Auditbeat tagging the events wrongly

OS : Centos 7
Version of Auditbeat : 6.4.0

Issue: When a file is modified, auditbeat used to tag it as "updated". But for some reason, it is updating as "created" only. Also, file deletion events are not tagged. Why is this happening?

Following is my auditbeat configuration:
########################## Auditbeat Configuration #############################
#================================ General ======================================
queue:
  mem:
    events: 4096
    flush:
      min_events: 2048
max_procs: 1
max_start_delay: 10s
#================================= Paths ======================================
path:
  home: "/usr/share/auditbeat"
  config: "/etc/auditbeat"
  data: "/var/lib/auditbeat"
  logs: "/var/log/auditbeat/auditbeat.log"
#============================ Config Reloading ================================
config:
  modules:
    path: ${path.config}/conf.d/*.yml
    reload:
      period: 10s
      enabled: False
#========================== Modules configuration =============================
auditbeat.modules:

#----------------------------- Auditd module -----------------------------------
- module: auditd
  resolve_ids: True
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: True
  include_warnings: True
  audit_rules: |
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/security/opasswd -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
    -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
    -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs

#----------------------------- File Integrity module -----------------------------------
- module: file_integrity
  paths:
    - /bin
    - /sbin
    - /usr/sbin
    - /usr/bin
    - /usr/local/bin
    - /usr/local/sbin
    - /opt/bin
    - /opt/sbin
    - /lib
    - /usr/lib
    - /usr/local/lib
    - /lib64
    - /usr/lib64
    - /etc/passwd
    - /etc/shadow
    - /etc/siemtest
    - /etc/auditbeat/auditbeat.yml
    - /etc/rsyslog.conf
    - /var/log/audit

  exclude_files:
    - (?i)\.sw[nop]$
    - ~$
    - /\.git($|/)
  scan_at_start: True
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: True
#-------------------------- Elasticsearch output -------------------------------
output.elasticsearch:
  enabled: True
  hosts:
    - x.x.x.x:9200
  compression_level: 0
  protocol: "http"
  worker: 1
  bulk_max_size: 50
  timeout: 90

I tested in the folder "/lib", which is given in the file integrity module.
Can somebody give insights on the same?

Hi,

Getting a created or updated event on an existing file depends on how the file is updated. Some editors delete the original file and then create it with the new contents. In this scenario, you will get a delete and create event instead of an update event.

Is that the case? Can you give an example scenario where you are observing wrong events?

Also file deletion events are not tagged too.

I don't understand what you mean here. Can you give an example?
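The delete-and-recreate save pattern described in the reply above shows up at the inode level. The following is an added illustration, not code from this thread or from Auditbeat: it snapshots a scratch directory the way a file-integrity baseline does (inode plus sha1, matching the hash_types in the posted config), then applies an in-place write to one file and a temp-file-and-rename save to another and classifies the difference. The event labels and helper names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(directory):
    # Baseline as a FIM tool keeps it: file name -> (inode, sha1 of content)
    state = {}
    for path in Path(directory).iterdir():
        if path.is_file():
            state[path.name] = (path.stat().st_ino, hashlib.sha1(path.read_bytes()).hexdigest())
    return state

def classify(before, after):
    # Our own labels; an inode-aware monitor reasons the same way
    events = {}
    for name in set(before) | set(after):
        if name not in before:
            events[name] = "created"
        elif name not in after:
            events[name] = "deleted"
        elif before[name][0] != after[name][0]:
            # same name, new inode: old file unlinked, another took its place
            events[name] = "deleted+created"
        elif before[name][1] != after[name][1]:
            events[name] = "updated"  # same inode, new content
    return events

def edit_in_place(path, data):
    # Overwrites the existing inode (shell redirection, plain write)
    path.write_bytes(data)

def edit_by_replace(path, data):
    # Write a temp file, then rename it over the target, as many editors do
    tmp = path.with_suffix(".tmp")
    tmp.write_bytes(data)
    tmp.replace(path)

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        inplace = Path(workdir, "inplace.conf")
        replaced = Path(workdir, "replaced.conf")
        for path in (inplace, replaced):
            edit_in_place(path, b"original\n")
        before = snapshot(workdir)
        edit_in_place(inplace, b"changed\n")
        edit_by_replace(replaced, b"changed\n")
        return classify(before, snapshot(workdir))
```

Running demo() reports "updated" for the in-place write and "deleted+created" for the rename-over save, which is why the same edit can surface as a created event depending on the editor used.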

Hi,
I understand what you said about the created/updated scenario.
So if we want to listen for files under a folder for the modification of files under them, how can we proceed? Is file integrity the right module for the same?
Or do we need to write auditd rules on that folder for auditbeat?
Also, any other option we have here?

So if we want to listen for files under a folder for the modification of files under them, how can we proceed? Is file integrity the right module for the same?

Yes, file_integrity is the right module to use.

Can you share the debug logs (run auditbeat with -d '*' flag) of the case where you're not getting an update event? Describe how you updated the file.
