Auditbeat configuration to use the "Modification of OpenSSH binaries" detection rule


I am trying to use this detection rule that relies on AuditBeat events: Modification of OpenSSH Binaries | Elastic Security Solution [7.15] | Elastic

I set up AuditBeat 7.14.2 with the following configuration:

# ---------------------------- Auditd Configuration ----------------------------
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  resolve_ids: true
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: true
  include_warnings: false
  backpressure_strategy: auto
  audit_rules: |
    ## Execution monitoring
    -a always,exit -F arch=b32 -S all -F key=32bit-abi # Track 32-bit API calls on a 64-bit system
    -a always,exit -F arch=b64 -S execve,execveat -k exec # Track executions

    ## Possible security breaches
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access # External access
    -w /etc/group -p wa -k identity # Group change
    -w /etc/passwd -p wa -k identity # Identity change
    -w /etc/gshadow -p wa -k identity # Identity change
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access # Unauthorized access attempt
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access # Unauthorized access attempt

# ---------------------------- File Integrity Configuration ----------------------------
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

# ================================= Processors =================================
processors:
  - add_host_metadata: ~
  - add_process_metadata:
      match_pids: [system.process.ppid]
      target: system.process.parent

When I make modifications to the /usr/sbin/sshd file, events are correctly generated, but they do not contain any of the process.* fields that the detection rule relies on.

Does anyone know which AuditBeat configuration needs to be used for this detection rule to work?



So I found the solution: we need to set up specific auditd rules like the ones below for this detection rule to work correctly:

-w /usr/sbin/sshd -p wa -k openssh_modification
-w /usr/bin/ssh -p wa -k openssh_modification
-w /usr/bin/sftp -p wa -k openssh_modification
-w /usr/bin/scp -p wa -k openssh_modification

I believe this should be part of the documentation of the detection rule, do you agree?
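To check that a rules file actually carries these watches before it is shipped to hosts, here is an added example (not from this thread and not Elastic's code) that parses auditd `-w` watch lines and reports which OpenSSH binaries lack a watch covering both writes and attribute changes; the binary paths and the key name are taken from the rules above, and the helper names are my own.

```python
"""Check whether an auditd rules file watches the OpenSSH binaries (added example)."""
import re

# Binaries watched by the rules posted in the answer above.
OPENSSH_BINARIES = ("/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sftp", "/usr/bin/scp")

# Matches "-w <path> -p <perms> [-k <key>]"; a "-F key=" form is not handled here.
WATCH_RE = re.compile(
    r"^-w\s+(?P<path>\S+)\s+-p\s+(?P<perms>[rwxa]+)(?:\s+-k\s+(?P<key>\S+))?"
)


def parse_watch_rules(text):
    """Return a list of {'path', 'perms', 'key'} dicts, one per '-w' rule.

    Blank lines, full-line comments and trailing '# ...' comments are ignored;
    syscall rules ('-a ...') are skipped because they are not path watches.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = WATCH_RE.match(line)
        if m:
            rules.append({"path": m["path"], "perms": set(m["perms"]), "key": m["key"]})
    return rules


def missing_coverage(text, binaries=OPENSSH_BINARIES, required=("w", "a")):
    """Return the binaries that have no watch recording both writes and attribute changes."""
    rules = parse_watch_rules(text)
    missing = []
    for path in binaries:
        covered = any(r["path"] == path and set(required) <= r["perms"] for r in rules)
        if not covered:
            missing.append(path)
    return missing


def generate_watch_rules(binaries=OPENSSH_BINARIES, key="openssh_modification"):
    """Render the '-w <path> -p wa -k <key>' lines for the given binaries."""
    return "\n".join(f"-w {path} -p wa -k {key}" for path in binaries)


if __name__ == "__main__":
    # Constructed sample: the identity watches from the question, without any OpenSSH watch.
    sample = "-w /etc/passwd -p wa -k identity # Identity change\n-w /etc/group -p wa -k identity\n"
    print("missing:", missing_coverage(sample))
    print(generate_watch_rules())
```

Feed it the contents of the `audit_rules` block or of a file under `audit.rules.d/` and an empty result means every OpenSSH binary has a write/attribute watch.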


