CentOS Stream 8
Sponsored Link

Elastic Stack 7 : Install Auditbeat
2021/06/22
 
Install Auditbeat that can monitor Audit actions.
[1] Install Auditbeat. Configure Elasticsearch repository before it.
[root@dlp ~]#
dnf -y install auditbeat
[2] Configure basic settings and start Auditbeat.
[root@dlp ~]#
vi /etc/auditbeat/auditbeat.yml
# line 13 : set Audit action (way of writing rules is the same with auditctl)

- module: auditd
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    #-a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    #-a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    #-w /etc/group -p wa -k identity
    #-w /etc/passwd -p wa -k identity
    #-w /etc/gshadow -p wa -k identity

.....
.....

# line 122 : if use Kibana, uncomment and specify output host

# if SSL is enabled on Kibana, hostname should be the same with the hostname in certs

setup.kibana:
.....
  host: "https://dlp.srv.world:5601"

# line 147 : specify output host

# the default is localhost's Elasticsearch

# if output to Logstash, comment out Elasticsearch and uncomment logstash lines

output.elasticsearch:
  # Array of hosts to connect to.l
  hosts: ["localhost:9200"]

.....
.....

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

[root@dlp ~]#
vi /etc/auditbeat/auditbeat.reference.yml
# line 34 : basic settings for auditd module

- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |

.....
.....

[root@dlp ~]#
systemctl enable --now auditbeat
[3] Verify status the data has been collected normally.
# index list

[root@dlp ~]#
curl localhost:9200/_cat/indices?v

health status index                               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .apm-agent-configuration            y3hQme2SQpGMtb64NLsNdA   1   0          0            0       208b           208b
yellow open   heartbeat-7.13.2-2021.06.22-000001  LHK787g7S92UFiUXDDrwpQ   1   1         53            0    195.8kb        195.8kb
green  open   .kibana_7.13.2_001                  zA_r0rrjT7OMUMVSGmRVfg   1   0       4541          388      3.5mb          3.5mb
green  open   .apm-custom-link                    d1-9Pkn-RXOu_qhMOanvVA   1   0          0            0       208b           208b
green  open   .kibana-event-log-7.13.2-000001     Y-rCmM6yTBKa9W5H1LeJ1g   1   0          1            0      5.6kb          5.6kb
yellow open   filebeat-7.13.2-2021.06.22-000001   c18zEwqAQVeNecW7d6EAQg   1   1      11825            0      1.7mb          1.7mb
yellow open   auditbeat-7.13.2-2021.06.22-000001  -kMW1wnKQ9-b8WjnJmvScA   1   1        904            0    715.8kb        715.8kb
green  open   .async-search                       WRLoMwCITRKD3C_BrFJ9bw   1   0         49          239      157kb          157kb
green  open   .kibana_task_manager_7.13.2_001     x6V232xKQLinqRedJRAbgw   1   0         10         4471    567.2kb        567.2kb
yellow open   packetbeat-7.13.2-2021.06.22-000001 nYN59YPRQwGmDrMRXijZxA   1   1      36649            0     10.6mb         10.6mb
yellow open   test_index                          Vh0HutpLRciaMWX3pFo7Zg   1   1          1            0      5.5kb          5.5kb
yellow open   sshd_fail-2021.06                   HiOI2ac-RzK2BiwQ_gb-VQ   1   1         43            0     68.7kb         68.7kb
yellow open   metricbeat-7.13.2-2021.06.22-000001 aVbbCHScQBujmT8JMRdRBw   1   1      15393            0      8.9mb          8.9mb

# document list on the index

[root@dlp ~]#
curl localhost:9200/auditbeat-7.13.2-2021.06.22-000001/_search?pretty

{
  "took" : 3,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1562,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "auditbeat-7.13.2-2021.06.22-000001",
        "_type" : "_doc",
        "_id" : "1aItMnoB8xzJeutJ83E7",
        "_score" : 1.0,
        "_source" : {
          "@timestamp" : "2021-06-22T05:25:07.631Z",
          "user" : {
            "id" : "0",
            "name" : "root",
            "entity_id" : "Nr6gnj5txO/XVTRU",
            "group" : {
              "name" : "root",
              "id" : "0"
            }
          },
          "related" : {
            "user" : [
              "root"
            ]
          },
          "service" : {
            "type" : "system"
          },
.....
.....
[4] If Kibana is running, it's possible to import data to sample Dashboards.
[root@dlp ~]#
auditbeat setup --dashboards

Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Matched Content