Hi, I am having problems with how auditbeat pushes documents to elasticsearch. I want auditbeat to monitor `openat` system calls on a directory (or, alternatively, on the files within that directory). To that end I have the following auditctl rule set up in the file `/etc/auditbeat/audit.rules.d/blueprint-buckeye.conf`:

```
-a exit,always -F arch=b64 -S openat -F dir=/root -F euid=root -k binary-exploitation -k 2362e5 -k flag-captured
```
The problem I am facing is that auditbeat pushes a huge number of documents with very weird `file.path` fields every time someone uses the Linux `find` command. E.g. if I run `find / -name flag{* 2>&1 | grep flag` on the machine that is running auditbeat, I see a lot of documents that contain one-character `file.path`s:

```json
"file" : {
  "owner" : "root",
  "group" : "root",
  "path" : "d",
  "device" : "00:00",
  "inode" : "526947",
  "mode" : "0700",
  "uid" : "0",
  "gid" : "0"
},
```
According to the elasticsearch exported-fields documentation, this field should be an absolute path to a filename. However, there is no file on the filesystem with the one-character filename `d`, and it certainly is not a full path name. Furthermore, this command is issued outside of the `/root` directory and should not be caught by the above rule unless `d` is a file within the `/root` directory, which again, it is not.

Another issue that is unrelated to the `find` command is if I issue the command `ls -al` while in some directory, e.g. `/home/kate_libby/`, and in that directory there is a file named `neuromancer`. The `file.path` field in elasticsearch will then contain `neuromancer`, which again is not an absolute path. In this case I would have the auditctl rule as:

```
-a exit,always -F arch=b64 -S stat,lstat,fstat -F path=/home/kate_libby/neuromancer -F euid=kate_libby -k binary_exploitation_flag -k discovery
```
I have auditbeat set up according to the configuration file below:

```yaml
---
auditbeat:
  modules:
    - audit_rule_files:
        - /etc/auditbeat/audit.rules.d/*.conf
      module: auditd
      include_warnings: true
      resolve_ids: true
      include_raw_message: true
http:
  enabled: true
  host: x.x.x.x
  port: '5067'
logging:
  level: debug
  metrics:
    enabled: false
  to_eventlog: false
  to_files: false
  to_stderr: true
  to_syslog: false
monitoring:
  cluster_uuid: ZK15biAITP-jB5O8Y5XuQQ
  enabled: false
name: blueprint-buckeye-auditbeat
output:
  elasticsearch:
    enabled: true
    hosts:
      - https://x.x.x.x:9200
      - https://x.x.x.x:9200
      - https://x.x.x.x:9200
    password: ${OUTPUT_PASS}
    ssl:
      certificate: /etc/auditbeat/certs//beats.crt
      certificate_authorities: /etc/auditbeat/certs//ca.crt
      enabled: true
      key: /etc/auditbeat/certs//beats.p1
      key_passphrase: ${OUTPUT_CERT_KEY_PASSPHRASE}
      verification_mode: none
    username: ${OUTPUT_USER}
path:
  config: /etc/auditbeat
  data: /var/lib/auditbeat
  home: /usr/share/auditbeat
  logs: /var/log/auditbeat
processors:
  - add_id: null
  - add_locale: null
  - community_id: null
  - add_process_metadata:
      match_pids:
        - system.process.ppid
      restricted_fields: true
  - add_fields:
      fields:
        world: blueprint
        target: ''
  - add_observer_metadata:
      geo:
        name: blueprint
setup:
  ilm:
    check_exists: false
    enabled: true
    overwrite: false
    pattern: '{now/d}-000001'
    rollover_alias: auditbeat-%{[agent.version]}
  template:
    settings:
      index:
        number_of_shards: 1
```
I also list the important aspect of the index template below:

```json
"path": {
  "type": "keyword",
  "fields": {
    "text": {
      "type": "text",
      "norms": false
    }
  },
  "ignore_above": 1024
},
```
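An added triage helper (not part of the original post or of auditbeat) for the raw messages that `include_raw_message: true` keeps: it groups auditd records by event serial, flags each audited `PATH` name as absolute or relative, and attaches the `cwd` from the event's `CWD` record. The records below are constructed; the cwd-joined candidate is only a hint, because `openat()` resolves a relative name against the directory fd it was given, which is the cwd only when that fd is `AT_FDCWD`.

```python
import os
import re
from typing import Dict, List

# Constructed auditd records for two events (serials 89 and 90). Layout follows
# auditd's "type=... msg=audit(ts:serial): k=v ..." format; serial 89 carries a
# relative PATH name ("d"), serial 90 an absolute one.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.123:89): arch=c000003e syscall=257 success=yes '
    'exit=4 ppid=1 pid=4242 euid=0 comm="find" exe="/usr/bin/find" key="binary-exploitation"',
    'type=CWD msg=audit(1700000000.123:89): cwd="/root/ctf"',
    'type=PATH msg=audit(1700000000.123:89): item=0 name="d" inode=526947 dev=00:00 mode=040700 ouid=0 ogid=0',
    'type=SYSCALL msg=audit(1700000000.200:90): arch=c000003e syscall=257 success=yes '
    'exit=3 ppid=1 pid=4300 euid=0 comm="cat" exe="/usr/bin/cat" key="flag-captured"',
    'type=CWD msg=audit(1700000000.200:90): cwd="/root"',
    'type=PATH msg=audit(1700000000.200:90): item=0 name="/root/flag.txt" inode=526950 dev=fd:01 mode=0100600 ouid=0 ogid=0',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'msg=audit\([\d.]+:(\d+)\)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a dict; quoted values are unquoted."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    fields['serial'] = _SERIAL.search(line).group(1)
    return fields


def group_events(lines: List[str]) -> Dict[str, Dict[str, List[Dict[str, str]]]]:
    """Map serial -> record type -> list of records (an event may carry several PATH items)."""
    events: Dict[str, Dict[str, List[Dict[str, str]]]] = {}
    for line in lines:
        rec = parse_record(line)
        events.setdefault(rec['serial'], {}).setdefault(rec['type'], []).append(rec)
    return events


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """One row per PATH item: the name as audited, whether it is absolute, and a
    cwd-joined candidate for relative names (a hint only, see the note above)."""
    rows: List[Dict[str, object]] = []
    for serial, recs in group_events(lines).items():
        cwd = recs.get('CWD', [{}])[0].get('cwd')
        syscall = recs.get('SYSCALL', [{}])[0]
        for p in recs.get('PATH', []):
            name = p.get('name', '')
            absolute = name.startswith('/')
            rows.append({'serial': serial, 'comm': syscall.get('comm'), 'key': syscall.get('key'),
                         'name': name, 'absolute': absolute,
                         'candidate': name if absolute else (os.path.join(cwd, name) if cwd else None)})
    return rows
```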