如何在Auditbeat 6.4.0中捕获sudo事件报告?

时间:2019-01-24 14:33:25

标签: elasticsearch elastic-stack audit-logging elastic-beats

这是系统报告的事件,当非sudo用户尝试执行sudo命令(使用的命令为sudo su

Jan 24 14:02:49 hostn-1212 sudo: test-arun-user : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/test-arun-user ; USER=root ; COMMAND=/bin/bash

但是Auditbeat未捕获此事件。 我的Auditbeat配置文件如下:

queue:
  mem:
    events: 4096
    flush:
      min_events: 2048
      timeout: 1s
max_procs: 1
max_start_delay: 10s
#================================= Paths ======================================
path:
  home: "/usr/share/auditbeat"
  config: "/etc/auditbeat"
  data: "/var/lib/auditbeat"
  logs: "/var/log/auditbeat/auditbeat.log"

#============================  Config Reloading ================================
config:
  modules:
    path: ${path.config}/conf.d/*.yml
    reload:
      period: 10s
      enabled: False
#==========================  Modules configuration =============================
auditbeat.modules:
- module: auditd
  resolve_ids: True
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: True
  include_warnings: True
  audit_rules: |
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/security/opasswd -p wa -k identity
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
    -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
    -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs

#----------------------------- File Integrity module -----------------------------------
- module: file_integrity
  paths:
    - /bin
    - /sbin
    - /usr/sbin
  exclude_files:
    - (?i)\.sw[nop]$
    - ~$
    - /\.git($|/)
  scan_at_start: True
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: False
#================================ Outputs ======================================
output.elasticsearch:
  enabled: True
  hosts:
    - localhost:9200
  compression_level: 0
  protocol: "http"
  worker: 1
  bulk_max_size: 50
  timeout: 90

我得到了大多数事件,但是未捕获到如上所示在日志中报告的事件。我想知道是否可以对配置进行任何操作。请帮忙。

0 个答案:

没有答案
相关问题
最新问题