Monday, October 5, 2020

Beginning Elastic - Installing and Providing Basic Security to Auditbeat - Elastic Stack 7.9 on Ubuntu 20.04

Continuing this journey where we install and configure the different components of Elastic Stack. In the first post, we installed Elasticsearch. In the second post, we installed Kibana. In the third post, we provided basic security to Elastic and Kibana. In the fourth post, we installed, configured and secured Metricbeat. In this, the fifth post, we install, configure and secure Auditbeat.

Select Auditbeat from the list of log sources and follow the directions.


Below I choose to Install Auditbeat from the repository.

root@securitynik-monitoring:~# apt-get install auditbeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  auditbeat
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.7 MB of archives.
After this operation, 92.4 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 auditbeat amd64 7.9.2 [26.7 MB]
Fetched 26.7 MB in 1s (19.8 MB/s)
Selecting previously unselected package auditbeat.
(Reading database ... 176029 files and directories currently installed.)
Preparing to unpack .../auditbeat_7.9.2_amd64.deb ...
Unpacking auditbeat (7.9.2) ...
Setting up auditbeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...

Make a copy of the original "auditbeat.yml" file.

root@securitynik-monitoring:~# cd /etc/auditbeat/
root@securitynik-monitoring:/etc/auditbeat# cp auditbeat.yml auditbeat.yml.ORIGINAL

Make the necessary configuration changes. The settings that matter are pulled out with grep below.

root@securitynik-monitoring:~# cat /etc/auditbeat/auditbeat.yml | grep --perl-regexp "^\s+host|^\s+username|^\s+password|^\s+protocol"
  host: "https://10.0.0.1:5601"
  hosts: ["https://10.0.0.1:9200"]
  protocol: "https"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"

Using a shortcut, let's take the last 8 lines of the "metricbeat.yml" file (the SSL block added in the previous post) and append them to the "auditbeat.yml" file.

root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/auditbeat/auditbeat.yml

root@securitynik-monitoring:~#  tail --lines 8 /etc/auditbeat/auditbeat.yml
# SSL Configuration enabled by Nik
ssl.enabled: true
output.elasticsearch.hosts: ["https://10.0.0.1:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]

setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/kibana/SecurityNik-CA.pem"]

Before loading up, we test that all is well with the configuration.

root@securitynik-monitoring:~# auditbeat test config
Config OK
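"auditbeat test config" only tells us the file parses; it says nothing about whether the output settings are the secure ones. The following Python is an added example, not code from this post or from Auditbeat. It lints the dotted-key settings appended above, flagging hosts that are not https, "ssl.verification_mode: none", a missing certificate_authorities list, and a password kept in clear text in the file (Beats can resolve it from the keystore with a "${NAME}" reference instead; the keystore entry name ES_PWD below is an assumption). The two sample dicts are constructed to mirror the post's settings, one hardened and one deliberately weak.

```python
"""Lint the TLS and credential settings of a Beats Elasticsearch output.

Added example, not code from the post or from Auditbeat. Works on the
dotted-key style appended above (output.elasticsearch.hosts: [...]) and on
nested YAML already loaded into a dict; both shapes are flattened first.
"""

# Constructed sample mirroring the settings the post appends, with the
# password moved to the Beats keystore (the entry name ES_PWD is an assumption).
SECURE_EXAMPLE = {
    "output.elasticsearch.hosts": ["https://10.0.0.1:9200"],
    "output.elasticsearch.ssl.enabled": True,
    "output.elasticsearch.ssl.certificate_authorities": ["/etc/kibana/SecurityNik-CA.pem"],
    "output.elasticsearch.username": "elastic",
    "output.elasticsearch.password": "${ES_PWD}",
}

# Constructed sample of a weak output block (nested form): plaintext transport,
# verification switched off, no private CA pinned, password in the clear.
WEAK_EXAMPLE = {
    "output": {"elasticsearch": {
        "hosts": ["http://10.0.0.1:9200"],
        "ssl": {"verification_mode": "none"},
        "username": "elastic",
        "password": "WelcomeToSecurityNikElastic",
    }},
}


def flatten(cfg, prefix=""):
    """Turn nested dicts into dotted keys so both YAML styles compare equally."""
    flat = {}
    for key, value in cfg.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def host_scheme(host, default_protocol):
    """Beats hosts may omit the scheme; then output.elasticsearch.protocol applies."""
    if "://" in host:
        return host.split("://", 1)[0].lower()
    return default_protocol


def lint_output(cfg, section="output.elasticsearch"):
    """Return a list of findings; an empty list means nothing weak was found."""
    flat = flatten(cfg)
    findings = []
    # Beats defaults to http when neither the host URL nor `protocol` says otherwise.
    protocol = str(flat.get(f"{section}.protocol", "http")).lower()
    for host in flat.get(f"{section}.hosts", []):
        scheme = host_scheme(host, protocol)
        if scheme != "https":
            findings.append(f"{host}: transport is {scheme}, credentials and events travel unencrypted")
    # Default verification mode is "full"; "none" accepts any certificate.
    if str(flat.get(f"{section}.ssl.verification_mode", "full")).lower() == "none":
        findings.append("ssl.verification_mode is none: the server certificate is never checked")
    if not flat.get(f"{section}.ssl.certificate_authorities"):
        findings.append("no ssl.certificate_authorities: a private CA such as SecurityNik-CA is only trusted if it is in the system store")
    password = flat.get(f"{section}.password")
    if isinstance(password, str) and password and not password.startswith("${"):
        findings.append("password is stored in clear text; keep it in the Beats keystore and reference it as ${NAME}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("secure", SECURE_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        print(label, lint_output(cfg) or ["no findings"])
```

To use it on a real file, load auditbeat.yml with a YAML parser and pass the resulting dict; the flattening step means it does not matter whether the settings were written nested or in the dotted form the post appends.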

Looking at "auditd-status":

securitynik@securitynik-monitoring:~$ sudo auditbeat show auditd-status
[sudo] password for securitynik:

enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0
backlog_wait_time 15000
features 0x7f

Looking at "auditd-rules", we see no rules defined.

securitynik@securitynik-monitoring:~$ sudo auditbeat show auditd-rules
No rules

Guess we should ensure a few rules are defined, so that we have something to monitor. For simplicity's sake, let's use the rules in the "auditbeat.yml" file. To do this, I uncommented the rules, which were previously commented out. Below represents those changes.

securitynik@securitynik-monitoring:~$ sudo cat /etc/auditbeat/auditbeat.yml | grep "audit_rules:" --after-context=20
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    -a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity

With the above now configured, let's verify that we can connect to Elastic.

root@securitynik-monitoring:~# auditbeat test output
elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.9.2

Next up, load the index template and appropriate dashboards, etc.

root@securitynik-monitoring:~# auditbeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards

Enable and start up Auditbeat.

root@securitynik-monitoring:~# systemctl enable --now auditbeat.service
Synchronizing state of auditbeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable auditbeat
Created symlink /etc/systemd/system/multi-user.target.wants/auditbeat.service → /lib/systemd/system/auditbeat.service.

root@securitynik-monitoring:~# systemctl status auditbeat.service
● auditbeat.service - Audit the activities of users and processes on your system.
     Loaded: loaded (/lib/systemd/system/auditbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2020-08-14 13:48:43 EDT; 2s ago
       Docs: https://www.elastic.co/products/beats/auditbeat
   Main PID: 35398 (auditbeat)
      Tasks: 11 (limit: 4563)
     Memory: 22.6M
     CGroup: /system.slice/auditbeat.service
             └─35398 /usr/share/auditbeat/bin/auditbeat -environment systemd -c /etc/auditbeat/auditbeat.yml -path.home /usr/share/auditbeat -path.config /etc/auditbeat ->

Verifying that data is coming into Elastic.

Now we also verify that the rules are loaded and working.

root@securitynik-monitoring:~# auditbeat show auditd-rules
-a never,exit -S all -F pid=707
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access
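Note that the kernel does not hand the rules back exactly as they were written: "-k exec" comes back as "-F key=exec" and "accept,bind,connect" as "connect,accept,bind", and there are rules in the list that were not in the block we uncommented. A plain diff of the two listings would therefore report drift that is not there. The following Python is an added example, not code from this post or from Auditbeat: it normalizes both sides and reports which configured rules the kernel lacks and which loaded rules were never configured. The two sample listings are constructed to mirror the post's output.

```python
"""Check that the audit rules configured in auditbeat.yml are the ones the
kernel actually has loaded.

Added example, not code from the post or from Auditbeat. `auditbeat show
auditd-rules` prints rules in canonical form, so both sides are normalized
(-k NAME -> -F key=NAME, syscall lists sorted) before comparing.
"""

# Constructed sample: the rule lines uncommented in the post's auditbeat.yml.
CONFIGURED = """
## Executions.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
"""

# Constructed sample of `auditbeat show auditd-rules` output, mirroring the
# post: two of the rules the kernel reports were not in the configured block.
LOADED = """
-a never,exit -S all -F pid=707
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
"""

# Rule flags that consume the following token as their value.
TAKES_ARG = {"-a", "-A", "-w", "-p", "-F", "-S", "-k"}


def normalize(rule):
    """Canonical tuple of (flag, value) pairs for one audit rule line."""
    tokens = rule.split()
    out = []
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag in TAKES_ARG and i + 1 < len(tokens):
            value, i = tokens[i + 1], i + 2
        else:
            value, i = "", i + 1
        if flag == "-k":                       # -k NAME is shorthand for -F key=NAME
            flag, value = "-F", f"key={value}"
        elif flag == "-S":                     # a syscall list is a set, not a sequence
            value = ",".join(sorted(value.split(",")))
        out.append((flag, value))
    return tuple(out)


def parse_rules(text):
    """Normalized rule set from a block of lines, skipping comments and blanks."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.add(normalize(line))
    return rules


def render(rule):
    """Turn a normalized tuple back into a readable rule line."""
    return " ".join(f"{flag} {value}".strip() for flag, value in rule)


def compare_rules(configured_text, loaded_text):
    """Configured rules the kernel lacks, and loaded rules nobody configured."""
    want, have = parse_rules(configured_text), parse_rules(loaded_text)
    return {
        "missing": sorted(render(r) for r in want - have),
        "unexpected": sorted(render(r) for r in have - want),
    }


if __name__ == "__main__":
    result = compare_rules(CONFIGURED, LOADED)
    print("missing:", result["missing"] or "none")
    print("unexpected:", *result["unexpected"], sep="\n  ")
```

In practice, feed it the audit_rules block from your auditbeat.yml and the live output of "auditbeat show auditd-rules". An empty "missing" list is the result you want after every config change; anything under "unexpected" is worth being able to explain, since rules that nobody remembers adding are exactly the ones a reviewer should ask about.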

Looking at some actual data now in Elastic.


Ok. Let's move on to install, configure and secure Filebeat.

Posts in this series:

Security On The Cheap - Beginning Elastic Stack - Installing Elastic 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Installing Kibana 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Providing Basic Security to Elastic and Kibana 7.9 communication on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Metricbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Auditbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Filebeat - Elastic Stack 7.9 on Ubuntu 20.04
Beginning Elastic - Installing, Configuring and Providing Basic Security to Packetbeat
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Winlogbeat

References:

https://www.elastic.co/downloads/beats/auditbeat
https://www.elastic.co/guide/en/beats/auditbeat/7.9/setup-repositories.html#_apt
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html
https://logz.io/blog/linux-auditbeat-elk/
