29 January 2019 Engineering

Introducing the Auditbeat System Module

By Christoph Wurm

Do you know when the hostname of one of your servers has changed? What about the host ID? Do you know which process and user opened which network connection? Would you know if /etc/passwd was modified directly? (It won’t show up in /var/log/auth.log.) And finally, would you know what happened while your monitoring agent was down for maintenance?

These are just some of the questions you would be asking if your job is to secure hosts and networks. And while custom scripting has long allowed you to ingest virtually any kind of data into the Elastic Stack, we are always working to make it easier for you. The new Auditbeat System Module in version 6.6 of the Elastic Stack comes with four datasets to help you collect system information from hosts.

Security is a fast-growing use case for our users (and not just since Slack is doing it), and we are happy to provide ever more out-of-the-box functionality for it.

The Auditbeat System Module

The System Module is a new addition to Auditbeat that makes it easier to record relevant activity on a host. It is starting out with four datasets:

  1. Host
  2. Process
  3. Socket
  4. User

For now, the System Module is marked as experimental, so it is not recommended for production use. But we hope to change this soon.

Host dataset

The host dataset collects general information about a system: hostname, ID, uptime, timezone, IP and MAC addresses, and details of the operating system. It sends one event with all information when it first starts, and periodically thereafter (configurable using the state.period configuration parameter). Whenever it detects a change in any of the information (e.g. a changed IP address, kernel version, or a change in uptime caused by a restart) it sends an event right away.

A note on the host ID: Unlike other attributes such as a hostname or an IP address, the host ID should be able to uniquely and permanently identify a host. It’s currently implemented as a UUID, collected on the different platforms as follows:

  • On Linux, it is the unique machine ID in /etc/machine-id (machine-id(5)).
  • On Windows, it is the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid.
  • On macOS, it is the Hardware UUID that you can also see under About this Mac -> System Report.

The host dataset is implemented for Linux, Windows, and macOS.

Process dataset

The process dataset sends one event per already-running process when it starts, and thereafter periodically. In addition, whenever a new process is detected or a previously running process is no longer running it sends an event immediately. Events contain information such as the PID, parent PID, executable, arguments, start time, and the working directory.

Because changes to processes are detected by periodically querying for all running processes and comparing the current to the previous list of processes, the frequency of querying matters. We recommend setting the value of period to as low as 1s.

The process dataset is implemented for Linux, Windows, and macOS.

Socket dataset

The socket dataset sends one event per currently open socket when it starts, and thereafter periodically. In addition, whenever a new socket is opened, or an existing one closes, an event is sent immediately. Events contain information about the source and destination IP addresses and ports as well as the network direction (inbound, outbound, or listening), the process that owns the socket, and the process user.

As with the process dataset, because changes to sockets are detected by periodically querying for all open sockets and comparing the current to the previous list of sockets, the frequency of querying matters. Here as well we recommend setting the value of period to as low as 1s.

The socket dataset is implemented for TCP sockets on Linux only.
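The process and socket datasets both work by polling: take a snapshot, compare it with the previous one, emit an event for every entry that appeared or disappeared. The following is an added illustration of that mechanism and of why the period matters; it is not Auditbeat's own code, the process timeline is constructed, and keying entries on (pid, start time) is an assumption made here to survive PID reuse.

```python
"""Polling-based change detection, as the process and socket datasets do it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    exe: str
    start: float  # seconds since boot (constructed value)


def diff_snapshots(prev, cur):
    """Compare two snapshots and emit started/stopped events.

    Entries are keyed on (pid, start) rather than pid alone, so a PID that is
    reused by a new process shows up as one stop and one start (assumption).
    """
    prev_keys = {(p.pid, p.start): p for p in prev}
    cur_keys = {(p.pid, p.start): p for p in cur}
    events = [("process_started", p.pid, p.exe)
              for k, p in cur_keys.items() if k not in prev_keys]
    events += [("process_stopped", p.pid, p.exe)
               for k, p in prev_keys.items() if k not in cur_keys]
    return events


def poll(timeline, period, horizon):
    """Simulate polling every `period` seconds over a constructed timeline.

    timeline: list of (Proc, end_time). A process whose entire lifetime falls
    between two polls is never observed, which is why a short period matters.
    """
    prev, seen, t = [], [], 0.0
    while t <= horizon:
        cur = [p for p, end in timeline if p.start <= t < end]
        seen.extend(diff_snapshots(prev, cur))
        prev = cur
        t += period
    return seen


# Constructed sample: init and sshd run forever, curl lives 1.3 s.
TIMELINE = [
    (Proc(1, 0, "/sbin/init", 0.0), float("inf")),
    (Proc(812, 1, "/usr/sbin/sshd", 0.5), float("inf")),
    (Proc(4311, 812, "/usr/bin/curl", 3.2), 4.5),
]


def missed_with_period(period):
    """Executables in TIMELINE that a poll at this period never reports starting."""
    reported = {exe for kind, _, exe in poll(TIMELINE, period, 10.0)
                if kind == "process_started"}
    return sorted({p.exe for p, _ in TIMELINE} - reported)
```

With a 1s period every process in the sample is reported; with a 5s period the short-lived curl is never seen, which is the accuracy trade-off the recommended configuration below is making.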

User dataset

The user dataset sends one event per existing user on a system when it first starts, and periodically thereafter. In addition, whenever any user information changes, it sends an event immediately. Events contain all kinds of information about a user, including name, ID, groups, home directory, and password information (but not the password hash itself). The reported changes of user information include new users, removed users, password changes, or other changes to a user, e.g. group memberships.

The user dataset is implemented for Linux only.

Configuration

The recommended configuration on Linux would look like this in auditbeat.yml:

- module: system
  datasets:
    - host # General host information, e.g. uptime, IPs
    - user # User information
  period: 1m
  user.detect_password_changes: true

- module: system
  datasets:
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
  period: 1s

Detecting process and socket changes with a period of 1s usually provides good accuracy while not consuming too many system resources, but please do monitor your usage nonetheless.

We hope you find this new module useful. Please do give it a try, and if you do, let us know how you get on. Any questions are best asked in the community forum, while any bugs or enhancement requests can also be reported directly on GitHub.

Reference

Auditbeat System Module documentation
Getting Started with Auditbeat