blarson1105/auditbeat-securityonion
auditbeat-securityonion

Configuration files to ingest auditbeats into SecurityOnion

Preflight Checks

Only one process can own the kernel's audit netlink socket, and auditbeat's auditd module needs to be that process. If auditd keeps running, auditbeat falls back to read-only multicast (where the kernel supports it) and cannot load the rules it is configured with, because auditd still manages them. Stop and disable auditd before the first start. Note that once auditd is off, audit records are no longer written to /var/log/audit/ on the host; what reaches Security Onion becomes the only copy.

See if auditd is running:

service auditd status

Stop the auditd service:

service auditd stop

On RHEL-family systemd hosts use the service command rather than systemctl stop: the auditd unit sets RefuseManualStop=yes, so systemctl refuses while the legacy init script still works.

Disable auditd from starting on boot. On SysV-init hosts:

chkconfig auditd off

OR, on systemd hosts:

sudo systemctl disable auditd

journald also reads audit messages from the kernel, which duplicates every record auditbeat is about to forward. To save CPU usage and disk space, mask the socket it listens on:

systemctl mask systemd-journald-audit.socket

From https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-module-auditd.html
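The preflight steps above can be checked mechanically before auditbeat is started. The script below is an added example, not part of the blarson1105/auditbeat-securityonion repo or of auditbeat: it reads the registered audit daemon's pid from auditctl -s (pid 0 means the socket is free for auditbeat to claim in unicast mode), confirms no auditd process survives, and checks that the journald audit socket is masked. The two auditctl -s outputs embedded in it are constructed samples used to exercise the parser offline; the live host is only inspected when the script is run with --run.

```shell
#!/bin/sh
# Preflight check for auditbeat's auditd module (added example; not part of
# the blarson1105/auditbeat-securityonion repo or of auditbeat itself).
# The kernel hands audit records to exactly one registered daemon over
# netlink. "auditctl -s" prints that daemon's pid; "pid 0" means nobody
# holds the socket and auditbeat can take it in unicast mode.

# Constructed "auditctl -s" output: one with auditd still registered and
# one after it has been stopped (only the pid line matters here).
STATUS_BUSY='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
STATUS_FREE='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Print the pid of the registered audit daemon from "auditctl -s" text.
audit_daemon_pid() {
    printf '%s\n' "$1" | awk '$1 == "pid" { print $2; exit }'
}

# Succeed when no daemon holds the audit socket.
audit_socket_free() {
    pid="$(audit_daemon_pid "$1")"
    [ -n "$pid" ] && [ "$pid" -eq 0 ]
}

# Succeed when journald no longer listens for audit messages, given the
# output of "systemctl is-enabled systemd-journald-audit.socket".
journald_audit_masked() {
    [ "$1" = "masked" ]
}

# Run the checks against the live host. Returns 0 only when auditbeat can
# start cleanly, 1 when one of the page's preflight steps is still missing,
# 2 when the host cannot be inspected (needs root and the audit userspace).
preflight() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not installed; cannot inspect the audit socket"; return 2; }
    status="$(auditctl -s 2>/dev/null)" || { echo "auditctl -s failed (run as root)"; return 2; }
    rc=0
    if audit_socket_free "$status"; then
        echo "audit socket: free"
    else
        echo "audit socket: held by pid $(audit_daemon_pid "$status"); stop and disable auditd first"
        rc=1
    fi
    if pgrep -x auditd >/dev/null 2>&1; then
        echo "auditd process: still running"
        rc=1
    fi
    state="$(systemctl is-enabled systemd-journald-audit.socket 2>/dev/null || true)"
    if journald_audit_masked "$state"; then
        echo "journald audit socket: masked"
    else
        echo "journald audit socket: ${state:-unknown}; mask it to avoid duplicate records"
    fi
    return "$rc"
}

# Only touch the live system when asked to:  sudo sh preflight.sh --run
case "${1:-}" in
    --run) preflight ;;
esac
```

A non-zero pid with auditd already stopped usually means some other audit consumer (a second beat, or a container runtime's audit plugin) has registered, and it has to be stopped too; auditbeat cannot share a unicast socket.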

Install and Configure auditbeat on host

Download the OSS package from Elastic together with its SHA-512 sidecar, verify the checksum, then install it. Version 8.3.3 is what these instructions use; keep the beat's major version in line with the Elastic stack running on your Security Onion:

curl -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-oss-8.3.3-amd64.deb
curl -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-oss-8.3.3-amd64.deb.sha512
shasum -a 512 -c auditbeat-oss-8.3.3-amd64.deb.sha512
sudo dpkg -i auditbeat-oss-8.3.3-amd64.deb

Connect to Logstash:

Set the connection information in auditbeat.yml. Replace 192.168.4.105 with the IP of your Security Onion manager, and make sure the manager's firewall allows this host to reach the beats port (so-allow on the manager):

sudo nano /etc/auditbeat/auditbeat.yml

Logstash Output

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.4.105:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

With the ssl settings commented out, every audit record leaves the host in clear text and Logstash accepts it from any sender that can reach port 5044. Enable the CA and client certificate settings if the Logstash beats input on the manager is configured for TLS.

Configure Processors

Configure the processors in auditbeat.yml. add_process_metadata enriches events that carry system.process.ppid with the parent process's metadata (it does nothing for events without that field); add_fields stamps every event with observer.name: auditbeat, which is the field the SOC hunt query later filters on:

# Processors =================================
# Configure processors to enhance or manipulate events generated by the beat.
processors:
  - add_process_metadata:
      match_pids: [system.process.ppid]
      target: system.process.parent
  - add_fields:
      target: observer
      fields:
        name: auditbeat
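For reference, here is a complete auditbeat.yml that puts the Logstash output and processors from this page together with the auditd module section the page relies on but does not show. This is an added example, not the repo's file: the host address and processors are the page's own values, the module settings mirror auditbeat's shipped defaults (socket_type, resolve_ids and audit_rule_files are real settings of the auditd module), and the certificate paths are the placeholders from the page's commented lines.

```yaml
# /etc/auditbeat/auditbeat.yml (added example; not the repo's file)
auditbeat.modules:
  - module: auditd
    # auditd is stopped in the preflight steps, so auditbeat owns the audit
    # socket and loads the rules itself. unicast is the default; multicast
    # would receive events read-only while auditd keeps managing the rules.
    socket_type: unicast
    # Map uid/gid numbers to names in the emitted events.
    resolve_ids: true
    # Default glob: only *.conf files in this directory are loaded, which is
    # why the Neo23x0 file is copied in as audit.rules.conf.
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]

output.logstash:
  # Security Onion manager from the page; change to yours.
  hosts: ["192.168.4.105:5044"]
  # Weak setting: with the three ssl lines commented out the audit stream
  # is sent in clear text and unauthenticated. Enable them (the paths are
  # placeholders) once the Logstash beats input on the manager has TLS.
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #ssl.certificate: "/etc/pki/client/cert.pem"
  #ssl.key: "/etc/pki/client/cert.key"

processors:
  # Parent-process enrichment acts only on events that carry
  # system.process.ppid (the system module's process dataset); for auditd
  # events it is a no-op.
  - add_process_metadata:
      match_pids: [system.process.ppid]
      target: system.process.parent
  # observer.name is what the SOC hunt query filters on.
  - add_fields:
      target: observer
      fields:
        name: auditbeat
```

The default auditbeat.yml shipped in the package also enables a file_integrity module watching /bin, /usr/bin, /sbin, /usr/sbin and /etc; leave it in place if you want those events, or remove it to keep the stream to auditd records only.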

Add Ruleset

Copy the downloaded ruleset to /etc/auditbeat/audit.rules.d/audit.rules.conf. The .conf extension matters: the auditd module's default audit_rule_files setting is '${path.config}/audit.rules.d/*.conf', so a file without it is silently ignored.

sudo apt install git
git clone https://github.com/Neo23x0/auditd
sudo cp auditd/audit.rules /etc/auditbeat/audit.rules.d/audit.rules.conf

Review the file before loading it. It is pulled unpinned from a third-party repository, and its contents decide what this host records. In particular check the trailing -e line: -e 2 makes the audit configuration immutable until reboot, after which neither auditbeat nor you can load a rule that was fixed later.

Test Config

sudo auditbeat test config

Remove Any Bad Rules

Rules with syntax errors fail sudo auditbeat test config; manually remove, fix, or comment out each one it reports and run the test again. Rules the running kernel rejects (for example a syscall or architecture it does not provide) only surface after auditbeat starts, as warnings in its log such as:

{"file.name":"auditd/audit_linux.go","file.line":294},"message":"Failure adding audit rule",

Auditbeat treats these as warnings and keeps running with the rules that did load, so the log is the only place that shows part of the ruleset is not in effect.
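Rather than hunting through the log by hand, the rejected rules can be pulled out of it and commented out in the rules file. The script below is an added example, not code from the repo or from Elastic. The auditbeat log lines and the ruleset excerpt in it are constructed for illustration: auditbeat's exact wording inside the "error" field varies by version, so the extractor relies only on the rule text in single quotes that follows "Failure adding audit rule". It also flags an active -e 2 line, since a locked configuration cannot take the corrected rules until reboot. The live files are only touched when run with --run; where auditbeat's JSON log lives depends on packaging (journalctl -u auditbeat -o cat on systemd hosts, or the files under /var/log/auditbeat).

```shell
#!/bin/sh
# Added example (not from the repo or from Elastic): find the rules the
# kernel rejected in auditbeat's JSON log and write a copy of the rules
# file with those lines commented out, so the next start loads cleanly.

# Constructed auditbeat log lines in the shape of its JSON logging.
AUDITBEAT_LOG=$(cat <<'EOF'
{"log.level":"warn","@timestamp":"2022-08-01T10:00:00.000+0000","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":294},"message":"Failure adding audit rule","service.name":"auditbeat","error":"failed to add audit rule '-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change': invalid argument","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-08-01T10:00:00.001+0000","log.logger":"auditd","message":"audit status","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-08-01T10:00:00.002+0000","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":294},"message":"Failure adding audit rule","service.name":"auditbeat","error":"failed to add audit rule '-a always,exit -F arch=b32 -S clock_settime -F key=time-change': invalid argument","ecs.version":"1.6.0"}
EOF
)

# Constructed excerpt in the style of the Neo23x0 ruleset.
SAMPLE_RULES=$(cat <<'EOF'
-D
-b 8192
-f 1
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
## Make the configuration immutable - reboot is required to change audit rules
#-e 2
EOF
)

# Print one rejected rule per line, taken from the quoted rule text of
# "Failure adding audit rule" log entries.
rejected_rules() {
    printf '%s\n' "$1" \
      | grep 'Failure adding audit rule' \
      | sed -n "s/.*\"error\":\"[^']*'\([^']*\)'.*/\1/p"
}

# Print the rules text with every rejected rule commented out. Matching is
# on the exact line, so whitespace in log and file must agree.
disable_rejected() {
    bad="$(mktemp)"
    printf '%s\n' "$2" > "$bad"
    printf '%s\n' "$1" | awk -v badfile="$bad" '
        BEGIN { while ((getline line < badfile) > 0) if (line != "") bad[line] = 1 }
        ($0 in bad) { print "## disabled: rejected by the running kernel"; print "#" $0; next }
        { print }'
    rm -f "$bad"
}

# Succeed when an active "-e 2" line is present: the configuration would be
# locked until reboot and no rule fixed afterwards could be loaded.
locks_configuration() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*-e[[:space:]]*2[[:space:]]*$'
}

# Live run:  sh fix-rules.sh --run <auditbeat JSON log> <rules .conf file>
case "${1:-}" in
    --run)
        log="$(cat "$2")"
        rules="$(cat "$3")"
        rejected="$(rejected_rules "$log")"
        locks_configuration "$rules" && echo "warning: -e 2 is active; reboot before fixed rules can load" >&2
        disable_rejected "$rules" "$rejected" > "$3.fixed"
        echo "wrote $3.fixed; review it, move it over $3, then restart auditbeat"
        ;;
esac
```

The script writes a .fixed copy instead of editing in place so the diff can be reviewed: a rule the kernel rejects on this host may be one you want to keep for hosts where it does load.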

View data in Security Onion SOC Console

In the SOC Hunt interface, search for:

* AND observer.name: "auditbeat" | groupby "event.category"


Configure SecurityOnion

Add Elastic pipeline for auditbeat

Security Onion manages its Elasticsearch ingest pipelines from Salt. Files under /opt/so/saltstack/default are overwritten on upgrade, so copy beats.common to the local tree and edit it there:

cp /opt/so/saltstack/default/salt/elasticsearch/files/ingest/beats.common /opt/so/saltstack/local/salt/elasticsearch/files/ingest/beats.common

Add a conditional pipeline processor for auditbeat as the first entry of the processors list in beats.common. Only the start of the file is shown; the existing processors that follow stay as they are:

{
  "description" : "beats.common",
  "processors" : [
    { "pipeline":      { "if": "ctx.agent?.type == 'auditbeat'",   "name": "auditbeat"  }  },

Normalize data to match other host events

Create the auditbeat pipeline that beats.common now dispatches to:

vi /opt/so/saltstack/local/salt/elasticsearch/files/ingest/auditbeat

Add the auditbeat parsers as shown below. The first three processors derive event.dataset from auditbeat's event.category (the two gsub steps strip the {0=...} wrapper and digits that the template rendering leaves behind), then event.category is set to host so auditd events group with Security Onion's other host data, and process.title is renamed to the ECS field process.command_line that the dashboard query uses:

{
  "description" : "auditbeat",
  "processors" : [
    { "set":           { "if": "ctx.event?.category != null",   "field": "event.dataset", "value":"{{{event.category}}}", "override": true }  },
    { "gsub":          { "field": "event.dataset",    "pattern": "[{0=}]", "replacement": ""  }},
    { "gsub":          { "field": "event.dataset",    "pattern": "\\d", "replacement": ""  }},
    { "set":           { "field": "event.category",   "value": "host", "override": true }  },
    { "rename":        { "field": "process.title",    "target_field": "process.command_line",  "ignore_missing": true  } },
    { "community_id": {} }
  ]
}

These files only take effect once Salt has loaded them into Elasticsearch. Confirm the auditbeat pipeline exists there before expecting normalized events; the SOC restart further down only reloads the dashboard queries.
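The pipeline can be exercised without waiting for live traffic by pushing a constructed auditd event through Elasticsearch's _simulate API on the manager and checking the fields the dashboards depend on. The script below is an added example, not part of the repo: so-elasticsearch-query is Security Onion's wrapper for querying the local Elasticsearch, and the way it is given the path and curl options here is an assumption. Both the request document and the expected response embedded in it are constructed; simulating beats.common instead of auditbeat would additionally exercise the agent.type dispatch condition.

```shell
#!/bin/sh
# Added example (not from the repo): run a constructed auditd event through
# the "auditbeat" ingest pipeline with the _simulate API and verify the
# normalization the SOC dashboards rely on.

PIPELINE="auditbeat"

# Body for POST _ingest/pipeline/auditbeat/_simulate: one document shaped
# like an auditbeat process event before normalization (constructed).
simulate_body() {
    cat <<'EOF'
{"docs":[{"_source":{
  "agent":{"type":"auditbeat"},
  "event":{"category":["process"],"action":"executed","module":"auditd"},
  "process":{"title":"/usr/bin/id -u","executable":"/usr/bin/id","pid":4242}
}}]}
EOF
}

# Constructed response in the shape Elasticsearch returns from _simulate,
# showing what a correctly loaded pipeline produces for the document above.
EXPECTED_RESPONSE='{"docs":[{"doc":{"_index":"_index","_id":"_id","_source":{"agent":{"type":"auditbeat"},"process":{"pid":4242,"executable":"/usr/bin/id","command_line":"/usr/bin/id -u"},"event":{"category":"host","dataset":"process","action":"executed","module":"auditd"}},"_ingest":{"timestamp":"2022-08-01T10:00:00.000Z"}}}]}'

# grep helper tolerant of both compact and pretty-printed JSON.
has() {
    printf '%s\n' "$1" | grep -q "$2"
}

# Succeed when a _simulate response carries the normalized fields: the
# category rewritten to host, the dataset derived from the old category,
# and process.title renamed to process.command_line.
normalized() {
    has "$1" '"category"[[:space:]]*:[[:space:]]*"host"' \
        || { echo "event.category not set to host"; return 1; }
    has "$1" '"dataset"[[:space:]]*:[[:space:]]*"process"' \
        || { echo "event.dataset not derived from event.category"; return 1; }
    has "$1" '"command_line"[[:space:]]*:[[:space:]]*"/usr/bin/id -u"' \
        || { echo "process.title not renamed to process.command_line"; return 1; }
    if has "$1" '"title"[[:space:]]*:'; then
        echo "process.title still present"; return 1
    fi
    return 0
}

# Send the document through the live pipeline; must run on the manager.
run_simulation() {
    command -v so-elasticsearch-query >/dev/null 2>&1 \
        || { echo "so-elasticsearch-query not found; run this on the Security Onion manager"; return 2; }
    resp="$(simulate_body | so-elasticsearch-query "_ingest/pipeline/$PIPELINE/_simulate" \
              -X POST -H 'Content-Type: application/json' -d @-)"
    printf '%s\n' "$resp"
    normalized "$resp"
}

case "${1:-}" in
    --run) run_simulation ;;
esac
```

A response that still shows "category":["process"] means the pipeline was not loaded (or the edit stayed under default/ and was overwritten); a missing dataset points at the template in the first set processor rendering differently on your Elasticsearch version, in which case adjust the gsub patterns to what the simulation shows.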

Create SOC Dashboards

As with the pipelines, copy the default dashboards file to the local tree so the change survives upgrades, then add an entry for auditbeat to the JSON list:

cp /opt/so/saltstack/default/salt/soc/files/soc/dashboards.queries.json /opt/so/saltstack/local/salt/soc/files/soc/dashboards.queries.json
vi /opt/so/saltstack/local/salt/soc/files/soc/dashboards.queries.json

 { "name": "Auditbeat", "description": "Auditbeat logs", "query": "event.module:auditd | groupby event.module event.dataset | groupby event.dataset process.executable process.command_line "},

Restart SOC

sudo so-soc-restart

