github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 01:13:23 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Infra UI] Log Rules for AuditD Filebeat Module (#28289)

Browse source 
* Adding AuditD rules for SYSCALL and MAC_IPSEC_EVENT events

* Adding catch all rule

* Adding catchall for events without msg

* Adding boolean to LogEntryDocumentFields

* Standardizing prefix format
This commit is contained in:
Chris Cowan 2019-01-11 11:14:35 -07:00 committed by GitHub
parent d5e6e012d9
commit 314dd4d23a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 235 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

150
x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_auditd.test.ts Normal file
View file

@ -0,0 +1,150 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
import { compileFormattingRules } from '../message';
import { filebeatAuditdRules } from './filebeat_auditd';
const { format } = compileFormattingRules(filebeatAuditdRules);
describe('Filebeat Rules', () => {
test('auditd IPSEC rule', () => {
const event = {
'@timestamp': '2017-01-31T20:17:14.891Z',
'auditd.log.auid': '4294967295',
'auditd.log.dst': '192.168.0.0',
'auditd.log.dst_prefixlen': '16',
'auditd.log.op': 'SPD-delete',
'auditd.log.record_type': 'MAC_IPSEC_EVENT',
'auditd.log.res': '1',
'auditd.log.sequence': 18877201,
'auditd.log.ses': '4294967295',
'auditd.log.src': '192.168.2.0',
'auditd.log.src_prefixlen': '24',
'ecs.version': '1.0.0-beta2',
'event.dataset': 'auditd.log',
'event.module': 'auditd',
'fileset.name': 'log',
'input.type': 'log',
'log.offset': 0,
};
const message = format(event);
expect(message).toEqual([
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type', highlights: [], value: 'MAC_IPSEC_EVENT' },
{ constant: '] src:' },
{ field: 'auditd.log.src', highlights: [], value: '192.168.2.0' },
{ constant: ' dst:' },
{ field: 'auditd.log.dst', highlights: [], value: '192.168.0.0' },
{ constant: ' op:' },
{ field: 'auditd.log.op', highlights: [], value: 'SPD-delete' },
]);
});
test('AuditD SYSCALL rule', () => {
const event = {
'@timestamp': '2017-01-31T20:17:14.891Z',
'auditd.log.a0': '9',
'auditd.log.a1': '7f564b2672a0',
'auditd.log.a2': 'b8',
'auditd.log.a3': '0',
'auditd.log.arch': 'x86_64',
'auditd.log.auid': '4294967295',
'auditd.log.comm': 'charon',
'auditd.log.egid': '0',
'auditd.log.euid': '0',
'auditd.log.exe': '/usr/libexec/strongswan/charon (deleted)',
'auditd.log.exit': '184',
'auditd.log.fsgid': '0',
'auditd.log.fsuid': '0',
'auditd.log.gid': '0',
'auditd.log.items': '0',
'auditd.log.pid': '1281',
'auditd.log.ppid': '1240',
'auditd.log.record_type': 'SYSCALL',
'auditd.log.sequence': 18877199,
'auditd.log.ses': '4294967295',
'auditd.log.sgid': '0',
'auditd.log.success': 'yes',
'auditd.log.suid': '0',
'auditd.log.syscall': '44',
'auditd.log.tty': '(none)',
'auditd.log.uid': '0',
'ecs.version': '1.0.0-beta2',
'event.dataset': 'auditd.log',
'event.module': 'auditd',
'fileset.name': 'log',
'input.type': 'log',
'log.offset': 174,
};
const message = format(event);
expect(message).toEqual([
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type', highlights: [], value: 'SYSCALL' },
{ constant: '] exe:' },
{
field: 'auditd.log.exe',
highlights: [],
value: '/usr/libexec/strongswan/charon (deleted)',
},
{ constant: ' gid:' },
{ field: 'auditd.log.gid', highlights: [], value: '0' },
{ constant: ' uid:' },
{ field: 'auditd.log.uid', highlights: [], value: '0' },
{ constant: ' tty:' },
{ field: 'auditd.log.tty', highlights: [], value: '(none)' },
{ constant: ' pid:' },
{ field: 'auditd.log.pid', highlights: [], value: '1281' },
{ constant: ' ppid:' },
{ field: 'auditd.log.ppid', highlights: [], value: '1240' },
]);
});
test('AuditD events with msg rule', () => {
const event = {
'@timestamp': '2017-01-31T20:17:14.891Z',
'auditd.log.auid': '4294967295',
'auditd.log.record_type': 'EXAMPLE',
'auditd.log.msg': 'some kind of message',
'ecs.version': '1.0.0-beta2',
'event.dataset': 'auditd.log',
'event.module': 'auditd',
'fileset.name': 'log',
'input.type': 'log',
'log.offset': 174,
};
const message = format(event);
expect(message).toEqual([
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type', highlights: [], value: 'EXAMPLE' },
{ constant: '] ' },
{
field: 'auditd.log.msg',
highlights: [],
value: 'some kind of message',
},
]);
});
test('AuditD catchall rule', () => {
const event = {
'@timestamp': '2017-01-31T20:17:14.891Z',
'auditd.log.auid': '4294967295',
'auditd.log.record_type': 'EXAMPLE',
'ecs.version': '1.0.0-beta2',
'event.dataset': 'auditd.log',
'event.module': 'auditd',
'fileset.name': 'log',
'input.type': 'log',
'log.offset': 174,
};
const message = format(event);
expect(message).toEqual([
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type', highlights: [], value: 'EXAMPLE' },
{ constant: '] Event without message.' },
]);
});
});

