j91321.auditbeat

ansible-role-auditbeat


This is an Ansible role that replaces the traditional auditd tool with Auditbeat. It comes with modified rules taken from bfuzzy1/auditd-attack.

Mapping to MITRE ATT&CK framework

Please test the rules thoroughly before using them in a production environment, as some rules might affect performance based on your system configuration. For more details about Auditbeat, check the official documentation.

Supported platforms:

  • Ubuntu 20.04
  • Ubuntu 18.04
  • Ubuntu 16.04
  • CentOS 8
  • CentOS 7
  • CentOS 6
  • Debian 10
  • Debian 9
  • Debian 8
  • Gentoo **
  • Windows 10*
  • Windows Server 2019*
  • Windows Server 2016*

Auditbeat may also work on Oracle Enterprise Linux, but only with RHCK.

* Note that Auditbeat on Windows has a different set of features. To achieve similar functionality, use Sysmon + Winlogbeat.

** For Gentoo users, you will need to create your own ebuild. If you want to use the system metricset, you need to build Auditbeat with an x-pack folder under the Elastic license. For Sockets, Kprobe must be enabled in your kernel’s menuconfig.

If you prefer to run Auditbeat in a Docker container, you can use the official Docker image provided by Elastic.

Requirements

None

Role Variables

Ansible variables are defined in defaults/main.yml

auditbeat_service:
  install_path_windows64: "C:\\Program Files\\Elastic\\auditbeat"
  install_path_windows32: "C:\\Program Files\\Elastic\\auditbeat"
  version: "7.13.1"
  download: true
  config_path: /etc/auditbeat
  install_rules: true
  rule_file: auditd-attack.conf

auditbeat_output:
  type: "elasticsearch"
  elasticsearch:
    hosts:
      - "localhost:9200"
    security:
      enabled: false
        
auditbeat_processors: |
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

auditbeat_portage:
  package: =auditbeat-{{ auditbeat_service.version }}
  getbinpkg: no

You can change auditbeat_service.install_rules to false if you don’t want to use the included rules.

The variable auditbeat_service.download only applies to Windows installations. If you do not want clients to download the Windows zip package online, set it to false and place the zip file in the files/ directory, keeping the original naming (e.g., files/auditbeat-7.6.2-windows-x86.zip).

The default above configures output to Elasticsearch without Security enabled. Here is how to configure it with Security enabled:

auditbeat_output:
  type: elasticsearch
  elasticsearch:
    hosts:
      - "localhost:9200"
    security:
      enabled: true
      username: auditbeat_writer
      password: pa$$word
      protocol: https
      ssl_verification_mode: certificate
      ssl_certificate_authorities:
        - "/etc/ca/my_ca.crt"

With Security enabled, the CA certificate listed under ssl_certificate_authorities must be present on the server at the given path.

The auditbeat_output.type can be set to logstash, elasticsearch, or redis. If you have the Ansible hash_behaviour set to merge, the role may incorrectly install both elasticsearch and logstash outputs when using logstash as the output type.
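To see why hash_behaviour=merge is a problem here, the following added example (not the role's own code) reproduces Ansible's deep-merge on the default auditbeat_output and a hypothetical Logstash override, then lists which output sections end up configured:

```python
# Added example (not the role's own code): shows why hash_behaviour=merge can
# leave both the default elasticsearch output and a logstash output configured.
import copy

# Constructed: the role's default auditbeat_output from defaults/main.yml.
DEFAULT_OUTPUT = {
    "type": "elasticsearch",
    "elasticsearch": {"hosts": ["localhost:9200"], "security": {"enabled": False}},
}
# Constructed: a user override switching to Logstash (hostname is hypothetical).
USER_OUTPUT = {"type": "logstash", "logstash": {"hosts": ["logstash.example:5044"]}}

def merge_hashes(base, override):
    """Deep merge like Ansible hash_behaviour=merge: nested dicts combine, other values replace."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_hashes(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result

def resolve_output(default, override, hash_behaviour="replace"):
    """Effective auditbeat_output under the given hash_behaviour."""
    if hash_behaviour == "merge":
        return merge_hashes(default, override)
    return copy.deepcopy(override)          # replace: the playbook value wins whole

def configured_outputs(output):
    """Output sections present besides 'type'; a correct config has exactly one."""
    return sorted(key for key in output if key != "type")
```

With the default replace behaviour only logstash remains; with merge the elasticsearch section from defaults/main.yml survives alongside it.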

Example of Redis output:

auditbeat_output:
  type: redis
  redis:
    hosts:
      - 192.168.100.4
    password: "redis_password"
    key: "auditbeat"

Example to filter out high-volume logs using processors:

auditbeat_processors: |
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - drop_event.when.and:
    - equals.event.action: "network_flow"
    - equals.server.port: 10050
    - equals.process.name: "zabbix_agentd"
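Before deploying a drop_event rule it is worth checking exactly which events it will suppress. The following added example (not the role's own code) evaluates the condition above against two constructed events, one matching the Zabbix agent noise and one SSH flow that must be kept:

```python
# Added example (not the role's own code): evaluates the README's drop_event
# condition offline so a noise-suppression rule can be checked before rollout.
# Constructed: the README's processors list in the dotted-key form Beats accepts.
PROCESSORS = [
    {"add_host_metadata": None},            # non-drop processors are ignored here
    {"drop_event.when.and": [
        {"equals.event.action": "network_flow"},
        {"equals.server.port": 10050},
        {"equals.process.name": "zabbix_agentd"},
    ]},
]

def flatten(doc, prefix=""):
    """Nested event -> dotted keys: {'server': {'port': 1}} -> {'server.port': 1}."""
    flat = {}
    for key, value in doc.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat

def matches(cond, flat):
    """Evaluate one dotted-form condition: and / not / equals.<field>."""
    ((key, value),) = cond.items()          # each condition dict has one key
    if key == "and":
        return all(matches(c, flat) for c in value)
    if key == "not":
        return not matches(value, flat)
    op, _, field = key.partition(".")
    if op == "equals":
        return flat.get(field) == value     # a missing field never matches
    raise ValueError(f"unsupported condition: {key}")

def should_drop(processors, event):
    """True if any drop_event processor's 'when' condition matches the event."""
    flat = flatten(event)
    for proc in processors:
        for key, cond in proc.items():
            if key.startswith("drop_event.when."):
                op = key[len("drop_event.when."):]
                if matches({op: cond}, flat):
                    return True
    return False

# Constructed sample events: Zabbix agent polling (noise) and an SSH flow (keep).
ZABBIX_FLOW = {"event": {"action": "network_flow"}, "server": {"port": 10050},
               "process": {"name": "zabbix_agentd"}}
SSH_FLOW = {"event": {"action": "network_flow"}, "server": {"port": 22},
            "process": {"name": "sshd"}}
```

Because every clause under `and` must hold, an event that lacks any of the three fields is kept rather than dropped.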

Ansible variables from vars/main.yml:

auditbeat_module:
  auditd:
    enabled: true
  file_integrity:
    enabled: true
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
  system:
    enabled: true
    datasets:
      - host
      - login
      - package
      - process
      - socket
      - user
auditbeat_module_windows:
  file_integrity:
    enabled: true
    paths:
      - C:\windows
      - C:\windows\system32
      - C:\Program Files
      - C:\Program Files (x86)
  system:
    enabled: true
    datasets:
      - host
      - process

These variables are the default settings for Auditbeat and cover most common use cases.

Dependencies

None

Example Playbook

- name: Install auditbeat
  hosts:
    - linux
    - windows
  become: yes
  vars:
    auditbeat_service:
      install_path_windows32: "C:\\Program Files\\monitoring\\auditbeat"
      install_path_windows64: "C:\\Program Files\\monitoring\\auditbeat"
      version: "7.13.1"
      download: true
      install_rules: true
      rule_file: auditd-attack.conf
    auditbeat_template:
      enabled: false
    auditbeat_general:
      tags:
        - "auditbeat"
    auditbeat_output:
      type: "elasticsearch"
      elasticsearch:
        hosts:
          - "172.16.0.11:9200"
          - "172.16.0.12:9200"
          - "172.16.0.13:9200"
        security:
          enabled: true
          username: auditbeat
          password: auditbeatpassword
          protocol: http
  roles:
  - ansible-role-auditbeat

Extras

In the extras folder, you will find several prepared Kibana saved searches based on Sigma auditd rules. These saved searches work with the default index pattern auditbeat-*. If you use a different index pattern, you will need to edit the saved objects to match your index pattern and field names.

Installation steps:

  1. Go to Kibana->Management->Index Patterns
  2. Click Create index pattern
  3. In the Index pattern field, type auditbeat-* and click Next step
  4. Choose @timestamp as the Time Filter field name
  5. Click Show advanced options
  6. Set the Custom index pattern ID to auditbeat-*
  7. Click Create index pattern

Then, import the saved searches from this repository:

  1. Go to Kibana->Management->Saved Objects
  2. Click Import
  3. Select the JSON file for the saved search you want to import
  4. Click Import
  5. Repeat for all saved searches

License

MIT

Author Information

j91321

Rules by: bfuzzy

Notes

Testing needs some enhancements. We are waiting for a solution to beats issue #8280 for better test results.

About the project

Install Auditbeat for security monitoring, supplied ruleset.

Install
ansible-galaxy install j91321.auditbeat
License
mit
Downloads
299
Owner