Auditbeat: set "-e 2" on startup?

I'm trying to completely replace auditd on a number of systems that have quite specific security requirements for auditd, namely that the enabled flag is set to immutable (-e 2) on startup.

Copying the existing audit rules into the audit module rules at /etc/auditbeat/audit.rules.d produces a startup error when it reaches -e 2 and I don't see anywhere else I can set this flag in the auditbeat config.

The only way I've been able to set this is inside auditbeat.service for systemd; however, this requires quite a long sleep to allow auditbeat to start up completely before making the config immutable. As this is a race condition, it can't really go into production like this, because if the flag is set before auditbeat is ready, then nothing can connect to the kernel socket without rebooting the machine.

Is there any other way? Would it be possible for auditbeat to honour the -e 2 rule and set this after it's loaded all the audit module rules? I'd prefer that auditbeat set the immutable flag once it's completely started up rather than rely on something else to do this for me.

There's an open feature request for this at https://github.com/elastic/beats/issues/8352.

It would be a good one to add to Auditbeat. I don't think there's any good workaround.
