The Auditbeat Auditd module can be used to capture all shell commands executed on a system, for all users. Monitoring shell commands is often desired on servers where end-user shell activity is normally minimal, so any interactive command is worth a look.
This example was assembled on CentOS Linux 7.6 using the Auditbeat 7.4.2 RPM package and Elastic Stack 7.4.2 on the Elasticsearch Service (ESS).
You can start your own ESS deployment 14-day trial through this page, for free.
Most of the steps detailed in this article are applicable on a self-hosted Elasticsearch & Kibana deployment.
Disable System Auditd
The auditd daemon will interfere with the Auditbeat Auditd module and must be stopped and disabled.
Stop the service:
service auditd stop
Disable the service:
systemctl disable auditd.service
If running auditd is required while using the Auditbeat Auditd module, consider setting socket_type: multicast if the kernel version is 3.16 or newer. The default is unicast. See the configuration options section of the documentation for more information.
My Auditbeat daemon ships event data to an Elasticsearch Service (ESS) cluster. See the Configuring Auditbeat documentation for more details. The Auditbeat settings cloud.id and cloud.auth are required to get the example working (documentation):
cloud.id: <your_cloud_id>
cloud.auth: ingest_user:password
In case you want to send the data to your Elasticsearch cluster (e.g. a local instance), please check this documentation page.
Auditbeat Auditd Module Rules
The Auditd module subscribes to the kernel to receive system events. Rules are defined to capture these events and are in the same format used by the Linux auditctl utility (more details here).
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b32 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k user_acct
-a exit,always -F arch=b32 -F euid>=1000 -S execve -k user_acct
euid is the effective user id: euid=0 will capture all activities for the root user and euid>=1000 all activities for other users with a uid of 1000 or higher. Each rule is given twice, once for the 64-bit ABI (arch=b64) and once for the 32-bit ABI (arch=b32), so that execve calls from either kind of binary are captured. -k <key> is used to assign an arbitrary "key" to the event; it will show up in the tags field and can be used in Kibana to filter and categorize events.
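A small checker for rule sets of this shape, added here as an example (it is not part of the original article or of Auditbeat): it parses auditctl-style lines and flags execve rules that lack a key or that leave one of the two ABIs uncovered for a key. The only input is a constructed copy of the four rules above.

```python
import shlex
from collections import defaultdict

# Constructed input: the four execve rules from the article.
RULES = """
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b32 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k user_acct
-a exit,always -F arch=b32 -F euid>=1000 -S execve -k user_acct
"""

def parse_rule(line):
    """Split one auditctl-style rule into action, filters, syscalls and key."""
    toks = shlex.split(line)
    if len(toks) % 2:
        raise ValueError("flag without value: " + line)
    rule = {"action": set(), "filters": [], "syscalls": [], "key": None}
    for flag, val in zip(toks[::2], toks[1::2]):
        if flag == "-a":
            rule["action"] = set(val.split(","))  # exit,always == always,exit
        elif flag == "-F":
            rule["filters"].append(val)
        elif flag == "-S":
            rule["syscalls"] += val.split(",")
        elif flag == "-k":
            rule["key"] = val
    return rule

def check_rules(text):
    """Return a list of problems with the execve rules; [] means none found."""
    problems, arches_by_key = [], defaultdict(set)
    for line in text.strip().splitlines():
        r = parse_rule(line)
        if "execve" not in r["syscalls"]:
            continue
        if r["action"] != {"always", "exit"}:
            problems.append(line + ": execve should use the exit filter with 'always'")
        if r["key"] is None:
            problems.append(line + ": no -k key, events will carry no tag to filter on")
        arch = [f[5:] for f in r["filters"] if f.startswith("arch=")]
        if not arch:
            problems.append(line + ": no -F arch filter")
        elif r["key"]:
            arches_by_key[r["key"]].add(arch[0])
    # Each key needs both ABIs, as in the article, or 32-bit binaries are missed.
    for key, arches in sorted(arches_by_key.items()):
        for missing in sorted({"b64", "b32"} - arches):
            problems.append("key %s: no rule for arch %s" % (key, missing))
    return problems
```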
Auditbeat Setup Command
Run Auditbeat setup to load the index templates, ingest node pipelines, the index lifecycle policy and the Kibana dashboards.
auditbeat -e setup
In case you're not using ESS, we invite you to check the documentation in order to set up the Kibana endpoint.
Start Auditbeat:
systemctl start auditbeat
List enabled rules:
auditbeat show auditd-rules
-a never,exit -S all -F pid=23617
-a always,exit -F arch=b64 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b32 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b64 -S execve -F euid>=vagrant -F key=user_acct
-a always,exit -F arch=b32 -S execve -F euid>=vagrant -F key=user_acct
Watch for Data
Issue some shell commands like lsblk as a user and monitor Kibana Discover for new events.
- Kibana shown with
- Filter is
- Data refresh is every second.
The Auditbeat Auditd module can also pick up TTY events as they occur on the system. Configure the system-auth PAM configuration file to enable TTY auditing. Only root TTY events will be logged in real time; user events are normally buffered until exit. TTY auditing is required to capture builtin shell commands like
Append the following to /etc/pam.d/system-auth to enable auditing for all users (more details about pam_tty_audit can be found here):
session required pam_tty_audit.so enable=*
$ sudo su -
Last login: Fri Nov 22 23:43:00 UTC 2019 on pts/0
$ helllloooo there!
-bash: helllloooo: command not found
$ exit
Auditbeat is also able to:
- Send events when a file is changed (created, updated, or deleted) on disk thanks to the
- Send metrics regarding the system thanks to the
The Auditbeat documentation is available at this link.