82
x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/filebeat_auditd.ts Normal file
View file

@ -0,0 +1,82 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
export const filebeatAuditdRules = [
// IPSEC_EVENT Rule
{
when: {
exists: ['auditd.log.record_type', 'auditd.log.src', 'auditd.log.dst', 'auditd.log.op'],
values: {
'auditd.log.record_type': 'MAC_IPSEC_EVENT',
},
},
format: [
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type' },
{ constant: '] src:' },
{ field: 'auditd.log.src' },
{ constant: ' dst:' },
{ field: 'auditd.log.dst' },
{ constant: ' op:' },
{ field: 'auditd.log.op' },
],
},
// SYSCALL Rule
{
when: {
exists: [
'auditd.log.record_type',
'auditd.log.exe',
'auditd.log.gid',
'auditd.log.uid',
'auditd.log.tty',
'auditd.log.pid',
'auditd.log.ppid',
],
values: {
'auditd.log.record_type': 'SYSCALL',
},
},
format: [
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type' },
{ constant: '] exe:' },
{ field: 'auditd.log.exe' },
{ constant: ' gid:' },
{ field: 'auditd.log.gid' },
{ constant: ' uid:' },
{ field: 'auditd.log.uid' },
{ constant: ' tty:' },
{ field: 'auditd.log.tty' },
{ constant: ' pid:' },
{ field: 'auditd.log.pid' },
{ constant: ' ppid:' },
{ field: 'auditd.log.ppid' },
],
},
// Events with `msg` Rule
{
when: {
exists: ['auditd.log.record_type', 'auditd.log.msg'],
},
format: [
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type' },
{ constant: '] ' },
{ field: 'auditd.log.msg' },
],
},
// Events with `msg` Rule
{
when: {
exists: ['auditd.log.record_type'],
},
format: [
{ constant: '[AuditD][' },
{ field: 'auditd.log.record_type' },
{ constant: '] Event without message.' },
],
},
];

2
x-pack/plugins/infra/server/lib/domains/log_entries_domain/builtin_rules/index.ts
View file

@ -5,6 +5,7 @@
*/
import { filebeatApache2Rules } from './filebeat_apache2';
import { filebeatAuditdRules } from './filebeat_auditd';
import { filebeatNginxRules } from './filebeat_nginx';
import { filebeatRedisRules } from './filebeat_redis';
import { filebeatSystemRules } from './filebeat_system';
@ -15,6 +16,7 @@ export const builtinRules = [
...filebeatNginxRules,
...filebeatRedisRules,
...filebeatSystemRules,
...filebeatAuditdRules,
...genericRules,
{
when: {

2
x-pack/plugins/infra/server/lib/domains/log_entries_domain/log_entries_domain.ts
View file

@ -164,7 +164,7 @@ export interface LogEntryDocument {
}
export interface LogEntryDocumentFields {
[fieldName: string]: string | number | null;
[fieldName: string]: string | number | boolean | null;
}
const convertLogDocumentToEntry = (