Monitoring file changes

I use auditbeat for monitoring files and directories, and it works fine when a file is accessed from vim, nano, etc. But if the file is modified from a script or with cat (redirection), it does not capture the event.

Example:

vim /tmp/foo (edit and save) -> Detected
cat /etc/hosts > /tmp/foo -> Not detected

Can you help me?

Redirection works correctly on my FIM setup (6.6.1)

Can you share the FIM portion of your config?

Hello,
I work with auditbeat, and my rule:

[root@elk ~]# grep lala /etc/auditbeat/auditbeat.yml
    -w /tmp/lala -p wa -k change

Editing the file with vim

And editing the file (the same one) with cat

The process/command is not detected (it only says bash)

Thanks.

Hi,

What I can observe is that the coreutils apps (https://en.wikipedia.org/wiki/List_of_GNU_Core_Utilities_commands) are identified under their execution process /usr/bin/bash

vim is detected as /usr/bin/vim, while other Linux coreutils (touch, echo, cat, etc.) are /usr/bin/bash

Hello,
I solved it. Put the directory under the file_integrity module and the changes (cat, echo, etc.) are detected.

Thanks for your help
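As an added example (not a configuration posted in this thread), here is an auditbeat.yml fragment that keeps the auditd watch rule quoted above and also enrols the same directory in the file_integrity module, which is the fix the last reply describes. The directory path /tmp/lala is the one from the thread; the hash type, size limit and scan settings are assumptions chosen for illustration.

```yaml
auditbeat.modules:
  # auditd module: the kernel watch rule from the thread.
  # For "cat /etc/hosts > /tmp/lala" the shell opens and truncates the
  # target file before cat is executed, so the audit event for the
  # open is attributed to the shell (/usr/bin/bash), not to cat.
  - module: auditd
    audit_rules: |
      -w /tmp/lala -p wa -k change

  # file_integrity module: reports content and metadata changes of the
  # watched files whatever process made them, by watching the directory
  # and hashing the files, so redirection and script writes show up too.
  - module: file_integrity
    paths:
      - /tmp/lala
    # Watch subdirectories as well (assumption; the default is false).
    recursive: true
    # Hash algorithm and size limit are assumptions for this example.
    hash_types: [sha256]
    max_file_size: 100 MiB
    # Hash all files once at startup so later changes have a baseline.
    scan_at_start: true
```

The auditd event tells you which process opened the file, while the file_integrity event tells you that the content changed; correlating both on the path gives the fuller picture.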
