletions.
4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -78,6 +78,10 @@ endif
dockerimage:
docker build --build-arg AWSBEATS_VERSION=$(AWSBEATS_VERSION) --build-arg GO_VERSION=$(GO_VERSION) --build-arg BEAT_GITHUB_REPO=$(BEAT_GITHUB_REPO) --build-arg BEAT_GO_PKG=$(BEAT_GO_PKG) --build-arg BEAT_DOCKER_IMAGE=$(BEAT_DOCKER_IMAGE) --build-arg BEATS_VERSION=$(BEATS_VERSION) --build-arg BEAT_NAME=$(BEAT_NAME) -t $(DOCKER_IMAGE):$(DOCKER_TAG) .

.PHONY: auditbeat-image
auditbeat-image:
@bash -c 'make dockerimage BEATS_VERSION=6.2.4 GO_VERSION=1.10.2 BEAT_NAME=auditbeat AWSBEATS_VERSION=$(ref=$(git rev-parse HEAD); ref=${ref:0:7}; echo $ref) GOPATH=$HOME/go'

.PHONY: filebeat-image
filebeat-image:
@bash -c 'make dockerimage BEATS_VERSION=6.2.4 GO_VERSION=1.10.2 BEAT_NAME=filebeat AWSBEATS_VERSION=$(ref=$(git rev-parse HEAD); ref=${ref:0:7}; echo $ref) GOPATH=$HOME/go'
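Review bot: In the new `auditbeat-image` recipe the `$(ref=$(git rev-parse HEAD); ref=${ref:0:7}; echo $ref)` inside the single quotes is expanded by make, not by bash, because make processes `$(...)` and `${...}` in recipe lines before the shell ever sees them; unless this is a deliberate reliance on make's expansion, the result is empty and `AWSBEATS_VERSION` reaches `docker build` blank. Doubling the dollars, `AWSBEATS_VERSION=$$(git rev-parse --short=7 HEAD)`, lets the shell compute the short SHA and drops the temporary variable; the existing `filebeat-image` recipe carries the same construct, so whatever is decided should be applied to both. The recipe otherwise duplicates `filebeat-image` except for `BEAT_NAME`; a pattern rule such as `%-image:` with `BEAT_NAME=$*`, and `$(MAKE)` rather than `make` for the recursive invocation, would keep the two from drifting apart.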
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -114,6 +114,14 @@ make apm-server-image
hack/containerized-apm-server
```

### auditbeat

```
make auditbeat-image
hack/containerized-auditbeat
```

## Running awsbeats on a Kubernetes cluster

### Filebeat
55 changes: 55 additions & 0 deletions example/auditbeat/auditbeat.yml
@@ -0,0 +1,55 @@
auditbeat.modules:

- module: auditd
# keep this 0 and be more selective in auditd rules to rate-limit without dropping audit events
rate_limit: 0
# maximum number of audit messages that will be buffered by the kernel
backlog_limit: 8196
# See https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html for more info
audit_rules: |
# Things that affect identity.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
# Unauthorized access attempts to files (unsuccessful).
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
# for development
failure_mode: log
include_raw_message: true
include_warnings: true

- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc

processors:
- add_cloud_metadata:
# Match originating pod enrich apm events with metadata from Kubernetes
# See https://github.com/elastic/apm-server/issues/349 for more details
#- add_kubernetes_metadata:
# indexers:
# - ip_port:
# matchers:
# - fields:
# lookup_fields: ["context.system.ip"]

output:
streams:
region: ap-northeast-1
stream_name: kuokatest1
partition_key_provider: xid

queue.mem:
events: 4096
flush.min_events: 5
flush.timeout: 3s
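Review bot: `backlog_limit: 8196` reads like a typo for 8192 (the customary power-of-two value); if the odd number is intentional, a short comment saying why would stop the next reader from "correcting" it. The `# for development` comment sits above `failure_mode: log`, `include_raw_message: true` and `include_warnings: true` without saying which of them is development-only; `include_raw_message` in particular copies the full raw audit record, including process arguments that may carry credentials, into every event shipped to Kinesis, so I would make it explicit, e.g. `# development only: raw messages can include sensitive argv, drop before production`. `stream_name: kuokatest1` together with `region: ap-northeast-1` looks like a personal test stream baked into an example file; a placeholder such as `stream_name: <your-kinesis-stream>` plus a note on the IAM permissions the output needs would make the example reusable. The commented-out `add_kubernetes_metadata` block still talks about enriching "apm events" and matching on `context.system.ip`, which are apm-server fields, so it appears to have been copied from the apm-server example and should either be adapted to auditbeat fields or removed.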
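--- /dev/null
+++ b/hack/containerized-auditbeat
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+docker run \
+--rm \
+--pid=host \
+--cap-add=AUDIT_CONTROL \
+--cap-add=AUDIT_READ \
+-v $(pwd)/logs:/mnt/log/ \
+-v $(pwd)/example/auditbeat/data:/var/lib/beat \
+-v $(pwd)/example/auditbeat:/etc/auditbeat \
+-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
+-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
+s12v/awsbeats:auditbeat-canary \
+auditbeat \
+--plugin kinesis.so \
+-e \
+-d '*' \
+-c /etc/auditbeat/auditbeat.yml \
+--strict.perms=false \
+--path.data=/var/lib/beat
+
+# Note that `strict.perms` seems to be required due to https://discuss.elastic.co/t/volume-mapped-filebeat-yml-permissions-from-docker-on-windows-host/91893/2
+
+# --pid=host, AUDIT_CONTROL, and AUDIT_READ are reequired in order to avoid the following startup error
+# 2018-06-13T03:23:30.026ZDEBUG[file_integrity]file_integrity/metricset.go:86Initialized the file event reader. Running as euid=0
+# 2018-06-13T03:23:30.026ZERRORinstance/beat.go:667Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
+# Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
+#
+# See https://github.com/elastic/beats-docker/issues/25 for more info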
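Review bot: The `-v` mounts here bring in only logs, data and config, so the file_integrity `paths` in the mounted auditbeat.yml (`/bin`, `/etc`, …) resolve inside the container and the module will hash the image's files rather than the host's; the `-w /etc/passwd`-style watch rules are, as far as I know, also resolved in the mount namespace of the process installing them, so the same caveat likely applies to them even though the syscall rules are host-wide. If host coverage is the intent, add `-v /:/hostfs:ro` and point `paths` at `/hostfs/...` (and verify the watch rules fire for host edits); otherwise a comment stating that FIM here is image-scoped would prevent an easy misreading. Because AUDIT_CONTROL lets this root container replace the host's entire audit ruleset, I would put `--cap-drop=ALL` ahead of the two `--cap-add` flags and add `--security-opt no-new-privileges`, checking that auditbeat still starts. `-d '*'` combined with `include_raw_message: true` in the config writes every raw audit record to the container log, so it should be dropped outside of debugging sessions. Typo in the trailing comment: `reequired` → `required`.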
