Can I run Auditbeat as a non-root user?

Hi

I'm setting up the Beats. For each one I followed the following process:

  1. Created a user called elastic on the host

  2. Created a systemd unit file like this:

[Unit]
Description=Auditbeat
After=syslog.target network.target

[Service]
PIDFile=/run/auditbeat.pid
ExecStart=/u/elastic/auditbeat/auditbeat -c /u/elastic/auditbeat/auditbeat.yml
ExecStop=/bin/kill -s QUIT $MAINPID
User=elastic
Group=elastic

[Install]
WantedBy=multi-user.target
  3. But when I try to run Auditbeat, I get this:
$ ./auditbeat -e
2020-04-29T10:41:48.012-0300	ERROR	instance/beat.go:933	Exiting: 1 error: 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: operation not permitted
Exiting: 1 error: 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: operation not permitted

So, can I run Auditbeat as a non-root user?

What about the other Beats? Filebeat, for instance, also looks like it can't, if it's configured to index /var/log/messages, for example...

Thank you

So, can I run Auditbeat as a non-root user?

It should be possible, but only if you give the process the appropriate capabilities and set the config file permissions/owner. Those permissions will depend on what features you are using. It needs a lot of permissions to be able to monitor everything.

For the auditd module it needs AUDIT_CONTROL and AUDIT_READ. https://www.elastic.co/guide/en/beats/auditbeat/7.x/running-on-docker.html#_special_requirements

For file integrity, it needs to be able to read any files that it's monitoring.

For the system module it's a little more complicated. The system/network dataset requires several permissions. The error you posted should be addressed by adding the CAP_SETPCAP capability. Then the module uses perf to monitor the network and processes, so it probably needs CAP_SYS_ADMIN.

For adding capabilities with systemd see https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities.
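Putting the answer above into practice, as an added example that is not part of the original thread and not Elastic's own code: a shell script that writes a systemd unit for the elastic user with the capabilities granted as ambient capabilities (the mechanism the systemd.exec link describes), and a small check that decodes CapEff from /proc/<pid>/status so you can confirm the running beat actually received them. The binary and config paths are the ones from the question; the capability list is an assumption for illustration (auditd module: CAP_AUDIT_CONTROL, CAP_AUDIT_READ; DNS sniffer: CAP_SETPCAP plus CAP_NET_RAW, which opening an AF_PACKET socket requires; perf-based system/network dataset: CAP_SYS_ADMIN). Trim it to the modules you enable.

```shell
#!/bin/sh
# Added example (not from the original thread): grant Auditbeat only the
# capabilities it needs via systemd, then verify that the running process
# really has them. Paths and the capability list are assumptions.

# Capability numbers from <linux/capability.h>.
cap_number() {
    case "$1" in
        CAP_DAC_READ_SEARCH) echo 2 ;;
        CAP_SETPCAP)         echo 8 ;;
        CAP_NET_ADMIN)       echo 12 ;;
        CAP_NET_RAW)         echo 13 ;;
        CAP_SYS_PTRACE)      echo 19 ;;
        CAP_SYS_ADMIN)       echo 21 ;;
        CAP_AUDIT_CONTROL)   echo 30 ;;
        CAP_AUDIT_READ)      echo 37 ;;
        *) return 1 ;;
    esac
}

# Assumed set: auditd module (AUDIT_CONTROL/AUDIT_READ), DNS sniffer
# (NET_RAW for AF_PACKET, SETPCAP) and the perf-based system/network
# dataset (SYS_ADMIN). Remove entries for modules you do not enable.
AUDITBEAT_CAPS="CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_NET_RAW CAP_SETPCAP CAP_SYS_ADMIN"

# write_unit <path> <binary> <config> <caps...>
# Writes a unit that runs as elastic with the listed caps as ambient caps
# (inherited across exec without file capabilities) and bounds the set so
# a compromised beat cannot regain anything else.
write_unit() {
    path=$1; bin=$2; cfg=$3; shift 3
    caps="$*"
    cat > "$path" <<EOF
[Unit]
Description=Auditbeat
After=network.target

[Service]
ExecStart=$bin -c $cfg
User=elastic
Group=elastic
AmbientCapabilities=$caps
CapabilityBoundingSet=$caps
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

# missing_caps <CapEff hex mask> <caps...>
# Prints each capability from the list that is NOT set in the mask.
# CapEff is the value shown by: grep CapEff /proc/<pid>/status
missing_caps() {
    mask=$1; shift
    for c in "$@"; do
        n=$(cap_number "$c") || { echo "unknown:$c"; continue; }
        if [ $(( (0x$mask >> n) & 1 )) -eq 0 ]; then
            echo "$c"
        fi
    done
}

# check_pid <pid> <caps...>: run missing_caps against a live process.
check_pid() {
    pid=$1; shift
    mask=$(awk '/^CapEff:/ {print $2}' "/proc/$pid/status")
    missing_caps "$mask" "$@"
}
```

Usage: `write_unit /etc/systemd/system/auditbeat.service /u/elastic/auditbeat/auditbeat /u/elastic/auditbeat/auditbeat.yml $AUDITBEAT_CAPS`, then `systemctl daemon-reload && systemctl start auditbeat`, then `check_pid "$(systemctl show -p MainPID --value auditbeat)" $AUDITBEAT_CAPS`; empty output means nothing is missing. Note that capabilities granted in the unit apply only to processes systemd starts: running `./auditbeat -e` by hand from the elastic user's shell still runs with an empty capability set and fails the same way.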
