I have had issues in the past with the flexibility of the auditbeat file_integrity module configuration. On one hand I want to monitor most changes under
/etc and similar directories, but on the other hand I also want to monitor a few very specific changes under
I would like to benefit from the new detection rule for alerting on changes to
~/.ssh/authorized_keys files but currently I have chosen to instead monitor everything under
/etc because it doesn't seem like there is a way to do both at one time using auditbeat.
Is there any way of specifying a primary key for each auditbeat module configuration so that they don't conflict when there are multiple module configurations set up?
Basically I would like the following, but it doesn't seem to be supported right now:
# Monitor system paths using exclusions
- module: file_integrity
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
    - /root
  exclude_files:
    - '(?i)\.sw[nop]$'
    - '~$'
    - '/\.git($|/)'

# Monitor user directories using inclusions to only show .ssh file changes
- module: file_integrity
  paths:
    - /home
  include_files:
    - '/\.ssh($|/)'
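Whether or not auditbeat accepts two file_integrity instances, it helps to know exactly which paths each block of the configuration above would report before deploying it. The script below is an added example, not part of the original post and not auditbeat code: it models the two blocks as data and applies the same include_files/exclude_files regular expressions to a few constructed paths. It assumes a simplified version of auditbeat's matching (path must lie under a monitored directory, must match no exclude pattern, and, when include_files is set, must match an include pattern) and uses Python's re module as a stand-in for Go's RE2 syntax, which agrees for these simple patterns.

```python
import re

# Constructed from the configuration in the question (hypothetical names).
MODULES = [
    {
        "name": "system-paths",
        "paths": ["/bin", "/usr/bin", "/sbin", "/usr/sbin", "/etc", "/root"],
        "exclude_files": [r"(?i)\.sw[nop]$", r"~$", r"/\.git($|/)"],
        "include_files": [],
    },
    {
        "name": "user-ssh",
        "paths": ["/home"],
        "exclude_files": [],
        "include_files": [r"/\.ssh($|/)"],
    },
]


def under_path(file_path, root):
    """True when file_path is the monitored root or lies below it."""
    return file_path == root or file_path.startswith(root.rstrip("/") + "/")


def module_reports(module, file_path):
    """Simplified model of one file_integrity instance's filtering.

    Assumption: a path is reported when it is under a monitored path,
    matches none of exclude_files, and (if include_files is non-empty)
    matches at least one of include_files. Patterns are searched against
    the full path, as auditbeat's docs describe for these options.
    """
    if not any(under_path(file_path, p) for p in module["paths"]):
        return False
    if any(re.search(pat, file_path) for pat in module["exclude_files"]):
        return False
    if module["include_files"] and not any(
        re.search(pat, file_path) for pat in module["include_files"]
    ):
        return False
    return True


def reporting_modules(file_path, modules=MODULES):
    """Names of the module instances that would report an event for file_path."""
    return [m["name"] for m in modules if module_reports(m, file_path)]


if __name__ == "__main__":
    # Constructed sample paths covering the interesting cases.
    for path in [
        "/etc/ssh/sshd_config",
        "/etc/passwd.swp",
        "/etc/.git/config",
        "/home/alice/.ssh/authorized_keys",
        "/home/alice/.bashrc",
        "/root/.ssh/authorized_keys",
    ]:
        print(f"{path:40} -> {reporting_modules(path)}")
```

Running it shows that the two blocks never overlap: /etc and /root changes land only in the first instance, and under /home only paths inside a .ssh directory are reported at all. Editor swap files and .git contents under /etc are dropped by the exclusions, which is the behaviour the author wants; the script says nothing about whether auditbeat itself will load both instances, which is the open question in the post.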