I have had issues in the past with the flexibility of the auditbeat file_integrity module configuration. On one hand I want to monitor most changes under /etc and similar directories, but on the other hand I also want to monitor a few very specific changes under /home.
I would like to benefit from the new detection rule for alerting on changes to ~/.ssh/authorized_keys files, but currently I have chosen to instead monitor everything under /etc because it doesn't seem like there is a way to do both at one time using auditbeat.
Is there any way of specifying a primary key for each auditbeat module configuration so that they don't conflict when there are multiple module configurations set up?
Basically I would like the following, but it doesn't seem to be supported right now:
# Monitor system paths using exclusions
- module: file_integrity
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
    - /root
  exclude_files:
    - '(?i)\.sw[nop]$'
    - '~$'
    - '/\.git($|/)'
# Monitor user directories using inclusions to only show .ssh file changes
- module: file_integrity
  paths:
    - /home
  include_files:
    - '/\.ssh($|/)'
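A quick way to check what each of the two blocks above would actually report before deploying them (an added example, not from the original post or from the Auditbeat project): it applies the exclude_files and include_files regexes from the question to a constructed list of paths, assuming the documented semantics that exclude_files drops matching paths and include_files, when set, keeps only matching paths. The "system" and "home" block names and the sample paths are assumptions for illustration.

```python
import re

# The two module blocks from the question, expressed as Python data.
MODULES = [
    {
        "name": "system",  # assumed label for the first block
        "paths": ["/bin", "/usr/bin", "/sbin", "/usr/sbin", "/etc", "/root"],
        "exclude_files": [r"(?i)\.sw[nop]$", r"~$", r"/\.git($|/)"],
        "include_files": [],
    },
    {
        "name": "home",  # assumed label for the second block
        "paths": ["/home"],
        "exclude_files": [],
        "include_files": [r"/\.ssh($|/)"],
    },
]

# Constructed sample paths (not from the original post).
SAMPLE_PATHS = [
    "/etc/ssh/sshd_config",
    "/etc/ssh/.sshd_config.swp",        # vim swap file, should be excluded
    "/etc/passwd~",                      # editor backup, should be excluded
    "/root/.ssh/authorized_keys",
    "/home/alice/.ssh/authorized_keys",
    "/home/alice/.bashrc",               # under /home but not .ssh, dropped
    "/home/alice/project/.git/config",   # not matched by the home block
]

def under(path, root):
    """True if path is root itself or lies below it (no prefix confusion)."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def would_report(module, path):
    """True if this module block would emit an event for path.
    Assumed semantics (per the Auditbeat docs): exclude_files drops
    matching paths; include_files, if non-empty, keeps only matching paths."""
    if not any(under(path, p) for p in module["paths"]):
        return False
    if any(re.search(rx, path) for rx in module["exclude_files"]):
        return False
    inc = module["include_files"]
    return not inc or any(re.search(rx, path) for rx in inc)

def reporting_modules(path, modules=MODULES):
    """Names of the module blocks that would report a change to path."""
    return [m["name"] for m in modules if would_report(m, path)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:36} -> {reporting_modules(p) or ['(not monitored)']}")
```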