Beginning Elastic - Installing and Providing Basic Security to Auditbeat - Elastic Stack 7.9 on Ubuntu 20.04
By Securitynik on 2020-10-05 12:58:13
Continuing this journey where we install and configure the different components of Elastic Stack. In the first post, we installed Elasticsearch. In the second post we installed Kibana. In the third post we provided basic security to Elasticsearch and Kibana. In the fourth post, we installed, configured and secured Metricbeat. In this, the fifth post, we are installing, configuring and securing Auditbeat. Select Auditbeat from the list of log sources and follow the directions.
Below I choose to Install Auditbeat from the repository.
root@securitynik-monitoring:~# apt-get install auditbeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  auditbeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.7 MB of archives.
After this operation, 92.4 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 auditbeat amd64 7.9.2 [26.7 MB]
Fetched 26.7 MB in 1s (19.8 MB/s)
Selecting previously unselected package auditbeat.
(Reading database ... 176029 files and directories currently installed.)
Preparing to unpack .../auditbeat_7.9.2_amd64.deb ...
Unpacking auditbeat (7.9.2) ...
Setting up auditbeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...
Make a copy of the original "auditbeat.yml" file.
root@securitynik-monitoring:~# cd /etc/auditbeat/
root@securitynik-monitoring:/etc/auditbeat# cp auditbeat.yml auditbeat.yml.ORIGINAL
Make the necessary configuration changes.
root@securitynik-monitoring:~# cat /etc/auditbeat/auditbeat.yml | grep --perl-regexp "^\s+host|^\s+username|^\s+password|^\s+protocol"
  host: "https://10.0.0.1:5601"
  hosts: ["https://10.0.0.1:9200"]
  protocol: "https"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"
Using a shortcut, let's take the last 8 lines of the "metricbeat.yml" file (the SSL settings added in the previous post) and append them to the "auditbeat.yml" file.
root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/auditbeat/auditbeat.yml

root@securitynik-monitoring:~#  tail --lines 8 /etc/auditbeat/auditbeat.yml
# SSL Configuration enabled by Nik
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]

setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]
Before loading up, we test that all is well with the configuration.
root@securitynik-monitoring:~# auditbeat test config
Config OK
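"Config OK" only means the YAML parsed; it does not tell you whether the TLS settings appended above actually point at a CA bundle that exists or whether verification has been switched off somewhere. Below is an added shell example (my own, not from the original post or the Beats project) that reads the flat TLS keys in the same shape the post appends and checks them the way a reviewer would: every Elasticsearch host is https://, each listed CA bundle is readable, `ssl.verification_mode` is not `none`, both `ssl.enabled` keys are true, and a clear-text `password:` draws a warning. It exercises itself on two constructed config files written to a temp directory, where the CA file is an empty placeholder; the `ES_PWD` keystore name in the warning is illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the flat
# TLS settings of a Beat config before/after "auditbeat test config".
# Only top-level "key: value" lines are inspected (the form the post appends).

# Print the value of a top-level flat key; return 1 when the key is absent.
yml_flat_value() {
    file=$1; key=$2
    val=$(grep -E "^${key}:" "$file" | head -n 1 | sed -E 's/^[^:]+:[[:space:]]*//')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Check one config file. Prints FAIL/WARN findings; returns 0 only if every
# hard check passes (WARN lines do not change the return code).
check_beat_tls() {
    cfg=$1; rc=0

    # 1. Every Elasticsearch output host must be https://
    hosts=$(yml_flat_value "$cfg" output.elasticsearch.hosts) || { echo "FAIL: output.elasticsearch.hosts not set"; rc=1; }
    if printf '%s' "$hosts" | grep -q 'http://'; then
        echo "FAIL: plaintext http:// host in output.elasticsearch.hosts"; rc=1
    fi

    # 2. TLS must be enabled for both the Elasticsearch output and the Kibana setup
    for key in ssl.enabled setup.kibana.ssl.enabled; do
        v=$(yml_flat_value "$cfg" "$key") || v=""
        [ "$v" = "true" ] || { echo "FAIL: $key is not true (got '${v:-unset}')"; rc=1; }
    done

    # 3. A CA bundle must be listed for both, and every listed file must be readable
    for key in output.elasticsearch.ssl.certificate_authorities setup.kibana.ssl.certificate_authorities; do
        cas=$(yml_flat_value "$cfg" "$key") || { echo "FAIL: $key not set"; rc=1; continue; }
        # turn ["/a.pem", "/b.pem"] into whitespace-separated paths (paths with spaces unsupported)
        for ca in $(printf '%s' "$cas" | sed 's/[][",]/ /g'); do
            [ -r "$ca" ] || { echo "FAIL: CA file $ca (from $key) is not readable"; rc=1; }
        done
    done

    # 4. Chain verification must not be disabled anywhere in the file
    if grep -qE '^[[:space:]]*[A-Za-z._]*verification_mode:[[:space:]]*"?none' "$cfg"; then
        echo "FAIL: ssl.verification_mode is none (server certificate not verified)"; rc=1
    fi

    # 5. Warn when the password is literal text rather than a ${VAR} reference
    #    (Beats can resolve such references from its keystore; ES_PWD is an example name)
    if grep -qE '^[[:space:]]*(output\.elasticsearch\.)?password:[[:space:]]*"?[^"$[:space:]]' "$cfg"; then
        echo "WARN: clear-text password in $cfg; consider 'auditbeat keystore add ES_PWD' and password: \"\${ES_PWD}\""
    fi
    return $rc
}

# Write two constructed configs (good and bad) into a temp dir and print its path.
make_demo_configs() {
    d=$(mktemp -d)
    : > "$d/demo-CA.pem"      # empty placeholder standing in for a real CA bundle
    cat > "$d/good.yml" <<EOF
# constructed: same shape as the SSL block appended in the post
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["$d/demo-CA.pem"]
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["$d/demo-CA.pem"]
EOF
    cat > "$d/bad.yml" <<EOF
# constructed: plaintext host, missing CA file, verification off, no Kibana CA
ssl.enabled: true
output.elasticsearch.hosts: ["http://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["$d/missing-CA.pem"]
output.elasticsearch.ssl.verification_mode: none
setup.kibana.ssl.enabled: true
  password: "constructed-demo-secret"
EOF
    printf '%s\n' "$d"
}

# Demonstration on the constructed files (point check_beat_tls at
# /etc/auditbeat/auditbeat.yml to run it for real).
demo_dir=$(make_demo_configs)
echo "--- good.yml"; check_beat_tls "$demo_dir/good.yml" && echo "PASS"
echo "--- bad.yml";  check_beat_tls "$demo_dir/bad.yml"  || echo "config rejected (expected)"
rm -rf "$demo_dir"
```

Run it before `auditbeat setup`, since setup talks to Kibana over the same settings; a FAIL on the CA path usually means the file was copied from /etc/kibana but the auditbeat user cannot read it.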
Looking at "auditd-status"
securitynik@securitynik-monitoring:~$ sudo auditbeat show auditd-status
[sudo] password for securitynik:

enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0
backlog_wait_time 15000
features 0x7f
Looking at "auditd-rules", we see no rules defined.
securitynik@securitynik-monitoring:~$ sudo auditbeat show auditd-rules
No rules
Guess we should ensure a few rules are defined, so that we have something to monitor. For simplicity's sake, let's use the example rules shipped in the "auditbeat.yml" file. To do this, I uncommented the rules, as they are commented out by default. Below represents those changes.
securitynik@securitynik-monitoring:~$ sudo cat /etc/auditbeat/auditbeat.yml | grep "audit_rules:" --after-context=20
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    -a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
With the above now configured, let's verify that we can connect to Elastic.
root@securitynik-monitoring:~# auditbeat test output
elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.9.2
Next up, load the index template and appropriate dashboards, etc.
root@securitynik-monitoring:~# auditbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Enable and start Auditbeat.
root@securitynik-monitoring:~# systemctl enable --now auditbeat.service
Synchronizing state of auditbeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable auditbeat
Created symlink /etc/systemd/system/multi-user.target.wants/auditbeat.service → /lib/systemd/system/auditbeat.service.

root@securitynik-monitoring:~# systemctl status auditbeat.service
● auditbeat.service - Audit the activities of users and processes on your system.
     Loaded: loaded (/lib/systemd/system/auditbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-08-14 13:48:43 EDT; 2s ago
       Docs: https://www.elastic.co/products/beats/auditbeat
   Main PID: 35398 (auditbeat)
      Tasks: 11 (limit: 4563)
     Memory: 22.6M
     CGroup: /system.slice/auditbeat.service
             └─35398 /usr/share/auditbeat/bin/auditbeat -environment systemd -c /etc/auditbeat/auditbeat.yml -path.home /usr/share/auditbeat -path.config /etc/auditbeat ->
Verifying that data is coming into Elastic.
We also verify that the rules are now loaded.
root@securitynik-monitoring:~# auditbeat show auditd-rules
-a never,exit -S all -F pid=707
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
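To tie the rules uncommented in auditbeat.yml above to what the kernel reports as loaded, here is an added shell example (my own, not the project's code) that pulls the `-k` / `-F key=` names out of the `audit_rules: |` block of a config and out of `auditbeat show auditd-rules` output, then reports any configured key that is missing from the loaded set. The config fragment and rule listing embedded below are constructed to mirror the post; for real use, feed it /etc/auditbeat/auditbeat.yml and the actual command output.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that every audit
# rule key defined in auditbeat.yml is present in the rules the kernel loaded.

# Constructed sample of "auditbeat show auditd-rules" output (mirrors the post).
SAMPLE_RULES='-a never,exit -S all -F pid=707
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access'

# Constructed fragment of an auditbeat.yml auditd module section.
SAMPLE_CONFIG='  audit_rules: |
    ## Executions.
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
  - module: file_integrity'

# Read rule lines on stdin; print each "-k NAME" or "-F key=NAME" value once, sorted.
# Rules without a key (such as the pid exclusion auditbeat adds for itself) are skipped.
loaded_keys() {
    grep -v '^#' | sed -nE 's/.*(-k[[:space:]]+|-F[[:space:]]+key=)([^[:space:]]+).*/\2/p' | sort -u
}

# Read an auditbeat.yml on stdin; isolate the "audit_rules: |" block by indentation,
# keep only -a/-A/-w rule lines (dropping "##" comments) and extract their keys.
config_rule_keys() {
    awk '
        /^[ \t]*audit_rules:[ \t]*\|/ { match($0, /[^ \t]/); base = RSTART; inblock = 1; next }
        inblock && NF > 0 { match($0, /[^ \t]/); if (RSTART <= base) inblock = 0 }
        inblock && /^[ \t]*-[aAw][ \t]/ { print }
    ' | loaded_keys
}

# $1 = configured keys, $2 = loaded keys (both whitespace/newline separated).
# Prints OK/MISSING per configured key; returns 1 if any is missing.
compare_rule_keys() {
    cfg_keys=$1; loaded=$2; rc=0
    for k in $cfg_keys; do
        if printf '%s\n' "$loaded" | grep -qx -- "$k"; then
            echo "OK      key=$k"
        else
            echo "MISSING key=$k"; rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed samples. For a live host replace the two
# printf pipelines with:  config_rule_keys < /etc/auditbeat/auditbeat.yml
# and:                    auditbeat show auditd-rules | loaded_keys
cfg=$(printf '%s\n' "$SAMPLE_CONFIG" | config_rule_keys)
ld=$(printf '%s\n' "$SAMPLE_RULES" | loaded_keys)
compare_rule_keys "$cfg" "$ld" && echo "all configured keys are loaded"
```

A MISSING line after a restart usually means auditd itself still owns the audit socket or the rule was rejected by the kernel; `auditbeat show auditd-status` (the `enabled` and `pid` fields) is the first place to look.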
Looking at some actual data now in Elastic
Ok. Let's move on to install, configure and secure Filebeat.
Posts in this series:
References:
https://www.elastic.co/downloads/beats/auditbeat
https://www.elastic.co/guide/en/beats/auditbeat/7.9/setup-repositories.html#_apt
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html
https://logz.io/blog/linux-auditbeat-elk/