Skip to content

Commit

Permalink
Add Auditbeat dashboards (overview, sockets, execs) (#5516)
Browse files Browse the repository at this point in the history
* Add Auditbeat dashboards (overview, sockets, execs)

Add dashboards to view events generated by the Linux audit framework. This PR adds three dashboards:

- Overview - A general dashboard showing a summary of all events.
- Executions - A dashboard showing process executions (`execve` and `execveat`) syscalls.
- Sockets - A dashboard showing information related sockets and remote connectivity (e.g. `bind`, `connect`, `accept`, `recvfrom`).

* Provide example rules to support the dashboards
  • Loading branch information
andrewkroh authored and tsg committed Nov 6, 2017
1 parent a9c1933 commit 1ec7437
Show file tree
Hide file tree
Showing 12 changed files with 460 additions and 13 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
*Auditbeat*

- Add support for SHA3 hash algorithms to the file integrity module. {issue}5345[5345]
- Add dashboards for Linux audit framework events (overview, executions, sockets). {pull}5516[5516]

*Filebeat*

Expand Down
26 changes: 23 additions & 3 deletions auditbeat/auditbeat.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,30 @@ auditbeat.modules:
kernel.include_raw_message: false
kernel.include_warnings: false
kernel.audit_rules: |
# Define audit rules here.
# Create file watches (-w) or syscall audits (-a or -A). For example:
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
# The file integrity metricset sends events when files are changed (created,
# updated, deleted). The events contain file metadata and hashes.
Expand Down
26 changes: 23 additions & 3 deletions auditbeat/auditbeat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,30 @@ auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
# Define audit rules here.
# Create file watches (-w) or syscall audits (-a or -A). For example:
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
26 changes: 23 additions & 3 deletions auditbeat/docs/modules/audit.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,30 @@ auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
# Define audit rules here.
# Create file watches (-w) or syscall audits (-a or -A). For example:
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
Expand Down
26 changes: 23 additions & 3 deletions auditbeat/module/audit/_meta/config.yml.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,30 @@
kernel.include_warnings: false
{{ end -}}
kernel.audit_rules: |
# Define audit rules here.
# Create file watches (-w) or syscall audits (-a or -A). For example:
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.

## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi

## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec

## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access

## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
#-w /etc/gshadow -p wa -k identity

## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

{{ end -}}

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Error Codes [Auditbeat Kernel Executions]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Error Codes [Auditbeat Kernel Executions]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.exit\",\"exclude\":\"0\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "20a8e8d0-c1c8-11e7-8995-936807a28b16",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"title": "Primary Username Tag Cloud [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Primary Username Tag Cloud [Auditbeat Kernel]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.actor.primary\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "f81a6de0-c1c1-11e7-8995-936807a28b16",
"type": "visualization",
"version": 2
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"savedSearchId": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"title": "Exe Name Tag Cloud [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Exe Name Tag Cloud [Auditbeat Kernel]\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":45},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.data.exe\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"
},
"id": "2efac370-c1ca-11e7-8995-936807a28b16",
"type": "visualization",
"version": 1
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.data.cmdline",
"audit.kernel.actor.primary",
"audit.kernel.actor.secondary",
"audit.kernel.data.exe"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"metricset.name\",\"negate\":false,\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"kernel\"},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"auditbeat-*\",\"key\":\"audit.kernel.action\",\"negate\":false,\"params\":{\"query\":\"executed\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"executed\"},\"query\":{\"match\":{\"audit.kernel.action\":{\"query\":\"executed\",\"type\":\"phrase\"}}}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Process Executions [Auditbeat Kernel]",
"version": 1
},
"id": "d382f5b0-c1c6-11e7-8995-936807a28b16",
"type": "search",
"version": 3
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false}",
"panelsJSON": "[{\"col\":5,\"id\":\"20a8e8d0-c1c8-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":9,\"id\":\"f81a6de0-c1c1-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"id\":\"2efac370-c1ca-11e7-8995-936807a28b16\",\"panelIndex\":5,\"row\":1,\"size_x\":4,\"size_y\":3,\"type\":\"visualization\"},{\"size_x\":12,\"size_y\":5,\"panelIndex\":6,\"type\":\"search\",\"id\":\"d382f5b0-c1c6-11e7-8995-936807a28b16\",\"col\":1,\"row\":4,\"columns\":[\"beat.hostname\",\"audit.kernel.data.cmdline\",\"audit.kernel.actor.primary\",\"audit.kernel.actor.secondary\",\"audit.kernel.data.exe\"],\"sort\":[\"@timestamp\",\"desc\"]}]",
"timeRestore": false,
"title": "[Auditbeat Kernel] Executions",
"uiStateJSON": "{}",
"version": 1
},
"id": "7de391b0-c1ca-11e7-8995-936807a28b16",
"type": "dashboard",
"version": 3
}
],
"version": "6.0.0-rc2"
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Event Actions [Auditbeat Kernel Overview]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Event Actions [Auditbeat Kernel Overview]\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"terms\",\"metrics\":[{\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"terms_field\":\"audit.kernel.action\",\"label\":\"Actions\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"auditbeat-*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"filter\":\"metricset.name:kernel\",\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"legend_position\":\"left\"},\"aggs\":[]}"
},
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"type": "visualization",
"version": 3
},
{
"attributes": {
"columns": [
"beat.hostname",
"audit.kernel.actor.primary",
"audit.kernel.actor.secondary",
"audit.kernel.action",
"audit.kernel.thing.what",
"audit.kernel.thing.primary",
"audit.kernel.thing.secondary",
"audit.kernel.how",
"audit.kernel.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"auditbeat-*\",\"type\":\"phrase\",\"key\":\"metricset.name\",\"value\":\"kernel\",\"params\":{\"query\":\"kernel\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null},\"query\":{\"match\":{\"metricset.name\":{\"query\":\"kernel\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Audit Event Table [Auditbeat Kernel]",
"version": 1
},
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"type": "search",
"version": 3
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"auditbeat-*\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
},
"title": "Event Categories [Auditbeat Kernel]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Event Categories [Auditbeat Kernel]\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.category\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"audit.kernel.action\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"
},
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"type": "visualization",
"version": 1
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
},
"optionsJSON": "{\"darkTheme\":false}",
"panelsJSON": "[{\"col\":1,\"id\":\"97680df0-c1c0-11e7-8995-936807a28b16\",\"panelIndex\":1,\"row\":1,\"size_x\":7,\"size_y\":3,\"type\":\"visualization\"},{\"col\":1,\"columns\":[\"beat.hostname\",\"audit.kernel.actor.primary\",\"audit.kernel.actor.secondary\",\"audit.kernel.action\",\"audit.kernel.thing.what\",\"audit.kernel.thing.primary\",\"audit.kernel.thing.secondary\",\"audit.kernel.how\",\"audit.kernel.result\"],\"id\":\"0f10c430-c1c3-11e7-8995-936807a28b16\",\"panelIndex\":3,\"row\":4,\"size_x\":12,\"size_y\":4,\"sort\":[\"@timestamp\",\"desc\"],\"type\":\"search\"},{\"size_x\":5,\"size_y\":3,\"panelIndex\":4,\"type\":\"visualization\",\"id\":\"08679220-c25a-11e7-8692-232bd1143e8a\",\"col\":8,\"row\":1}]",
"timeRestore": false,
"title": "[Auditbeat Kernel] Overview",
"uiStateJSON": "{}",
"version": 1
},
"id": "c0ac2c00-c1c0-11e7-8995-936807a28b16",
"type": "dashboard",
"version": 7
}
],
"version": "6.0.0-rc2"
}
Loading

0 comments on commit 1ec7437

Please sign in to comment.