Provide example rules to support the dashboards

auditbeat/auditbeat.reference.yml

@@ -40,10 +40,30 @@ auditbeat.modules:
   kernel.include_raw_message: false
   kernel.include_warnings: false
   kernel.audit_rules: |
-    # Define audit rules here.
-    # Create file watches (-w) or syscall audits (-a or -A). For example:
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access.
+    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
     #-w /etc/passwd -p wa -k identity
-    #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
 # The file integrity metricset sends events when files are changed (created,
 # updated, deleted). The events contain file metadata and hashes.

auditbeat/auditbeat.yml

@@ -13,10 +13,30 @@ auditbeat.modules:
 - module: audit
   metricsets: [kernel]
   kernel.audit_rules: |
-    # Define audit rules here.
-    # Create file watches (-w) or syscall audits (-a or -A). For example:
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access.
+    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
     #-w /etc/passwd -p wa -k identity
-    #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
 - module: audit
   metricsets: [file]

auditbeat/docs/modules/audit.asciidoc

@@ -24,10 +24,30 @@ auditbeat.modules:
 - module: audit
   metricsets: [kernel]
   kernel.audit_rules: |
-    # Define audit rules here.
-    # Create file watches (-w) or syscall audits (-a or -A). For example:
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access.
+    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
     #-w /etc/passwd -p wa -k identity
-    #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
 - module: audit
   metricsets: [file]

auditbeat/module/audit/_meta/config.yml.tpl

@@ -14,10 +14,30 @@
   kernel.include_warnings: false
   {{ end -}}
   kernel.audit_rules: |
-    # Define audit rules here.
-    # Create file watches (-w) or syscall audits (-a or -A). For example:
+    ## Define audit rules here.
+    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+    ## examples or add your own rules.
+
+    ## If you are on a 64 bit platform, everything should be running
+    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+    ## because this might be a sign of someone exploiting a hole in the 32
+    ## bit API.
+    #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+    ## Executions.
+    #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+    ## External access.
+    #-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
+
+    ## Identity changes.
+    #-w /etc/group -p wa -k identity
     #-w /etc/passwd -p wa -k identity
-    #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+    #-w /etc/gshadow -p wa -k identity
+
+    ## Unauthorized access attempts.
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
 {{ end -}}