Beats: [Auditbeat] Allow flushing of auditd rules

Created on 11 Sep 2018 · 5 comments · Source: elastic/beats

Auditbeat doesn't flush auditd rules upon daemon exit. This leads to /var/log/kern.log getting flooded with all the audit messages.

Furthermore, it seems that auditbeat doesn't have a CLI option to flush the auditd rules.

It seems that auditd too doesn't flush rules on daemon exit.

# systemctl start auditd

# auditctl -l
No rules

# auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
# auditctl -l
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time_change

# systemctl stop auditd

# auditctl -l
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time_change

If flushing rules on daemon exit is not appropriate, then the auditbeat CLI should at least provide a way to flush the rules manually.

Details:

  • Version: Auditbeat 6.4.0
  • Operating System: Ubuntu 16.04 LTS / 18.04 LTS

Labels: Auditbeat, SIEM, enhancement
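The workaround a practitioner will want while the issue is open is a script that tells leftover rules apart from rules belonging to a running Auditbeat, flushes them, and can be hooked into systemd. The script below is an added example, not code from the issue or from Auditbeat. It relies only on auditctl(8) from the audit package and on the rule format shown in this thread: Auditbeat's own `-a never,exit -S all -F pid=N` exclusion rule, and `auditctl -l` printing `No rules` for an empty list. The `AUDITCTL` variable, the `FLUSH_STALE_RULES` switch and the drop-in file path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the issue or of Auditbeat itself: inspect the
# audit rules Auditbeat leaves loaded after it exits, flush them, and emit a
# systemd drop-in that flushes automatically on stop. Assumes auditctl(8)
# from the audit package; the AUDITCTL variable exists only so the helpers
# can be exercised against a stub.
AUDITCTL="${AUDITCTL:-auditctl}"

# Number of loaded rules in an `auditctl -l` listing. auditctl prints
# "No rules" for an empty list, so only lines starting with "-" count.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-' || true
}

# Keys attached to the loaded rules, one per line, sorted. `auditctl -l`
# prints keys as "-F key=NAME"; rules files use "-k NAME", so accept both.
rule_keys() {
    printf '%s\n' "$1" \
        | sed -n 's/.*-F key=\([^ ]*\).*/\1/p; s/.*-k \([^ ]*\).*/\1/p' \
        | sort -u
}

# PID named in Auditbeat's self-exclusion rule ("-a never,exit -S all -F pid=N").
# Empty when no such rule is loaded.
excluded_pid() {
    printf '%s\n' "$1" \
        | sed -n 's/^-a never,exit -S all -F pid=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# True when the self-exclusion rule points at a PID that no longer exists,
# i.e. the rules are leftovers from an Auditbeat process that has exited.
rules_are_stale() {
    pid=$(excluded_pid "$1")
    [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null
}

# Delete every loaded rule (auditctl -D) and confirm the list is empty.
flush_rules() {
    "$AUDITCTL" -D >/dev/null
    [ "$(count_rules "$("$AUDITCTL" -l)")" -eq 0 ]
}

# Drop-in text that makes systemd flush the rules whenever auditbeat.service
# stops; install as /etc/systemd/system/auditbeat.service.d/flush-rules.conf
# (file name and path are this example's choice, not Auditbeat's).
systemd_dropin() {
    printf '%s\n' '[Service]' 'ExecStopPost=/sbin/auditctl -D'
}

# Manual run (FLUSH_STALE_RULES=1 ./flush-stale-rules.sh, as root): show what
# is loaded and flush only if the owning Auditbeat process is gone.
if [ "${FLUSH_STALE_RULES:-0}" = 1 ]; then
    listing=$("$AUDITCTL" -l)
    echo "loaded rules: $(count_rules "$listing")"
    echo "keys: $(rule_keys "$listing" | tr '\n' ' ')"
    if rules_are_stale "$listing"; then
        flush_rules && echo "stale rules flushed"
    fi
fi
```

Checking the excluded PID before flushing matters because `auditctl -D` is global: it also removes rules loaded by auditd or by a still-running Auditbeat. The `ExecStopPost` drop-in has the same global effect, so it is only appropriate on hosts where Auditbeat is the sole owner of the kernel rule set.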

All 5 comments

Minimal configuration file:

    #==========================  Modules configuration =============================
    auditbeat.modules:

    - module: auditd
      # Load audit rules from separate files. Same format as audit.rules(7).
      # audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
      audit_rules: |
        ## Executions.
        -a always,exit -F arch=b64 -S execve,execveat -k exec

    #==================== Elasticsearch template setting ==========================
    setup.template.settings:
      index.number_of_shards: 3
      #index.codec: best_compression
      #_source.enabled: false

    #-------------------------- Elasticsearch output ------------------------------
    output.elasticsearch:
      # Array of hosts to connect to.
      hosts: ["localhost:9200"]

Steps to reproduce:

  1. Start auditbeat with this configuration.

  2. Stop auditbeat.

  3. Run sudo ./auditbeat show auditd-rules, which shows

        -a never,exit -S all -F pid=31859
        -a always,exit -F arch=b64 -S execve,execveat -F key=exec


@andrewkroh any idea?

Pinging @elastic/siem (Team:SIEM)

I think this would be a good option to add to Auditbeat. And also add a subcommand to clear the rules (#11825).

We faced this problem as well; it caused huge problems. I vote for a mechanism to flush rules using AB itself.
