Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add auditd example with Auditbeat in kubernetes manifests #17431

Merged
merged 5 commits into from
Apr 6, 2020
Merged

Add auditd example with Auditbeat in kubernetes manifests #17431

merged 5 commits into from
Apr 6, 2020

Conversation

jsoriano
Copy link
Member

@jsoriano jsoriano commented Apr 2, 2020
edited
Loading

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

For enrichement it makes use of #15947, included in 7.7.

How to test?

  • Run Auditbeat in kubernetes with the reference configuration.
  • Exec a command inside a container, check that an event about this is collected.
  • Try to access or write to a file without permissions in a container, check that an event about this is collected.
  • Check that events collected about containers include the kubernetes metadata.

@jsoriano
Add auditd example with Auditbeat in kubernetes manifests
784454f 
Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.
@jsoriano jsoriano added review needs_backport PR is waiting to be backported to other branches. Auditbeat Team:SIEM [zube]: In Review v7.7.0 Team:Platforms Label for the Integrations - Platforms team labels Apr 2, 2020
@jsoriano jsoriano self-assigned this Apr 2, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/integrations-platforms (Team:Platforms)

@jsoriano jsoriano added the v7.8.0 label Apr 2, 2020
jsoriano
jsoriano commented Apr 2, 2020
View reviewed changes
deploy/kubernetes/auditbeat-kubernetes.yaml
indexers:
- container:
matchers:
- fields.lookup_fields: ['container.id']
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could probably make these indexers and matchers the default ones for auditbeat.

Copy link
Contributor

@exekias exekias Apr 2, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

++ on doing this, I think it should also be default in Metricbeat

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue created for this: #17432

@exekias exekias requested a review from andrewkroh April 2, 2020 10:33
@jsoriano jsoriano mentioned this pull request Apr 2, 2020
Closed
exekias
exekias approved these changes Apr 2, 2020
View reviewed changes
Copy link
Contributor

@exekias exekias left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changelog maybe?

@jsoriano
Copy link
Member Author

jsoriano commented Apr 3, 2020

Changelog entry added.

@jsoriano jsoriano added the test-plan Add this PR to be manual test plan label Apr 3, 2020
@jsoriano
Copy link
Member Author

jsoriano commented Apr 6, 2020

@andrewkroh @adriansr could any of you take a look to this PR? specially to the included auditd config. Thanks!

@jsoriano jsoriano merged commit 119f324 into elastic:master Apr 6, 2020
@jsoriano jsoriano deleted the auditbeat-kubernetes-auditd.yml branch April 6, 2020 17:23
jsoriano added a commit to jsoriano/beats that referenced this pull request Apr 6, 2020
@jsoriano
Add auditd example with Auditbeat in kubernetes manifests (elastic#17431
30a1734 
)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

(cherry picked from commit 119f324)
@jsoriano jsoriano mentioned this pull request Apr 6, 2020
Merged
@jsoriano jsoriano removed the needs_backport PR is waiting to be backported to other branches. label Apr 6, 2020
jsoriano added a commit to jsoriano/beats that referenced this pull request Apr 6, 2020
@jsoriano
Add auditd example with Auditbeat in kubernetes manifests (elastic#17431
df104b0 
)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

(cherry picked from commit 119f324)
@jsoriano jsoriano mentioned this pull request Apr 6, 2020
Merged
jsoriano added a commit that referenced this pull request Apr 7, 2020
@jsoriano
Add auditd example with Auditbeat in kubernetes manifests (#17431) (#…
a9125d6 
…17545)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

(cherry picked from commit 119f324)
jsoriano added a commit that referenced this pull request Apr 7, 2020
@jsoriano
Add auditd example with Auditbeat in kubernetes manifests (#17431) (#…
9635f58 
…17546)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

(cherry picked from commit 119f324)
@andresrc andresrc added the test-plan-added This PR has been added to the test plan label May 3, 2020
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
@jsoriano
Add auditd example with Auditbeat in kubernetes manifests (elastic#17431
cf9b21a 
) (elastic#17546)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

(cherry picked from commit 32a11c9)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

@exekias exekias exekias approved these changes

Assignees

@jsoriano jsoriano

Labels
Auditbeat review Team:Platforms Label for the Integrations - Platforms team test-plan Add this PR to be manual test plan test-plan-added This PR has been added to the test plan v7.7.0 v7.8.0 [zube]: Done
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jsoriano @elasticmachine @exekias @andrewkroh @andresrc