By Securitynik on 2020-10-05 12:58:13
Continuing this journey where we install and configure the different components of the Elastic Stack. In the first post, we installed Elasticsearch. In the second post, we installed Kibana. In the third post, we provided basic security to Elasticsearch and Kibana. In the fourth post, we installed, configured and secured Metricbeat. In this, the fifth post, we are installing, configuring and securing Auditbeat.
Select Auditbeat from the list of log sources and follow the directions.
Below I choose to install Auditbeat from the Elastic apt repository.
root@securitynik-monitoring:~# apt-get install auditbeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  auditbeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.7 MB of archives.
After this operation, 92.4 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 auditbeat amd64 7.9.2 [26.7 MB]
Fetched 26.7 MB in 1s (19.8 MB/s)
Selecting previously unselected package auditbeat.
(Reading database ... 176029 files and directories currently installed.)
Preparing to unpack .../auditbeat_7.9.2_amd64.deb ...
Unpacking auditbeat (7.9.2) ...
Setting up auditbeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...

root@securitynik-monitoring:~# cd /etc/auditbeat/
root@securitynik-monitoring:/etc/auditbeat# cp auditbeat.yml auditbeat.yml.ORIGINAL
root@securitynik-monitoring:~# cat /etc/auditbeat/auditbeat.yml | grep --perl-regexp "^\s+host|^\s+username|^\s+password|^\s+protocol"
  host: "https://10.0.0.1:5601"
  hosts: ["https://10.0.0.1:9200"]
  protocol: "https"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"

root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/auditbeat/auditbeat.yml
root@securitynik-monitoring:~# tail --lines 8 /etc/auditbeat/auditbeat.yml

# SSL Configuration enabled by Nik
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]

root@securitynik-monitoring:~# auditbeat test config
Config OK
securitynik@securitynik-monitoring:~$ sudo auditbeat show auditd-status
[sudo] password for securitynik:
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0
backlog_wait_time 15000
features 0x7f

securitynik@securitynik-monitoring:~$ sudo auditbeat show auditd-rules
No rules
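The status fields above come straight from the kernel's audit subsystem, and a few of them are worth checking before and after Auditbeat is started: `enabled 0` means nothing is being recorded yet, `lost` counts events the kernel dropped, and `backlog_limit 64` is the kernel default queue depth. The script below is an added example (not code from the post or from Elastic) that parses that output and reports those conditions; the sample text is constructed to match the post's output, and the `min_backlog_limit` threshold is an assumption chosen for illustration.

```python
"""Health check for `auditbeat show auditd-status` output (added example)."""
from typing import Dict, List

# Constructed sample, shaped like the output shown in the post.
SAMPLE_STATUS = """\
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0
backlog_wait_time 15000
features 0x7f
"""


def parse_auditd_status(text: str) -> Dict[str, int]:
    """Turn 'name value' lines into a dict; base 0 accepts '64' as well as '0x7f'."""
    status: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        status[name] = int(value, 0)
    return status


def audit_status_findings(status: Dict[str, int], min_backlog_limit: int = 8192) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: List[str] = []
    enabled = status.get("enabled", 0)
    if enabled == 0:
        findings.append("kernel audit is not enabled: no events are recorded until a client enables it")
    elif enabled == 2:
        findings.append("kernel audit is locked (immutable): rule changes need a reboot")
    if status.get("pid", 0) != 0:
        findings.append(f"another process (pid {status['pid']}) is registered as the audit daemon")
    if status.get("lost", 0) > 0:
        findings.append(f"{status['lost']} events were lost by the kernel: raise backlog_limit")
    if status.get("backlog_limit", 0) < min_backlog_limit:
        # Assumed threshold: the kernel default of 64 is far below what a busy host needs.
        findings.append(f"backlog_limit {status.get('backlog_limit', 0)} is below {min_backlog_limit}")
    if status.get("failure", 0) == 2:
        findings.append("failure mode is 'panic': the host will crash if audit cannot log")
    return findings


if __name__ == "__main__":
    for finding in audit_status_findings(parse_auditd_status(SAMPLE_STATUS)):
        print("WARNING:", finding)
```

Run it against a saved copy of the command's output, or pipe `sudo auditbeat show auditd-status` into it, before and after enabling the service; the expected change is that `enabled` moves from 0 to 1 once Auditbeat's auditd module is running.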
securitynik@securitynik-monitoring:~$ sudo cat /etc/auditbeat/auditbeat.yml | grep "audit_rules:" --after-context=20
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    -a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
root@securitynik-monitoring:~# auditbeat test output
elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.9.2

root@securitynik-monitoring:~# auditbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
root@securitynik-monitoring:~# systemctl enable --now auditbeat.service
Synchronizing state of auditbeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable auditbeat
Created symlink /etc/systemd/system/multi-user.target.wants/auditbeat.service → /lib/systemd/system/auditbeat.service.

root@securitynik-monitoring:~# systemctl status auditbeat.service
● auditbeat.service - Audit the activities of users and processes on your system.
     Loaded: loaded (/lib/systemd/system/auditbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-08-14 13:48:43 EDT; 2s ago
       Docs: https://www.elastic.co/products/beats/auditbeat
   Main PID: 35398 (auditbeat)
      Tasks: 11 (limit: 4563)
     Memory: 22.6M
     CGroup: /system.slice/auditbeat.service
             └─35398 /usr/share/auditbeat/bin/auditbeat -environment systemd -c /etc/auditbeat/auditbeat.yml -path.home /usr/share/auditbeat -path.config /etc/auditbeat ->

root@securitynik-monitoring:~# vi /etc/metricbeat/metricbeat.yml^C
root@securitynik-monitoring:~# auditbeat show auditd-rules
-a never,exit -S all -F pid=707
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
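Notice that the loaded rules do not read exactly like the lines in `auditbeat.yml`: `-k exec` comes back as `-F key=exec`, the syscall list `accept,bind,connect` comes back as `connect,accept,bind`, and an extra `-a never,exit -S all -F pid=707` rule appears that excludes Auditbeat's own process. A plain text diff of the two therefore reports spurious differences. The script below is an added example (not code from the post or from Elastic) that parses both forms into a canonical, order-independent representation and reports which configured rules are missing from the kernel and which kernel rules were not in the config. The two sample texts are constructed from the post's own excerpts.

```python
"""Compare configured audit rules with what `auditbeat show auditd-rules` reports (added example)."""
import shlex
from typing import FrozenSet, List, Set, Tuple

Rule = FrozenSet[Tuple[str, str]]

# Constructed sample: rules as written under audit_rules in auditbeat.yml.
CONFIGURED = """
## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
"""

# Constructed sample: the normalized form the kernel reports back.
LOADED = """
-a never,exit -S all -F pid=707
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
"""


def normalize_rule(line: str) -> Rule:
    """Canonical form of one auditctl-style rule: a set of (flag, value) pairs."""
    tokens = shlex.split(line)
    pairs = set()
    for flag, value in zip(tokens[0::2], tokens[1::2]):
        if flag == "-k":
            # -k KEY is shorthand for -F key=KEY, which is how the kernel reports it.
            flag, value = "-F", f"key={value}"
        elif flag == "-S":
            # The order of syscalls in a list is not significant.
            value = ",".join(sorted(value.split(",")))
        pairs.add((flag, value))
    return frozenset(pairs)


def parse_rules(text: str) -> Set[Rule]:
    """Parse a block of rule lines, skipping blanks and '#' comments."""
    return {
        normalize_rule(line.strip())
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    }


def rule_text(rule: Rule) -> str:
    """Render a canonical rule back into a readable one-line form."""
    return " ".join(f"{flag} {value}" for flag, value in sorted(rule))


def compare_rules(configured: str, loaded: str) -> Tuple[List[Rule], List[Rule]]:
    """Return (configured rules missing from the kernel, kernel rules not in the config)."""
    want, have = parse_rules(configured), parse_rules(loaded)
    return sorted(want - have, key=sorted), sorted(have - want, key=sorted)


if __name__ == "__main__":
    missing, extra = compare_rules(CONFIGURED, LOADED)
    for rule in missing:
        print("MISSING from kernel:", rule_text(rule))
    for rule in extra:
        print("EXTRA in kernel:    ", rule_text(rule))
```

For the post's data the "missing" list is empty, and the "extra" list holds only the pid exclusion rule and the `access` rules that sit beyond the twenty lines of context shown by the grep. A non-empty "missing" list after a restart is the thing to alert on: it means a rule in the config was rejected by the kernel (a typo in a syscall name, for example), and the coverage you believe you have is not there.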
Posts in this series: