  1. ###################### Auditbeat Configuration Example #########################
  2.  
  3. # This is an example configuration file highlighting only the most common
  4. # options. The auditbeat.reference.yml file from the same directory contains all
  5. # the supported options with more comments. You can use it as a reference.
  6. #
  7. # You can find the full configuration reference here:
  8. # https://www.elastic.co/guide/en/beats/auditbeat/index.html
  9.  
  10. #========================== Modules configuration =============================
  11. auditbeat.modules:
  12. auditbeat.modules:
  13.  
  - module: audit
    metricsets: [kernel]
    # Resolve numeric user/group IDs in events to names.
    kernel.resolve_ids: true
    # Kernel behaviour on audit failures (e.g. a full backlog): "log" records
    # the failure rather than dropping it silently or panicking.
    kernel.failure_mode: log
    # Size of the kernel-side queue of events waiting for delivery to user space.
    kernel.backlog_limit: 8196
    # 0 disables the kernel's per-second event rate limit.
    kernel.rate_limit: 0
    # Do not attach the raw audit text to each event.
    kernel.include_raw_message: false
    # Presumably suppresses parser warnings in the emitted events — confirm
    # against the Auditbeat docs.
    kernel.include_warnings: false
    # "multicast" reads a copy of the audit stream so another consumer (such as
    # auditd) can keep running alongside Auditbeat; NOTE(review): this mode
    # presumably needs a kernel with audit multicast support — confirm.
    kernel.socket_type: multicast
    # Rules are passed to the kernel in auditctl syntax. Lines starting with
    # "#" inside the block are part of the string and are ignored by auditctl.
    # NOTE(review): the rules mix `auid>=500` and `auid>=1000` as the "real
    # user" threshold; on a system whose UID_MIN is 1000 the 500 variants also
    # match a few system accounts (extra noise, not lost coverage) — confirm the
    # intended threshold against /etc/login.defs.
    # NOTE(review): the watch on /var/log/audit/ is commented out below, so
    # tampering with the audit trail itself is only guarded by file
    # permissions; enabling it gives a detection signal for that case.
    kernel.audit_rules: |
      -a exit,always -F arch=b32 -S execve -k audit-command
      -a exit,always -F arch=b64 -S execve -k audit-command
      ## Things that could affect time
      -a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
      -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
      #-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
      #-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
      -w /etc/localtime -p wa -k time-change
      ## Things that could affect system locale
      -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
      -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
      -w /etc/issue -p wa -k system-locale
      -w /etc/issue.net -p wa -k system-locale
      -w /etc/hosts -p wa -k system-locale

      # Monitor network changes
      -w /etc/network/ -p wa -k system-config

      ## system startup scripts
      -w /etc/init/ -p wa -k system-config
      -w /etc/inittab -p wa -k system-config
      -w /etc/rc0.d/ -p wa -k system-config
      -w /etc/rc1.d/ -p wa -k system-config
      -w /etc/rc2.d/ -p wa -k system-config
      -w /etc/rc3.d/ -p wa -k system-config
      -w /etc/rc4.d/ -p wa -k system-config
      -w /etc/rc5.d/ -p wa -k system-config
      -w /etc/rc6.d/ -p wa -k system-config

      ## library search paths
      -w /etc/ld.so.conf -p wa -k system-config

      ## local time zone
      -w /etc/localtime -p wa -k system-config

      ## kernel parameters
      -w /etc/sysctl.conf -p wa -k system-config
      -w /etc/sysctl.d/ -p wa -k system-config

      ## modprobe configuration
      -w /etc/modprobe.d/ -p wa -k system-config

      ## pam configuration
      -w /etc/pam.d/ -p wa -k system-config
      ## system security config
      -w /etc/security/access.conf -p wa -k system-config
      -w /etc/security/limits.conf -p wa -k system-config
      -w /etc/security/pam_env.conf -p wa -k system-config
      -w /etc/security/namespace.conf -p wa -k system-config
      -w /etc/security/namespace.d/ -p wa -k system-config
      -w /etc/security/namespace.init -p wa -k system-config
      -w /etc/security/sepermit.conf -p wa -k system-config

      # Audit of rsyslog configuration
      -w /etc/rsyslog.d/ -p wa -k audit-config
      -w /etc/rsyslog.conf -p wa -k audit-config

      # Audit of audit configuration
      -w /etc/audit/ -p wa -k audit-config

      # Audit of filebeat configuration
      -w /etc/filebeat/ -p wa -k audit-config

      ## unsuccessful creation
      -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -F key=failed_creation
      -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -F key=failed_creation
      -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -F key=failed_creation
      -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -F key=failed_creation

      ## Unauthorized access attempts to files (unsuccessful)
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EACCES -F key=failed_open
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EACCES -F key=failed_open
      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EPERM -F key=failed_open
      -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F auid>=500 -F auid!=4294967295 -F exit=-EPERM -F key=failed_open

      ## unsuccessful close
      -a always,exit -F arch=b32 -S close -F auid>=500 -F auid!=4294967295 -F exit=-EIO -F key=failed_close
      -a always,exit -F arch=b64 -S close -F auid>=500 -F auid!=4294967295 -F exit=-EIO -F key=failed_close

