
Add file integrity metricset to Auditbeat audit module #4562

Merged

3 participants

@andrewkroh (Member) commented Jun 27, 2017

This metricset monitors files or directories for changes. When a file is changed it will calculate an MD5, SHA1, and SHA256 hash.

```yaml
auditbeat.modules:
- module: audit
  metricsets: [file]
  file.paths:
    binaries:
    - /usr/bin
    - /usr/sbin
```

This metricset is not driven by the Linux Audit Framework (that is a future possibility). It uses inotify (linux), fsevents (macos), and ReadDirectoryChangesW (windows) to watch for changes.

@andrewkroh andrewkroh force-pushed the andrewkroh:feature/ab/file-integrity-metricset branch from 7173af0 to fbea39c Jun 27, 2017

@exekias (Member) left a comment:

LGTM, you will need to rebase


```go
m5 := md5.New()
s1 := sha1.New()
s256 := sha256.New()
```

@exekias (Member) Jun 27, 2017

I'm worried about performance. Have you tested it somehow to check CPU usage? I guess RAM should be fine.

@tsg (Collaborator) Jun 27, 2017

I asked something similar on the old PR: #4486 (comment)

@andrewkroh (Author, Member) Jun 27, 2017

I should set up a benchmark to see what kind of CPU cost this has on some arbitrary file sizes. With the current implementation only being event driven, I am not too concerned, because I think it would be rare for the metricset to be hashing a lot of files at once.

But I think users are going to want the metricset to report an initial event for every file the first time it runs. When we implement this feature, I think we will need to worry about throttling the work it's doing to prevent it from consuming lots of CPU and disk IO at startup.
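The cost discussion above comes down to how the three digests are produced per file. The following is an added example, not the metricset's own code: it hashes with MD5, SHA1 and SHA256 in a single read pass, and bounds the work per file with an assumed size cap (the `maxSize` parameter and `ErrTooLarge` are not settings from the PR).

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Digests holds the hex-encoded hashes computed over one file's contents.
type Digests struct {
	MD5, SHA1, SHA256 string
}

// ErrTooLarge marks a file that was skipped because it exceeds the size cap
// (the cap itself is an assumed knob, not a setting from the PR).
var ErrTooLarge = errors.New("file exceeds maximum size for hashing")

// HashReader computes MD5, SHA1 and SHA256 in one pass over r: io.MultiWriter
// feeds each chunk to all three hash states, so the data is read from disk
// once rather than three times. At most maxSize+1 bytes are read; if more
// than maxSize arrive the caller gets ErrTooLarge instead of the hash of a
// truncated prefix, which bounds the CPU and IO spent on any single file.
func HashReader(r io.Reader, maxSize int64) (Digests, error) {
	m5, s1, s256 := md5.New(), sha1.New(), sha256.New()
	n, err := io.Copy(io.MultiWriter(m5, s1, s256), io.LimitReader(r, maxSize+1))
	if err != nil {
		return Digests{}, err
	}
	if n > maxSize {
		return Digests{}, ErrTooLarge
	}
	return Digests{
		MD5:    hex.EncodeToString(m5.Sum(nil)),
		SHA1:   hex.EncodeToString(s1.Sum(nil)),
		SHA256: hex.EncodeToString(s256.Sum(nil)),
	}, nil
}

func main() {
	// Constructed sample input; a real caller would pass an *os.File opened
	// for a path reported by the directory watcher.
	d, err := HashReader(strings.NewReader("abc"), 1<<20)
	fmt.Printf("%+v %v\n", d, err)
}
```

The initial-scan throttling mentioned above would sit on top of this: the per-file cap limits the worst case of one file, not the number of files hashed at startup.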


@andrewkroh andrewkroh force-pushed the andrewkroh:feature/ab/file-integrity-metricset branch from fbea39c to a185d1c Jun 27, 2017

@exekias exekias merged commit 84c0be2 into elastic:master Jun 28, 2017

6 checks passed

- CLA: Commit author has signed the CLA
- beats-ci: Build finished.
- codecov/patch: 74.26% of diff hit (target 63.08%)
- codecov/project: 63.09% (+0.01%) compared to fbeba94
- continuous-integration/appveyor/pr: AppVeyor build succeeded
- continuous-integration/travis-ci/pr: The Travis CI build passed

@andrewkroh andrewkroh deleted the andrewkroh:feature/ab/file-integrity-metricset branch Jul 5, 2017

ramon-garcia added a commit to ramon-garcia/beats that referenced this pull request Dec 5, 2017

Add file integrity metricset to Auditbeat audit module (elastic#4562)

athom added a commit to athom/beats that referenced this pull request Jan 25, 2018

Add file integrity metricset to Auditbeat audit module (elastic#4562)