tyler.durden/icingabeat
1
0
Fork 0
mirror of https://github.com/Icinga/icingabeat.git synced 2025-09-26 11:19:10 +02:00
Code Issues Packages Projects Releases Wiki Activity
icingabeat/vendor/github.com/elastic/beats/auditbeat/docs/modules/audit.asciidoc
Blerim Sheqa dd3104e1c6 Update to libbeat 6.1
2017-12-19 13:16:39 +01:00

76 lines
2.1 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

////
This file is generated! See scripts/docs_collector.py
////
[id="{beatname_lc}-module-audit"]
== Audit Module
The `audit` module reports security-relevant information based on data captured
from the operating system (OS) or services running on the OS. Although this
feature doesnt provide additional security to your system, it does make it
easier for you to discover and track security policy violations.
[float]
=== Example configuration
The Audit module supports the common configuration options that are
described under <<configuration-{beatname_lc},configuring {beatname_uc}>>. Here
is an example configuration:
[source,yaml]
----
auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
#-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
#-a always,exit -F arch=b64 -S execve,execveat -k exec
## External access.
#-a always,exit -F arch=b64 -S accept,bind,connect,recvfrom -F key=external-access
## Identity changes.
#-w /etc/group -p wa -k identity
#-w /etc/passwd -p wa -k identity
#-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
#-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----
[float]
=== Metricsets
The following metricsets are available:
* <<{beatname_lc}-metricset-audit-file,file>>
* <<{beatname_lc}-metricset-audit-kernel,kernel>>
include::audit/file.asciidoc[]
include::audit/kernel.asciidoc[]
Reference in New Issue View Git Blame Copy Permalink