We have been doing some diligent testing against auditbeat and auditd. This is a very strong solution that doesn't require too much of the host system (with the right rules). We have expanded our testing to make sure that we aren't missing context for ANY FIM events.
What we are coming to find is that auditd will miss shell built-ins. This is even if you are collecting all execve. If the built-in manipulates a process, you should get a related syscall. But if someone is using the built-in to establish persistence, you may not see it. You might see it in "-S write", but that's not very scalable.
Does anyone have any suggestions on how to address this? It seems like pam_tty_audit.so may be a solution, but output is not real-time; spawning another shell can continue to delay output. Is auditbeat able to consume the output of aureport -tty?
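To make the pam_tty_audit angle concrete, here is an added example (not code from the post, from auditd or from auditbeat) of the post-processing a defender would put behind TTY auditing: it parses raw `type=TTY` records in the layout the kernel emits (keystrokes hex-encoded in `data=`), reassembles what was typed per login session and process, applies backspaces, and flags lines that redirect output into shell startup files, which is exactly the built-in-only persistence case that `execve` collection cannot see. The sample records are constructed with the `make_record` helper, the list of startup files is an assumption chosen for the example, and the latency caveat from the post still applies: this only sees keystrokes once the TTY records have been flushed.

```python
"""Decode raw auditd TTY records and flag typed lines that write to shell
startup files.  Added example; record layout follows the kernel's type=TTY
format, the sample records below are constructed, not captured."""
import re
from collections import defaultdict

# Raw record layout as written by the kernel's tty audit code.
TTY_RE = re.compile(
    r'^type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): tty '
    r'pid=(?P<pid>\d+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'major=\d+ minor=\d+ comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)$'
)

# Shell startup files to watch for redirected writes (assumption: chosen for
# this example; extend the list for your environment).
STARTUP_FILE_RE = re.compile(
    r'>>?\s*["\']?\S*(?:\.bashrc|\.bash_profile|\.profile|\.zshrc|/etc/profile(?:\.d/\S*)?)'
)


def make_record(serial, pid, auid, ses, comm, keystrokes):
    """Build a constructed TTY record in the kernel's layout (hex-encoded data)."""
    return (f'type=TTY msg=audit(1700000000.{serial:03d}:{serial}): tty '
            f'pid={pid} uid={auid} auid={auid} ses={ses} major=136 minor=0 '
            f'comm="{comm}" data={keystrokes.encode().hex().upper()}')


def parse_tty_record(line):
    """Return the record fields plus decoded keystrokes, or None if not a TTY record."""
    m = TTY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["keys"] = bytes.fromhex(rec["data"]).decode("utf-8", errors="replace")
    return rec


def reconstruct_lines(keystroke_stream):
    """Apply DEL/backspace and split on CR/LF to recover the lines actually entered."""
    buf, lines = [], []
    for ch in keystroke_stream:
        if ch in ("\x7f", "\x08"):
            if buf:
                buf.pop()
        elif ch in ("\r", "\n"):
            lines.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        lines.append("".join(buf))  # partial line, Enter not yet pressed
    return lines


def find_startup_file_writes(raw_lines):
    """Group records per (auid, ses, pid) in serial order, rebuild typed lines,
    and return every line that redirects into a startup file."""
    records = [r for r in (parse_tty_record(l) for l in raw_lines) if r]
    records.sort(key=lambda r: (float(r["ts"]), int(r["serial"])))
    streams, comm_of = defaultdict(str), {}
    for rec in records:
        key = (rec["auid"], rec["ses"], rec["pid"])
        streams[key] += rec["keys"]  # one command may span several records
        comm_of[key] = rec["comm"]
    hits = []
    for (auid, ses, pid), stream in streams.items():
        for typed in reconstruct_lines(stream):
            if STARTUP_FILE_RE.search(typed):
                hits.append({"auid": auid, "ses": ses, "pid": pid,
                             "comm": comm_of[(auid, ses, pid)], "line": typed})
    return hits


# Constructed sample: one interactive session, with a command split across
# two records and a typo corrected with DEL before Enter.
SAMPLE_RECORDS = [
    make_record(201, 4321, 1000, 3, "bash", "ls -la\n"),
    make_record(202, 4321, 1000, 3, "bash", "echo 'x' >> ~/.bas"),
    make_record(203, 4321, 1000, 3, "bash", "hrc\n"),
    make_record(204, 4321, 1000, 3, "bash", "cat ~/.profilee\x7f\n"),
    make_record(205, 5555, 1001, 4, "bash", "id\n"),
]

if __name__ == "__main__":
    for hit in find_startup_file_writes(SAMPLE_RECORDS):
        print(hit)
```

Pairing this with plain auditd file watches (`-w` rules on the same startup paths with `-p wa`) gives a second, syscall-level signal for the same persistence writes without the cost of a blanket `-S write` rule; the TTY decode adds the command the user actually typed, which the file watch alone does not record.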