[Auditbeat] Add command to show kernel audit rules and status #7114

Closed
andrewkroh opened this issue May 15, 2018 · 0 comments · Fixed by #7361

@andrewkroh
Member

As a user I would like to be able to inspect the current set of audit rules held by the kernel. And I would like to be able to inspect the kernel audit status. This is similar to auditd's auditctl -l and auditctl -s.

Perhaps we can add two new sub-commands to Auditbeat (I'm open to naming suggestions):

auditbeat show audit-status
auditbeat show audit-rules

@adriansr adriansr self-assigned this Jun 6, 2018
adriansr added a commit to adriansr/beats that referenced this issue Jul 3, 2018
Added the `show` command and two sub-commands to auditbeat:

$ ./auditbeat show
Show modules information

Usage:
  auditbeat show [command]

Available Commands:
  auditd-rules  Show currently installed auditd rules
  auditd-status Show kernel auditd status

$ ./auditbeat show audit-rules --help
Show currently installed auditd rules

Usage:
  auditbeat show auditd-rules [flags]

Aliases:
  auditd-rules, audit-rules, audit_rules, rules, auditdrules, auditrules

Flags:
  -h, --help         help for auditd-rules
  -z, --no-output    Don't generate output when the rule list is empty
  -n, --no-resolve   Don't resolve numeric IDs (UIDs, GIDs and file_type fields)

$ ./auditbeat show audit-status --help
Show kernel auditd status

Usage:
  auditbeat show auditd-status [flags]

Aliases:
  auditd-status, audit-status, audit_status, status, auditdstatus, auditrules

Flags:
  -h, --help          help for auditd-status
  -s, --single-line   Output status as a single line

$ sudo ./auditbeat show auditd-rules
-a never,exit -S all -F pid=3521
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access

$ sudo ./auditbeat show auditd-status
enabled 1
failure 0
pid 592
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
features 0x7f

Closes elastic#7114
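The two outputs quoted in the commit message are plain "key value" lines (status) and auditctl-style rule lines (rules), which makes them easy to consume from a health check. The following Go program is an added example for this issue page, not code from Auditbeat or the beats repository: it parses both formats, flags kernel audit states a defender cares about (auditing disabled, events lost, backlog close to its limit, silent failure mode) and reports which required file watches are missing. The healthy status sample and the rule sample are copied from the commit message; the degraded status sample, the 80% backlog threshold and the list of required watch paths are constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleStatusHealthy is the `auditbeat show auditd-status` output from the commit message.
const sampleStatusHealthy = `enabled 1
failure 0
pid 592
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
features 0x7f
`

// sampleStatusDegraded is a constructed sample: auditing off, events lost, backlog nearly full.
const sampleStatusDegraded = `enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 12
backlog 7000
backlog_wait_time 60000
features 0x7f
`

// sampleRules is a subset of the `auditbeat show auditd-rules` output from the commit message.
const sampleRules = `-a never,exit -S all -F pid=3521
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
`

// AuditStatus maps each status key to its numeric value.
type AuditStatus map[string]uint64

// ParseAuditStatus parses "key value" lines; base 0 lets strconv accept the hex `features` value.
func ParseAuditStatus(out string) (AuditStatus, error) {
	st := AuditStatus{}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("unexpected status line: %q", line)
		}
		v, err := strconv.ParseUint(fields[1], 0, 64)
		if err != nil {
			return nil, fmt.Errorf("bad value in %q: %v", line, err)
		}
		st[fields[0]] = v
	}
	return st, nil
}

// CheckStatus returns findings about the kernel audit state. The 80% backlog threshold is an
// assumption chosen for this example; failure=0 is the kernel's "silent" mode for lost events.
func CheckStatus(st AuditStatus) []string {
	var findings []string
	if st["enabled"] == 0 {
		findings = append(findings, "auditing is disabled (enabled=0)")
	}
	if st["lost"] > 0 {
		findings = append(findings, fmt.Sprintf("%d events lost by the kernel", st["lost"]))
	}
	if limit := st["backlog_limit"]; limit > 0 && st["backlog"]*10 >= limit*8 {
		findings = append(findings, "backlog is at or above 80% of backlog_limit")
	}
	if st["failure"] == 0 {
		findings = append(findings, "failure mode is 0 (silent): lost events are not reported")
	}
	return findings
}

// WatchedPaths returns the path of every `-w` (file watch) rule in the rule listing.
func WatchedPaths(rules string) []string {
	var paths []string
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] == "-w" {
				paths = append(paths, f[i+1])
				break
			}
		}
	}
	return paths
}

// MissingWatches reports the required paths that have no `-w` rule, preserving the input order.
func MissingWatches(rules string, required []string) []string {
	have := map[string]bool{}
	for _, p := range WatchedPaths(rules) {
		have[p] = true
	}
	var missing []string
	for _, p := range required {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	for name, out := range map[string]string{"healthy": sampleStatusHealthy, "degraded": sampleStatusDegraded} {
		st, err := ParseAuditStatus(out)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %v\n", name, CheckStatus(st))
	}
	// Required watch list is an assumption for the example.
	fmt.Println("missing watches:", MissingWatches(sampleRules, []string{"/etc/passwd", "/etc/shadow", "/etc/sudoers"}))
}
```

In practice the two inputs would come from running `auditbeat show auditd-status` and `auditbeat show auditd-rules` (both need root, as the commit message's `sudo` shows); the parsing is deliberately strict so that an unexpected line is surfaced as an error rather than silently producing an "all clear".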
andrewkroh pushed a commit that referenced this issue Jul 3, 2018
adriansr added a commit to adriansr/beats that referenced this issue Jul 23, 2018
This adds documentation for the `show auditd-status` and `show
auditd-rules` in the auditd module documentation.
andrewkroh pushed a commit that referenced this issue Jul 24, 2018