- ###################### Auditbeat Configuration Example #########################
- # This is an example configuration file highlighting only the most common
- # options. The auditbeat.reference.yml file from the same directory contains all
- # the supported options with more comments. You can use it as a reference.
- #
- # You can find the full configuration reference here:
- # https://www.elastic.co/guide/en/beats/auditbeat/index.html
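#========================== Modules configuration =============================
# NOTE(review): the original declared `auditbeat.modules:` twice in a row.
# Duplicate mapping keys are invalid YAML 1.2; depending on the parser they are
# either rejected outright or silently collapsed to the last occurrence. A single
# key is kept here.
auditbeat.modules:
- module: audit
  metricsets: [kernel]
  # Resolve numeric UIDs/GIDs in events to names.
  kernel.resolve_ids: true
  # Behaviour when the kernel audit backlog overflows. `log` records the loss
  # in Auditbeat's own log instead of panicking the host. Combined with
  # rate_limit 0 (no throttling of the producer) this means a burst on a busy
  # host can drop events with only a log line as evidence - alert on that line,
  # or raise backlog_limit, rather than assuming the event stream is complete.
  kernel.failure_mode: log
  # Value kept as supplied; 8192 is the more usual power-of-two setting, but
  # the kernel accepts any positive integer.
  kernel.backlog_limit: 8196
  kernel.rate_limit: 0
  kernel.include_raw_message: false
  kernel.include_warnings: false
  # multicast lets Auditbeat read a copy of the audit stream while auditd also
  # runs (needs kernel 3.16+ per the Auditbeat docs). Whether the rules below
  # are actually loaded in this mode depends on the auditd/kernel combination,
  # so verify with `auditctl -l` after startup rather than assuming coverage.
  kernel.socket_type: multicast
  kernel.audit_rules: |
    ## Process execution. (`exit,always` and `always,exit` are accepted
    ## interchangeably by auditctl; normalised to the documented order.)
    -a always,exit -F arch=b32 -S execve -k audit-command
    -a always,exit -F arch=b64 -S execve -k audit-command
    ## Things that could affect time
    -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
    -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
    #-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
    #-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
    -w /etc/localtime -p wa -k time-change
    ## Things that could affect system locale
    -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
    -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
    -w /etc/issue -p wa -k system-locale
    -w /etc/issue.net -p wa -k system-locale
    -w /etc/hosts -p wa -k system-locale
    ## Monitor network changes
    -w /etc/network/ -p wa -k system-config
    ## System startup scripts (SysV / upstart paths as originally listed).
    -w /etc/init/ -p wa -k system-config
    -w /etc/inittab -p wa -k system-config
    -w /etc/rc0.d/ -p wa -k system-config
    -w /etc/rc1.d/ -p wa -k system-config
    -w /etc/rc2.d/ -p wa -k system-config
    -w /etc/rc3.d/ -p wa -k system-config
    -w /etc/rc4.d/ -p wa -k system-config
    -w /etc/rc5.d/ -p wa -k system-config
    -w /etc/rc6.d/ -p wa -k system-config
    ## systemd units/drop-ins are the startup path on current distros and a
    ## standard persistence location; the SysV watches above do not cover them.
    -w /etc/systemd/ -p wa -k system-config
    ## Library search paths
    -w /etc/ld.so.conf -p wa -k system-config
    ## Local time zone. NOTE: /etc/localtime is also watched above under the
    ## time-change key; the two watches are distinct rules, so a change here
    ## is expected to surface under both keys.
    -w /etc/localtime -p wa -k system-config
    ## Kernel parameters
    -w /etc/sysctl.conf -p wa -k system-config
    -w /etc/sysctl.d/ -p wa -k system-config
    ## modprobe configuration
    -w /etc/modprobe.d/ -p wa -k system-config
    ## PAM configuration
    -w /etc/pam.d/ -p wa -k system-config
    ## System security config
    -w /etc/security/access.conf -p wa -k system-config
    -w /etc/security/limits.conf -p wa -k system-config
    -w /etc/security/pam_env.conf -p wa -k system-config
    -w /etc/security/namespace.conf -p wa -k system-config
    -w /etc/security/namespace.d/ -p wa -k system-config
    -w /etc/security/namespace.init -p wa -k system-config
    -w /etc/security/sepermit.conf -p wa -k system-config
    ## Audit of rsyslog configuration
    -w /etc/rsyslog.d/ -p wa -k audit-config
    -w /etc/rsyslog.conf -p wa -k audit-config
    ## Audit of audit configuration
    -w /etc/audit/ -p wa -k audit-config
    ## Audit of filebeat configuration
    -w /etc/filebeat/ -p wa -k audit-config
    ## Audit of Auditbeat's own configuration. The original watched filebeat's
    ## config but not this file's directory, so an attacker editing these very
    ## rules (or the output) would have gone unrecorded.
    -w /etc/auditbeat/ -p wa -k audit-config
    ## Unsuccessful creation
    -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=failed_creation
    -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=failed_creation
    -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=failed_creation
    -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=failed_creation
    ## Unauthorized access attempts to files (unsuccessful).
    ## NOTE(review): `auid>=500` is the UID_MIN of older RHEL-style systems; the
    ## power-abuse rule further down uses 1000, which is UID_MIN on most current
    ## distros. 500 is the more inclusive choice (it just adds noise from
    ## service accounts in 500-999), so it is left as-is, but pick one value
    ## matching /etc/login.defs and use it throughout.
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EACCES -F key=failed_open
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EACCES -F key=failed_open
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EPERM -F key=failed_open
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EPERM -F key=failed_open
    ## Unsuccessful close
    -a always,exit -F arch=b32 -S close -F auid>=500 -F auid!=4294967295 -F exit=-EIO -F key=failed_close
    -a always,exit -F arch=b64 -S close -F auid>=500 -F auid!=4294967295 -F exit=-EIO -F key=failed_close
    ## Discretionary access control permission modification. These rules have
    ## no exit= filter, so they record BOTH successful and failed
    ## chmod/chown/xattr calls by logged-in users (the original heading
    ## "unsuccessful modifications" understated this).
    -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b32 -S setxattr,truncate,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
    -a always,exit -F arch=b64 -S setxattr,truncate,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
    ## Unsuccessful deletion
    -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=failed_delete
    -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=failed_delete
    -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EPERM -F key=failed_delete
    -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=failed_delete
    ## Audit 1, 1(d) Changes in user authenticators.
    ## Covered by patches to libpam, passwd, and shadow-utils.
    ## Might also want to watch these files for changes.
    -w /etc/group -p wa -k auth
    -w /etc/passwd -p wa -k auth
    -w /etc/gshadow -p wa -k auth
    -w /etc/shadow -p wa -k auth
    ## Whole-directory watch; overlaps the per-file system-config watches on
    ## /etc/security/* above, so those files are expected to match both keys.
    -w /etc/security/ -p wa -k auth
    ## Audit 1, 2 Audit Trail Protection. The contents of audit trails
    ## shall be protected against unauthorized access, modification,
    ## or deletion.
    ## This should be covered by file permissions, but a watch here is the
    ## only way to see reads/deletions of the local trail; enable it if the
    ## event volume is acceptable.
    #-w /var/log/audit/ -k audit-logs
    ## Optional - might want to watch module insertion.
    ## The path watches only fire for these exact binaries (and not through
    ## symlinked /sbin on merged-/usr systems); the syscall rules that follow
    ## are the reliable signal.
    -w /sbin/insmod -p x -k modules
    -w /sbin/rmmod -p x -k modules
    -w /sbin/modprobe -p x -k modules
    -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
    -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
    -a always,exit -F arch=b32 -S delete_module -F key=module-unload
    -a always,exit -F arch=b64 -S delete_module -F key=module-unload
    ## Optional - admin may be abusing power by looking in user's home dir
    ## (root, logged in as a real user, touching a file owned by someone else).
    -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
    ## Optional - log container creation
    #-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
    #-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create
    ## Optional - watch for containers that may change their configuration
    -a always,exit -F arch=b32 -S unshare,setns -F key=container-config
    -a always,exit -F arch=b64 -S unshare,setns -F key=container-config
    ## Put your own watches after this point
    # -w /your-file -p rwxa -k mykey
    ## Monitor open() system calls by Linux UID >= 1000 (very noisy; off).
    #-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -F auid>=1000
    #-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -F auid>=1000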
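- module: audit
  metricsets: [file]
  # Scan over the configured file paths at startup and send events for new or
  # modified files since the last time Auditbeat was running.
  # NOTE(review): with this off, anything changed while Auditbeat was stopped
  # (including by someone who stopped it first) is never reported. That is a
  # deliberate startup-cost trade-off; set to true where the gap matters more.
  file.scan_at_start: false
  # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
  # consumes at startup while scanning. Default is "50 MiB".
  file.scan_rate_per_sec: 50 MiB
  # Limit on the size of files that will be hashed. Default is "100 MiB".
  file.max_file_size: 100 MiB
  # Hash types to compute when the file changes. Supported types are md5, sha1,
  # sha224, sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
  # sha3_384 and sha3_512. Default is sha1.
  # SHA-1 is no longer collision-resistant, so a recorded SHA-1 alone is a weak
  # integrity signal. sha256 is added for that purpose; sha1 is kept so any
  # existing searches on file.hash.sha1 keep working - drop it once they don't.
  file.hash_types: [sha1, sha256]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  # Locally installed binaries are a common drop location not covered by the
  # distro paths above.
  - /usr/local/bin
  - /usr/local/sbin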
#==================== Elasticsearch template setting ==========================
# Index settings written into the Auditbeat index template.
setup.template.settings:
  # Primary shard count for the auditbeat indices.
  index.number_of_shards: 3
  # Optional: trade indexing CPU for smaller indices.
  #index.codec: best_compression
  # Optional: drop _source (saves space, but disables reindex/update of
  # documents; normally leave it enabled for audit data).
  #_source.enabled: false
- #================================ General =====================================
- # The name of the shipper that publishes the network data. It can be used to group
- # all the transactions sent by a single shipper in the web interface.
- #name:
- # The tags of the shipper are included in their own field with each
- # transaction published.
- #tags: ["service-X", "web-tier"]
- # Optional fields that you can specify to add additional information to the
- # output.
- #fields:
- # env: staging
- #============================== Dashboards =====================================
- # These settings control loading the sample dashboards to the Kibana index. Loading
- # the dashboards is disabled by default and can be enabled either by setting the
- # options here, or by using the `-setup` CLI flag or the `setup` command.
- #setup.dashboards.enabled: false
- # The URL from where to download the dashboards archive. By default this URL
- # has a value which is computed based on the Beat name and version. For released
- # versions, this URL points to the dashboard archive on the artifacts.elastic.co
- # website.
- #setup.dashboards.url:
#============================== Kibana =====================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  # NOTE(review): the implied default scheme is plain http. For any Kibana that
  # is not on localhost, give https:// explicitly so setup traffic and any
  # credentials are not sent in the clear.
  #host: "localhost:5601"
- #============================= Elastic Cloud ==================================
- # These settings simplify using beatname with the Elastic Cloud (https://cloud.elastic.co/).
- # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
- # `setup.kibana.host` options.
- # You can find the `cloud.id` in the Elastic Cloud web UI.
- #cloud.id:
- # The cloud.auth setting overwrites the `output.elasticsearch.username` and
- # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
- #cloud.auth:
#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  # NOTE(review): as written this ships the audit trail over plain HTTP with
  # no authentication. That is only acceptable while Elasticsearch really is
  # on this host; for a remote cluster set protocol: "https", provide
  # credentials, and point ssl.certificate_authorities at the cluster CA (the
  # Logstash section below shows the same ssl.* keys).
  hosts: ["localhost:9200"]
  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  # Keep real passwords out of this file (and out of version control) - use a
  # secret store or environment injection - and never leave the example
  # default in place.
  #password: "changeme"
#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
- #================================ Logging =====================================
- # Sets log level. The default log level is info.
- # Available log levels are: critical, error, warning, info, debug
- #logging.level: debug
- # At debug level, you can selectively enable logging only for some components.
- # To enable all selectors use ["*"]. Examples of other selectors are "beat",
- # "publish", "service".
- #logging.selectors: ["*"]