Auditbeat configuration to use the "Modification of OpenSSH binaries" detection rule


I am trying to use this detection rule, which relies on Auditbeat events: Modification of OpenSSH Binaries | Elastic Security Solution [7.15] | Elastic

I set up Auditbeat 7.14.2 with the following configuration:

auditbeat.modules:

# ---------------------------- Auditd Configuration ----------------------------
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  resolve_ids: true
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: true
  include_warnings: false
  backpressure_strategy: auto
  audit_rules: |
    ## Execution monitoring
    ## Track 32-bit ABI syscalls on a 64-bit system
    -a always,exit -F arch=b32 -S all -F key=32bit-abi
    ## Track executions
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## Possible security breaches
    ## External access
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
    ## Group and identity changes
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    ## Unauthorized access attempts
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

# ---------------------------- File Integrity Configuration ----------------------------
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

# ================================= Processors =================================
processors:
  - add_host_metadata: ~
  - add_process_metadata:
      match_pids: [system.process.ppid]
      target: system.process.parent

When I make some modifications to the /usr/sbin/sshd file, events are correctly generated, but they do not contain any of the process.* fields that the detection rule relies on.

Does anyone know which Auditbeat configuration needs to be used for this detection rule to work?



So I found the solution: we need to set up specific auditd rules like the ones below for this detection rule to work correctly:

-w /usr/sbin/sshd -p wa -k openssh_modification
-w /usr/bin/ssh -p wa -k openssh_modification
-w /usr/bin/sftp -p wa -k openssh_modification
-w /usr/bin/scp -p wa -k openssh_modification

I believe this should be part of the documentation of the detection rule. Do you agree?
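Editor's note on why the two setups behave differently, with an added example (this is not Elastic's rule code and not Auditbeat output captured from a real host). The file_integrity module learns about a change from inotify, which carries no information about the writing process, so its events have no process.* fields and a rule that requires process.name can never match them. A `-w <path> -p wa` auditd watch instead produces SYSCALL and PATH records for the write, and Auditbeat maps those to process.pid, process.name and process.executable (plus user.*), which is what the rule needs. The script below applies a simplified reading of the rule (file change on one of the four OpenSSH paths, attributed to a process) to four constructed events. The package-manager exclusion list is my assumption, added because routine upgrades would otherwise fire the rule; it is not copied from Elastic's rule.

```python
"""Toy re-implementation of the "Modification of OpenSSH binaries" detection
logic, run over constructed Auditbeat-style events. Added example; not
Elastic's rule code and not real Auditbeat output."""

from typing import Any, Optional

# Paths watched by the auditd rules given in the answer above.
OPENSSH_BINARIES = {"/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sftp", "/usr/bin/scp"}

# Assumption: processes allowed to replace these files legitimately. The real
# rule has its own exclusion list; this one is illustrative only.
PACKAGE_MANAGERS = {"dpkg", "yum", "dnf", "dnf-automatic"}


def field(event: dict, dotted: str) -> Optional[Any]:
    """Look up an ECS dotted field name ("process.name") in a nested event dict."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def as_list(value: Any) -> list:
    """ECS allows event.category / event.type to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate(event: dict) -> tuple:
    """Return (matched, reason). A reason is given for every non-match so the
    missing-field case from the question is visible, not silently dropped."""
    if "file" not in as_list(field(event, "event.category")):
        return False, "event.category is not 'file'"
    if "change" not in as_list(field(event, "event.type")):
        return False, "event.type is not 'change'"
    if field(event, "file.path") not in OPENSSH_BINARIES:
        return False, "file.path is not an OpenSSH binary"
    proc = field(event, "process.name")
    if not proc:
        # This is what the file_integrity module produces: it reports the
        # change but cannot tell which process made it, so process.* is absent.
        return False, "process.name is missing (no actor attribution)"
    if proc in PACKAGE_MANAGERS:
        return False, f"process.name {proc!r} is an allowed package manager"
    return True, f"{proc} (pid {field(event, 'process.pid')}) modified {field(event, 'file.path')}"


# Constructed sample events, shaped after Auditbeat's ECS output.
SAMPLE_EVENTS = [
    {   # file_integrity module: right file, right category, but no process.*
        "event": {"module": "file_integrity", "category": ["file"], "type": ["change"], "action": ["updated"]},
        "file": {"path": "/usr/sbin/sshd", "hash": {"sha256": "0" * 64}},
    },
    {   # auditd module, -w /usr/sbin/sshd -p wa: the watch carries the actor
        "event": {"module": "auditd", "category": ["file"], "type": ["change"], "action": "opened-file"},
        "auditd": {"result": "success", "data": {"syscall": "openat"}},
        "file": {"path": "/usr/sbin/sshd"},
        "process": {"pid": 4242, "name": "vim", "executable": "/usr/bin/vim"},
        "user": {"id": "0", "name": "root"},
        "tags": ["openssh_modification"],
    },
    {   # same path written by the package manager during an upgrade
        "event": {"module": "auditd", "category": ["file"], "type": ["change"], "action": "opened-file"},
        "file": {"path": "/usr/sbin/sshd"},
        "process": {"pid": 1337, "name": "dpkg", "executable": "/usr/bin/dpkg"},
        "tags": ["openssh_modification"],
    },
    {   # a watched identity file, not an OpenSSH binary
        "event": {"module": "auditd", "category": ["file"], "type": ["change"], "action": "opened-file"},
        "file": {"path": "/etc/passwd"},
        "process": {"pid": 99, "name": "vipw", "executable": "/usr/sbin/vipw"},
        "tags": ["identity"],
    },
]


def run(events: list = SAMPLE_EVENTS) -> list:
    """Evaluate each event; returns [(event.module, matched, reason), ...]."""
    return [(field(e, "event.module"), *evaluate(e)) for e in events]


if __name__ == "__main__":
    for module, matched, reason in run():
        print(f"{'ALERT' if matched else 'skip '}  {module:15s} {reason}")
```

Running it shows the file_integrity event skipped for lack of process.name while the auditd event for the same path alerts with the editor's pid and name, which is exactly the difference between the original configuration and the one with the `-w ... -k openssh_modification` watches. Keeping the file_integrity module alongside the watches is still worthwhile: it records the new hash of the binary, which the audit record does not.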

