Dec 2nd, 2019: [EN][Auditbeat] Monitoring Linux Command Execution

The Auditbeat Auditd module can be used to capture all shell commands executed on system for all users. Monitoring shell commands is often desired on servers where end user shell activity is normally minimal.

This example was assembled on CentOS Linux 7.6 using the Auditbeat 7.4.2 RPM package and Elastic Stack 7.4.2 on the Elasticsearch Service (ESS).

You can start your own ESS deployment 14-day trial through this page, for free.

Most of the steps detailed in this article are applicable on a self-hosted Elasticsearch & Kibana deployment.

Disable System Auditd

The system auditd daemon will interfere with the Auditbeat Auditd module and must be disabled.

Stop auditd:

service auditd stop

Disable the service:

systemctl disable auditd.service

If running Auditd is required while using the Auditbeat Auditd module, consider setting socket_type: multicast if the kernel version is 3.16 or newer. The default is unicast. See the configuration options section of the documentation for more information.

Configure Auditbeat

My Auditbeat daemon ships event data to an Elasticsearch Service (ESS) cluster. See the Configuring Auditbeat documentation for more details. Auditbeat settings cloud.id and cloud.auth are required to get the example working (documentation).

Edit /etc/auditbeat/auditbeat.yml:

cloud.id: <your_cloud_id>
cloud.auth: ingest_user:password

In case you want to send the data to your Elasticsearch cluster (e.g. a local instance), please check this documentation page.

Auditbeat Auditd Module Rules

The Auditd module subscribes to the kernel to receive system events. Rules are defined to capture these events and are in the same format used by the Linux auditctl utility (more details here).

/etc/auditbeat/audit.rules.d/rules.conf:

-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b32 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k user_acct
-a exit,always -F arch=b32 -F euid>=1000 -S execve -k user_acct
  • euid is the effective user id. 0 will capture all activities for the root user and >=1000 for all other users with a uid of 1000 or higher.
  • -k <key> is used to assign an arbitrary "key" to the event and it will show up in the tags field. It can be used in Kibana to filter and categorize events.

Auditbeat Setup Command

Run Auditbeat setup to load index templates, ingest node pipelines, the index filecycle policy and the Kibana dashboards.

auditbeat -e setup

In case you're not using ESS, we invite you to check the documentation in order to setup the Kibana endpoint

Start Auditbeat

systemctl start auditbeat

List enabled rules:

auditbeat show auditd-rules
-a never,exit -S all -F pid=23617
-a always,exit -F arch=b64 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b32 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b64 -S execve -F euid>=vagrant -F key=user_acct
-a always,exit -F arch=b32 -S execve -F euid>=vagrant -F key=user_acct

Watch for Data

Issue some shell commands like whoami, ls, and lsblk as a user and monitor Kibana Discover for new events.

  • Kibana shown with user.name, process.executable, process.args and tags fields selected.
  • Filter is user.name: root and auditd.data.syscall: execve.
  • Data refresh is every second.

TTY Auditing

The Auditbeat Auditd module can also pick up TTY events as they occur on the system. Configure the system-auth PAM configuration file to enable TTY audting. Only root TTY events will be logged in real-time. User events are normally buffered until exit. TTY auditing is required to capture builtin shell commands like pwd, test, etc.

Append the following to /etc/pam.d/system-auth to enable auditing for all users (more details about pam_tty_audit can be found here):

session	  required   pam_tty_audit.so enable=*

Test

$ sudo su -
Last login: Fri Nov 22 23:43:00 UTC 2019 on pts/0
$ helllloooo there!
-bash: helllloooo: command not found
$ exit

Kibana Discover

Final thoughts

Auditbeat is also able to:

  • Send events when a file is changed (created, updated, or deleted) on disk thanks to the file_integrity module (documentation)
  • Send metrics regarding the system thanks to the system module (documentation)

The Auditbeat documentation is available at this link.

3 Likes