Hello,
I am trying to use this detection rule that relies on AuditBeat events: Modification of OpenSSH Binaries | Elastic Security Solution [7.15] | Elastic
I set up AuditBeat 7.14.2 with the following configuration:
```yaml
auditbeat.modules:
# ---------------------------- Auditd Configuration ----------------------------
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  resolve_ids: true
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: true
  include_warnings: false
  backpressure_strategy: auto
  audit_rules: |
    ## Execution monitoring
    -a always,exit -F arch=b32 -S all -F key=32bit-abi # Track 32 bit API call on 64 bit system
    -a always,exit -F arch=b64 -S execve,execveat -k exec # Track executions
    ## Possible security breaches
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access # External access
    -w /etc/group -p wa -k identity # Group change
    -w /etc/passwd -p wa -k identity # Identity change
    -w /etc/gshadow -p wa -k identity # Identity change
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access # Unauthorized access attempt
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access # Unauthorized access attempt
# ---------------------------- File Integrity Configuration ----------------------------
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
# ================================= Processors =================================
processors:
- add_host_metadata: ~
- add_process_metadata:
    match_pids: [system.process.ppid]
    target: system.process.parent
```
When I make some modifications to the `/usr/sbin/sshd` file, events are correctly generated but do not contain any of the `process.*` fields that the detection rule relies on.
Does anyone know which AuditBeat configuration needs to be used for this detection rule to work?
Thanks,
Tonio
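A triage check for the situation described in the post, added here as an example and not part of the original post or of Auditbeat: it reads Auditbeat JSON events and reports, per module, which of the fields a rule needs are absent. The two events are constructed, not real captures, and the `REQUIRED_FIELDS` list is an assumption about what the "Modification of OpenSSH Binaries" rule queries (the post only says it relies on `process.*` fields).

```python
import json

# Assumed set of fields the rule needs; adjust to the rule's actual query.
REQUIRED_FIELDS = ["event.category", "event.type", "file.path", "process.name"]

# Constructed sample events: a file_integrity event with no process.* fields
# and an auditd event whose process.* fields were filled from the SYSCALL record.
SAMPLE_EVENTS = [
    json.dumps({
        "event": {"module": "file_integrity", "category": ["file"], "type": ["change"]},
        "file": {"path": "/usr/sbin/sshd"},
    }),
    json.dumps({
        "event": {"module": "auditd", "category": ["file"], "type": ["change"]},
        "file": {"path": "/usr/sbin/sshd"},
        "process": {"name": "cp", "pid": 4242, "executable": "/usr/bin/cp"},
    }),
]


def get_dotted(doc, dotted):
    """Resolve an ECS dotted field name (e.g. process.name) against a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def missing_fields(event, required=REQUIRED_FIELDS):
    """Return the required fields that are absent or empty in one event."""
    return [f for f in required if get_dotted(event, f) in (None, "", [])]


def audit_events(lines, required=REQUIRED_FIELDS):
    """Map each event's module name to the required fields that event lacks."""
    report = {}
    for line in lines:
        event = json.loads(line)
        module = get_dotted(event, "event.module") or "unknown"
        report[module] = missing_fields(event, required)
    return report


if __name__ == "__main__":
    for module, missing in audit_events(SAMPLE_EVENTS).items():
        print(f"{module}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

To run it against real data, feed it the lines of an Auditbeat file output (or documents exported from the `auditbeat-*` index) instead of `SAMPLE_EVENTS`.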