Add Auditbeat dashboards (overview, sockets, execs) #5516

Merged (2 commits), Nov 6, 2017

Conversation

@andrewkroh andrewkroh commented Nov 5, 2017

Add dashboards to view events generated by the Linux audit framework. This PR adds three dashboards:

- Overview - A general dashboard showing a summary of all events.
- Executions - A dashboard showing process execution (`execve` and `execveat`) syscalls.
- Sockets - A dashboard showing information related to sockets and remote connectivity (e.g. `bind`, `connect`, `accept`, `recvfrom`).
@andrewkroh andrewkroh force-pushed the feature/auditbeat-kernel-dashboards branch from 9ed4e00 to 98cb495 Compare November 5, 2017 20:31
@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Nov 5, 2017
@ruflin ruflin (Contributor) left a comment

LGTM. What happens if someone does only specify a subset of the rules for the dashboard? I assume some of the graphs will just show "no data"?

@andrewkroh (Member Author)

Without adding the proper rules the execution and socket dashboards will show no data. The overview dashboard will likely contain some events because even with no audit rules installed there are some events generated.

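The exchange above asks what a partial rule set does to the dashboards. As an added example (not code from the PR or from the Auditbeat project), the script below parses an audit rules file in the `-a always,exit -F arch=... -S ... -F key=...` form used in this PR and reports, per dashboard, which of the syscalls named in the PR description no active rule audits. Commented-out rules (`#-a ...`) are treated as disabled, `-S all` as covering everything, and rules without an `arch=` filter as applying to every ABI. The rules text embedded in `SAMPLE_RULES` is constructed for this example: execution rules enabled for both ABIs, the socket rule left commented out.

```python
"""Report which syscalls an audit rules file leaves uncovered for each
Auditbeat dashboard. Added example; not Auditbeat's own code."""

# Syscalls each dashboard is built on (taken from the PR description).
DASHBOARD_SYSCALLS = {
    "Executions": {"execve", "execveat"},
    "Sockets": {"bind", "connect", "accept", "recvfrom"},
}

# Constructed sample rules file (hypothetical content for this example):
# execution rules are enabled for both ABIs, the socket rule is commented
# out, and the catch-all 32-bit rule is left disabled.
SAMPLE_RULES = """\
## Process executions (x86_64 host, both ABIs)
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b32 -S execve,execveat -F key=exec

## Socket activity (disabled in this sample)
#-a always,exit -F arch=b64 -S bind,connect,accept,recvfrom -F key=net

## Any 32-bit syscall on a 64-bit host (disabled)
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
"""


def parse_rules(text):
    """Return {arch: set(syscalls)} for the active syscall rules in text.

    Lines starting with '#' are comments, so '#-a ...' is a disabled rule.
    Only '-a' rules are considered; '-w' file watches name no syscalls.
    '-S' may appear several times or carry a comma list; 'all' is kept
    literally so callers can treat it as covering every syscall. Rules
    with no '-F arch=' filter are stored under the key None.
    """
    covered = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] != "-a":
            continue
        arch = None
        syscalls = set()
        for i in range(len(tokens) - 1):
            flag, value = tokens[i], tokens[i + 1]
            if flag == "-F" and value.startswith("arch="):
                arch = value[len("arch="):]
            elif flag == "-S":
                syscalls.update(s for s in value.split(",") if s)
        if syscalls:
            covered.setdefault(arch, set()).update(syscalls)
    return covered


def dashboard_coverage(text, arch="b64"):
    """Map each dashboard to the sorted list of required syscalls that no
    active rule audits for the given arch (empty list: fully covered).
    Rules without an arch filter count for every arch."""
    parsed = parse_rules(text)
    covered = parsed.get(arch, set()) | parsed.get(None, set())
    report = {}
    for name, needed in DASHBOARD_SYSCALLS.items():
        missing = set() if "all" in covered else needed - covered
        report[name] = sorted(missing)
    return report


if __name__ == "__main__":
    # Check both ABIs: a 64-bit host still runs 32-bit binaries through b32.
    for abi in ("b64", "b32"):
        for name, missing in dashboard_coverage(SAMPLE_RULES, abi).items():
            state = "covered" if not missing else "no data (missing: %s)" % ", ".join(missing)
            print("%s %-10s %s" % (abi, name, state))
```

Run it against `/etc/audit/rules.d/*.rules` (or the output of `auditctl -l`, which prints the loaded rules in the same syntax) to see which dashboard will sit at "no data" before blaming the dashboard itself; checking `b32` separately matters because a rule filtered to `arch=b64` does not see syscalls made by 32-bit binaries.
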
@andrewkroh (Member Author)

Should this be back-ported to 6.0 or is it too late?

## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
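Review bot: the rule on the last line is commented out (`#-a always,exit -F arch=b32 -S all -F key=32bit-abi`), yet the description above it says "This rule will detect any use of the 32 bit syscalls" as though it were active; add a sentence to the comment stating that the rule ships disabled and why, because `-S all` with `arch=b32` on a 64-bit host audits every 32-bit syscall and is noisy wherever 32-bit binaries legitimately run, so it should be enabled (or narrowed from `-S all` to specific syscalls) only after confirming the host has none.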
Contributor
Awesome that we've got these.

@andrewkroh (Member Author)

Will add the 5.x conversions in a separate PR.

@tsg tsg merged commit 1ec7437 into elastic:master Nov 6, 2017
@andrewkroh andrewkroh removed the needs_backport PR is waiting to be backported to other branches. label Nov 28, 2017
@andrewkroh andrewkroh deleted the feature/auditbeat-kernel-dashboards branch January 17, 2018 16:45