Introducing the Auditbeat System Module
Do you know when the hostname of one of your servers has changed? What about the host ID? Do you know which process and user opened which network connection? Would you know if /etc/passwd
was modified directly? (It won't show up in /var/log/auth.log
.) And finally, would you know what happened while your monitoring agent was down for maintenance?
These are just some of the questions you would be asking if your job is to secure hosts and networks. And while custom scripting has long allowed you to ingest virtually any kind of data into the Elastic Stack we are always working to make it easier for you. The new Auditbeat System Module in version 6.6 of the Elastic Stack comes with four datasets to help you collect system information from hosts.
Security is a fast-growing use case for our users (and not just since Slack is doing it), and we are happy to provide ever more out of the box functionality for it.
The Auditbeat System Module
The System Module is a new addition to Auditbeat that makes it easier to record relevant activity on a host. It is starting out with four datasets:
For now, the System Module is marked as experimental, so it is not recommended for production use. But we hope to change this soon.
Host dataset
The host
dataset collects general information about a system: hostname, ID, uptime, timezone, IP and MAC addresses, and details of the operating system. It sends one event with all information when it first starts, and periodically thereafter (configurable using the state.period
configuration parameter). Whenever it detects a change in any of the information (e.g. a changed IP address, kernel version, or a change in uptime caused by a restart) it sends an event right away.
A note on the host ID: Unlike other attributes such as a hostname or an IP address, the host ID should be able to uniquely and permanently identify a host. It's currently implemented as a UUID, collected on the different platforms as follows:
- On Linux, it is the unique machine ID in
/etc/machine-id
(machine-id(5)). - On Windows, it is the value of the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
. - On macOS, it is the Hardware UUID that you can also see under
About this Mac -> System Report
.
The host
dataset is implemented for Linux, Windows, and macOS.
Process dataset
The process
dataset sends one event per already-running process when it starts, and thereafter periodically. In addition, whenever a new process is detected or a previously running process is no longer running it sends an event immediately. Events contain information such as the PID, parent PID, executable, arguments, start time, and the working directory.
Because changes to processes are detected by periodically querying for all running processes and comparing the current to the previous list of processes, the frequency of querying matters. We recommend setting the value of period
to as low as 1s
.
The process
dataset is implemented for Linux, Windows, and macOS.
Socket dataset
The socket
dataset sends one event per currently open socket when it starts, and thereafter periodically. In addition, whenever a new socket is opened, or an existing one closes, an event is sent immediately. Events contain information about the source and destination IP addresses and ports as well as the network direction (inbound, outbound, or listening), the process that owns the socket, and the process user.
As with the process dataset, because changes to sockets are detected by periodically querying for all open sockets and comparing the current to the previous list of sockets, the frequency of querying matters. Here as well we recommend setting the value of period
to as low as 1s
.
The socket
dataset is implemented for TCP sockets on Linux only.
User dataset
The user
dataset sends one event per existing user on a system when it first starts, and periodically thereafter. In addition, whenever any user information changes, it sends an event immediately. Events contain all kinds of information about a user, including name, ID, groups, home directory, and password information (but not the password hash itself). The reported changes of user information include new users, removed users, password changes, or other changes to a user, e.g. group memberships.
The user
dataset is implemented for Linux only.
Configuration
The recommended configuration on Linux would look like this in auditbeat.yml
:
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- user # User information
period: 1m
user.detect_password_changes: true
- module: system
datasets:
- process # Started and stopped processes
- socket # Opened and closed sockets
period: 1s
Detecting process and socket changes with a period of 1s
usually provides good accuracy while not consuming too many system resources, but please do monitor your usage nonetheless.
We hope you find this new module useful. Please do give it a try, and if you do, let us know how you get on. Any questions are best asked in the community forum, while any bugs or enhancement requests can also be reported directly in Github.
Reference
Auditbeat System Module documentationGetting Started with Auditbeat