File: //proc/self/root/etc/auditbeat/auditbeat.yml
---
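# Host identity reported in every event (overrides the OS hostname).
name: red40.hs.shared.masterhost.ru
fields_under_root: false

# In-memory publisher queue. With min_events/timeout at 0 the output may take
# events as soon as they are queued instead of waiting for a batch (per libbeat
# queue semantics) — lower latency, more small bulks to Logstash.
queue:
  mem:
    events: 4096
    flush:
      min_events: 0
      timeout: 0s

logging:
  level: info
  # The original value here was the plain scalar `:undef`, i.e. the literal
  # string ":undef" — almost certainly an unrendered placeholder from the
  # config template rather than a real log selector. If libbeat treats it as a
  # selector it matches nothing, which would suppress the selector-tagged
  # diagnostics from the auditd/file_integrity modules. "*" is the documented
  # "all selectors" value and restores the default behaviour.
  selectors: ["*"]
  to_syslog: false
  to_eventlog: false
  json: false
  to_files: true
  files:
    path: "/var/log/auditbeat"
    name: auditbeat
    keepfiles: 7
    rotateeverybytes: 10485760
    # Log lines can echo audit detail; keep the files owner-readable only.
    permissions: '0600'
  metrics:
    enabled: true
    period: 30s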
output:
  logstash:
    enabled: true
    # Single collector endpoint, written as the one-element list the option
    # documents. NOTE(review): there is no `ssl` section, so audit records
    # leave this host in cleartext and the collector is not authenticated;
    # on a shared host consider `ssl.certificate_authorities` plus a client
    # `ssl.certificate`/`ssl.key` (mutual TLS) for the Logstash connection.
    hosts: ["logstash.infra.masterhost.ru:15112"]
    # Only has an effect once more than one host is listed above.
    loadbalance: true
# Global processors — applied to every event from every module, in order.
processors:
  # Allow-list filter: an event survives only if it carries a `tags` field
  # holding at least one of the five tags this pipeline routes on. The auditd
  # rules supply theirs via `-k` keys (presumably surfaced as `tags`), the
  # system/login dataset and the file_integrity module set theirs explicitly.
  # NOTE(review): anything else is discarded, including audit records that do
  # not originate from a keyed rule — confirm the record types you rely on
  # downstream actually arrive tagged.
  - drop_event:
      when:
        or:
          - not:
              has_fields: ["tags"]
          - not:
              or:
                - contains:
                    tags: crit_alert
                - contains:
                    tags: medium_alert
                - contains:
                    tags: daily_alert
                - contains:
                    tags: ssh_login
                - contains:
                    tags: integrity
  # Stamp the surviving events for routing on the Logstash side (@metadata is
  # not indexed). Placed after the filter so dropped events are never scripted.
  - script:
      lang: javascript
      source: |
        function process(event) {
          event.Put("@metadata.ds_tag", "prod-auditlog");
        }
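auditbeat:
  modules:
    # --- Login / session tracking --------------------------------------------
    - module: system
      datasets:
        - login
      state:
        period: 12h
      processors:
        # NOTE(review): only successful logins pass this filter; failed
        # attempts — the signal for brute force and credential stuffing — are
        # discarded here. Remove the processor, or route failures under their
        # own tag, if failed-login visibility is wanted downstream.
        - drop_event:
            when:
              not:
                equals:
                  event.outcome: success
      tags:
        - ssh_login

    # --- Kernel audit rules --------------------------------------------------
    # The -k keys are what the global drop_event allow-list matches on.
    # Tiers: crit_alert (dynamic-loader hijacking), medium_alert (persistence
    # and auth/account configuration), daily_alert (bulk system-directory
    # churn for daily review). Directory watches in auditd cover the subtree.
    - module: auditd
      audit_rules: |-
        ## Canary: touching this file should produce a crit_alert end to end.
        -w /root/test-auditbeat-ping.txt -p wa -k crit_alert
        ## Dynamic-loader hijack points: LD_PRELOAD, ld.so config, the loader itself.
        -w /etc/ld.so.preload -p wa -k crit_alert
        -w /etc/ld.so.conf -p wa -k crit_alert
        -w /etc/ld.so.conf.d -p wa -k crit_alert
        -w /lib/ld-linux.so.2 -p wa -k crit_alert
        -w /lib64/ld-linux-x86-64.so.2 -p wa -k crit_alert
        -w /lib/ld-musl-x86_64.so.1 -p wa -k crit_alert
        -w /lib/ld-musl-i386.so.1 -p wa -k crit_alert
        ## Boot-time persistence.
        -w /etc/skel/ -p wa -k medium_alert
        -w /usr/lib/systemd/system-generators/ -p wa -k medium_alert
        -w /lib/systemd/system-generators/ -p wa -k medium_alert
        -w /etc/init.d/ -p wa -k medium_alert
        -w /etc/rcS.d/ -p wa -k medium_alert
        -w /etc/rc0.d/ -p wa -k medium_alert
        -w /etc/rc1.d/ -p wa -k medium_alert
        -w /etc/rc2.d/ -p wa -k medium_alert
        -w /etc/rc3.d/ -p wa -k medium_alert
        -w /etc/rc4.d/ -p wa -k medium_alert
        -w /etc/rc5.d/ -p wa -k medium_alert
        -w /etc/rc6.d/ -p wa -k medium_alert
        -w /lib/x86_64-linux-gnu/security/ -p wa -k medium_alert
        -w /etc/systemd/system-preset/ -p wa -k medium_alert
        -w /etc/inittab -p wa -k medium_alert
        -w /etc/rc.local -p wa -k medium_alert
        ## Accounts and authentication configuration.
        -w /etc/passwd -p wa -k medium_alert
        -w /etc/shadow -p wa -k medium_alert
        -w /etc/group -p wa -k medium_alert
        -w /etc/gshadow -p wa -k medium_alert
        -w /etc/ssh/sshd_config -p wa -k medium_alert
        ## Added for parity with the file_integrity paths below: sudo policy,
        ## login policy and the sshd drop-in directory were hashed but not audited.
        -w /etc/sudoers -p wa -k medium_alert
        -w /etc/sudoers.d -p wa -k medium_alert
        -w /etc/login.defs -p wa -k medium_alert
        -w /etc/ssh/sshd_config.d -p wa -k medium_alert
        -w /etc/pam.conf -p wa -k medium_alert
        -w /etc/pam.d -p wa -k medium_alert
        ## Scheduled-task persistence.
        -w /etc/crontab -p wa -k medium_alert
        -w /etc/cron.d -p wa -k medium_alert
        -w /etc/cron.daily -p wa -k medium_alert
        -w /etc/cron.hourly -p wa -k medium_alert
        -w /etc/cron.weekly -p wa -k medium_alert
        -w /etc/cron.monthly -p wa -k medium_alert
        -w /etc/cron.yearly -p wa -k medium_alert
        -w /var/spool/cron/crontabs/root -p wa -k medium_alert
        -w /var/spool/cron/crontabs/ctrlsh -p wa -k medium_alert
        -w /var/spool/cron/crontabs/billing -p wa -k medium_alert
        -w /var/spool/cron/crontabs/postgres -p wa -k medium_alert
        -w /etc/at.allow -p wa -k medium_alert
        -w /etc/at.deny -p wa -k medium_alert
        -w /etc/nsswitch.conf -p wa -k medium_alert
        ## Kernel module load/unload (both ABIs) and bulk system-directory writes.
        -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k daily_alert
        -a always,exit -F arch=b32 -S init_module,finit_module,delete_module -k daily_alert
        -w /usr/lib/x86_64-linux-gnu/ -p wa -k daily_alert
        -w /lib/i386-linux-gnu -p wa -k daily_alert
        -w /etc/udev -p wa -k daily_alert
        -w /etc/security/limits.conf -p wa -k daily_alert
        -w /bin -p wa -k daily_alert
        -w /usr/bin -p wa -k daily_alert
        -w /sbin -p wa -k daily_alert
        -w /usr/sbin -p wa -k daily_alert
        -w /usr/local/bin -p wa -k daily_alert
        -w /usr/local/sbin -p wa -k daily_alert
        -w /lib/systemd/system -p wa -k daily_alert
        -w /usr/lib/systemd/system -p wa -k daily_alert
        -w /run/systemd/system -p wa -k daily_alert
        -w /run/systemd/system.control -p wa -k daily_alert
        -w /run/systemd/generator -p wa -k daily_alert
        -w /lib/udev -p wa -k daily_alert
        -w /usr/lib/udev -p wa -k daily_alert
        -w /etc/selinux -p wa -k daily_alert
        -w /usr/share/selinux -p wa -k daily_alert
        -w /usr/libexec/selinux -p wa -k daily_alert
        -w /etc/apparmor.d -p wa -k daily_alert
        -w /usr/lib/apparmor -p wa -k daily_alert
        -w /usr/share/apparmor -p wa -k daily_alert
        -w /usr/share/apparmor-features -p wa -k daily_alert
        -w /lib/modules -p wa -k daily_alert
        ## Was `-p w` only; `wa` matches the /usr/lib/x86_64-linux-gnu rule above
        ## so ownership/permission changes to shared libraries are recorded too.
        -w /lib/x86_64-linux-gnu -p wa -k daily_alert
        -w /etc/modprobe.conf -p wa -k daily_alert
        -w /etc/modprobe.d -p wa -k daily_alert
        ## Shell environment persistence.
        -w /etc/profile -p wa -k daily_alert
        -w /etc/profile.d -p wa -k daily_alert
        -w /etc/environment -p wa -k daily_alert
        -w /root/.bashrc -p wa -k daily_alert
        -w /root/.profile -p wa -k daily_alert
        -w /home/billing/.profile -p wa -k daily_alert
        -w /home/billing/.bashrc -p wa -k daily_alert
        -w /var/spool/cron/atjobs -p wa -k daily_alert
        -w /etc/systemd/system/ -p wa -k daily_alert

    # --- File integrity (hash on change) -------------------------------------
    # NOTE(review): `recursive` is left at its default, which I believe is
    # non-recursive — only the direct children of each listed directory are
    # monitored, so e.g. unit symlinks created under
    # /etc/systemd/system/*.wants/ would not be hashed here (the auditd
    # watches above still see them). Confirm against the deployed version.
    # `scan_at_start: false` means no baseline is taken on startup: the first
    # event for a file carries only its new hash, and changes made while
    # auditbeat was stopped are not reported.
    - module: file_integrity
      tags:
        - integrity
      scan_at_start: false
      paths:
        - "/etc/passwd"
        - "/etc/shadow"
        - "/etc/group"
        - "/etc/gshadow"
        - "/etc/nsswitch.conf"
        - "/etc/login.defs"
        - "/etc/sudoers"
        - "/etc/sudoers.d"
        - "/etc/pam.conf"
        - "/etc/pam.d"
        - "/etc/security"
        - "/etc/security/limits.conf"
        - "/etc/ssh/sshd_config"
        - "/etc/ssh/sshd_config.d"
        - "/etc/ld.so.preload"
        - "/etc/ld.so.conf"
        - "/etc/ld.so.conf.d"
        - "/etc/profile"
        - "/etc/profile.d"
        - "/etc/environment"
        - "/root/.bashrc"
        - "/root/.profile"
        - "/bin"
        - "/usr/bin"
        - "/sbin"
        - "/usr/sbin"
        - "/usr/local/bin"
        - "/usr/local/sbin"
        - "/etc/systemd/system"
        - "/etc/systemd/system.control"
        - "/lib/systemd/system"
        - "/usr/lib/systemd/system"
        - "/etc/udev"
        - "/etc/crontab"
        - "/etc/cron.d"
        - "/etc/cron.daily"
        - "/etc/cron.hourly"
        - "/etc/cron.weekly"
        - "/etc/cron.monthly"
        - "/etc/cron.yearly"
        - "/var/spool/cron/crontabs/root"
        - "/var/spool/cron/crontabs/ctrlsh"
        - "/var/spool/cron/crontabs/billing"
        - "/var/spool/cron/crontabs/postgres"
        - "/etc/modprobe.conf"
        - "/lib/modules"
        - "/etc/selinux"
        - "/etc/apparmor.d"
        - "/lib/x86_64-linux-gnu"
        # Self-protection: changes to this very configuration are hashed.
        - "/etc/auditbeat/"
        - "/etc/modprobe.d"
        - "/lib/i386-linux-gnu"
        - "/etc/inittab"
        - "/etc/rc.local"
        - "/etc/init.d"
        - "/etc/rcS.d"
        - "/etc/rc0.d"
        - "/etc/rc1.d"
        - "/etc/rc2.d"
        - "/etc/rc3.d"
        - "/etc/rc4.d"
        - "/etc/rc5.d"
        - "/etc/rc6.d"
        - "/lib/systemd/system-generators"
        - "/usr/lib/systemd/system-generators"
        - "/lib/x86_64-linux-gnu/security"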
# NOTE(review): `shutdown_timeout` and `registry` at the top level look like
# Filebeat settings (filebeat.shutdown_timeout / filebeat.registry); I am not
# aware of Auditbeat reading them at this location, so verify they are not
# silently ignored rather than assuming the 0600 registry permission applies.
shutdown_timeout: 5s

registry:
  path: "/var/lib/auditbeat"
  file_permissions: '0600'
  flush: 0s

# Stats/monitoring HTTP endpoint stays off — nothing listens locally.
http:
  enabled: false