From 05bcf864dc915ef62a4d9ceb7c0d20954578f031 Mon Sep 17 00:00:00 2001
From: Karen Metts <35154725+karenzone@users.noreply.github.com>
Date: Wed, 21 Aug 2024 11:31:22 -0400
Subject: [PATCH] [Auditd Manager] Add docs to support add_session_metadata processor (#10544)

Adds documentation for enabling and configuring the add_session_metadata processor for the Auditd Manager integration. The add_session_metadata processor powers the Session View utility in Elastic Security.

---------

Co-authored-by: Michael Wolf
---
 .../auditd_manager/_dev/build/docs/README.md | 51 ++++++++++++++-----
 packages/auditd_manager/changelog.yml | 5 ++
 packages/auditd_manager/docs/README.md | 51 ++++++++++++++-----
 packages/auditd_manager/manifest.yml | 2 +-
 4 files changed, 80 insertions(+), 29 deletions(-)

diff --git a/packages/auditd_manager/_dev/build/docs/README.md b/packages/auditd_manager/_dev/build/docs/README.md
index b330276b185..db1c6c25fee 100644
--- a/packages/auditd_manager/_dev/build/docs/README.md
+++ b/packages/auditd_manager/_dev/build/docs/README.md
@@ -5,6 +5,30 @@ is a part of the Linux kernel. This integration is available only for Linux.
+## Session View powered by Auditd Manager [BETA]
+
+The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform.
+
+To enable the `add_session_metadata` processor for Auditd Manager:
+
+1. Navigate to the Auditd Manager integration configuration in Kibana.
+2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options.
+
+```
+ - add_session_metadata:
+ backend: "auto"
+```
+
+3. Add these rules to the **Audit Rules** section of the configuration:
+
+```
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+ -a always,exit -F arch=b64 -S exit_group
+ -a always,exit -F arch=b64 -S setsid
+```
+
+Changes are applied automatically, and you do not have to restart the service.
+
 ## How it works
 This integration establishes a subscription to the kernel to receive the events
@@ -31,28 +55,27 @@ commands to see if the `auditd` service is running and stop it:
 * See if `auditd` is running:
-```shell
-service auditd status
-```
+ ```shell
+ service auditd status
+ ```
 * Stop the `auditd` service:
-```shell
-service auditd stop
-```
+ ```shell
+ service auditd stop
+ ```
 * Disable `auditd` from starting on boot:
-```shell
-chkconfig auditd off
-```
+ ```shell
+ `chkconfig auditd off`
+ ```
-To save CPU usage and disk space, you can use this command to stop `journald`
-from listening to audit messages:
+* Stop `journald` from listening to audit messages (to save CPU usage and disk space):
-```shell
-systemctl mask systemd-journald-audit.socket
-```
+ ```shell
+ systemctl mask systemd-journald-audit.socket
+ ```
 ## Audit rules
diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml
index a62d0ade046..83ae927fa53 100644
--- a/packages/auditd_manager/changelog.yml
+++ b/packages/auditd_manager/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.17.1"
+ changes:
+ - description: "Doc: Add doc for configuring Auditd Manager for Session View"
+ type: enhancement
+ link: https://github.com/elastic/integrations/issues/10499
 - version: "1.17.0"
 changes:
 - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/auditd_manager/docs/README.md b/packages/auditd_manager/docs/README.md
index 9dc3a59de4d..7365bd032e5 100644
--- a/packages/auditd_manager/docs/README.md
+++ b/packages/auditd_manager/docs/README.md
@@ -5,6 +5,30 @@ is a part of the Linux kernel. This integration is available only for Linux.
+## Session View powered by Auditd Manager [BETA]
+
+The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform.
+
+To enable the `add_session_metadata` processor for Auditd Manager:
+
+1. Navigate to the Auditd Manager integration configuration in Kibana.
+2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options.
+
+```
+ - add_session_metadata:
+ backend: "auto"
+```
+
+3. Add these rules to the **Audit Rules** section of the configuration:
+
+```
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+ -a always,exit -F arch=b64 -S exit_group
+ -a always,exit -F arch=b64 -S setsid
+```
+
+Changes are applied automatically, and you do not have to restart the service.
+
 ## How it works
 This integration establishes a subscription to the kernel to receive the events
@@ -31,28 +55,27 @@ commands to see if the `auditd` service is running and stop it:
 * See if `auditd` is running:
-```shell
-service auditd status
-```
+ ```shell
+ service auditd status
+ ```
 * Stop the `auditd` service:
-```shell
-service auditd stop
-```
+ ```shell
+ service auditd stop
+ ```
 * Disable `auditd` from starting on boot:
-```shell
-chkconfig auditd off
-```
+ ```shell
+ `chkconfig auditd off`
+ ```
-To save CPU usage and disk space, you can use this command to stop `journald`
-from listening to audit messages:
+* Stop `journald` from listening to audit messages (to save CPU usage and disk space):
-```shell
-systemctl mask systemd-journald-audit.socket
-```
+ ```shell
+ systemctl mask systemd-journald-audit.socket
+ ```
 ## Audit rules
diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml
index cbc55daeeb2..b6122dffcc8 100644
--- a/packages/auditd_manager/manifest.yml
+++ b/packages/auditd_manager/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: auditd_manager
 title: "Auditd Manager"
-version: "1.17.0"
+version: "1.17.1"
 description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
 type: integration
 categories: