[Auditd Manager] Add docs to support add_session_metadata processor (elastic#10544)

Adds documentation for enabling and configuring the add_session_metadata processor for the Auditd Manager integration. The add_session_metadata processor powers the Session View utility in Elastic Security.

---------

Co-authored-by: Michael Wolf <[email protected]>
karenzone and mjwolf authored Aug 21, 2024
1 parent 07bf7ed commit 05bcf86
Showing 4 changed files with 80 additions and 29 deletions.
51 changes: 37 additions & 14 deletions packages/auditd_manager/_dev/build/docs/README.md
@@ -5,6 +5,30 @@ is a part of the Linux kernel.

This integration is available only for Linux.

## Session View powered by Auditd Manager [BETA]

The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform.

To enable the `add_session_metadata` processor for Auditd Manager:

1. Navigate to the Auditd Manager integration configuration in Kibana.
2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options.

```
- add_session_metadata:
backend: "auto"
```

3. Add these rules to the **Audit Rules** section of the configuration:

```
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S exit_group
-a always,exit -F arch=b64 -S setsid
```

Changes are applied automatically, and you do not have to restart the service.

## How it works

This integration establishes a subscription to the kernel to receive the events
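Review bot: the three audit rules in step 3 are all `-F arch=b64`, so on a host that also runs 32-bit binaries the `execve`/`execveat`, `exit_group` and `setsid` calls made by those processes are never audited and Session View has no record of them; either add matching `arch=b32` rules or state explicitly that the documented rules cover 64-bit syscalls only. Two smaller points on the same hunk: the two new fences are untagged while every other fence in this README is tagged `shell`, so `yaml` for the processor snippet and `shell` (or `text`) for the rules would keep the file consistent; and `backend: "auto"` is given without saying which backends `auto` chooses between or when it falls back, so a pointer to the processor reference for the accepted `backend` values would spare readers on older kernels a surprise.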
@@ -31,28 +55,27 @@ commands to see if the `auditd` service is running and stop it:

* See if `auditd` is running:

```shell
service auditd status
```
```shell
service auditd status
```

* Stop the `auditd` service:

```shell
service auditd stop
```
```shell
service auditd stop
```

* Disable `auditd` from starting on boot:

```shell
chkconfig auditd off
```
```shell
`chkconfig auditd off`
```

To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
* Stop `journald` from listening to audit messages (to save CPU usage and disk space):

```shell
systemctl mask systemd-journald-audit.socket
```
```shell
systemctl mask systemd-journald-audit.socket
```

## Audit rules

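Review bot: the first three bullets keep the SysV-style `service auditd status`, `service auditd stop` and `chkconfig auditd off`, while the bullet this hunk adds uses `systemctl mask systemd-journald-audit.socket`; `chkconfig` is often absent on systemd hosts, so giving the `systemctl status auditd` / `systemctl stop auditd` / `systemctl disable auditd` equivalents alongside (or instead of) the old commands would make the list work on current distributions. The journald bullet should also spell out the trade-off of masking the audit socket: audit records stop appearing in `journalctl`, so anyone who relies on the journal for audit visibility needs to know this integration becomes the only consumer of those messages. Good catch moving the stray backticks out of the `chkconfig` fence.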
5 changes: 5 additions & 0 deletions packages/auditd_manager/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.17.1"
changes:
- description: "Doc: Add doc for configuring Auditd Manager for Session View"
type: enhancement
link: https://github.com/elastic/integrations/issues/10499
- version: "1.17.0"
changes:
- description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
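Review bot: the new entry's `link` points at `issues/10499` while the commit title cites `elastic#10544`; confirm which reference is intended, since changelog entries in this repository normally link the pull request that made the change rather than the tracking issue.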
51 changes: 37 additions & 14 deletions packages/auditd_manager/docs/README.md
@@ -5,6 +5,30 @@ is a part of the Linux kernel.

This integration is available only for Linux.

## Session View powered by Auditd Manager [BETA]

The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform.

To enable the `add_session_metadata` processor for Auditd Manager:

1. Navigate to the Auditd Manager integration configuration in Kibana.
2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options.

```
- add_session_metadata:
backend: "auto"
```

3. Add these rules to the **Audit Rules** section of the configuration:

```
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S exit_group
-a always,exit -F arch=b64 -S setsid
```

Changes are applied automatically, and you do not have to restart the service.

## How it works

This integration establishes a subscription to the kernel to receive the events
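Review bot: `packages/auditd_manager/docs/README.md` is the generated copy of `packages/auditd_manager/_dev/build/docs/README.md` and mirrors it hunk for hunk, so the same issues are present here (audit rules limited to `arch=b64`, untagged fences around the processor snippet and the rules, `backend: "auto"` left unexplained); fix them in the template and regenerate rather than editing this file directly, otherwise the next docs build overwrites the change.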
@@ -31,28 +55,27 @@ commands to see if the `auditd` service is running and stop it:

* See if `auditd` is running:

```shell
service auditd status
```
```shell
service auditd status
```

* Stop the `auditd` service:

```shell
service auditd stop
```
```shell
service auditd stop
```

* Disable `auditd` from starting on boot:

```shell
chkconfig auditd off
```
```shell
`chkconfig auditd off`
```

To save CPU usage and disk space, you can use this command to stop `journald`
from listening to audit messages:
* Stop `journald` from listening to audit messages (to save CPU usage and disk space):

```shell
systemctl mask systemd-journald-audit.socket
```
```shell
systemctl mask systemd-journald-audit.socket
```

## Audit rules

2 changes: 1 addition & 1 deletion packages/auditd_manager/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.0"
name: auditd_manager
title: "Auditd Manager"
version: "1.17.0"
version: "1.17.1"
description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
type: integration
categories:
