├── .github
└── workflows
│ ├── linux.yml
│ └── linux_deploy.yml
├── .gitignore
├── .yamllint
├── LICENSE
├── README.md
├── defaults
└── main.yml
├── extras
├── layer.json
├── layer.svg
└── sigma-kibana-saved-searches
│ ├── lnx_auditd_masquerading_crond.json
│ ├── lnx_auditd_susp_cmds.json
│ ├── lnx_auditd_susp_exe_folders.json
│ ├── lnx_auditd_user_discovery.json
│ ├── lnx_data_compressed.json
│ └── lnx_network_sniffing.json
├── files
├── auditd-attack.conf
└── uninstall-service-auditbeat.ps1
├── handlers
└── main.yml
├── meta
└── main.yml
├── molecule
├── default
│ ├── Dockerfile.j2
│ ├── INSTALL.rst
│ ├── converge.yml
│ ├── molecule.yml
│ ├── prepare.yml
│ └── tests
│ │ └── test_default.py
└── windows
│ ├── Dockerfile.j2
│ ├── INSTALL.rst
│ ├── converge.yml
│ ├── molecule.yml
│ ├── prepare.yml
│ └── verify.yml
├── tasks
├── Debian.yml
├── RedHat.yml
├── Windows32bit.yml
├── Windows64bit.yml
└── main.yml
├── templates
├── auditbeat-windows.yml.j2
└── auditbeat.yml.j2
└── vars
└── main.yml
/.github/workflows/linux.yml:
--------------------------------------------------------------------------------
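---
# Molecule test matrix for the Linux targets of this role.
# Runs on every push to a branch other than master (master is covered by
# linux_deploy.yml) and on pull requests that target master.
name: Molecule test
on:
  push:
    branches:
      - "*"
      # "!" is a YAML tag indicator, so the exclusion pattern must stay quoted.
      - "!master"
  pull_request:
    branches:
      - master

# Least privilege for the automatic GITHUB_TOKEN: the job only reads the
# checked-out repository; nothing here pushes, comments or publishes.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      # Keep testing the remaining distributions when one image fails so a
      # single broken target does not hide the results for the rest.
      fail-fast: false
      matrix:
        image:
          - centos7
          - centos8
          - ubuntu1604
          - ubuntu1804
          - ubuntu2004
          - debian8
          - debian9
          - debian10
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # Checked out under the "owner/name" repository path — presumably so
          # molecule resolves the role by its directory name; confirm against
          # molecule/default/molecule.yml.
          path: "${{ github.repository }}"
      - name: Run molecule tests
        # Third-party action pinned to a version tag. Tags are mutable, so
        # pinning to the tag's full commit SHA is the stronger supply-chain
        # control, especially if this workflow is ever given write
        # permissions or secrets.
        uses: robertdebock/molecule-action@2.6.1
        with:
          image: "${{ matrix.image }}"
          # Presumably the container-registry namespace the test images are
          # pulled from — verify against the action's documentation.
          namespace: geerlingguy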
35 |
--------------------------------------------------------------------------------
/.github/workflows/linux_deploy.yml:
--------------------------------------------------------------------------------
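---
# Molecule test matrix followed by a release to Ansible Galaxy.
# Runs only on pushes to master; branch builds are covered by linux.yml.
name: Molecule test and deploy
on:
  push:
    branches:
      - master

# The automatic GITHUB_TOKEN is never used for writes in this workflow:
# publishing goes through the Galaxy API key below, so the token can stay
# read-only.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      # Keep testing the remaining distributions when one image fails so a
      # single broken target does not hide the results for the rest.
      fail-fast: false
      matrix:
        image:
          - centos7
          - centos8
          - ubuntu1604
          - ubuntu1804
          - ubuntu2004
          - debian8
          - debian9
          - debian10
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # Checked out under the "owner/name" repository path — presumably so
          # molecule resolves the role by its directory name; confirm against
          # molecule/default/molecule.yml.
          path: "${{ github.repository }}"
      - name: Run molecule tests
        # Third-party action pinned to a version tag. Tags are mutable, so
        # pinning to the tag's full commit SHA is the stronger supply-chain
        # control.
        uses: robertdebock/molecule-action@2.6.1
        with:
          image: "${{ matrix.image }}"
          # Presumably the container-registry namespace the test images are
          # pulled from — verify against the action's documentation.
          namespace: geerlingguy

  deploy-galaxy:
    # Publish only after every matrix entry of "test" has passed.
    needs: test
    runs-on: ubuntu-latest
    steps:
      - name: Publish on Ansible Galaxy
        # This third-party action receives a publishing credential; pinning it
        # to the tag's full commit SHA rather than a mutable tag limits what a
        # compromised or re-tagged upstream release could do with that key.
        uses: robertdebock/galaxy-action@1.0.1
        with:
          # Quoted so the expression is always read as a string, even if the
          # secret is unset and expands to nothing.
          galaxy_api_key: "${{ secrets.galaxy_api_key }}"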
39 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | *.retry
2 | */__pycache__
3 | *.pyc
4 |
--------------------------------------------------------------------------------
/.yamllint:
--------------------------------------------------------------------------------
1 | ---
2 | # Based on ansible-lint config
3 | extends: default
4 |
5 | rules:
6 | braces:
7 | max-spaces-inside: 1
8 | level: error
9 | brackets:
10 | max-spaces-inside: 1
11 | level: error
12 | colons:
13 | max-spaces-after: -1
14 | level: error
15 | commas:
16 | max-spaces-after: -1
17 | level: error
18 | comments: disable
19 | comments-indentation: disable
20 | document-start: disable
21 | empty-lines:
22 | max: 3
23 | level: error
24 | hyphens:
25 | level: error
26 | indentation: disable
27 | key-duplicates: enable
28 | line-length: disable
29 | new-line-at-end-of-file: disable
30 | new-lines:
31 | type: unix
32 | trailing-spaces: disable
33 | truthy: disable
34 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 Ján Trenčanský
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ansible-role-auditbeat
2 | =========
3 |
4 | [](https://github.com/j91321/ansible-role-auditbeat/blob/master/LICENSE)
5 | [](https://github.com/j91321/ansible-role-auditbeat/commit/master)
6 | 
7 | [](https://twitter.com/j91321)
8 |
9 | An Ansible role that replaces auditd with Auditbeat. It includes a modified version of the rules from [bfuzzy1/auditd-attack](https://github.com/bfuzzy1/auditd-attack).
10 |
11 | 
12 |
13 | Please test the rules thoroughly before using them in production. Some rules may have a performance impact depending on your setup. For more information on Auditbeat please visit the official [documentation](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html).
14 |
15 | Supported platforms:
16 | - Ubuntu 20.04
17 | - Ubuntu 18.04
18 | - Ubuntu 16.04
19 | - CentOS 8
20 | - CentOS 7
21 | - CentOS 6
22 | - Debian 10
23 | - Debian 9
24 | - Debian 8
25 | - Gentoo \*\*
26 | - Windows 10\*
27 | - Windows Server 2019\*
28 | - Windows Server 2016\*
29 |
30 | Auditbeat should also work on Oracle Enterprise Linux but only with RHCK.
31 |
32 | \* Auditbeat on Windows supports a different set of features. If you wish to achieve similar functionality, use Sysmon + Winlogbeat.
33 |
34 | \*\* If you want to run Auditbeat on Gentoo, you will need to create your own ebuild. If you want to use the `system` metricset, you will need to build Auditbeat from the x-pack folder under the Elastic licence. If you want to use sockets, you will need kprobes enabled in your kernel's menuconfig.
35 |
36 | If you wish to run Auditbeat from a Docker container, use the official Docker [image](https://hub.docker.com/_/auditbeat) provided by Elastic.
37 |
38 | Requirements
39 | ------------
40 |
41 | None
42 |
43 | Role Variables
44 | --------------
45 | Ansible variables from `defaults/main.yml`
46 |
47 | auditbeat_service:
48 | install_path_windows64: "C:\\Program Files\\Elastic\\auditbeat"
49 | install_path_windows32: "C:\\Program Files\\Elastic\\auditbeat"
50 | version: "7.13.1"
51 | download: true
52 | config_path: /etc/auditbeat
53 | install_rules: true
54 | rule_file: auditd-attack.conf
55 |
56 | auditbeat_output:
57 | type: "elasticsearch"
58 | elasticsearch:
59 | hosts:
60 | - "localhost:9200"
61 | security:
62 | enabled: false
63 | auditbeat_processors: |
64 | - add_host_metadata: ~
65 | - add_cloud_metadata: ~
66 | - add_docker_metadata: ~
67 | auditbeat_portage:
68 | package: =auditbeat-{{ auditbeat_service.version }}
69 | getbinpkg: no
70 |
71 | The `auditbeat_service.install_rules` variable can be set to `false` if you don't want to use the included rules.
72 |
73 | The variable `auditbeat_service.download` affects only Windows installations. If you don't want the clients to download the Windows zip package from the web, you can set it to `false` and place the Windows zip in the `files/` folder. Please preserve the naming of the zip file, e.g. `files/auditbeat-7.6.2-windows-x86.zip`.
74 |
75 | The default above specifies the output configuration to Elasticsearch without security enabled.
76 |
77 | auditbeat_output:
78 | type: elasticsearch
79 | elasticsearch:
80 | hosts:
81 | - "localhost:9200"
82 | security:
83 | enabled: true
84 | username: auditbeat_writer
85 | password: pa$$word
86 | protocol: https
87 | ssl_verification_mode: certificate
88 | ssl_certificate_authorities:
89 | - "/etc/ca/my_ca.crt"
90 |
91 | This specifies the output configuration to Elasticsearch with security enabled; the certificate authority file must be present on the server.
92 |
93 | The variable `auditbeat_output.type` takes one of three values: `logstash`, `elasticsearch` or `redis`. This selector exists because, if you have Ansible `hash_behaviour` set to `merge`, the role would otherwise install both the elasticsearch and logstash outputs when using the logstash output type, which is wrong.
94 |
95 | Example of Redis output:
96 |
97 | auditbeat_output:
98 | type: redis
99 | redis:
100 | hosts:
101 | - 192.168.100.4
102 | password: "redis_password"
103 | key: "auditbeat"
104 |
105 | Example of filtering high-volume logs using processors:
106 |
107 | auditbeat_processors: |
108 | - add_host_metadata: ~
109 | - add_cloud_metadata: ~
110 | - add_docker_metadata: ~
111 | - drop_event.when.and:
112 | - equals.event.action: "network_flow"
113 | - equals.server.port: 10050
114 | - equals.process.name: "zabbix_agentd"
115 |
116 | Ansible variables from `vars/main.yml`
117 |
118 | auditbeat_module:
119 | auditd:
120 | enabled: true
121 | file_integrity:
122 | enabled: true
123 | paths:
124 | - /bin
125 | - /usr/bin
126 | - /sbin
127 | - /usr/sbin
128 | - /etc
129 | system:
130 | enabled: true
131 | datasets:
132 | - host
133 | - login
134 | - package
135 | - process
136 | - socket
137 | - user
138 | auditbeat_module_windows:
139 | file_integrity:
140 | enabled: true
141 | paths:
142 | - C:\windows
143 | - C:\windows\system32
144 | - C:\Program Files
145 | - C:\Program Files (x86)
146 | system:
147 | enabled: true
148 | datasets:
149 | - host
150 | - process
151 |
152 | These variables are the Auditbeat defaults and fit the most common use cases.
153 |
154 | Dependencies
155 | ------------
156 |
157 | None
158 |
159 | Example Playbook
160 | ----------------
161 |
162 | ```
163 | - name: Install auditbeat
164 | hosts:
165 | - linux
166 | - windows
167 | become: yes
168 | vars:
169 | auditbeat_service:
170 | install_path_windows32: "C:\\Program Files\\monitoring\\auditbeat"
171 | install_path_windows64: "C:\\Program Files\\monitoring\\auditbeat"
172 | version: "7.13.1"
173 | download: true
174 | install_rules: true
175 | rule_file: auditd-attack.conf
176 | auditbeat_template:
177 | enabled: false
178 | auditbeat_general:
179 | tags:
180 | - "auditbeat"
181 | auditbeat_output:
182 | type: "elasticsearch"
183 | elasticsearch:
184 | hosts:
185 | - "172.16.0.11:9200"
186 | - "172.16.0.12:9200"
187 | - "172.16.0.13:9200"
188 | security:
189 | enabled: true
190 | username: auditbeat
191 | password: auditbeatpassword
192 | protocol: http
193 | roles:
194 | - ansible-role-auditbeat
195 | ```
196 |
197 | Extras
198 | ------
199 |
200 | In the extras folder you can find several prepared Kibana saved searches based on [Sigma auditd rules](https://github.com/Neo23x0/sigma/tree/master/rules/linux/auditd). These saved searches work with the default index pattern `auditbeat-\*`. If you use a different index pattern, you must modify the saved objects with the appropriate index pattern and field names.
201 |
202 | Installation steps:
203 |
204 | 1. Go to **Kibana->Management->Index Patterns**
205 | 2. Click **Create index pattern**
206 | 3. Into the **Index pattern field** write *auditbeat-** and click **Next step**
207 | 4. Select *@timestamp* as **Time Filter field name**
208 | 5. Click **Show advanced options**
209 | 6. Set **Custom index pattern** ID to *auditbeat-**
210 | 7. Click **Create index pattern**
211 |
212 | Next import the saved searches from this repository:
213 |
214 | 1. Go to **Kibana->Management->Saved Objects**
215 | 2. Click **Import**
216 | 3. Select the saved search json file which you want to import
217 | 4. Click **Import**
218 | 5. Repeat for all saved searches
219 |
220 | License
221 | -------
222 |
223 | MIT
224 |
225 | Author Information
226 | ------------------
227 |
228 | j91321
229 |
230 | Rules by: bfuzzy
231 |
232 | Notes
233 | -----
234 |
235 | Tests require some further improvements. Waiting for beats issue [#8280](https://github.com/elastic/beats/issues/8280) to be resolved for better tests.
236 |
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
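---
# Role defaults; override per host or group. See README "Role Variables".
auditbeat_service:
  # Windows installation directories, one per architecture. Backslashes are
  # doubled because the values are double-quoted.
  install_path_windows64: "C:\\Program Files\\Elastic\\auditbeat"
  install_path_windows32: "C:\\Program Files\\Elastic\\auditbeat"
  # Quoted so YAML keeps the version a string rather than a float.
  version: "7.16.2"
  # Windows only: download the zip package from the web. Set to false to use a
  # copy placed in files/ instead (naming rules in the README).
  download: true
  config_path: /etc/auditbeat
  # Install the bundled auditd rule set; rule_file is looked up in files/.
  install_rules: true
  rule_file: auditd-attack.conf

# Output selector plus per-output settings. Only the section named by "type"
# is meant to be rendered (the README explains why a selector is needed).
auditbeat_output:
  type: "elasticsearch"
  elasticsearch:
    hosts:
      - "localhost:9200"
    # The default ships events unauthenticated over plaintext to a local
    # Elasticsearch. For any remote cluster enable security and set the
    # protocol/TLS options shown in the README example.
    security:
      enabled: false

# Literal YAML block; presumably rendered verbatim into the processors section
# of templates/auditbeat.yml.j2 — confirm against the template. Trailing
# whitespace inside this block becomes part of the rendered config.
auditbeat_processors: |
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Gentoo (portage) installation parameters.
auditbeat_portage:
  # Quoted so the Jinja expression is always parsed as a string.
  package: "=auditbeat-{{ auditbeat_service.version }}"
  # Canonical boolean; the previous "no" was a YAML 1.1 alias for the same
  # value, but it is not a boolean under YAML 1.2 parsers.
  getbinpkg: false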
27 |
--------------------------------------------------------------------------------
/extras/layer.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "layer",
3 | "version": "2.2",
4 | "domain": "mitre-enterprise",
5 | "description": "",
6 | "filters": {
7 | "stages": [
8 | "act"
9 | ],
10 | "platforms": [
11 | "Linux"
12 | ]
13 | },
14 | "sorting": 0,
15 | "viewMode": 0,
16 | "hideDisabled": false,
17 | "techniques": [
18 | {
19 | "techniqueID": "T1156",
20 | "tactic": "persistence",
21 | "color": "#31a354",
22 | "comment": "",
23 | "enabled": true,
24 | "metadata": []
25 | },
26 | {
27 | "techniqueID": "T1087",
28 | "tactic": "discovery",
29 | "color": "#31a354",
30 | "comment": "",
31 | "enabled": true,
32 | "metadata": []
33 | },
34 | {
35 | "techniqueID": "T1139",
36 | "tactic": "credential-access",
37 | "color": "#31a354",
38 | "comment": "",
39 | "enabled": true,
40 | "metadata": []
41 | },
42 | {
43 | "techniqueID": "T1146",
44 | "tactic": "defense-evasion",
45 | "color": "#31a354",
46 | "comment": "",
47 | "enabled": true,
48 | "metadata": []
49 | },
50 | {
51 | "techniqueID": "T1059",
52 | "tactic": "execution",
53 | "color": "#31a354",
54 | "comment": "",
55 | "enabled": true,
56 | "metadata": []
57 | },
58 | {
59 | "techniqueID": "T1043",
60 | "tactic": "command-and-control",
61 | "color": "#31a354",
62 | "comment": "",
63 | "enabled": true,
64 | "metadata": []
65 | },
66 | {
67 | "techniqueID": "T1092",
68 | "tactic": "command-and-control",
69 | "color": "#31a354",
70 | "comment": "",
71 | "enabled": true,
72 | "metadata": []
73 | },
74 | {
75 | "techniqueID": "T1090",
76 | "tactic": "command-and-control",
77 | "color": "#31a354",
78 | "comment": "",
79 | "enabled": true,
80 | "metadata": []
81 | },
82 | {
83 | "techniqueID": "T1090",
84 | "tactic": "defense-evasion",
85 | "color": "#31a354",
86 | "comment": "",
87 | "enabled": true,
88 | "metadata": []
89 | },
90 | {
91 | "techniqueID": "T1081",
92 | "tactic": "credential-access",
93 | "color": "#31a354",
94 | "comment": "",
95 | "enabled": true,
96 | "metadata": []
97 | },
98 | {
99 | "techniqueID": "T1002",
100 | "tactic": "exfiltration",
101 | "color": "#31a354",
102 | "comment": "",
103 | "enabled": true,
104 | "metadata": []
105 | },
106 | {
107 | "techniqueID": "T1005",
108 | "tactic": "collection",
109 | "color": "#31a354",
110 | "comment": "",
111 | "enabled": true,
112 | "metadata": []
113 | },
114 | {
115 | "techniqueID": "T1089",
116 | "tactic": "defense-evasion",
117 | "color": "#31a354",
118 | "comment": "",
119 | "enabled": true,
120 | "metadata": []
121 | },
122 | {
123 | "techniqueID": "T1041",
124 | "tactic": "exfiltration",
125 | "color": "#31a354",
126 | "comment": "",
127 | "enabled": true,
128 | "metadata": []
129 | },
130 | {
131 | "techniqueID": "T1011",
132 | "tactic": "exfiltration",
133 | "color": "#31a354",
134 | "comment": "",
135 | "enabled": true,
136 | "metadata": []
137 | },
138 | {
139 | "techniqueID": "T1052",
140 | "tactic": "exfiltration",
141 | "color": "#31a354",
142 | "comment": "",
143 | "enabled": true,
144 | "metadata": []
145 | },
146 | {
147 | "techniqueID": "T1068",
148 | "tactic": "privilege-escalation",
149 | "color": "#31a354",
150 | "comment": "",
151 | "enabled": true,
152 | "metadata": []
153 | },
154 | {
155 | "techniqueID": "T1107",
156 | "tactic": "defense-evasion",
157 | "color": "#31a354",
158 | "comment": "",
159 | "enabled": true,
160 | "metadata": []
161 | },
162 | {
163 | "techniqueID": "T1222",
164 | "tactic": "defense-evasion",
165 | "color": "#31a354",
166 | "comment": "",
167 | "enabled": true,
168 | "metadata": []
169 | },
170 | {
171 | "techniqueID": "T1070",
172 | "tactic": "defense-evasion",
173 | "color": "#31a354",
174 | "comment": "",
175 | "enabled": true,
176 | "metadata": []
177 | },
178 | {
179 | "techniqueID": "T1215",
180 | "tactic": "persistence",
181 | "color": "#31a354",
182 | "comment": "",
183 | "enabled": true,
184 | "metadata": []
185 | },
186 | {
187 | "techniqueID": "T1168",
188 | "tactic": "persistence",
189 | "color": "#31a354",
190 | "comment": "",
191 | "enabled": true,
192 | "metadata": []
193 | },
194 | {
195 | "techniqueID": "T1168",
196 | "tactic": "execution",
197 | "color": "#31a354",
198 | "comment": "",
199 | "enabled": true,
200 | "metadata": []
201 | },
202 | {
203 | "techniqueID": "T1036",
204 | "tactic": "defense-evasion",
205 | "color": "#31a354",
206 | "comment": "",
207 | "enabled": true,
208 | "metadata": []
209 | },
210 | {
211 | "techniqueID": "T1026",
212 | "tactic": "command-and-control",
213 | "color": "#31a354",
214 | "comment": "",
215 | "enabled": true,
216 | "metadata": []
217 | },
218 | {
219 | "techniqueID": "T1079",
220 | "tactic": "command-and-control",
221 | "color": "#31a354",
222 | "comment": "",
223 | "enabled": true,
224 | "metadata": []
225 | },
226 | {
227 | "techniqueID": "T1040",
228 | "tactic": "credential-access",
229 | "color": "#31a354",
230 | "comment": "",
231 | "enabled": true,
232 | "metadata": []
233 | },
234 | {
235 | "techniqueID": "T1040",
236 | "tactic": "discovery",
237 | "color": "#31a354",
238 | "comment": "",
239 | "enabled": true,
240 | "metadata": []
241 | },
242 | {
243 | "techniqueID": "T1201",
244 | "tactic": "discovery",
245 | "color": "#31a354",
246 | "comment": "",
247 | "enabled": true,
248 | "metadata": []
249 | },
250 | {
251 | "techniqueID": "T1069",
252 | "tactic": "discovery",
253 | "color": "#31a354",
254 | "comment": "",
255 | "enabled": true,
256 | "metadata": []
257 | },
258 | {
259 | "techniqueID": "T1057",
260 | "tactic": "discovery",
261 | "color": "#31a354",
262 | "comment": "",
263 | "enabled": true,
264 | "metadata": []
265 | },
266 | {
267 | "techniqueID": "T1055",
268 | "tactic": "defense-evasion",
269 | "color": "#31a354",
270 | "comment": "",
271 | "enabled": true,
272 | "metadata": []
273 | },
274 | {
275 | "techniqueID": "T1055",
276 | "tactic": "privilege-escalation",
277 | "color": "#31a354",
278 | "comment": "",
279 | "enabled": true,
280 | "metadata": []
281 | },
282 | {
283 | "techniqueID": "T1108",
284 | "tactic": "defense-evasion",
285 | "color": "#31a354",
286 | "comment": "",
287 | "enabled": true,
288 | "metadata": []
289 | },
290 | {
291 | "techniqueID": "T1108",
292 | "tactic": "persistence",
293 | "color": "#31a354",
294 | "comment": "",
295 | "enabled": true,
296 | "metadata": []
297 | },
298 | {
299 | "techniqueID": "T1219",
300 | "tactic": "command-and-control",
301 | "color": "#31a354",
302 | "comment": "",
303 | "enabled": true,
304 | "metadata": []
305 | },
306 | {
307 | "techniqueID": "T1105",
308 | "tactic": "command-and-control",
309 | "color": "#31a354",
310 | "comment": "",
311 | "enabled": true,
312 | "metadata": []
313 | },
314 | {
315 | "techniqueID": "T1105",
316 | "tactic": "lateral-movement",
317 | "color": "#31a354",
318 | "comment": "",
319 | "enabled": true,
320 | "metadata": []
321 | },
322 | {
323 | "techniqueID": "T1021",
324 | "tactic": "lateral-movement",
325 | "color": "#31a354",
326 | "comment": "",
327 | "enabled": true,
328 | "metadata": []
329 | },
330 | {
331 | "techniqueID": "T1166",
332 | "tactic": "privilege-escalation",
333 | "color": "#31a354",
334 | "comment": "",
335 | "enabled": true,
336 | "metadata": []
337 | },
338 | {
339 | "techniqueID": "T1166",
340 | "tactic": "persistence",
341 | "color": "#31a354",
342 | "comment": "",
343 | "enabled": true,
344 | "metadata": []
345 | },
346 | {
347 | "techniqueID": "T1071",
348 | "tactic": "command-and-control",
349 | "color": "#31a354",
350 | "comment": "",
351 | "enabled": true,
352 | "metadata": []
353 | },
354 | {
355 | "techniqueID": "T1169",
356 | "tactic": "privilege-escalation",
357 | "color": "#31a354",
358 | "comment": "",
359 | "enabled": true,
360 | "metadata": []
361 | },
362 | {
363 | "techniqueID": "T1082",
364 | "tactic": "discovery",
365 | "color": "#31a354",
366 | "comment": "",
367 | "enabled": true,
368 | "metadata": []
369 | },
370 | {
371 | "techniqueID": "T1016",
372 | "tactic": "discovery",
373 | "color": "#31a354",
374 | "comment": "",
375 | "enabled": true,
376 | "metadata": []
377 | },
378 | {
379 | "techniqueID": "T1049",
380 | "tactic": "discovery",
381 | "color": "#31a354",
382 | "comment": "",
383 | "enabled": true,
384 | "metadata": []
385 | },
386 | {
387 | "techniqueID": "T1033",
388 | "tactic": "discovery",
389 | "color": "#31a354",
390 | "comment": "",
391 | "enabled": true,
392 | "metadata": []
393 | },
394 | {
395 | "techniqueID": "T1072",
396 | "tactic": "execution",
397 | "color": "#31a354",
398 | "comment": "",
399 | "enabled": true,
400 | "metadata": []
401 | },
402 | {
403 | "techniqueID": "T1072",
404 | "tactic": "lateral-movement",
405 | "color": "#31a354",
406 | "comment": "",
407 | "enabled": true,
408 | "metadata": []
409 | },
410 | {
411 | "techniqueID": "T1099",
412 | "tactic": "defense-evasion",
413 | "color": "#31a354",
414 | "comment": "",
415 | "enabled": true,
416 | "metadata": []
417 | },
418 | {
419 | "techniqueID": "T1204",
420 | "tactic": "execution",
421 | "color": "#31a354",
422 | "comment": "",
423 | "enabled": true,
424 | "metadata": []
425 | },
426 | {
427 | "techniqueID": "T1078",
428 | "tactic": "defense-evasion",
429 | "color": "#31a354",
430 | "comment": "",
431 | "enabled": true,
432 | "metadata": []
433 | },
434 | {
435 | "techniqueID": "T1078",
436 | "tactic": "persistence",
437 | "color": "#31a354",
438 | "comment": "",
439 | "enabled": true,
440 | "metadata": []
441 | },
442 | {
443 | "techniqueID": "T1078",
444 | "tactic": "privilege-escalation",
445 | "color": "#31a354",
446 | "comment": "",
447 | "enabled": true,
448 | "metadata": []
449 | },
450 | {
451 | "techniqueID": "T1078",
452 | "tactic": "initial-access",
453 | "color": "#31a354",
454 | "comment": "",
455 | "enabled": true,
456 | "metadata": []
457 | },
458 | {
459 | "techniqueID": "T1100",
460 | "tactic": "persistence",
461 | "color": "#31a354",
462 | "comment": "",
463 | "enabled": true,
464 | "metadata": []
465 | },
466 | {
467 | "techniqueID": "T1100",
468 | "tactic": "privilege-escalation",
469 | "color": "#31a354",
470 | "comment": "",
471 | "enabled": true,
472 | "metadata": []
473 | },
474 | {
475 | "techniqueID": "T1014",
476 | "tactic": "defense-evasion",
477 | "color": "#31a354",
478 | "comment": "",
479 | "enabled": true,
480 | "metadata": []
481 | },
482 | {
483 | "techniqueID": "T1501",
484 | "tactic": "persistence",
485 | "color": "#31a354",
486 | "comment": "",
487 | "enabled": true,
488 | "metadata": []
489 | }
490 | ],
491 | "gradient": {
492 | "colors": [
493 | "#ff6666",
494 | "#ffe766",
495 | "#8ec843"
496 | ],
497 | "minValue": 0,
498 | "maxValue": 100
499 | },
500 | "legendItems": [],
501 | "metadata": [],
502 | "showTacticRowBackground": false,
503 | "tacticRowBackground": "#dddddd",
504 | "selectTechniquesAcrossTactics": true
505 | }
--------------------------------------------------------------------------------
/extras/layer.svg:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/extras/sigma-kibana-saved-searches/lnx_auditd_masquerading_crond.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "_id": "Masquerading-as-Linux-crond-process",
4 | "_type": "search",
5 | "_source": {
6 | "title": "Sigma: Masquerading as Linux crond process",
7 | "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.",
8 | "hits": 0,
9 | "columns": [],
10 | "sort": [
11 | "@timestamp",
12 | "desc"
13 | ],
14 | "version": 1,
15 | "kibanaSavedObjectMeta": {
16 | "searchSourceJSON": "{\"index\": \"auditbeat-*\", \"filter\": [], \"highlight\": {\"pre_tags\": [\"@kibana-highlighted-field@\"], \"post_tags\": [\"@/kibana-highlighted-field@\"], \"fields\": {\"*\": {}}, \"require_field_match\": false, \"fragment_size\": 2147483647}, \"query\": {\"query_string\": {\"query\": \"(auditd.data.syscall:\\\"execve\\\" AND process.name:\\\"cp\\\" AND process.args:(\\\\-i OR \\\\/bin\\\\/sh OR *\\\\/crond))\", \"analyze_wildcard\": true}}}"
17 | }
18 | }
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/extras/sigma-kibana-saved-searches/lnx_auditd_susp_cmds.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "_id": "Detects-Suspicious-Commands-on-Linux-systems",
4 | "_type": "search",
5 | "_source": {
6 | "title": "Sigma: Detects Suspicious Commands on Linux systems",
7 | "description": "Detects relevant commands often related to malware or hacking activity",
8 | "hits": 0,
9 | "columns": [],
10 | "sort": [
11 | "@timestamp",
12 | "desc"
13 | ],
14 | "version": 1,
15 | "kibanaSavedObjectMeta": {
16 | "searchSourceJSON": "{\"index\": \"auditbeat-*\", \"filter\": [], \"highlight\": {\"pre_tags\": [\"@kibana-highlighted-field@\"], \"post_tags\": [\"@/kibana-highlighted-field@\"], \"fields\": {\"*\": {}}, \"require_field_match\": false, \"fragment_size\": 2147483647}, \"query\": {\"query_string\": {\"query\": \"(auditd.data.syscall:\\\"execve\\\" AND ((process.name:\\\"chmod\\\" AND process.args:\\\"777\\\") OR (process.name:\\\"chmod\\\" AND process.args:\\\"u\\\\+s\\\") OR (process.name:\\\"cp\\\" AND process.args:\\\"\\\\/bin\\\\/ksh\\\") OR (process.name:\\\"cp\\\" AND process.args:\\\"\\\\/bin\\\\/sh\\\")))\", \"analyze_wildcard\": true}}}"
17 | }
18 | }
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/extras/sigma-kibana-saved-searches/lnx_auditd_susp_exe_folders.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "_id": "Program-Executions-in-Suspicious-Folders",
4 | "_type": "search",
5 | "_source": {
6 | "title": "Sigma: Program Executions in Suspicious Folders",
7 | "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity",
8 | "hits": 0,
9 | "columns": [],
10 | "sort": [
11 | "@timestamp",
12 | "desc"
13 | ],
14 | "version": 1,
15 | "kibanaSavedObjectMeta": {
16 | "searchSourceJSON": "{\"index\": \"auditbeat-*\", \"filter\": [], \"highlight\": {\"pre_tags\": [\"@kibana-highlighted-field@\"], \"post_tags\": [\"@/kibana-highlighted-field@\"], \"fields\": {\"*\": {}}, \"require_field_match\": false, \"fragment_size\": 2147483647}, \"query\": {\"query_string\": {\"query\": \"(auditd.data.syscall:\\\"execve\\\" AND process.executable:(\\\\/tmp\\\\/* OR \\\\/var\\\\/www\\\\/* OR \\\\/home\\\\/*\\\\/public_html\\\\/* OR \\\\/usr\\\\/local\\\\/apache2\\\\/* OR \\\\/usr\\\\/local\\\\/httpd\\\\/* OR \\\\/var\\\\/apache\\\\/* OR \\\\/srv\\\\/www\\\\/* OR \\\\/home\\\\/httpd\\\\/html\\\\/* OR \\\\/srv\\\\/http\\\\/* OR \\\\/usr\\\\/share\\\\/nginx\\\\/html\\\\/* OR \\\\/var\\\\/lib\\\\/pgsql\\\\/data\\\\/* OR \\\\/usr\\\\/local\\\\/mysql\\\\/data\\\\/* OR \\\\/var\\\\/lib\\\\/mysql\\\\/* OR \\\\/var\\\\/vsftpd\\\\/* OR \\\\/etc\\\\/bind\\\\/* OR \\\\/var\\\\/named\\\\/*))\", \"analyze_wildcard\": true}}}"
17 | }
18 | }
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/extras/sigma-kibana-saved-searches/lnx_auditd_user_discovery.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "_id": "System-Owner-or-User-Discovery",
4 | "_type": "search",
5 | "_source": {
6 | "title": "Sigma: System Owner or User Discovery",
7 | "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
8 | "hits": 0,
9 | "columns": [],
10 | "sort": [
11 | "@timestamp",
12 | "desc"
13 | ],
14 | "version": 1,
15 | "kibanaSavedObjectMeta": {
16 | "searchSourceJSON": "{\"index\": \"auditbeat-*\", \"filter\": [], \"highlight\": {\"pre_tags\": [\"@kibana-highlighted-field@\"], \"post_tags\": [\"@/kibana-highlighted-field@\"], \"fields\": {\"*\": {}}, \"require_field_match\": false, \"fragment_size\": 2147483647}, \"query\": {\"query_string\": {\"query\": \"(auditd.data.syscall:\\\"execve\\\" AND process.name:(\\\"users\\\" OR \\\"w\\\" OR \\\"who\\\"))\", \"analyze_wildcard\": true}}}"
17 | }
18 | }
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/extras/sigma-kibana-saved-searches/lnx_data_compressed.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "_id": "Data-Compressed",
4 | "_type": "search",
5 | "_source": {
6 | "title": "Sigma: Data Compressed",
7 | "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network",
8 | "hits": 0,
9 | "columns": [],
10 | "sort": [
11 | "@timestamp",
12 | "desc"
13 | ],
14 | "version": 1,
15 | "kibanaSavedObjectMeta": {
16 | "searchSourceJSON": "{\"index\": \"auditbeat-*\", \"filter\": [], \"highlight\": {\"pre_tags\": [\"@kibana-highlighted-field@\"], \"post_tags\": [\"@/kibana-highlighted-field@\"], \"fields\": {\"*\": {}}, \"require_field_match\": false, \"fragment_size\": 2147483647}, \"query\": {\"query_string\": {\"query\": \"(auditd.data.syscall:\\\"execve\\\" AND (process.name:\\\"zip\\\" OR (process.name:\\\"gzip\\\" AND process.args:\\\"\\\\-f\\\") OR (process.name:\\\"tar\\\" AND process.args:\\\\-*c*)))\", \"analyze_wildcard\": true}}}"
17 | }
18 | }
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/extras/sigma-kibana-saved-searches/lnx_network_sniffing.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "_id": "Network-Sniffing",
4 | "_type": "search",
5 | "_source": {
6 | "title": "Sigma: Network Sniffing",
7 | "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",
8 | "hits": 0,
9 | "columns": [],
10 | "sort": [
11 | "@timestamp",
12 | "desc"
13 | ],
14 | "version": 1,
15 | "kibanaSavedObjectMeta": {
16 | "searchSourceJSON": "{\"index\": \"auditbeat-*\", \"filter\": [], \"highlight\": {\"pre_tags\": [\"@kibana-highlighted-field@\"], \"post_tags\": [\"@/kibana-highlighted-field@\"], \"fields\": {\"*\": {}}, \"require_field_match\": false, \"fragment_size\": 2147483647}, \"query\": {\"query_string\": {\"query\": \"(auditd.data.syscall:\\\"execve\\\" AND process.args:(\\\\-c OR \\\\-*i) AND (process.name:\\\"tcpdump\\\" OR process.name:\\\"tshark\\\"))\", \"analyze_wildcard\": true}}}"
17 | }
18 | }
19 | }
20 | ]
21 |
--------------------------------------------------------------------------------
/files/auditd-attack.conf:
--------------------------------------------------------------------------------
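# auditd-attack
# This is a modified version of https://github.com/bfuzzy/auditd-attack to work with Elastic auditbeat
# A Linux Auditd configuration mapped to MITRE's ATT&CK Framework
# Most of my inspiration came from various individuals so I won't name them all, but your work does not go
# unnoticed!
#
# Conventions used in this file:
#   -w <path> -p <rwxa> -k <key>     watch on a file or directory (read / write / execute / attribute change)
#   -a <action,list> -F ... -S ...   syscall rule; on x86_64 each syscall rule is written twice, once per
#                                    arch (b32 and b64), because syscall numbers differ between the two
#   -k T<technique>_<n>              the MITRE ATT&CK technique id the rule is mapped to, with a numeric
#                                    suffix so every key stays unique; auditbeat surfaces the key on the event
#   auid!=4294967295 / auid!=-1      both spell "login uid is set", i.e. ignore daemons and kernel threads
#                                    that never went through a login

### Special Thanks To

#[Eric Gershman](https://github.com/EricGershman/auditd-examples)
#[iase.disa.mil](https://iase.disa.mil/stigs/os/unix-linux/Pages/red-hat.aspx)
#[cyb3rops](https://gist.github.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee)
#[ugurengin](https://gist.github.com/ugurengin/4d37ee83e87bc44291f8ae87a00504cd)
#[checkraze](https://github.com/checkraze/auditd-rules/blob/master/auditd.rules)
#[auditdBroFramework](https://github.com/set-element/auditdBroFramework/blob/master/system_config/audit.rules)
#[@ForensicITGuy]

# Self Auditing ---------------------------------------------------------------

## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
-w /var/log/audit/ -k audit-log

## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
-w /etc/audit/ -p wa -k audit_config
-w /etc/libaudit.conf -p wa -k audit_config
-w /etc/audisp/ -p wa -k audisp_config
### auditbeat's own configuration, including the rules directory this file is installed into
-w /etc/auditbeat/ -p wa -k auditbeat_config

## Monitor for use of audit management tools
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools


# Filters ---------------------------------------------------------------------

### We put these early because audit is a first match wins system.

## Ignore SELinux AVC records
##-a always,exclude -F msgtype=AVC

## Ignore current working directory records
-a always,exclude -F msgtype=CWD

## Ignore EOE records (End Of Event, not needed)
-a always,exclude -F msgtype=EOE

## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t

## This prevents chrony from overwhelming the logs
#-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t

## This is not very interesting and wastes a lot of space if the server is public facing
-a always,exclude -F msgtype=CRYPTO_KEY_USER

## VMWare tools
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2

## CentOS
-a exit,never -F arch=b32 -S fork -F success=0 -F path=/etc/vmware-tools -F subj_type=initrc_t -F exit=-2
-a exit,never -F arch=b64 -S fork -F success=0 -F path=/etc/vmware-tools -F subj_type=initrc_t -F exit=-2

### High Volume Event Filter (especially on Linux Workstations)
-a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
-a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
-a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm


# Rules -----------------------------------------------------------------------

## Kernel Related Events
-w /etc/sysctl.conf -p wa -k sysctl
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k T1547.006_1
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k T1547.006_2
-a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k T1547.006_3
-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1547.006_4
-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k T1547.006_5
-a always,exit -F arch=b64 -S kexec_load -k T1014_1
### NOTE(review): the b64 rule uses the plain name "kexec_load" while the b32 rule uses "sys_kexec_load";
### auditctl rejects a rule whose syscall name it cannot resolve, so confirm the b32 spelling loads on the targets
-a always,exit -F arch=b32 -S sys_kexec_load -k T1014_2
-w /etc/modprobe.conf -p wa -k T1547.006_6

## Time Related Events
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k T1070.006_1
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k T1070.006_2
-a always,exit -F arch=b32 -S clock_settime -k T1070.006_3
-a always,exit -F arch=b64 -S clock_settime -k T1070.006_4
-w /etc/localtime -p wa -k T1070.006_5
-a always,exit -F arch=b32 -S utimes -k T1070.006_6
-a always,exit -F arch=b64 -S utimes -k T1070.006_7
-a always,exit -F arch=b32 -S utimensat -k T1070.006_8
-a always,exit -F arch=b64 -S utimensat -k T1070.006_9

## Stunnel
-w /usr/sbin/stunnel -p x -k T1573.002_1

## Cron configuration & scheduled jobs related events
-w /etc/cron.allow -p wa -k T1053.003_1
-w /etc/cron.deny -p wa -k T1053.003_2
-w /etc/cron.d/ -p wa -k T1053.003_3
-w /etc/cron.daily/ -p wa -k T1053.003_4
-w /etc/cron.hourly/ -p wa -k T1053.003_5
-w /etc/cron.monthly/ -p wa -k T1053.003_6
-w /etc/cron.weekly/ -p wa -k T1053.003_7
-w /etc/crontab -p wa -k T1053.003_8
-w /var/spool/cron/crontabs/ -k T1053.003_9
-w /etc/inittab -p wa -k T1037_1
-w /etc/init.d/ -p wa -k T1037_2
-w /etc/init/ -p wa -k T1037_3
-w /sbin/init -k T1037_4
-w /etc/at.allow -p wa -k T1053.001_14
-w /etc/at.deny -p wa -k T1053.001_15
-w /var/spool/at/ -p wa -k T1053.001_16
-w /etc/anacrontab -p wa -k T1053.003_17

## Systemd service related events
-w /etc/systemd/system/ -k T1543.002_1
-w /usr/lib/systemd/system/ -k T1543.002_2
-w /run/systemd/system/ -k T1543.002_3

## Account Related Events
-w /etc/sudoers -p wa -k T1078.003_1
-w /usr/bin/passwd -p x -k T1078.003_2
-w /usr/sbin/groupadd -p x -k T1078.003_3
-w /usr/sbin/groupmod -p x -k T1078.003_4
-w /usr/sbin/addgroup -p x -k T1078.003_5
-w /usr/sbin/useradd -p x -k T1078.003_6
-w /usr/sbin/usermod -p x -k T1078.003_7
-w /usr/sbin/adduser -p x -k T1078.003_8

## Privileged Command Execution Related Events
### Every execve performed as effective root by a logged-in user, then specific privileged binaries
-a exit,always -F arch=b64 -F euid=0 -F auid!=4294967295 -S execve -k T1078.003_9
-a exit,always -F arch=b32 -F euid=0 -F auid!=4294967295 -S execve -k T1078.003_10
-a always,exit -F path=/usr/sbin/userdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_11
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_12
-a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_13
-a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_14
-a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_15
-a always,exit -F path=/bin/chgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_16
-a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_17
-a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_18
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_19
-a always,exit -F path=/sbin/pwck -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_20
-a always,exit -F path=/usr/sbin/suexec -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_21
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_22
-a always,exit -F path=/usr/sbin/newusers -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_23
-a always,exit -F path=/usr/sbin/groupdel -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_24
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_25
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_26
-a always,exit -F path=/usr/sbin/ccreds_validate -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_27
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_28
##-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F "auid>=500" -F auid!=4294967295 -k T1078.003_29
-a always,exit -F path=/usr/bin/Xorg -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_30
-a always,exit -F path=/usr/bin/rlogin -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_31
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_32
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_33
-a always,exit -F path=/usr/bin/rsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_34
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_35
-a always,exit -F path=/usr/bin/kgrantpty -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_36
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_37
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_38
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_39
-a always,exit -F path=/usr/bin/rcp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_40
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_41
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_42
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_43
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_44
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_45
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_46
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_47
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_48
-a always,exit -F path=/usr/bin/newrole -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_49
-a always,exit -F path=/usr/bin/kpac_dhcp_helper -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_50

-a always,exit -F path=/usr/bin/sleep -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_52

-a always,exit -F path=/usr/bin/pgrep -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_54
-a always,exit -F path=/usr/bin/grep -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_55
-a always,exit -F path=/usr/bin/lspci -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_56

-a always,exit -F path=/usr/bin/udevadm -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_58
-a always,exit -F path=/usr/bin/findmnt -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_59
-a always,exit -F path=/usr/bin/netstat -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_60
-a always,exit -F path=/usr/bin/pkla -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_61
-a always,exit -F path=/usr/bin/gawk -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_62
-a always,exit -F path=/usr/bin/awk -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_63
-a always,exit -F path=/usr/bin/sed -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078.003_64

## Tactic -- Execution --
### Interpreters, once for logged-in non-system users (auid>=500) and once for root sessions (auid=0)
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid>=500 -F auid!=4294967295 -k T1059.004_1
-a always,exit -F path=/usr/bin/bash -F perm=x -F auid=0 -F auid!=4294967295 -k T1059.004_2
-a always,exit -F path=/usr/bin/python -F perm=x -F auid>=500 -F auid!=4294967295 -k T1059.006_1
-a always,exit -F path=/usr/bin/python -F perm=x -F auid=0 -F auid!=4294967295 -k T1059.006_2
-a always,exit -F path=/usr/bin/python2 -F perm=x -F auid>=500 -F auid!=4294967295 -k T1059.006_3
-a always,exit -F path=/usr/bin/python2 -F perm=x -F auid=0 -F auid!=4294967295 -k T1059.006_4
-a always,exit -F exe=/usr/bin/python2.7 -F auid=4294967295 -k T1059.006_5

## Media Export Related Events
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k T1052.001_1
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k T1052.001_2

## Session Related Events
-w /var/run/utmp -p wa -k T1136.001_1
-w /var/log/wtmp -p wa -k T1136.001_2
-w /var/log/btmp -p wa -k T1136.001_3

## Login Related Events
-w /var/log/faillog -p wa -k T1078.001_1
-w /var/log/lastlog -p wa -k T1078.001_2
-w /var/log/tallylog -p wa -k T1078.001_3
-w /var/log/secure -p wa -k T1078.001_4

## Pam Related Events
-w /etc/pam.d/ -p wa -k T1071
-w /etc/security/limits.conf -p wa -k T1078.001_5
-w /etc/security/pam_env.conf -p wa -k T1078.001_6
-w /etc/security/namespace.conf -p wa -k T1078.001_7
-w /etc/security/namespace.init -p wa -k T1078.001_8
-w /etc/pam.d/common-password -p wa -k T1201

## Priv Escalation Related Events
-w /bin/su -p x -k T1548.003_1
-w /usr/bin/sudo -p x -k T1548.003_2
-w /etc/sudoers -p rw -k T1548.003_3
### NOTE(review): no -F arch= on this syscall rule; auditctl resolves the number for the native arch and
### warns about a 32/64-bit mismatch -- confirm it loads cleanly, or split it into b64/b32 variants
-a always,exit -S setresuid -F a0=0 -F exe=/usr/bin/sudo -k T1548.003_4
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k T1548.003_5
-a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k T1548.001_1
-a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k T1548.001_2
-a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1548.001_3
-a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1548.001_4
-a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k T1548.001_5
-a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1548.001_6
-a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1548.001_7
-a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1548.001_8
-a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k T1548.001_9
-a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1548.001_10
-a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1548.001_11
-a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1548.001_12
-a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1548.001_13
-a always,exit -F arch=b64 -S chmod -F auid>=500 -F auid!=4294967295 -k T1548.001_14
-a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k T1548.001_15
-a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k T1548.001_16
-a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k T1548.001_17
-a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k T1548.001_18
-a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k T1548.001_19
-a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k T1548.001_20
-a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k T1548.001_21
-a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k T1548.001_22
-a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k T1548.001_23
-a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k T1548.001_24
-a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k T1548.001_25
-a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k T1548.001_26
### Processes running as a uid other than the one that logged in (uid != auid), and uid/gid changes
-a always,exit -F arch=b64 -C auid!=uid -S execve -k T1548.001_27
-a always,exit -F arch=b32 -C auid!=uid -S execve -k T1548.001_28
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k T1548.001_29
-a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -k T1548.001_30
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k T1548.001_31
-a always,exit -F arch=b32 -S setuid -S setgid -S setreuid -S setregid -F exit=EPERM -k T1548.001_32
#-w /usr/bin/ -p wa -k T1068
### Failed opens under system directories. Current glibc implements open() on top of openat(2),
### so a rule that lists only "open" misses most attempts; both syscalls are audited here.
-a exit,always -F arch=b64 -S open -S openat -F dir=/etc -F success=0 -k T1068_1
-a exit,always -F arch=b64 -S open -S openat -F dir=/bin -F success=0 -k T1068_2
-a exit,always -F arch=b64 -S open -S openat -F dir=/sbin -F success=0 -k T1068_3
-a exit,always -F arch=b64 -S open -S openat -F dir=/usr/bin -F success=0 -k T1068_4
-a exit,always -F arch=b64 -S open -S openat -F dir=/usr/sbin -F success=0 -k T1068_5
-a exit,always -F arch=b64 -S open -S openat -F dir=/var -F success=0 -k T1068_6
-a exit,always -F arch=b64 -S open -S openat -F dir=/home -F success=0 -k T1068_7
-a exit,always -F arch=b64 -S open -S openat -F dir=/srv -F success=0 -k T1068_8

## Recon Related Events
-w /etc/group -p wa -k T1087.001_1
-w /etc/passwd -p wa -k T1087.001_2
-w /etc/gshadow -k T1087.001_3
-w /etc/shadow -p r -k T1087.001_4
-w /etc/security/opasswd -k T1087.001_5
-w /usr/sbin/nologin -k T1087.001_6
-w /sbin/nologin -k T1087.001_7
-w /usr/bin/whoami -p x -k T1033
-w /etc/hostname -p r -k T1082_1
-w /sbin/iptables -p x -k T1082_2
-w /sbin/ifconfig -p x -k T1082_3
-w /etc/login.defs -p wa -k T1082_4
#-a exit,always -F name=/etc/resolv.conf -F auid>=1000 -F auid!=4294967295 -k T1016_0
#-w /etc/resolv.conf -k T1016_1
-w /etc/hosts.allow -k T1016_2
-w /etc/hosts.deny -k T1016_3
-w /etc/securetty -p wa -k T1082_5
-w /var/log/faillog -p wa -k T1082_6
-w /var/log/lastlog -p wa -k T1082_7
-w /var/log/tallylog -p wa -k T1082_8
-w /usr/sbin/tcpdump -p x -k T1049_1
-w /usr/sbin/traceroute -p x -k T1049_2
-w /usr/bin/wireshark -p x -k T1049_3
-w /usr/bin/rawshark -p x -k T1049_4
-w /usr/bin/grep -p x -k T1552.001
-w /usr/bin/egrep -p x -k T1552.001
#-w /usr/bin/ps -p x -k T1057_1
#-w /bin/ps -p x -k T1057_2
-a always,exit -F path=/usr/bin/ps -F perm=x -k T1057_1
-a always,exit -F exe=/bin/ps -F perm=x -k T1057_2


## Data Copy(Local)
-w /usr/bin/cp -p x -k T1005_1
-w /usr/bin/dd -p x -k T1005_2

## Remote Access Related Events
-w /usr/bin/wget -p x -k T1219_1
-w /usr/bin/curl -p x -k T1219_2
-w /usr/bin/base64 -p x -k T1219_3
-w /bin/nc -p x -k T1219_4
-w /bin/nc.traditional -p x -k T1219_5
-w /bin/netcat -p x -k T1219_6
-w /usr/bin/ncat -p x -k T1219_7
-w /usr/bin/ssh -p x -k T1219_8
-w /usr/bin/socat -p x -k T1219_9
-w /usr/bin/rdesktop -p x -k T1219_10

## Third Party Software
# RPM (Redhat/CentOS)
-w /usr/bin/rpm -p x -k T1072_1
-w /usr/bin/yum -p x -k T1072_2

# YAST/Zypper/RPM (SuSE)
-w /sbin/yast -p x -k T1072_3
-w /sbin/yast2 -p x -k T1072_4
-w /bin/rpm -p x -k T1072_5
-w /usr/bin/zypper -k T1072_6

# DPKG / APT-GET (Debian/Ubuntu)
-w /usr/bin/dpkg -p x -k T1072_7
-w /usr/bin/apt-add-repository -p x -k T1072_8
-w /usr/bin/apt-get -p x -k T1072_9
-w /usr/bin/aptitude -p x -k T1072_10

## Code injection Related Events
### All ptrace calls, plus the specific requests a0=0x4/0x5/0x6 (the POKE* family) that write into another process
-a always,exit -F arch=b32 -S ptrace -k T1055.008_1
-a always,exit -F arch=b64 -S ptrace -k T1055.008_2
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k T1055.008_3
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k T1055.008_4
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k T1055.008_5
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k T1055.008_6
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k T1055.008_7
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k T1055.008_8
-w /etc/ld.so.preload -k T1548.001_33

## Shell configuration Persistence Related Events
-a exit,always -F dir=/etc/profile.d -F perm=w -k T1546.004_1
#-w /etc/profile.d/ -k T1546.004_1
-w /etc/profile -k T1546.004_2
#-a exit,always -F name=/etc/shells -F auid>=1000 -F auid!=4294967295 -k T1546.004_3
##-w /etc/shells -k T1546.004_3
-w /etc/bashrc -k T1546.004_4
-w /etc/csh.cshrc -k T1546.004_5
-w /etc/csh.login -k T1546.004_6
-w /root/.bash_profile -p w -k T1546.004_7
-w /root/.bashrc -p w -k T1546.004_8
-w /etc/ssh/sshd_config -p w -k T1098.004_9

## Log all commands (Noisy)
#-a exit,always -F arch=b64 -S execve -k T1059_1
#-a exit,always -F arch=b32 -S execve -k T1059_2

## Remote File Copy
-w /usr/bin/ftp -p x -k T1105

## File Deletion by User Related Events
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1070.004_1
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k T1070.004_2
-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070.004_3
-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k T1070.004_4

# Make the configuration immutable --------------------------------------------
## Left disabled on purpose: "-e 2" locks the rule set until reboot, so a later rule change
## (including one pushed by this role) could no longer be loaded. Enable only where that is wanted.
##-e 2
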
--------------------------------------------------------------------------------
/files/uninstall-service-auditbeat.ps1:
--------------------------------------------------------------------------------
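# Stop and delete the auditbeat Windows service if it is already registered,
# so the install step can register it cleanly.
$auditbeatService = Get-Service -Name auditbeat -ErrorAction SilentlyContinue
if ($auditbeatService) {
    # Stop-Service blocks until the service reports Stopped (or the SCM times
    # out), which replaces the fixed one-second sleep that could race a slow
    # shutdown. -Force also stops anything depending on it.
    if ($auditbeatService.Status -ne 'Stopped') {
        Stop-Service -Name auditbeat -Force
    }
    # Win32_Service.Delete marks the service for removal; the SCM drops it once
    # the last open handle to it is closed. The return value is discarded, as
    # the original script did.
    $wmiService = Get-WmiObject -Class Win32_Service -Filter "name='auditbeat'"
    [void]$wmiService.Delete()
}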
8 |
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
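---
# Handlers for the role; notified from the task files, never run directly.

# Force yum to re-read repository metadata.
- name: yum-clean-metadata
  command: yum clean metadata
  args:
    # Suppress the "use a module instead" hint for the bare yum command.
    # NOTE(review): the warn option was removed from the command module in
    # newer ansible-core releases; drop it if the role targets those.
    warn: false

# Linux: restart auditbeat so changed configuration or rules take effect.
- name: restart-auditbeat
  service:
    name: auditbeat
    state: restarted

# Windows: same, through the native service module rather than a shell call,
# so the handler is idempotent and reports failure if the service is missing.
- name: restart-auditbeat-windows
  win_service:
    name: auditbeat
    state: restarted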
12 |
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
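---
# Ansible Galaxy metadata for the role.
galaxy_info:
  role_name: auditbeat
  author: Ján Trenčanský
  description: Install Auditbeat for security monitoring, supplied ruleset.
  company: None

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: MIT

  # Quoted on purpose: an unquoted 2.0 is parsed as a YAML float, which does
  # not order correctly against releases like 2.10 (2.10 == 2.1 as floats).
  min_ansible_version: "2.0"

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  # Optionally specify the branch Galaxy will use when accessing the GitHub
  # repo for this role. During role install, if no tags are available,
  # Galaxy will use this branch. During import Galaxy will access files on
  # this branch. If Travis integration is configured, only notifications for this
  # branch will be accepted. Otherwise, in all cases, the repo's default branch
  # (usually master) will be used.
  # github_branch:

  #
  # platforms is a list of platforms, and each platform has a name and a list of versions.
  #
  platforms:
    - name: EL
      versions:
        - 6
        - 7
        - 8
    - name: Ubuntu
      versions:
        - xenial
        - bionic
        - focal
    - name: Debian
      versions:
        - jessie
        - stretch
        - buster
    - name: Windows
      versions:
        - 2016
        - 2019

  galaxy_tags:
    - security
    - linux
    - windows
    - elastic
    - logging
    - monitoring

  # List tags for your role here, one per line. A tag is a keyword that describes
  # and categorizes the role. Users find roles by searching for tags. Be sure to
  # remove the '[]' above, if you add tags to this list.
  #
  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
  # Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.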
76 |
--------------------------------------------------------------------------------
/molecule/default/Dockerfile.j2:
--------------------------------------------------------------------------------
# Molecule managed
#
# Jinja template molecule renders into a Dockerfile for each entry in
# molecule.yml's platforms list ("item" is that entry). NOTE(review): the
# default scenario sets pre_build_image: true, so this template is presumably
# only used when that flag is turned off -- confirm before editing.

{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}

{# Only emit ENV lines for variables that have a non-empty value. #}
{% if item.env is defined %}
{% for var, value in item.env.items() %}
{% if value %}
ENV {{ var }} {{ value }}
{% endif %}
{% endfor %}
{% endif %}

# Install what Ansible needs on the guest (a python interpreter, sudo, bash,
# iproute) with whichever package manager the base image ships, then clear the
# package cache to keep the image small.
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates iproute2 && apt-get clean; \
    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python3 sudo python3-devel python*-dnf bash iproute && dnf clean all; \
    elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash iproute && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
    elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml iproute2 && zypper clean -a; \
    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
    elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates iproute2 && xbps-remove -O; fi
23 |
--------------------------------------------------------------------------------
/molecule/default/INSTALL.rst:
--------------------------------------------------------------------------------
1 | *******
2 | Docker driver installation guide
3 | *******
4 |
5 | Requirements
6 | ============
7 |
8 | * Docker Engine
9 |
10 | Install
11 | =======
12 |
13 | Please refer to the `Virtual environment`_ documentation for installation best
14 | practices. If not using a virtual environment, please consider passing the
15 | widely recommended `'--user' flag`_ when invoking ``pip``.
16 |
17 | .. _Virtual environment: https://virtualenv.pypa.io/en/latest/
18 | .. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
19 |
20 | .. code-block:: bash
21 |
22 | $ pip install 'molecule[docker]'
23 |
--------------------------------------------------------------------------------
/molecule/default/converge.yml:
--------------------------------------------------------------------------------
---
# Molecule converge play: apply the role under test to every instance in the
# scenario's inventory.
- name: Converge
  hosts: all
  roles:
    - ansible-role-auditbeat
6 |
--------------------------------------------------------------------------------
/molecule/default/molecule.yml:
--------------------------------------------------------------------------------
---
# Molecule scenario for the Linux platforms. The container image is selected
# through environment variables (image, namespace, tag) so the CI workflow can
# run this one scenario once per distribution; without them it falls back to
# geerlingguy's ubuntu1804 image.
dependency:
  name: galaxy
driver:
  name: docker
lint: |
  set -e
  ansible-lint
platforms:
  - name: ${image:-ubuntu1804}-instance
    image: ${namespace:-geerlingguy}/docker-${image:-ubuntu1804}-ansible:${tag:-latest}
    # Host pid namespace plus the audit capabilities -- presumably what the
    # auditd module needs to talk to the kernel audit subsystem from inside a
    # container; confirm before tightening.
    pid_mode: host
    capabilities:
      - AUDIT_CONTROL
      - AUDIT_READ
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    # NOTE(review): privileged grants every capability, so the explicit list
    # above adds nothing on top of it; it documents intent. Check whether the
    # role still converges without privileged before keeping both.
    privileged: true
    # Use the image as-is; the Dockerfile.j2 in this directory is not built.
    pre_build_image: true
provisioner:
  name: ansible
verifier:
  name: testinfra
  # NOTE(review): verifier.lint is the molecule v2 layout; v3 only knows the
  # top-level lint block above. Confirm against the molecule version in use.
  lint:
    name: flake8
26 |
--------------------------------------------------------------------------------
/molecule/default/prepare.yml:
--------------------------------------------------------------------------------
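---
# Molecule prepare play: refresh the apt index on Debian-family instances so
# the role's package installs do not fail on a stale cache. Other families
# need nothing here.
- name: Prepare
  hosts: all
  tasks:
    - name: (Debian/Ubuntu) apt-get update
      apt:
        update_cache: true
      when: ansible_os_family == "Debian"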
8 |
--------------------------------------------------------------------------------
/molecule/default/tests/test_default.py:
--------------------------------------------------------------------------------
1 | import os
2 |
3 | import testinfra.utils.ansible_runner
4 |
# Point testinfra at the inventory molecule writes for the scenario
# (MOLECULE_INVENTORY_FILE) so the tests below run against the converged
# instance(s) rather than the local machine.
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']
).get_hosts('all')
8 |
9 |
10 | def test_auditbeat_package(host):
11 | package_auditbeat = host.package('auditbeat')
12 | assert package_auditbeat.is_installed
13 |
14 |
15 | def test_auditbeat_config(host):
16 | config = host.file("/etc/auditbeat/auditbeat.yml")
17 | assert config.exists
18 | assert config.is_file
19 |
20 |
21 | def test_auditbeat_rules(host):
22 | rules = host.file("/etc/auditbeat/audit.rules.d/auditd-attack.conf")
23 | assert rules.exists
24 | assert rules.is_file
25 |
26 |
27 | # def test_auditbeat_rules_installation(host):
28 | # list_rules = host.run("auditbeat show auditd-rules")
29 | # assert len(list_rules.stdout) > 10
30 |
--------------------------------------------------------------------------------
/molecule/windows/Dockerfile.j2:
--------------------------------------------------------------------------------
# Windows base image for the molecule "windows" scenario (molecule.yml builds
# it from this file as windows-local/windows-os-base). Test-only image: the
# Administrator password set below is the ansible_password molecule.yml uses,
# and the image is never meant to leave the local test host.
#
# NOTE(review): the remoting script is downloaded from the unpinned "devel"
# branch at build time and run with ExecutionPolicy ByPass, so the image
# contents depend on whatever upstream currently ships; pin a tag or commit
# if reproducible builds matter.
FROM mcr.microsoft.com/windows:1903
RUN powershell.exe -Command \
    wget https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1 -Outfile c:\remoting.ps1; \
    powershell.exe -ExecutionPolicy ByPass -File c:\remoting.ps1 ; \
    $password = ConvertTo-SecureString "Password123" -AsPlainText -Force; \
    Set-LocalUser -Name Administrator -Password $password; \
    Enable-LocalUser -Name "Administrator"; \
    Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
# WinRM over HTTPS; molecule.yml publishes this port to the host.
EXPOSE 5986
10 |
--------------------------------------------------------------------------------
/molecule/windows/INSTALL.rst:
--------------------------------------------------------------------------------
1 | *******
2 | Docker driver installation guide
3 | *******
4 |
5 | Requirements
6 | ============
7 |
8 | * Docker Engine
9 |
10 | Install
11 | =======
12 |
13 | Please refer to the `Virtual environment`_ documentation for installation best
14 | practices. If not using a virtual environment, please consider passing the
15 | widely recommended `'--user' flag`_ when invoking ``pip``.
16 |
17 | .. _Virtual environment: https://virtualenv.pypa.io/en/latest/
18 | .. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
19 |
20 | .. code-block:: bash
21 |
22 | $ python3 -m pip install 'molecule[docker]'
23 |
--------------------------------------------------------------------------------
/molecule/windows/converge.yml:
--------------------------------------------------------------------------------
---
# Converge step of the Windows scenario: apply the role to every host in the
# molecule inventory.
- name: Converge
  hosts: all
  tasks:
    - name: Include ansible-role-auditbeat
      include_role:
        name: ansible-role-auditbeat
--------------------------------------------------------------------------------
/molecule/windows/molecule.yml:
--------------------------------------------------------------------------------
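---
# Molecule scenario for the Windows build of the role. The container is built
# from Dockerfile.j2 next to this file and reached over WinRM on 127.0.0.1.
dependency:
  name: galaxy
driver:
  name: docker
lint: |
  set -e
  ansible-lint
platforms:
  - name: windows-os-base
    image: windows-local/windows-os-base:latest
    dockerfile: Dockerfile.j2
    # The image is built locally; never try to pull it from a registry.
    pull: false
    # tcp://localhost:2375 is the conventional non-TLS Docker API endpoint;
    # whoever can reach it controls the daemon, so keep it bound to loopback.
    docker_host: tcp://localhost:2375
    command: ping -t localhost
    published_ports:
      - "5986:5986/tcp"
provisioner:
  name: ansible
  inventory:
    host_vars:
      windows-os-base:
        ansible_host: 127.0.0.1
        ansible_user: Administrator
        # Throw-away credential baked into Dockerfile.j2 for the test image;
        # it must stay in sync with the Set-LocalUser line there.
        ansible_password: Password123
        ansible_connection: winrm
        # Basic auth against the container's self-signed WinRM listener, so
        # the server certificate cannot be validated here. Test-only settings;
        # do not copy them into a real inventory.
        ansible_winrm_transport: basic
        ansible_winrm_server_cert_validation: ignore
        ansible_shell_type: powershell
verifier:
  name: ansible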
32 |
--------------------------------------------------------------------------------
/molecule/windows/prepare.yml:
--------------------------------------------------------------------------------
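---
# Prepare step: block until the WinRM port published by molecule.yml answers,
# otherwise converge would start before the container finished booting.
- name: Prepare
  hosts: all
  # No facts yet: the only goal is to confirm the connection works.
  gather_facts: false
  tasks:
    - name: Wait for published winrm port to be available
      wait_for_connection: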
8 |
--------------------------------------------------------------------------------
/molecule/windows/verify.yml:
--------------------------------------------------------------------------------
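---
# Verify step for the Windows scenario. The previous placeholder asserted
# `true`, which passes even when the role did nothing; this checks the one
# outcome both Windows task files produce: a registered "auditbeat" service.
- name: Verify
  hosts: all
  gather_facts: false
  tasks:
    - name: Query the auditbeat service
      win_service:
        name: auditbeat
      register: auditbeat_svc

    - name: Assert the auditbeat service is installed
      assert:
        that:
          - auditbeat_svc.exists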
10 |
--------------------------------------------------------------------------------
/tasks/Debian.yml:
--------------------------------------------------------------------------------
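---
# Debian/Ubuntu repository setup. The install tag is on every task so that a
# `--tags install` run still gets gnupg (apt_key needs it) and https transport.
- name: (Debian/Ubuntu) Install dependencies
  apt:
    name:
      - gnupg
      - apt-transport-https
    state: present
  tags: install

# The signing key is fetched over HTTPS from Elastic; apt then verifies every
# package from the repository below against it. apt_key adds it to the
# host-wide trusted keyring, so it is trusted for all repositories — newer
# Debian/Ubuntu prefer a per-repository keyring with a signed-by option.
- name: (Debian/Ubuntu) Add Elasticsearch repository GPG key
  apt_key:
    url: "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
    state: present
  tags: install

- name: (Debian/Ubuntu) Add Elasticsearch 7.X repository
  apt_repository:
    repo: deb https://artifacts.elastic.co/packages/7.x/apt stable main
    filename: elastic-repo.list
    update_cache: true
    state: present
  tags: install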
--------------------------------------------------------------------------------
/tasks/RedHat.yml:
--------------------------------------------------------------------------------
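---
# RHEL/CentOS repository setup for the 7.x auditbeat packages.
- name: (REHL/CentOS) Add Elasticsearch 7.X repository
  yum_repository:
    name: "elastic-7.x"
    description: "Elastic repository for 7.x packages"
    baseurl: "https://artifacts.elastic.co/packages/7.x/yum"
    gpgkey: "https://packages.elastic.co/GPG-KEY-elasticsearch"
    # yum_repository only writes gpgcheck into the .repo file when it is set;
    # without it signature verification depends on the host's global yum
    # default. Set it explicitly so the gpgkey above is actually enforced.
    gpgcheck: true
    state: present
  notify: yum-clean-metadata
  tags: install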
11 |
--------------------------------------------------------------------------------
/tasks/Windows32bit.yml:
--------------------------------------------------------------------------------
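---
# Install or upgrade auditbeat on 32-bit Windows. The release zip is unpacked
# into a per-version folder under auditbeat_service.install_path_windows32 and
# registered as a service; an existing install of another version is removed
# first. The "when" guards key off auditbeat_folder: if the per-version folder
# already exists the requested version is considered installed.
- name: (Windows x86) Create 32-bit install directory
  win_file:
    # Same variable as every other task in this file; the earlier
    # install_path_32 name is not used anywhere else in the role.
    path: "{{ auditbeat_service.install_path_windows32 }}"
    state: directory

- name: (Windows x86) Check if auditbeat service is installed
  win_service:
    name: auditbeat
  register: auditbeat_installed

- name: (Windows x86) Check if auditbeat is using current version
  win_stat:
    path: "{{ auditbeat_service.install_path_windows32 }}\\auditbeat-{{ auditbeat_service.version }}-windows-x86"
  register: auditbeat_folder

- name: (Windows x86) Copy auditbeat uninstall script
  win_copy:
    src: files/uninstall-service-auditbeat.ps1
    dest: "{{ auditbeat_service.install_path_windows32 }}\\uninstall-service-auditbeat.ps1"
    force: true
  when: auditbeat_installed.exists and not auditbeat_folder.stat.exists

- name: (Windows x86) Uninstall auditbeat
  win_shell: .\uninstall-service-auditbeat.ps1
  args:
    chdir: "{{ auditbeat_service.install_path_windows32 }}"
  when: auditbeat_installed.exists and not auditbeat_folder.stat.exists

- name: (Windows x86) Download auditbeat
  win_get_url:
    # The URL previously interpolated winlogbeat_service.version, a variable
    # from a different role; auditbeat_service.version is the one used by
    # every other task here and by the 64-bit file.
    url: "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-{{ auditbeat_service.version }}-windows-x86.zip"
    dest: "{{ auditbeat_service.install_path_windows32 }}\\auditbeat.zip"
    # Optional integrity check of the downloaded archive. Set
    # auditbeat_service.checksum_windows32 (a constructed, optional key not in
    # the defaults shown here) to the sha256 Elastic publishes for this
    # version; when it is unset the download is accepted as before.
    checksum: "{{ auditbeat_service.checksum_windows32 | default(omit) }}"
    checksum_algorithm: sha256
  when: auditbeat_service.download and not auditbeat_folder.stat.exists

- name: (Windows x86) Copy auditbeat
  win_copy:
    src: "files/auditbeat-{{ auditbeat_service.version }}-windows-x86.zip"
    dest: "{{ auditbeat_service.install_path_windows32 }}\\auditbeat.zip"
  when: not auditbeat_service.download and not auditbeat_folder.stat.exists

- name: (Windows x86) Unzip auditbeat
  win_unzip:
    src: "{{ auditbeat_service.install_path_windows32 }}\\auditbeat.zip"
    dest: "{{ auditbeat_service.install_path_windows32 }}\\"
    delete_archive: true
  when: not auditbeat_folder.stat.exists

- name: (Windows x86) Configure auditbeat
  win_template:
    src: auditbeat-windows.yml.j2
    dest: "{{ auditbeat_service.install_path_windows32 }}\\auditbeat-{{ auditbeat_service.version }}-windows-x86\\auditbeat.yml"
  notify: restart-auditbeat-windows

- name: (Windows x86) Install auditbeat
  # install-service-auditbeat.ps1 ships inside the release zip.
  win_shell: .\install-service-auditbeat.ps1
  args:
    chdir: "{{ auditbeat_service.install_path_windows32 }}\\auditbeat-{{ auditbeat_service.version }}-windows-x86\\"
  when: not auditbeat_folder.stat.exists
  notify: restart-auditbeat-windows

# Everything in the install directory whose name does not contain the version
# is deleted — that includes the uninstall script copied above. -CNotMatch is a
# regex match, so the dots in the version match any character (harmless for
# the folder names produced here).
- name: (Windows x86) Remove other auditbeat installations
  win_shell: |
    $version="{{ auditbeat_service.version }}"
    Get-ChildItem -Path "{{ auditbeat_service.install_path_windows32 }}" | Where-Object {$_.Name -CNotMatch $version} | Remove-Item -Recurse
  when: not auditbeat_folder.stat.exists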
67 |
--------------------------------------------------------------------------------
/tasks/Windows64bit.yml:
--------------------------------------------------------------------------------
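---
# Install or upgrade auditbeat on 64-bit Windows. The release zip is unpacked
# into a per-version folder under auditbeat_service.install_path_windows64 and
# registered as a service; an existing install of another version is removed
# first. The "when" guards key off auditbeat_folder: if the per-version folder
# already exists the requested version is considered installed.
- name: (Windows x64) Create 64-bit install directory
  win_file:
    path: "{{ auditbeat_service.install_path_windows64 }}"
    state: directory

- name: (Windows x64) Check if auditbeat service is installed
  win_service:
    name: auditbeat
  register: auditbeat_installed

- name: (Windows x64) Check if auditbeat is using current version
  win_stat:
    path: "{{ auditbeat_service.install_path_windows64 }}\\auditbeat-{{ auditbeat_service.version }}-windows-x86_64"
  register: auditbeat_folder

- name: (Windows x64) Copy auditbeat uninstall script
  win_copy:
    src: files/uninstall-service-auditbeat.ps1
    dest: "{{ auditbeat_service.install_path_windows64 }}\\uninstall-service-auditbeat.ps1"
    force: true
  when: auditbeat_installed.exists and not auditbeat_folder.stat.exists

- name: (Windows x64) Uninstall auditbeat
  win_shell: .\uninstall-service-auditbeat.ps1
  args:
    chdir: "{{ auditbeat_service.install_path_windows64 }}"
  when: auditbeat_installed.exists and not auditbeat_folder.stat.exists

- name: (Windows x64) Download auditbeat
  win_get_url:
    url: "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-{{ auditbeat_service.version }}-windows-x86_64.zip"
    dest: "{{ auditbeat_service.install_path_windows64 }}\\auditbeat.zip"
    # Optional integrity check of the downloaded archive. Set
    # auditbeat_service.checksum_windows64 (a constructed, optional key not in
    # the defaults shown here) to the sha256 Elastic publishes for this
    # version; when it is unset the download is accepted as before.
    checksum: "{{ auditbeat_service.checksum_windows64 | default(omit) }}"
    checksum_algorithm: sha256
  when: auditbeat_service.download and not auditbeat_folder.stat.exists

- name: (Windows x64) Copy auditbeat
  win_copy:
    src: "files/auditbeat-{{ auditbeat_service.version }}-windows-x86_64.zip"
    dest: "{{ auditbeat_service.install_path_windows64 }}\\auditbeat.zip"
  when: not auditbeat_service.download and not auditbeat_folder.stat.exists

- name: (Windows x64) Unzip auditbeat
  win_unzip:
    src: "{{ auditbeat_service.install_path_windows64 }}\\auditbeat.zip"
    dest: "{{ auditbeat_service.install_path_windows64 }}\\"
    delete_archive: true
  when: not auditbeat_folder.stat.exists

- name: (Windows x64) Configure auditbeat
  win_template:
    src: auditbeat-windows.yml.j2
    dest: "{{ auditbeat_service.install_path_windows64 }}\\auditbeat-{{ auditbeat_service.version }}-windows-x86_64\\auditbeat.yml"
  notify: restart-auditbeat-windows

- name: (Windows x64) Install auditbeat
  # install-service-auditbeat.ps1 ships inside the release zip.
  win_shell: .\install-service-auditbeat.ps1
  args:
    chdir: "{{ auditbeat_service.install_path_windows64 }}\\auditbeat-{{ auditbeat_service.version }}-windows-x86_64\\"
  when: not auditbeat_folder.stat.exists
  notify: restart-auditbeat-windows

# Everything in the install directory whose name does not contain the version
# is deleted — that includes the uninstall script copied above. -CNotMatch is a
# regex match, so the dots in the version match any character (harmless for
# the folder names produced here).
- name: (Windows x64) Remove other auditbeat installations
  win_shell: |
    $version="{{ auditbeat_service.version }}"
    Get-ChildItem -Path "{{ auditbeat_service.install_path_windows64 }}" | Where-Object {$_.Name -CNotMatch $version} | Remove-Item -Recurse
  when: not auditbeat_folder.stat.exists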
67 |
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
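---
# Role entry point: pull in the per-platform task file, then run the tasks
# that only apply to Linux. Windows is handled entirely by Windows32bit.yml
# and Windows64bit.yml.
- import_tasks: "Windows32bit.yml"
  when:
    - ansible_os_family == "Windows"
    - ansible_architecture == "32-bit"

- import_tasks: "Windows64bit.yml"
  when:
    - ansible_os_family == "Windows"
    - ansible_architecture == "64-bit"

- import_tasks: "RedHat.yml"
  when: ansible_os_family == "RedHat"

- import_tasks: "Debian.yml"
  when: ansible_os_family == "Debian"

# Following tasks are Linux only; all Windows tasks are in Windows32bit.yml and Windows64bit.yml
- name: (Linux) Collect service facts
  service_facts:
  when:
    - ansible_os_family != "Windows"

# The service binary is used on purpose: systemd will not stop auditd through
# the usual unit control, and the service module does not fall back to the
# binary even when told to. Stopping auditd is what lets auditbeat's auditd
# module take over audit collection.
# NOTE(review): on systemd hosts service_facts may list the unit as
# 'auditd.service' rather than 'auditd' — confirm the key on a target host.
- name: (Linux) Stop auditd
  command:
    cmd: service auditd stop
    # `warn` no longer exists on the command module in recent ansible-core;
    # drop this line when the role moves to such a version.
    warn: false
  when:
    - ansible_facts.services['auditd'] is defined
    - ansible_os_family != "Windows"
  tags: install

# Keep auditd from coming back at boot and competing with auditbeat.
# NOTE(review): chkconfig is a SysV tool and is not present on every Debian/
# Ubuntu release the CI matrix covers — verify on those images.
- name: (Linux) Remove auditd from starting on boot
  command:
    cmd: chkconfig auditd off
    warn: false
  when:
    - ansible_facts.services['auditd'] is defined
    - ansible_os_family != "Windows"
    - ansible_os_family != "Gentoo"
  tags: install

# Package installs are version-pinned to auditbeat_service.version so the
# Windows and Linux hosts of a fleet run the same release.
- name: (Debian/Ubuntu) Install auditbeat apt
  apt:
    name: auditbeat={{ auditbeat_service.version }}
    state: present
  when: ansible_os_family == "Debian"
  tags: install

- name: (REHL/CentOS) Install auditbeat yum
  yum:
    name: auditbeat-{{ auditbeat_service.version }}
    state: present
  when: ansible_os_family == "RedHat"
  tags: install

# INFO: Based on where and how you generate your auditbeat portage package, you may need to change the package name
- name: (Gentoo) Install auditbeat portage
  community.general.portage:
    package: "{{ auditbeat_portage.package }}"
    getbinpkg: "{{ auditbeat_portage.getbinpkg }}"
  when: ansible_os_family == "Gentoo"
  tags: install

- name: (Linux) Create auditbeat configuration file
  template:
    src: auditbeat.yml.j2
    dest: "{{ auditbeat_service.config_path }}/auditbeat.yml"
  when: ansible_os_family != "Windows"
  notify: restart-auditbeat
  tags: configure

# The rule file lands in audit.rules.d/, which the auditd module of the
# rendered auditbeat.yml loads. Root-owned and not group/world writable, so
# only root can change what gets audited.
- name: (Linux) Install auditing rules for auditbeat
  copy:
    src: files/{{ auditbeat_service.rule_file }}
    dest: "{{ auditbeat_service.config_path }}/audit.rules.d/"
    owner: root
    group: root
    mode: '0644'
  tags: configure
  when:
    - ansible_os_family != "Windows"
    - auditbeat_service.install_rules
  notify: restart-auditbeat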
--------------------------------------------------------------------------------
/templates/auditbeat-windows.yml.j2:
--------------------------------------------------------------------------------
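# Managed by Ansible
#========================== Modules configuration =============================
auditbeat.modules:
{% if auditbeat_module_windows.file_integrity.enabled | bool %}
- module: file_integrity
  paths:
    {{ auditbeat_module_windows.file_integrity.paths | to_nice_yaml | trim | indent(4) }}
{% endif %}
{% if auditbeat_module_windows.system.enabled | bool %}
- module: system
  datasets:
    {{ auditbeat_module_windows.system.datasets | to_nice_yaml | trim | indent(4) }}

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: {{ auditbeat_module_windows.system.state_period | default('12h') }}

{% endif %}
#==================== Elasticsearch template setting ==========================
setup.template.enabled: {{ auditbeat_template.enabled | default(true) }}
setup.template.settings:
  index.number_of_shards: {{ auditbeat_template.number_of_shards | default(1) }}

#================================ General =====================================

{% if auditbeat_general.tags is defined %}
tags: {{ auditbeat_general.tags | to_json }}
{% endif %}

{% if auditbeat_cloud is defined %}
#============================= Elastic Cloud ==================================

# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
cloud.id: {{ auditbeat_cloud.id }}

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
# Rendered as a quoted string so a credential containing YAML-significant
# characters (#, :, quotes) cannot break the file.
cloud.auth: {{ auditbeat_cloud.auth | to_json }}
{% endif %}

{% if auditbeat_ilm is defined %}
#=================================== ILM ======================================
setup.ilm.enabled: {{ auditbeat_ilm.enabled | default("auto") }}
{# NOTE(review): this compares against the string "false"; a boolean false or
   an unset value still renders the settings below — confirm the intended
   contract for auditbeat_ilm.enabled. #}
{% if auditbeat_ilm.enabled != "false" %}
setup.ilm.rollover_alias: {{ auditbeat_ilm.rollover_alias | default("auditbeat-%{[agent.version]}") }}
setup.ilm.pattern: {{ auditbeat_ilm.pattern | default("%{now/d}-000001") }}
setup.ilm.policy_name: {{ auditbeat_ilm.policy_name | default("auditbeat-%{[agent.version]}") }}
setup.ilm.check_exists: {{ auditbeat_ilm.check_exists | default(true) }}
{% endif %}
{% endif %}
#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

{% if auditbeat_output.type == "elasticsearch" %}
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: {{ auditbeat_output.elasticsearch.hosts | to_json }}

{% if auditbeat_output.elasticsearch.security.enabled | bool %}
  # Optional protocol and basic auth credentials. The password is written as
  # a quoted string so special characters cannot break the YAML; a Beats
  # keystore reference (${NAME}) still resolves inside the quotes and keeps
  # the secret out of this file.
  username: {{ auditbeat_output.elasticsearch.security.username }}
  password: {{ auditbeat_output.elasticsearch.security.password | to_json }}
  protocol: {{ auditbeat_output.elasticsearch.security.protocol }}
{% if auditbeat_output.elasticsearch.security.ssl_certificate_authorities is defined %}
  ssl.certificate_authorities: {{ auditbeat_output.elasticsearch.security.ssl_certificate_authorities | to_json }}
{% endif %}
{% if 'https' == auditbeat_output.elasticsearch.security.protocol %}
  # "full" verifies both the certificate chain and the host name.
  ssl.verification_mode: {{ auditbeat_output.elasticsearch.security.ssl_verification_mode | default("full") }}
{% endif %}
{% endif %}
{% endif %}
{% if auditbeat_output.type == "logstash" %}
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: {{ auditbeat_output.logstash.hosts | to_json }}

{# The closing tag below previously carried a stray extra "}" that was emitted
   into the rendered file as a bare "}" line and made the YAML invalid. #}
{% if auditbeat_output.logstash.security.ssl_certificate_authorities is defined %}
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: {{ auditbeat_output.logstash.security.ssl_certificate_authorities | to_json }}
{% endif %}

{% endif %}
{% if auditbeat_output.type == "redis" %}
#------------------------------ Redis output ---------------------------------
output.redis:
  hosts: {{ auditbeat_output.redis.hosts | to_json }}
{% if auditbeat_output.redis.password is defined %}
  password: {{ auditbeat_output.redis.password | to_json }}
{% endif %}
  key: {{ auditbeat_output.redis.key }}
{% if auditbeat_output.redis.timeout is defined %}
  timeout: {{ auditbeat_output.redis.timeout }}
{% endif %}
{% endif %}
#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

{% if auditbeat_processors is defined %}
processors:
  {{ auditbeat_processors | indent( width=2 ) }}
{% endif %}

#============================== X-Pack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
{% if auditbeat_migration is defined %}
#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
migration.6_to_7.enabled: {{ auditbeat_migration }}
{% endif %}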
140 |
--------------------------------------------------------------------------------
/templates/auditbeat.yml.j2:
--------------------------------------------------------------------------------
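# Managed by Ansible
#========================== Modules configuration =============================
auditbeat.modules:

{% if auditbeat_module.auditd.enabled | bool %}
- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  # tasks/main.yml installs the role's rule file into this directory.
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
{% endif %}
{% if auditbeat_module.file_integrity.enabled | bool %}
- module: file_integrity
  paths:
    {{ auditbeat_module.file_integrity.paths | to_nice_yaml | trim | indent(4) }}
{% endif %}
{% if auditbeat_module.system.enabled | bool %}
- module: system
  datasets:
    {{ auditbeat_module.system.datasets | to_nice_yaml | trim | indent(4) }}

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: {{ auditbeat_module.system.state_period | default('12h') }}

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: {{ auditbeat_module.system.user_detect_password_changes | default(true) }}

  # File patterns of the login record files.
  login.wtmp_file_pattern: {{ auditbeat_module.system.login_wtmp_pattern | default('/var/log/wtmp*') }}
  login.btmp_file_pattern: {{ auditbeat_module.system.login_btmp_pattern | default('/var/log/btmp*') }}
{% endif %}
#==================== Elasticsearch template setting ==========================
setup.template.enabled: {{ auditbeat_template.enabled | default(true) }}
setup.template.settings:
  index.number_of_shards: {{ auditbeat_template.number_of_shards | default(1) }}

#================================ General =====================================

{% if auditbeat_general.tags is defined %}
tags: {{ auditbeat_general.tags | to_json }}
{% endif %}

{% if auditbeat_cloud is defined %}
#============================= Elastic Cloud ==================================

# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
cloud.id: {{ auditbeat_cloud.id }}

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
# Rendered as a quoted string so a credential containing YAML-significant
# characters (#, :, quotes) cannot break the file.
cloud.auth: {{ auditbeat_cloud.auth | to_json }}
{% endif %}

{% if auditbeat_ilm is defined %}
#=================================== ILM ======================================
setup.ilm.enabled: {{ auditbeat_ilm.enabled | default("auto") }}
{# NOTE(review): this compares against the string "false"; a boolean false or
   an unset value still renders the settings below — confirm the intended
   contract for auditbeat_ilm.enabled. #}
{% if auditbeat_ilm.enabled != "false" %}
setup.ilm.rollover_alias: {{ auditbeat_ilm.rollover_alias | default("auditbeat-%{[agent.version]}") }}
setup.ilm.pattern: {{ auditbeat_ilm.pattern | default("%{now/d}-000001") }}
setup.ilm.policy_name: {{ auditbeat_ilm.policy_name | default("auditbeat-%{[agent.version]}") }}
setup.ilm.check_exists: {{ auditbeat_ilm.check_exists | default(true) }}
{% endif %}
{% endif %}
#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

{% if auditbeat_output.type == "elasticsearch" %}
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: {{ auditbeat_output.elasticsearch.hosts | to_json }}

{% if auditbeat_output.elasticsearch.security.enabled | bool %}
  # Optional protocol and basic auth credentials. The password is written as
  # a quoted string so special characters cannot break the YAML; a Beats
  # keystore reference (${NAME}) still resolves inside the quotes and keeps
  # the secret out of this file.
  username: {{ auditbeat_output.elasticsearch.security.username }}
  password: {{ auditbeat_output.elasticsearch.security.password | to_json }}
  protocol: {{ auditbeat_output.elasticsearch.security.protocol }}
{% if auditbeat_output.elasticsearch.security.ssl_certificate_authorities is defined %}
  ssl.certificate_authorities: {{ auditbeat_output.elasticsearch.security.ssl_certificate_authorities | to_json }}
{% endif %}
{% if 'https' == auditbeat_output.elasticsearch.security.protocol %}
  # "full" verifies both the certificate chain and the host name.
  ssl.verification_mode: {{ auditbeat_output.elasticsearch.security.ssl_verification_mode | default("full") }}
{% endif %}
{% endif %}
{% endif %}
{% if auditbeat_output.type == "logstash" %}
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: {{ auditbeat_output.logstash.hosts | to_json }}

{% if auditbeat_output.logstash.security.ssl_certificate_authorities is defined %}
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: {{ auditbeat_output.logstash.security.ssl_certificate_authorities | to_json }}
{% endif %}
{% endif %}
{% if auditbeat_output.type == "redis" %}
#------------------------------ Redis output ---------------------------------
output.redis:
  hosts: {{ auditbeat_output.redis.hosts | to_json }}
{% if auditbeat_output.redis.password is defined %}
  password: {{ auditbeat_output.redis.password | to_json }}
{% endif %}
  key: {{ auditbeat_output.redis.key }}
{% if auditbeat_output.redis.timeout is defined %}
  timeout: {{ auditbeat_output.redis.timeout }}
{% endif %}
{% endif %}
#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

{% if auditbeat_processors is defined %}
processors:
  {{ auditbeat_processors | indent( width=2 ) }}
{% endif %}

#============================== X-Pack Monitoring ===============================
# auditbeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
{% if auditbeat_migration is defined %}
#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
migration.6_to_7.enabled: {{ auditbeat_migration }}
{% endif %}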
153 |
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# Internal vars for ansible-role-auditbeat. Role "vars" sit above inventory
# and play vars in precedence, so these are not meant to be overridden per
# host; change them here (or move them to defaults/main.yml if that is wanted).
# Both maps are consumed by the auditbeat.yml.j2 / auditbeat-windows.yml.j2
# templates.
auditbeat_module:
  auditd:
    enabled: true
  file_integrity:
    enabled: true
    # Directories watched for file changes on Linux.
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
  system:
    enabled: true
    datasets:
      - host
      - login
      - package
      - process
      - socket
      - user
auditbeat_module_windows:
  file_integrity:
    enabled: true
    # Directories watched for file changes on Windows. Single-quoted so the
    # backslashes are unambiguous to every YAML reader.
    paths:
      - 'C:\windows'
      - 'C:\windows\system32'
      - 'C:\Program Files'
      - 'C:\Program Files (x86)'
  system:
    enabled: true
    datasets:
      - host
      - process
36 |
--------------------------------------------------------------------------------