
How to use the Auditbeat module to monitor shell commands

2025-01-18 Update. From: SLTechnology News&Howtos, shulou


Shulou(Shulou.com)06/01 Report--

This article explains how to use the Auditbeat auditd module to monitor shell commands. The content is detailed and the steps are laid out in order; since many people still know little about this topic, it is shared here for reference.

Disable Auditd

The system daemon auditd interferes with the Auditbeat auditd module, because both want to receive events from the kernel's audit socket, so stop and disable it first.

# stop auditd:
service auditd stop
# disable service:
systemctl disable auditd.service

If you must keep the auditd daemon running alongside the Auditbeat auditd module, consider setting socket_type: multicast, which requires kernel 3.16 or later. The kernel then delivers a copy of each audit event to Auditbeat through the audit multicast group while auditd keeps its own unicast socket. The default is unicast.

Configure Auditbeat

The Auditbeat daemon sends event data to an Elasticsearch Service (ESS) cluster.

To get a working example, you must configure the cloud.id and cloud.auth parameters of Auditbeat.

Edit /etc/auditbeat/auditbeat.yml:

cloud.id:
cloud.auth: ingest_user:password

Auditbeat module rules

The auditd module subscribes to the kernel's audit subsystem to receive system call events. Define rules to choose which events are captured; they use the same syntax as the Linux auditctl utility, documented at https://linux.die.net/man/8/auditctl.

# cat /etc/auditbeat/audit.rules.d/rules.conf
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b32 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k user_acct
-a exit,always -F arch=b32 -F euid>=1000 -S execve -k user_acct

euid is the effective user ID. euid=0 captures everything executed as root, including commands run through sudo or su, and euid>=1000 captures ordinary user accounts, since most distributions start regular UIDs at 1000. Note what these two ranges leave out: service accounts with UIDs 1 to 999 (for example www-data, uid 33 on Debian), so a shell spawned by a compromised daemon running under such an account would match neither rule.

-k assigns an arbitrary "key" to the rule. Auditbeat places it in the tags field of every matching event, where it can be used in Kibana to filter and classify events.
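As an added example (not part of the original article), here is an extended rules.conf that closes the two gaps noted above: it also matches the execveat system call, which is another way to start a program, and it adds a third key for service accounts. The key name svc_acct and the 1 to 999 UID range are my choices, not the article's.

```text
# /etc/auditbeat/audit.rules.d/rules.conf (extended version, added example)
# root: everything executed with effective uid 0, via execve or execveat
-a always,exit -F arch=b64 -F euid=0 -S execve -S execveat -k root_acct
-a always,exit -F arch=b32 -F euid=0 -S execve -S execveat -k root_acct
# regular users: uid 1000 and above
-a always,exit -F arch=b64 -F euid>=1000 -S execve -S execveat -k user_acct
-a always,exit -F arch=b32 -F euid>=1000 -S execve -S execveat -k user_acct
# service accounts (uid 1-999, e.g. www-data): catches a shell spawned by a daemon
-a always,exit -F arch=b64 -F euid>=1 -F euid<=999 -S execve -S execveat -k svc_acct
-a always,exit -F arch=b32 -F euid>=1 -F euid<=999 -S execve -S execveat -k svc_acct
```

After restarting Auditbeat (systemctl restart auditbeat), confirm the rules were loaded with auditbeat show auditd-rules.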

Auditbeat setup command

Run the setup command to load the index template, the ingest node pipelines, the index lifecycle management policy and the Kibana dashboards.

auditbeat -e setup

Start the service:

systemctl start auditbeat

# to list enabled rules:
auditbeat show auditd-rules
-a never,exit -S all -F pid=23617
-a always,exit -F arch=b64 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b32 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b64 -S execve -F euid>=vagrant -F key=user_acct
-a always,exit -F arch=b32 -S execve -F euid>=vagrant -F key=user_acct

The first rule was not in rules.conf: Auditbeat adds it to exclude its own process (here pid 23617) so that it does not audit itself. Note also that UIDs are shown resolved to names (euid=root, euid>=vagrant), so uid 1000 on this host is the vagrant user.

Monitoring data

These events appear in Kibana when a user executes shell commands such as whoami, ls and lsblk.

Kibana displays the selected fields user.name, process.executable, process.args and tags.

The filters applied are user.name: root and auditd.data.syscall: execve.

The view refreshes every second.
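The same selection can be run outside Kibana, for example over Auditbeat's file output in a script. The following is an added example, not code from the article or from Auditbeat: it applies the page's two filters (auditd.data.syscall: execve and user.name: root) to a handful of constructed events shaped like Auditbeat's nested JSON, rebuilds each command line from process.args, and then runs a small watch-list over the results. The sample events, the field layout beyond the fields the page names, and the watch-list patterns are all my assumptions.

```python
import json
import re
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample events (not real captures). They imitate the nested JSON
# that Auditbeat writes to a file or the console when the execve rules fire;
# only the fields the page discusses (user.name, process.executable,
# process.args, tags, auditd.data.syscall) plus @timestamp are included.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": "2019-11-22T23:43:10.000Z", "user": {"name": "root"},
     "process": {"pid": 4101, "executable": "/usr/bin/whoami", "args": ["whoami"]},
     "auditd": {"data": {"syscall": "execve"}}, "tags": ["root_acct"]},
    {"@timestamp": "2019-11-22T23:43:12.000Z", "user": {"name": "root"},
     "process": {"pid": 4102, "executable": "/usr/bin/ls", "args": ["ls", "-la", "/root"]},
     "auditd": {"data": {"syscall": "execve"}}, "tags": ["root_acct"]},
    {"@timestamp": "2019-11-22T23:43:15.000Z", "user": {"name": "vagrant"},
     "process": {"pid": 4103, "executable": "/usr/bin/lsblk", "args": ["lsblk"]},
     "auditd": {"data": {"syscall": "execve"}}, "tags": ["user_acct"]},
    {"@timestamp": "2019-11-22T23:43:20.000Z", "user": {"name": "root"},
     "process": {"pid": 4104, "executable": "/usr/bin/bash",
                 "args": ["bash", "-c", "cat /etc/shadow > /tmp/.s"]},
     "auditd": {"data": {"syscall": "execve"}}, "tags": ["root_acct"]},
    # Not an execve record: the Kibana filter on the page excludes these too.
    {"@timestamp": "2019-11-22T23:43:21.000Z", "user": {"name": "root"},
     "process": {"pid": 4105, "executable": "/usr/bin/cat", "args": ["cat", "/etc/shadow"]},
     "auditd": {"data": {"syscall": "openat"}}, "tags": ["root_acct"]},
]


def field(event: Dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Look up a dotted ECS-style field name ("user.name") in a nested event."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def command_line(event: Dict[str, Any]) -> str:
    """Rebuild the command line from process.args (fall back to the executable)."""
    args = field(event, "process.args")
    if not args:
        return field(event, "process.executable", "") or ""
    return " ".join(args)


def select_executions(events: Iterable[Dict[str, Any]],
                      user: Optional[str] = None,
                      tag: Optional[str] = None) -> List[Dict[str, Any]]:
    """Equivalent of the Kibana query on the page:
    auditd.data.syscall: execve, optionally AND user.name: <user> AND tags: <tag>."""
    selected = []
    for ev in events:
        if field(ev, "auditd.data.syscall") != "execve":
            continue
        if user is not None and field(ev, "user.name") != user:
            continue
        if tag is not None and tag not in (ev.get("tags") or []):
            continue
        selected.append({
            "timestamp": ev.get("@timestamp"),
            "user": field(ev, "user.name"),
            "executable": field(ev, "process.executable"),
            "cmdline": command_line(ev),
        })
    return selected


# Illustrative watch-list (my choice, not from the page): a credential file and
# interactive/reverse-shell idioms that should not appear in routine admin work.
SUSPICIOUS_PATTERNS = [re.compile(p) for p in (
    r"/etc/shadow",
    r"\bbash\s+-i\b",
    r"\bnc\b.*\s-e\s",
)]


def find_suspicious(events: Iterable[Dict[str, Any]],
                    patterns=SUSPICIOUS_PATTERNS) -> List[Dict[str, str]]:
    """Run the watch-list over the reconstructed command lines of execve events."""
    hits = []
    for ex in select_executions(events):
        for pat in patterns:
            if pat.search(ex["cmdline"]):
                hits.append({"user": ex["user"], "cmdline": ex["cmdline"],
                             "pattern": pat.pattern})
                break
    return hits


def load_ndjson(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse Auditbeat's file output (one JSON object per line) into events."""
    return [json.loads(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for ex in select_executions(SAMPLE_EVENTS, user="root"):
        print(ex["timestamp"], ex["user"], ex["cmdline"])
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("SUSPICIOUS:", hit)
```

The openat record is dropped by the syscall filter exactly as it would be in Kibana, which is why the watch-list only fires on the bash -c invocation and not on the later cat of the same file.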

TTY audit

When TTY events occur on the system, the Auditbeat auditd module receives them too. Enable TTY auditing through the system-auth PAM profile. Only TTY events for root are logged in real time; events for other users are usually buffered until the session exits. TTY auditing records keystrokes, so it also captures shell built-ins such as pwd and test, which never go through execve and therefore never match the rules above.

Append the following line to /etc/pam.d/system-auth (the RHEL/CentOS profile; on Debian and Ubuntu the equivalent file is /etc/pam.d/common-session) to enable auditing for all users. By default pam_tty_audit does not record input typed while echo is off, such as passwords; leave its log_passwd option off unless you deliberately want those in the audit log.

session required pam_tty_audit.so enable=*
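As an added example (not part of the original article), the same line next to a variant restricted to root, which is the form shown in the pam_tty_audit(8) man page, and the log_passwd option that should normally stay off:

```text
# Audit every user's TTY input (what this article configures):
session required pam_tty_audit.so enable=*

# Audit only root's TTY input: the last matching pattern wins,
# so disable everyone, then enable root.
session required pam_tty_audit.so disable=* enable=root

# Do NOT add log_passwd: it also records input typed with echo off,
# i.e. passwords entered at sudo, su or ssh prompts, into the audit log.
# session required pam_tty_audit.so enable=* log_passwd
```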

Test:

$ sudo su -
Last login: Fri Nov 22 23:43:00 UTC 2019 on pts/0
$ helllloooo there colors
helllloooo: command not found
$ exit

The typed input then shows up in Kibana Discover.

Thoughts

What else can Auditbeat do:

The file_integrity module sends an event when a file on disk is created, updated or deleted.

The system module collects information about the host itself (its datasets cover the host, processes, sockets, users, packages and logins).


© 2024 shulou.com SLNews company. All rights reserved.
