Auditbeat not picking up authentication events in CentOS 7

I am trying to ship the authentication-related events of my CentOS 7 host to Elasticsearch. Strangely, I am not getting any authentication events.

When I ran the debug command auditbeat -c auditbeat.conf -d -e "*", I found something like below:

    {
      "@timestamp": "2019-01-15T11:54:37.246Z",
      "@metadata": {
        "beat": "auditbeat",
        "type": "doc",
        "version": "6.4.0"
      },
      "error": {
        "message": "failed to set audit PID. An audit process is already running (PID 68504)"
      },
      "beat": {
        "name": "env-cs-westus-devtest-66-csos-logs-es-master-0",
        "hostname": "env-cs-westus-devtest-66-csos-logs-es-master-0",
        "version": "6.4.0"
      },
      "host": {
        "name": "env-cs-westus-devtest-66-csos-logs-es-master-0"
      },
      "event": {
        "module": "auditd"
      }
    }

Also there was an error line like below:
Failure receiving audit events {"error": "failed to set audit PID. An audit process is already running (PID 68504)"}

Machine details

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Auditbeat Configuration File

#================================ General ======================================
fields_under_root: False
queue:
  mem:
    events: 4096
    flush:
      min_events: 2048
      timeout: 1s
max_procs: 1
max_start_delay: 10s
#================================= Paths ======================================
path:
  home: "/usr/share/auditbeat"
  config: "/etc/auditbeat"
  data: "/var/lib/auditbeat"
  logs: "/var/log/auditbeat/auditbeat.log"
#============================  Config Reloading ================================
config:
  modules:
    path: ${path.config}/conf.d/*.yml
    reload:
      period: 10s
      enabled: False
#==========================  Modules configuration =============================
auditbeat.modules:
#----------------------------- Auditd module -----------------------------------
- module: auditd
  resolve_ids: True
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: True
  include_warnings: True
  audit_rules: |
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/security/opasswd -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
    -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
    -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
#----------------------------- File Integrity module -----------------------------------
- module: file_integrity
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
    - /home/jenkins
  exclude_files:
    - (?i)\.sw[nop]$
    - ~$
    - /\.git($|/)
  scan_at_start: True
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: False
#================================ Outputs ======================================
#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
  enabled: True
  hosts:
    - x.x.x:9200
  compression_level: 0
  protocol: "http"
  worker: 1
  bulk_max_size: 50
  timeout: 90
#================================ Logging ======================================
logging:
  level: "info"
  selectors: ["*"]
  to_syslog: False
  to_eventlog: False
  metrics:
    enabled: True
    period: 30s
  to_files: True
  files:
    path: /var/log/auditbeat
    name: "auditbeat"
    rotateeverybytes: 10485760
    keepfiles: 7
    permissions: 0600
  json: False

Version of Auditbeat
auditbeat version 6.4.0 (amd64), libbeat 6.4.0

Has anyone faced a similar issue and got a resolution?

@arunpmohan It seems you are running auditd or some other process already using the audit framework with PID 68504? The way the Linux kernel audit framework works is that only one process can subscribe, and so auditd would be blocking Auditbeat.

You can check if it's auditd by running service auditd status and turning it off if it is (see also for further commands: https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html#_useful_commands).

If you don't want to turn off auditd you can't use the Auditbeat auditd module, but you could use Filebeat to collect the logs from auditd: https://www.elastic.co/guide/en/beats/filebeat/6.5/filebeat-module-auditd.html


The socket_type docs have some details about the limitation you have encountered on CentOS 7 (kernel 3.10 IIRC) with auditd + auditbeat.
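The diagnosis in the two replies above (one unicast consumer owns the kernel audit socket, and socket_type: multicast is only an option on Linux 3.16 or newer) can be turned into a small pre-flight check. The script below is an added example, not code from the thread or from Auditbeat; it parses the pid line of auditctl -s, compares the kernel release against 3.16, and prints one of four recommendations. The auditctl output, kernel release and process name embedded in it are constructed sample data that mirror the question (PID 68504 on a 3.10 kernel), used only when the script is not run as root on a host with auditctl.

```shell
#!/bin/sh
# Diagnostic for Auditbeat's "failed to set audit PID. An audit process is
# already running (PID N)" error. Added example, not part of the thread or of
# Auditbeat. It encodes two facts from the replies: only one unicast consumer
# can own the kernel audit socket, and the multicast alternative
# (socket_type: multicast) needs Linux 3.16 or newer.

# Constructed sample data (not captured from a real host) so the script runs
# offline; the PID and kernel mirror the question above.
SAMPLE_STATUS='enabled 1
failure 1
pid 68504
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
SAMPLE_REL='3.10.0-957.el7.x86_64'
SAMPLE_COMM='auditd'

# Print the PID registered with the kernel audit subsystem, parsed from
# `auditctl -s` output; 0 means nothing currently owns the socket.
audit_pid_from_status() {
  printf '%s\n' "$1" | awk '$1 == "pid" { print $2; found = 1 } END { if (!found) print 0 }'
}

# True (exit 0) when the kernel release is >= 3.16, the first kernel with the
# audit multicast group that lets a second reader listen beside auditd.
kernel_supports_multicast() {
  rel=$1
  major=${rel%%.*}
  rest=${rel#*.}
  minor=${rest%%[!0-9]*}
  [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 16 ]; }
}

# Combine owner PID, owner process name and kernel release into one verdict:
#   free            nothing owns the socket, unicast mode will work
#   use-multicast   something owns it, but the kernel allows socket_type: multicast
#   stop-auditd     auditd owns it on an old kernel: stop auditd or use Filebeat
#   other-consumer  another process owns it on an old kernel: identify it first
audit_recommendation() {
  pid=$1; comm=$2; rel=$3
  if [ "$pid" -eq 0 ]; then
    echo free
  elif kernel_supports_multicast "$rel"; then
    echo use-multicast
  elif [ "$comm" = auditd ]; then
    echo stop-auditd
  else
    echo other-consumer
  fi
}

main() {
  # Query the live system when auditctl exists and we are root; otherwise fall
  # back to the constructed sample so the logic can still be exercised anywhere.
  if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    status=$(auditctl -s 2>/dev/null || true)
    rel=$(uname -r)
    pid=$(audit_pid_from_status "$status")
    comm=unknown
    if [ "$pid" -ne 0 ] && [ -r "/proc/$pid/comm" ]; then
      comm=$(cat "/proc/$pid/comm")
    fi
  else
    status=$SAMPLE_STATUS; rel=$SAMPLE_REL
    pid=$(audit_pid_from_status "$status")
    comm=$SAMPLE_COMM
  fi
  echo "audit socket owner: pid=$pid comm=$comm kernel=$rel"
  echo "recommendation: $(audit_recommendation "$pid" "$comm" "$rel")"
}

main
```

Run it as root on the affected host before enabling the auditd module; on the CentOS 7 box from the question it reports stop-auditd, which is exactly the choice the thread ends up with (stop auditd, or keep auditd and ship /var/log/audit/audit.log with Filebeat). The kernel check is a pure version compare and does not detect a kernel that was built without audit multicast support, so treat use-multicast as "worth trying", not a guarantee.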

Thanks for the information.
I tried stopping auditd, and it worked!
But I am not sure of the implications of turning the auditd service off and might switch to the Filebeat-based approach.
