Hi!
I'm setting up Auditbeat to run on an Amazon Linux EC2 instance.
When I run the default install and config for auditbeat, everything works fine for the auditbeat auditd module, and the rules I configure are applied.
BUT: when I use the same auditbeat.yml config in my docker setup, I get this error:
2021-09-16T08:06:51.167Z ERROR [auditd] auditd/audit_linux.go:171 Failure adding audit rules {"error": "Skipping rule configuration: Audit rules are locked", "errorVerbose": "Skipping rule configuration: Audit rules are locked\ngithub.com).addRules\n\t/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:271\ngithub.com).Run\n\t/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:169\ngithub.com).run\n\t/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:203\ngithub.com - This website is for sale! - ngithub Resources and Information.).Start.func1\n\t/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:147\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1371"}
[root@ip-10-243-224-144 ec2-user]#
My auditbeat.yml config is:
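# =========================== Modules configuration ============================
# Auditbeat module configuration. Indentation here is significant: module
# options sit under their `- module:` entry, processors under `processors:`.
auditbeat.modules:
  - module: auditd
    resolve_ids: true
    failure_mode: silent
    # NOTE(review): the reference config ships 8192 here; 8196 is accepted but
    # looks like a typo — confirm it is intentional.
    backlog_limit: 8196
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    backpressure_strategy: auto
    # Module-level processors: these run only on events from the auditd module.
    processors:
      # Add additional processors here
      # NOTE(review): `tags` is a keyword array in the Beats index template;
      # writing an object under it (`tags.type`) may be rejected by the
      # Elasticsearch mapping — confirm against the output you use.
      - add_fields:
          target: tags
          fields:
            type: 'module: auditd'
      # The below only works if systemid is already stored as an env variable
      - add_fields:
          target: tags
          fields:
            systemid: ${systemid}
    # Load audit rules from separate files. Same format as audit.rules(7).
    # Only files matching the glob are loaded: anything dropped into
    # audit.rules.d must end in `.conf` (a file mounted as `.yaml` is ignored).
    # NOTE(review): "Audit rules are locked" (the error pasted above) is raised
    # when the kernel audit status is immutable (`-e 2`). That state is
    # host-wide and persists until reboot, so a `-e 2` in any rule file or the
    # host auditd config loaded earlier (e.g. by the host-installed auditbeat)
    # will also block the container — check the rule files first.
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    # audit_rules: |
  - module: system
    datasets:
      - host
      - login
      - user
    period: 1m
    state.period: 24h
    user.detect_password_changes: true
  - module: system
    datasets:
      - process
      - socket
    period: 1m
# ================================= Processors =================================
# Configure processors to enhance or manipulate events generated by the beat.
# These global processors run on events from every module.
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  # No options set, so the processor's defaults apply.
  - add_process_metadata:
      # match_pids: [system.process.ppid]
      # target: system.process.parent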
My docker-compose config file is:
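version: "3.8"
# https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html
# Does not look like Auditd is supported in Alpine linux: https://github.com/linuxkit/linuxkit/issues/52
services:
  auditbeat:
    # root + host PID namespace + SYS_ADMIN below is effectively host root;
    # keep the capability list to what the enabled datasets need.
    user: root
    pid: host
    cap_add:
      - AUDIT_CONTROL
      - AUDIT_READ
      - CAP_SYS_ADMIN # This is an insecure option for getting access to /sys and bind mount tracefs debugfs
      - CAP_NET_ADMIN # This is needed in order for auditbeat to monitor using socket
    container_name: auditbeat
    hostname: auditbeat
    restart: always
    image: docker.elastic.co/beats/auditbeat:${ELASTIC_VERSION:-7.14.1}
    volumes:
      - /var/log:/var/log:ro
      # Allows us to report on docker from the hosts information.
      # NOTE(review): the Docker socket grants host-root-equivalent API access
      # to anyone inside the container; `:ro` on a socket does not limit API
      # calls, so treat this mount as sensitive.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./auditbeat_v5_docker_elk.yml:/usr/share/auditbeat/auditbeat.yml:ro
      # auditbeat.yml loads rules via `audit.rules.d/*.conf`, so the file must
      # appear in the container with a `.conf` name; the previous `.yaml` target
      # was never matched by the glob. The host-side file name is unchanged.
      - ./klarna_auditd_conf.yaml:/usr/share/auditbeat/audit.rules.d/klarna_auditd_conf.conf:ro
      #- /Volumes/GoogleDrive/My Drive/Tools/Humio/Auditbeat/Lab_setup/docker/elk_version/auditbeat_v5_docker_elk.yml:/usr/share/auditbeat/auditbeat.yml:ro
      #- /Volumes/GoogleDrive/My Drive/Tools/Humio/Auditbeat/Lab_setup/auditd/klarna_auditd_conf.yaml:/usr/share/auditbeat/audit.rules.d/klarna_auditd_conf.yaml:ro
    #environment:
    #  - ELASTICSEARCH_HOST=${ELASTICSEARCH_HOST:-node1}
    #  - KIBANA_HOST=${KIBANA_HOST:-node1}
    #  - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME:-elastic}
    #  - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD:-changeme}
    # -strict.perms=false skips the config-file ownership check, needed because
    # the bind-mounted config is owned by the host user.
    command: auditbeat -e -strict.perms=false
    ulimits:
      memlock:
        soft: -1
        hard: -1
    stdin_open: true
    tty: true
    #network_mode: bridge
    networks:
      - auditbeat
    # NOTE(review): `deploy` is only honoured in swarm mode, where
    # `container_name` is ignored — confirm which runtime this file targets.
    deploy:
      mode: global
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "50"
networks:
  auditbeat:
    external: true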