Configure module Auditd with Kubectl [Auditbeat 7.9.2]

RdrgPorto · March 12, 2021, 7:50am

Hi, everyone

I have been working with module Audit Module in order to log any execution of kubectl.

Here you are my config:

auditbeat.modules:
- module: auditd
  audit_rules: |
    -a always,exit -F exe=/usr/bin/kubectl -F arch=b64 -S execve -k kubectl

logging.level: warning
logging.to_files: true
logging.files:
  path: /var/log/auditbeat
  name: auditbeat
  keepfiles: 3

output.kafka:
  hosts: ["<ip>:<port>"]
  topic: "<topic-name>"

It logs any execution of kubectl, however it logs more things, like when I do sudo. Is it normal this behaviour ?

Thanks in advance,

Rodrigo

andrewkroh · March 15, 2021, 2:19pm

That's normal. Auditbeat receives all of the audit messages from the kernel. So in addition to messages caused by your rules you'll be getting messages from apps that publish audit messages (like sshd and sudo).

You can write rules to drop these messages in the kernel if you don't want them (e.g. -a always,exclude -F msgtype=FOO). Or you could use a beats drop_event processor to drop them after Auditbeat receives it from kernel.

system · April 12, 2021, 4:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat logs write to /var/log/messages Beats auditbeat	4	534	October 14, 2022
Multiple "-module: auditd" stanzas in config file lead to problems Beats auditbeat	1	306	September 18, 2021
Auditbeat, filebeat and journalbeat in kubernetes Beats elastic-stack-security , filebeat , elastic-agent	2	468	January 12, 2022
Config Auditbeat Beats auditbeat	1	380	March 14, 2023
Dec 2nd, 2019: [EN][Auditbeat] Monitoring Linux Command Execution Advent Calendar	1	2700	November 4, 2022

Configure module Auditd with Kubectl [Auditbeat 7.9.2]

Related Topics