      ## unsuccessful modifications
      ##- Discretionary access control permission modification (unsuccessful
      ## and successful use of chown/chmod)
      -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
      -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
      -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
      -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
      -a always,exit -F arch=b32 -S setxattr,truncate,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
      -a always,exit -F arch=b64 -S setxattr,truncate,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod

      ## unsuccessful deletion
      -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EACCES -F key=failed_delete
      -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EACCES -F key=failed_delete
      -a always,exit -F arch=b32 -S unlink,rmdir,unlinkat -F exit=-EPERM -F key=failed_delete
      -a always,exit -F arch=b64 -S rmdir,unlink,unlinkat -F exit=-EPERM -F key=failed_delete

      ## Audit 1, 1(d) Changes in user authenticators.
      ## Covered by patches to libpam, passwd, and shadow-utils
      ## Might also want to watch these files for changes
      -w /etc/group -p wa -k auth
      -w /etc/passwd -p wa -k auth
      -w /etc/gshadow -p wa -k auth
      -w /etc/shadow -p wa -k auth
      -w /etc/security/ -p wa -k auth

      ## Audit 1, 2 Audit Trail Protection. The contents of audit trails
      ## shall be protected against unauthorized access, modification,
      ## or deletion.
      ## This should be covered by file permissions, but we can watch it
      ## to see any activity
      #-w /var/log/audit/ -k audit-logs

      ## Optional - might want to watch module insertion
      -w /sbin/insmod -p x -k modules
      -w /sbin/rmmod -p x -k modules
      -w /sbin/modprobe -p x -k modules
      -a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
      -a always,exit -F arch=b32 -S delete_module -F key=module-unload
      -a always,exit -F arch=b64 -S delete_module -F key=module-unload

      ## Optional - admin may be abusing power by looking in user's home dir
      -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse

      ## Optional - log container creation
      #-a always,exit -F arch=b32 -S clone -F a0&0x2080505856 -F key=container-create
      #-a always,exit -F arch=b64 -S clone -F a0&0x2080505856 -F key=container-create

      ## Optional - watch for containers that may change their configuration
      -a always,exit -F arch=b32 -S unshare,setns -F key=container-config
      -a always,exit -F arch=b64 -S unshare,setns -F key=container-config

      ## Put your own watches after this point
      # -w /your-file -p rwxa -k mykey

      # monitor open() system call by Linux UID >= 1000.
      #-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -F auid>=1000
      #-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate,fallocate -F auid>=1000


  - module: audit
    metricsets: [file]
    # Whether to walk the configured paths once at startup and report files that
    # are new or changed since the previous run. It is off here, so changes made
    # while Auditbeat was not running are presumably not reported — confirm
    # that this is acceptable for the integrity-monitoring use case.
    file.scan_at_start: false

    # Throttle for the startup scan (CPU and I/O). "50 MiB" is the documented
    # default; quoted so that tooling does not re-type the value.
    file.scan_rate_per_sec: "50 MiB"

    # Files larger than this are not hashed. Documented default is "100 MiB".
    file.max_file_size: "100 MiB"

    # Digest(s) computed when a file changes. Supported: md5, sha1, sha224,
    # sha256, sha384, sha512, sha512_224, sha512_256, sha3_224, sha3_256,
    # sha3_384 and sha3_512 (default sha1).
    # NOTE(review): sha1 is collision-prone; for integrity monitoring a sha256
    # (or stronger) entry is the safer choice if downstream consumers accept it.
    file.hash_types: [sha1]
    # Directories whose contents are monitored.
    file.paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc

  187. #==================== Elasticsearch template setting ==========================
  188. setup.template.settings:
  189. index.number_of_shards: 3
  190. #index.codec: best_compression
  191. #_source.enabled: false
  192.  
#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards into the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: false

# The URL from which to download the dashboards archive. By default this URL
# has a value which is computed from the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

  221. #============================== Kibana =====================================
  222.  
  223. # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
  224. # This requires a Kibana endpoint configuration.
  225. setup.kibana:
  226.  
  227. # Kibana Host
  228. # Scheme and port can be left out and will be set to the default (http and 5601)
  229. # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  230. # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  231. #host: "localhost:5601"
  232.  
#============================= Elastic Cloud ==================================

# These settings simplify using this Beat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

  246. #================================ Outputs =====================================
  247.  
  248. # Configure what output to use when sending the data collected by the beat.
  249.  
  250. #-------------------------- Elasticsearch output ------------------------------
  251. output.elasticsearch:
  252. # Array of hosts to connect to.
  253. hosts: ["localhost:9200"]
  254.  
  255. # Optional protocol and basic auth credentials.
  256. #protocol: "https"
  257. #username: "elastic"
  258. #password: "changeme"
  259.  
#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. Off by default.
  # List of root certificates for HTTPS server verification
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client certificate key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

# Sets the log level. The default log level is info.
# Available log levels are: critical, error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]