

@tsg
Created October 12, 2017 22:47


  1. tsg created this gist Oct 12, 2017.
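--- a/Auditbeat sample configuration
+++ b/Auditbeat sample configuration
@@ -0,0 +1,160 @@
+###################### Auditbeat Configuration Example #########################
+
+# This is an example configuration file highlighting only the most common
+# options. The auditbeat.reference.yml file from the same directory contains all
+# the supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+#========================== Modules configuration =============================
+auditbeat.modules:
+
+- module: audit
+metricsets: [kernel]
+kernel.audit_rules: |
+## Define audit rules here.
+## Create file watches (-w) or syscall audits (-a or -A). For example:
+
+## Things that affect identity
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/security/opasswd -p wa -k identity
+
+# Log read access to passwd from selected users (33=www-data)
+-a exit,always -F path=/etc/passwd -F perm=r -F uid=33 -k www-passwd-read
+
+## Log permission errors
+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+## Log processes that call the `socket` system call
+-a always,exit -F arch=b64 -S socket -F a0=2 -k socket
+-a always,exit -F arch=b64 -S socket -F a0=10 -k socket
+
+## The purpose of this rule is to detect when an admin may be abusing power
+## by looking in user's home dir.
+-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+
+## log all executed processes
+#-a always,exit -S execve
+
+## All elevation of privileges is logged
+-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
+-a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
+-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
+-a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
+-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
+-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
+
+- module: audit
+metricsets: [file]
+file.paths:
+- /bin
+- /usr/bin
+- /sbin
+- /usr/sbin
+- /etc
+
+
+
+#==================== Elasticsearch template setting ==========================
+setup.template.settings:
+index.number_of_shards: 3
+#index.codec: best_compression
+#_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here, or by using the `-setup` CLI flag or the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+# Kibana Host
+# Scheme and port can be left out and will be set to the default (http and 5601)
+# In case you specify and additional path, the scheme is required: http://localhost:5601/path
+# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+#host: "localhost:5601"
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using beatname with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what outputs to use when sending the data collected by the beat.
+# Multiple outputs may be used.
+
+#-------------------------- Elasticsearch output ------------------------------
+output.elasticsearch:
+# Array of hosts to connect to.
+hosts: ["localhost:9200"]
+
+# Optional protocol and basic auth credentials.
+#protocol: "https"
+#username: "elastic"
+#password: "changeme"
+
+#----------------------------- Logstash output --------------------------------
+#output.logstash:
+# The Logstash hosts
+#hosts: ["localhost:5044"]
+
+# Optional SSL. By default is off.
+# List of root certificates for HTTPS server verifications
+#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+# Certificate for SSL client authentication
+#ssl.certificate: "/etc/pki/client/cert.pem"
+
+# Client Certificate Key
+#ssl.key: "/etc/pki/client/cert.key"
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: critical, error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]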
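Review bot: The `access` rule (`-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access`) and the two `socket` rules match only the 64-bit syscall table, whereas every `elevated-privs` rule in the same block is paired with an `arch=b32` twin; as written, a 32-bit binary making the same calls leaves no `access` or `socket` event. Either add the `-F arch=b32` counterparts for those three rules or add a comment in the rules block stating that 32-bit coverage is intentionally omitted. As a point of style, the `www-passwd-read` rule uses `-a exit,always` while every other rule uses `-a always,exit`; both are accepted, but `-a always,exit -F path=/etc/passwd -F perm=r -F uid=33 -k www-passwd-read` keeps the block uniform and easier to diff against the reference config. The rendered page also appears to have dropped the nesting indentation under `- module: audit` (`metricsets`, `kernel.audit_rules`, `file.paths` all sit at the list-item column); if the stored file is genuinely flat it will not parse as intended, so this is worth confirming against the raw gist.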