This allows you to send auditd and file integrity events from auditbeat running in a docker container to Kinesis
Showing
4 changed files
with
96 additions
and
0 deletions.
@@ -0,0 +1,55 @@ | ||
auditbeat.modules: | ||
|
||
- module: auditd | ||
# keep this 0 and be more selective in auditd rules to rate-limit without dropping audit events | ||
rate_limit: 0 | ||
# maximum number of audit messages that will be buffered by the kernel | ||
backlog_limit: 8196 | ||
# See https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html for more info | ||
audit_rules: | | ||
# Things that affect identity. | ||
-w /etc/group -p wa -k identity | ||
-w /etc/passwd -p wa -k identity | ||
-w /etc/gshadow -p wa -k identity | ||
-w /etc/shadow -p wa -k identity | ||
# Unauthorized access attempts to files (unsuccessful). | ||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access | ||
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access | ||
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access | ||
# for development | ||
failure_mode: log | ||
include_raw_message: true | ||
include_warnings: true | ||
|
||
- module: file_integrity | ||
paths: | ||
- /bin | ||
- /usr/bin | ||
- /sbin | ||
- /usr/sbin | ||
- /etc | ||
|
||
processors: | ||
- add_cloud_metadata: | ||
# Match originating pod enrich apm events with metadata from Kubernetes | ||
# See https://github.com/elastic/apm-server/issues/349 for more details | ||
#- add_kubernetes_metadata: | ||
# indexers: | ||
# - ip_port: | ||
# matchers: | ||
# - fields: | ||
# lookup_fields: ["context.system.ip"] | ||
|
||
output: | ||
streams: | ||
region: ap-northeast-1 | ||
stream_name: kuokatest1 | ||
partition_key_provider: xid | ||
|
||
queue.mem: | ||
events: 4096 | ||
flush.min_events: 5 | ||
flush.timeout: 3s |
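Review bot: The `file_integrity` paths (`/bin`, `/usr/bin`, `/sbin`, `/usr/sbin`, `/etc`) are read from the filesystem the beat process itself sees, and the run script in this commit only bind-mounts the log, data and config directories, so inside the container these watch the image's own binaries and `/etc` rather than the host's. If host integrity is the goal, mount the host root read-only (for example `-v /:/hostfs:ro`) and point the paths at `/hostfs/...`; the `-w /etc/passwd`-style auditd watches are likely resolved the same way when the rules are loaded, which is worth confirming on a real host before relying on them. `backlog_limit: 8196` looks like a typo for `8192` — both are accepted, but the odd value reads as unintended and deserves either the round number or a comment stating why. `add_cloud_metadata:` with no value parses as null, which Beats accepts; writing `- add_cloud_metadata: ~` matches the upstream examples and makes the intent explicit.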
@@ -0,0 +1,29 @@ | ||
#!/usr/bin/env bash | ||
|
||
docker run \ | ||
--rm \ | ||
--pid=host \ | ||
--cap-add=AUDIT_CONTROL \ | ||
--cap-add=AUDIT_READ \ | ||
-v $(pwd)/logs:/mnt/log/ \ | ||
-v $(pwd)/example/auditbeat/data:/var/lib/beat \ | ||
-v $(pwd)/example/auditbeat:/etc/auditbeat \ | ||
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ | ||
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ | ||
s12v/awsbeats:auditbeat-canary \ | ||
auditbeat \ | ||
--plugin kinesis.so \ | ||
-e \ | ||
-d '*' \ | ||
-c /etc/auditbeat/auditbeat.yml \ | ||
--strict.perms=false \ | ||
--path.data=/var/lib/beat | ||
|
||
# Note that `strict.perms` seems to be required due to https://discuss.elastic.co/t/volume-mapped-filebeat-yml-permissions-from-docker-on-windows-host/91893/2 | ||
|
||
# --pid=host, AUDIT_CONTROL, and AUDIT_READ are reequired in order to avoid the following startup error | ||
# 2018-06-13T03:23:30.026ZDEBUG[file_integrity]file_integrity/metricset.go:86Initialized the file event reader. Running as euid=0 | ||
# 2018-06-13T03:23:30.026ZERRORinstance/beat.go:667Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted | ||
# Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted | ||
# | ||
# See https://github.com/elastic/beats-docker/issues/25 for more info |
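Review bot: `-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}` expands the secret into the `docker run` argument list, where it is readable by any local user via `ps` or `/proc/*/cmdline` and is captured by shell tracing; `docker run -e NAME` with no `=value` forwards the variable from the caller's environment without putting the value on the command line, so the two lines should be `-e AWS_ACCESS_KEY_ID \` and `-e AWS_SECRET_ACCESS_KEY \`. The unquoted `$(pwd)` in the three `-v` mounts word-splits on a working directory containing whitespace; write `-v "$(pwd)/logs:/mnt/log/" \` and likewise for the other two. The config directory is mounted read-write although the beat only reads it (its writable state is already separated out via `--path.data`), so adding `:ro` to the `/etc/auditbeat` mount keeps the process from being able to rewrite its own rules. `-d '*'` together with `include_raw_message: true` in the config sends full debug output, including raw audit records, to the container log; the `# for development` note in the config should be mirrored here so these flags are not carried into a production invocation.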