[Auditbeat] Allow setting kernel audit config immutable #8352
Comments
andrewkroh
changed the title
|
+1 for allowing auditbeat to set |
|
+1 to auditbeat setting -e 2 |
This workaround does not work for systems that don't support Multicast sockets for audit data
ExecStartPre=/usr/sbin/augenrules --load
Now, Why didn't it work?auditbeat can't register as the pid handling audit events after the rules have been made immutable. You'll get the error from Dug down and found the why here. |
Workaround for unicast-only systemsAlong the same lines as the previous workaround, modify ExecStartPost=/bin/sh -c "/usr/bin/sleep 15;/usr/sbin/augenrules --load"The key here is the sleep. When I did just I'd also suggest throwing |
|
Pinging @elastic/siem (Team:SIEM) |
|
This really needs to be implemented. |
|
Is there any plan to implement this in the near future? |
|
@andrewkroh thank you! This can be closed. elastic/go-libaudit@ba0bbab |
|
I did add support for this feature in the go-libaudit library, but Auditbeat still needs updated to use the feature and also to provide helpful errors when certain actions cannot be performed due to the kernel being immutable. |
|
This is still a problem on 7.10.1 auditbeat. Not sure if this will come up as highest priority. |
|
Does anyone know when this change might occur? |
|
@dmlary does this workaround work on RHEL 7 servers? Specifically one's with the C2S profile applied? I'm not having much luck with either workaround. |
|
@boomcubist over the past few years, this has evolved into something a little more complicated. With the version of auditbeat I'm running (6.8.1), I would see auditbeat crash at startup on occasion, which prevents the audit data from being correctly captured after the rules have been set immutable (you can't change the destination pid). To work around this, I pulled the immutable flag from the audit rules, and moved it into a separate service entirely. This service will only start after auditbeat service is up and running. It will check if auditbeat has been running for more than 60 seconds, and if so, it will set the audit rules immutable. audit-rules-immutable.service: [Unit]
Description=Make audit rules immutable
After=auditbeat.service
[Service]
ExecStart=/bin/bash -xc '[[ $(ps -o etimes= -C auditbeat) -ge 60 ]] && auditctl -e 2'
Restart=on-failure
RestartSec=15
[Install]
WantedBy=multi-user.target |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
I don't believe auditbeat supports any type of tamper feature of this type. Specifically, this is to prevent an attacker from disabling the system that would be used to alert to intrusion.
The closest thing I can find is failure_mode: log
Although I haven't tested yet.
There is also an auditd immutability mode (-e) that auditbeat will not allow in the accepted config. I do like that an attacker would likely go after auditd first (with auditctl -l), see rules, and then attempt auditctl -D. That (and any other recon) would be logged.
The text was updated successfully, but these errors were encountered: