diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 95e821e088ee..bae89e6716df 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -184,6 +184,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Auditbeat*
+- Reference kubernetes manifests include configuration for auditd and enrichment with kubernetes metadata. {pull}17431[17431]
 - Reference kubernetes manifests mount data directory from the host, so data persist between executions in the same node. {pull}17429[17429]
 - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443]
 - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]
diff --git a/deploy/kubernetes/auditbeat-kubernetes.yaml b/deploy/kubernetes/auditbeat-kubernetes.yaml
index f3b8597cf1c8..fb59982bc27e 100644
--- a/deploy/kubernetes/auditbeat-kubernetes.yaml
+++ b/deploy/kubernetes/auditbeat-kubernetes.yaml
@@ -31,6 +31,17 @@ data:
 processors:
 - add_cloud_metadata:
+ - add_process_metadata:
+ match_pids: ['process.pid']
+ include_fields: ['container.id']
+ - add_kubernetes_metadata:
+ host: ${NODE_NAME}
+ default_indexers.enabled: false
+ default_matchers.enabled: false
+ indexers:
+ - container:
+ matchers:
+ - fields.lookup_fields: ['container.id']
 cloud.id: ${ELASTIC_CLOUD_ID}
 cloud.auth: ${ELASTIC_CLOUD_AUTH}
@@ -65,6 +76,14 @@ data:
 max_file_size: 100 MiB
 hash_types: [sha1]
 recursive: true
+ - module: auditd
+ audit_rules: |
+ # Executions
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+
+ # Unauthorized access attempts
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 ---
 # Deploy a auditbeat instance per node for node metrics retrieval
 apiVersion: apps/v1
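Review bot: The `add_kubernetes_metadata` entry disables the default indexers and matchers and wires a single `container` indexer to `fields.lookup_fields: ['container.id']`, but nothing in the hunk says why, and the same block is repeated in auditbeat/auditbeat-configmap.yaml. A comment above `- add_process_metadata:` would make the chain readable at a glance, e.g. `# auditd events carry only process.pid; add_process_metadata turns it into container.id, which the container indexer below uses to look up the owning pod`. Because `add_process_metadata` only matches events that carry `process.pid`, enrichment presumably reaches auditd (and process) events but not the file_integrity events the existing modules emit; if that is the intent, say so in the comment so operators do not expect kubernetes fields on every document. The lookup also needs the `auditbeat` ServiceAccount to be able to read pods; the ClusterRole is outside this diff, so confirm it already grants that.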
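Review bot: All three added `audit_rules` filter on `-F arch=b64` only, so on x86_64 nodes an `execve`/`execveat` (or an `open`/`creat`/`truncate` family call) issued through the 32-bit syscall ABI is not recorded, which is the gap hardened rule sets close with a parallel b32 rule. Adding `-a always,exit -F arch=b32 -S execve,execveat -k exec` and the b32 twins of the two `access` rules keeps the key names the same for the dashboards; the identical block in auditbeat/auditbeat-configmap.yaml needs the same change. On arm64 nodes the legacy `open` and `creat` syscall names do not exist for the 64-bit ABI, so I would expect the two `access` rules to fail to load there rather than partially match — worth a test on such a node, or trimming the list to the syscalls every supported architecture has. Nothing here sets `socket_type`; on a node that already runs auditd the default unicast socket contends with it, which the module's multicast mode avoids at the price of not applying these `audit_rules` — a short comment on `- module: auditd` pointing that out would help operators adopting the reference manifest.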
@@ -86,6 +105,7 @@ spec:
 serviceAccountName: auditbeat
 terminationGracePeriodSeconds: 30
 hostNetwork: true
+ hostPID: true # Required by auditd module
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: auditbeat
@@ -113,6 +133,12 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 runAsUser: 0
+ capabilities:
+ add:
+ # Capabilities needed for auditd module
+ - 'AUDIT_READ'
+ - 'AUDIT_WRITE'
+ - 'AUDIT_CONTROL'
 resources:
 limits:
 memory: 200Mi
diff --git a/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml b/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml
index 5c8c75e2a3f8..fe5f56da29f3 100644
--- a/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml
+++ b/deploy/kubernetes/auditbeat/auditbeat-configmap.yaml
@@ -31,6 +31,17 @@ data:
 processors:
 - add_cloud_metadata:
+ - add_process_metadata:
+ match_pids: ['process.pid']
+ include_fields: ['container.id']
+ - add_kubernetes_metadata:
+ host: ${NODE_NAME}
+ default_indexers.enabled: false
+ default_matchers.enabled: false
+ indexers:
+ - container:
+ matchers:
+ - fields.lookup_fields: ['container.id']
 cloud.id: ${ELASTIC_CLOUD_ID}
 cloud.auth: ${ELASTIC_CLOUD_AUTH}
@@ -65,3 +76,11 @@ data:
 max_file_size: 100 MiB
 hash_types: [sha1]
 recursive: true
+ - module: auditd
+ audit_rules: |
+ # Executions
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+
+ # Unauthorized access attempts
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
diff --git a/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml b/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
index 5e89bfed4a03..c45a9b21b92d 100644
--- a/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
+++ b/deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml
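Review bot: `hostPID: true` is commented as required by the auditd module, but the clearest consumer of the host PID namespace visible in this change is `add_process_metadata`, which resolves the `process.pid` reported in audit events against `/proc`; the audit netlink socket itself is reached through the host network namespace the pod already joins, as far as I can tell. Suggest the comment name the actual dependency, e.g. `hostPID: true # add_process_metadata resolves host PIDs from auditd events via /proc`. Joining the host PID namespace in a container that already runs as `runAsUser: 0` with `hostNetwork: true` makes every host process and its `/proc` tree visible to a compromised pod, and admission policies that forbid hostPID will reject the DaemonSet; a one-line note on that trade-off helps operators who copy the reference manifest. The same line is added in auditbeat/auditbeat-daemonset.yaml.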
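Review bot: `# Capabilities needed for auditd module` leaves the reader to work out what each of the three capabilities is for and whether all are needed; a per-entry comment would document it, using the kernel's split: `AUDIT_CONTROL` to load the configured `audit_rules` and set the audit status, `AUDIT_WRITE` to write records to the audit log, `AUDIT_READ` to receive events on the multicast audit socket. Given that split, `AUDIT_READ` looks tied to `socket_type: multicast`, which this config does not use — confirm whether the module exercises it in the default unicast mode before keeping it. Without a `drop` list the container keeps the runtime's default capability set on top of these; if the reference manifest aims at least privilege, pairing `add` with `drop: ['ALL']` plus whatever file_integrity and the system module need is the usual shape, though that requires testing the other modules and is beyond this PR. The same block is added in auditbeat/auditbeat-daemonset.yaml.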
@@ -18,6 +18,7 @@ spec:
 serviceAccountName: auditbeat
 terminationGracePeriodSeconds: 30
 hostNetwork: true
+ hostPID: true # Required by auditd module
 dnsPolicy: ClusterFirstWithHostNet
 containers:
 - name: auditbeat
@@ -45,6 +46,12 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 runAsUser: 0
+ capabilities:
+ add:
+ # Capabilities needed for auditd module
+ - 'AUDIT_READ'
+ - 'AUDIT_WRITE'
+ - 'AUDIT_CONTROL'
 resources:
 limits:
 memory: 200Mi