[auditbeat] Add the immutable option to auditd module (#32381)

* Make the config immutable after all rules are set * Add option to the auditd module * Add pr number * Add unit tests * Fix linting issues * Improve doc explanation
elastic · Jul 19, 2022 · 0a2e67c · 0a2e67c
1 parent 093cbf4
commit 0a2e67c
Show file tree

Hide file tree

Showing 9 changed files with 191 additions and 82 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -88,6 +88,8 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 
 *Auditbeat*
 
+- Add `immutable` option to the auditd module. {issue}8352[8352] {pull}32381[32381]
+
 
 *Filebeat*
 

diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc
@@ -135,6 +135,7 @@ following example shows all configuration options with their default values.
   include_raw_message: false
   include_warnings: false
   backpressure_strategy: auto
+  immutable: false
 ----
 
 This module also supports the
@@ -159,6 +160,14 @@ than 3.16 {beatname_uc} will automatically revert to `unicast`.
 By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
 newer and no rules have been defined. Otherwise `unicast` will be used.
 
+*`immutable`*:: This boolean setting sets the audit config as immutable (`-e 2`).
+This option can only be used with the `socket_type: unicast` since {beatname_uc}
+needs to manage the rules to be able to set it.
++
+It is important to note that with this setting set, {beatname_uc} should never
+be stopped, as it won't be able to resume processing `auditd` events until the
+system is restarted.
+
 *`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
 GIDs to their associated names. The default value is true.
 

diff --git a/auditbeat/module/auditd/_meta/docs.asciidoc b/auditbeat/module/auditd/_meta/docs.asciidoc
@@ -128,6 +128,7 @@ following example shows all configuration options with their default values.
   include_raw_message: false
   include_warnings: false
   backpressure_strategy: auto
+  immutable: false
 ----
 
 This module also supports the
@@ -152,6 +153,14 @@ than 3.16 {beatname_uc} will automatically revert to `unicast`.
 By default {beatname_uc} will use `multicast` if the kernel version is 3.16 or
 newer and no rules have been defined. Otherwise `unicast` will be used.
 
+*`immutable`*:: This boolean setting sets the audit config as immutable (`-e 2`).
+This option can only be used with the `socket_type: unicast` since {beatname_uc}
+needs to manage the rules to be able to set it.
++
+It is important to note that with this setting set, {beatname_uc} should never
+be stopped, as it won't be able to resume processing `auditd` events until the
+system is restarted.
+
 *`resolve_ids`*:: This boolean setting enables the resolution of UIDs and
 GIDs to their associated names. The default value is true.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -88,6 +88,8 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]

		Auditbeat

		- Add `immutable` option to the auditd module. {issue}8352[8352] {pull}32381[32381]


		Filebeat

Expand Down