Configure module Auditd with Kubectl [Auditbeat 7.9.2]

Elastic Stack Beats
#1

Hi, everyone

I have been working with module Audit Module in order to log any execution of kubectl.

Here you are my config:

auditbeat.modules:
- module: auditd
  audit_rules: |
    -a always,exit -F exe=/usr/bin/kubectl -F arch=b64 -S execve -k kubectl

logging.level: warning
logging.to_files: true
logging.files:
  path: /var/log/auditbeat
  name: auditbeat
  keepfiles: 3

output.kafka:
  hosts: ["<ip>:<port>"]
  topic: "<topic-name>"

It logs any execution of kubectl, however it logs more things, like when I do sudo. Is it normal this behaviour ?

auditbeat-kubectl
auditbeat-kubectl1567×562 35 KB

Thanks in advance,

Rodrigo

2 Likes
#2

That's normal. Auditbeat receives all of the audit messages from the kernel. So in addition to messages caused by your rules you'll be getting messages from apps that publish audit messages (like sshd and sudo).

You can write rules to drop these messages in the kernel if you don't want them (e.g. -a always,exclude -F msgtype=FOO). Or you could use a beats drop_event processor to drop them after Auditbeat receives it from kernel.

1 Like
#3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.