## Data Shippers

#### Beats is the platform for single-purpose data shippers. They send data from hundreds or thousands of machines and systems to Logstash or Elasticsearch.

#### In this module we will guide the user through the installation of the Beats listed below, which collect various types of host data:

* Filebeat
* Packetbeat
* Metricbeat
* Auditbeat
* Heartbeat

### Filebeat installation

In [None]:
%%bash
sudo apt install -y filebeat

### Disable default configuration

##### The sed commands below comment out lines by number, so they assume the stock filebeat.yml installed by the package above (the same 7.3.0 release that the template name later in this module refers to). If your file differs, check the line numbers against it before running them.

In [None]:
%%bash
# Comment out the stock settings that conflict with the Logstash output configured below.
sudo sed -i '28 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '117 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '148 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '150 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '176,178 s/^/#/' /etc/filebeat/filebeat.yml

### Configure Filebeat to communicate with Logstash

##### We want to establish a connection between Filebeat and Logstash, and all communication with Logstash has been secured with TLS. Therefore any Beat that talks to Logstash must trust the certificate we generated on the Logstash node.

##### On this node the certificate is located in "/etc/pki/tls/certs/logstash-forwarder.crt". Before setting up Filebeat, we first check that a TCP connection to the Logstash Beats port can be established at all, using the following command:

~~~
telnet <LOGSTASH-IP-ADDRESS> 5044
~~~

##### If the port is reachable you will see a message starting with "Connected to". This only proves TCP reachability, not that the TLS handshake will succeed. To exit press CTRL+] and then type quit (or press CTRL+D).

##### Now let us validate the certificate. The URL must use https:// so that curl actually performs a TLS handshake and checks the server certificate against the CA file; without the scheme curl speaks plaintext HTTP and the --cacert option is never exercised:

~~~
curl -v --cacert /etc/pki/tls/certs/logstash-forwarder.crt https://<LOGSTASH-IP-ADDRESS>:5044
~~~

##### Look for "SSL certificate verify ok." in the verbose output. Logstash will then close the connection or return an empty reply, because the Beats input does not speak HTTP; that is expected and does not indicate a certificate problem. Beats additionally check the address they dial against the certificate's subject alternative names, so the certificate must list the Logstash IP address you will configure below.
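Beats verify the Logstash certificate the same way curl does, and with the default ssl.verification_mode: full they also require the address in output.logstash.hosts to appear in the certificate's subject alternative names. The following shell script is an added example, not part of the original lab, that extracts the SANs and remaining validity from a PEM certificate and checks a given address against them before the Beat is configured. It demonstrates this on a constructed self-signed certificate with the placeholder address 192.0.2.10 (the openssl invocations assume OpenSSL 1.1.1 or newer), and includes a live-handshake helper for the real Logstash node that is not executed here.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): inspect the CA/server certificate a Beat will pin
# and check that the address the Beat dials is covered by its subject alternative names.
set -euo pipefail

# Print the DNS and IP subject alternative names of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -nE 's/^[[:space:]]*(IP Address|DNS):(.*)$/\2/p' || true
}

# Succeed only if $2 (the host part of output.logstash.hosts) is listed as a SAN.
# This mirrors the check Beats perform with the default ssl.verification_mode: full.
cert_matches_host() {
  cert_sans "$1" | grep -qxF -- "$2"
}

# Succeed if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Live TLS handshake against the Beats input on Logstash (needs network; not run below).
logstash_tls_check() {
  openssl s_client -connect "$1:5044" -CAfile "$2" -verify_return_error </dev/null 2>&1 \
    | grep -E 'Verify return code|subject=' || true
}

# Constructed throwaway certificate standing in for logstash-forwarder.crt; the IP is a placeholder.
make_test_cert() {
  local out="$1" ip="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=logstash" \
    -addext "subjectAltName=IP:${ip},DNS:logstash.lab" \
    -keyout "${out%.crt}.key" -out "$out" 2>/dev/null
}

# Demonstration on a temporary certificate; point the functions at the real
# /etc/pki/tls/certs/logstash-forwarder.crt and your Logstash address to check for real.
if command -v openssl >/dev/null 2>&1; then
  work="$(mktemp -d)"
  make_test_cert "$work/logstash-forwarder.crt" 192.0.2.10
  echo "SANs: $(cert_sans "$work/logstash-forwarder.crt" | tr '\n' ' ')"
  if cert_matches_host "$work/logstash-forwarder.crt" 192.0.2.10; then
    echo "192.0.2.10 is covered by the certificate"
  fi
  rm -rf "$work"
fi
```

If cert_matches_host fails for the address you intend to put in hosts, the Beat will refuse the connection with a hostname-verification error even though curl with --cacert and a matching URL succeeds; fix the certificate on the Logstash node rather than lowering ssl.verification_mode.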

##### Let us now set the log files we would like Filebeat to track and ship to Logstash, the IP address and port on which Logstash receives our data, and the location of the CA certificate used to verify the connection. Note that the stock log input has `enabled: false`, so the two paths added to it below are not read unless you also enable that input; the system module enabled in the next step already collects auth.log and syslog, so leaving the input disabled avoids shipping every line twice.

In [None]:
%%bash
# Line numbers refer to the stock filebeat.yml as edited above; verify them against your file.

# Files to track (inside the paths list of the default log input)
sudo sed -i "28i \ \ \ \ - /var/log/auth.log" /etc/filebeat/filebeat.yml
sudo sed -i "29i \ \ \ \ - /var/log/syslog" /etc/filebeat/filebeat.yml

# Uncomment "output.logstash:"
sudo sed -i '160 s/^#//g' /etc/filebeat/filebeat.yml

export ls_ip="<LOGSTASH-IP-ADDRESS>"

# Logstash host:port and the CA used to verify its certificate
sudo sed -i "162i \ \ hosts: [\"$ls_ip:5044\"]" /etc/filebeat/filebeat.yml
sudo sed -i '167i \ \ ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]' /etc/filebeat/filebeat.yml
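The line-number edits above only work against the exact filebeat.yml this page assumes. The following shell script is an added example, not part of the original lab, that makes the same two changes (comment out the Elasticsearch output, enable the Logstash output with the CA pinned) by matching the default file's text instead, and then lists which outputs are active; that check is worth running because a Beat refuses to start when more than one output is enabled. It runs against a constructed sample that mirrors the relevant lines of the stock 7.x configuration, assumes GNU sed as shipped with Ubuntu, and uses the Logstash placeholder and CA path from this page. The same pattern applies unchanged to the Packetbeat, Metricbeat and Auditbeat configuration files edited later.

```shell
#!/usr/bin/env bash
# Added example (not part of the lab): edit a Beat's YAML output section by matching
# text rather than line numbers, then confirm exactly one output is enabled.
set -euo pipefail

# Comment out the two lines that make up the stock Elasticsearch output.
disable_es_output() {
  local cfg="$1"
  sed -i -e 's/^output\.elasticsearch:/#&/' \
         -e 's/^  hosts: \["localhost:9200"]/#&/' "$cfg"
}

# Uncomment the Logstash output, point it at $2:5044 and pin the CA file given as $3.
enable_logstash_output() {
  local cfg="$1" ls_ip="$2" ca="$3"
  sed -i -e 's/^#output\.logstash:/output.logstash:/' \
         -e "s|^  #hosts: \[\"localhost:5044\"]|  hosts: [\"${ls_ip}:5044\"]|" \
         -e "s|^  #ssl\.certificate_authorities: .*|  ssl.certificate_authorities: [\"${ca}\"]|" \
         "$cfg"
}

# Print the names of the outputs that are currently active, one per line.
# Beats accept exactly one enabled output; two (or zero) is a configuration error.
enabled_outputs() {
  grep -oE '^output\.[a-z]+:' "$1" | sed -e 's/^output\.//' -e 's/:$//' || true
}

# Constructed sample mirroring the relevant lines of the default filebeat.yml.
make_sample_config() {
  cat > "$1" <<'EOF'
filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
EOF
}

# Demonstration on a temporary copy; use /etc/filebeat/filebeat.yml instead to apply for real.
demo_cfg="$(mktemp)"
make_sample_config "$demo_cfg"
echo "before: $(enabled_outputs "$demo_cfg")"
disable_es_output "$demo_cfg"
enable_logstash_output "$demo_cfg" "<LOGSTASH-IP-ADDRESS>" /etc/pki/tls/certs/logstash-forwarder.crt
echo "after:  $(enabled_outputs "$demo_cfg")"
grep -nE '^(output\.|  hosts:|  ssl\.)' "$demo_cfg"
rm -f "$demo_cfg"
```

Run enabled_outputs against each Beat's file after editing it; the expected answer is the single word logstash. An empty answer or two names explains the "no outputs are defined" or "multiple outputs" errors a Beat prints on start.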

### Enabling the Filebeat system module

##### Filebeat ships modules that collect and parse the logs of common services; the system module covers the logs written by Ubuntu's system logging service (auth.log and syslog). Its parsing is done by an Elasticsearch ingest pipeline, so when events travel through Logstash, the Logstash elasticsearch output must pass along the pipeline name that Filebeat sets in the event metadata; otherwise system-module events are indexed unparsed. To enable the module, run the command below:

In [None]:
%%bash
sudo filebeat modules enable system

##### You can verify that the system module has been enabled with the following command:

~~~
sudo filebeat modules list
~~~

### Loading index templates

##### An index is a collection of documents that share similar characteristics. An index template defines the settings and field mappings that Elasticsearch applies automatically whenever a new filebeat-* index is created, so it has to be loaded before the first events arrive. Let us list the templates currently in Elasticsearch. Note that passing the password on the command line as below is acceptable for this lab, but it lands in the shell history and is visible to other users through the process list, so do not do it on shared or production hosts:


In [None]:
%%bash
curl -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template?filter_path=*.version&pretty'

##### As we can observe, there are no templates defined for filebeat indexes. Let us load the filebeat template into elasticsearch by using the following command:

In [None]:
%%bash
cd ~
# Export the index template matching the installed Filebeat version, then load it into
# Elasticsearch under the name the Beat expects (filebeat-<version>; adjust if yours differs).
sudo /usr/share/filebeat/bin/filebeat export template -c /etc/filebeat/filebeat.yml > filebeat.template.json
curl -u elastic:elasticsiem -H 'Content-Type: application/json' \
  -XPUT '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/filebeat-7.3.0' \
  -d@"$HOME/filebeat.template.json"
# List the template names now present (requires jq).
curl -s -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/' | jq 'keys'

### Installing Kibana dashboards for Filebeat

In [None]:
%%bash
# setup talks to Elasticsearch and Kibana directly, so the Logstash output is disabled for this one run.
sudo filebeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E setup.kibana.host=<KIBANA-IP-ADDRESS>:5601 \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem

### Start Filebeat

In [None]:
%%bash
sudo systemctl start filebeat
sudo systemctl enable filebeat

### Alternatively, you can run Filebeat in debug mode by using the following command:

~~~
sudo /usr/share/filebeat/bin/filebeat -e -d "publish" -c /etc/filebeat/filebeat.yml
~~~

### Re-ingesting data in Filebeat

##### Filebeat keeps a registry of how far it has read each file, so it never re-ships lines it has already sent. If you change the filters on Logstash and want your existing data processed again, you must delete the indices in which the data was stored, stop Filebeat, delete the registry, and start Filebeat again; it will then read every tracked file from the beginning. Delete the indices first, otherwise every line is indexed a second time.

##### To delete the Filebeat registry (with Filebeat stopped), use the following command:

~~~
sudo rm -R /var/lib/filebeat/registry
~~~

##### Note: when data is re-shipped, @timestamp on each event is the time at which Filebeat read the line, not the time at which the log entry was generated. The timestamp can be corrected by adding a filter on Logstash that parses the timestamp at the beginning of each log line and replaces @timestamp with it.


### Packetbeat Installation

In [None]:
%%bash
sudo apt install -y packetbeat

### Disable default configuration

##### The default Packetbeat configuration enables monitoring of several transaction protocols such as icmp, amqp, cassandra, among others. We will disable the unwanted protocols by commenting out their `- type:` entries and port lists, keeping only icmp, dhcpv4, dns, http, and tls. The patterns below are anchored to the exact text and indentation of the stock file, so confirm afterwards that only those five protocols remain enabled.

In [None]:
%%bash
sudo sed -i 's/^\- type\: amqp/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[5672\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: cassandra/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[9042\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: memcache/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[11211\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: mysql/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[3306,3307\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: pgsql/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[5432\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: redis/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[6379\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: thrift/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[9090\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: mongodb/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[27017\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: nfs/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[2049\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^output.elasticsearch\:/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ hosts\: \[\"localhost\:9200\"\]/#&/' /etc/packetbeat/packetbeat.yml

### Enable communication with logstash

In [None]:
%%bash
export ls_ip="<LOGSTASH-IP-ADDRESS>"

#Enable Logstash output
sudo sed -i '/output.logstash\:/s/^#//g' /etc/packetbeat/packetbeat.yml

#Uncomment and Change Logstash IP ADDRESS
sudo sed -i "s/#hosts\: \[\"localhost\:5044\"\]/hosts\: \[\"$ls_ip\:5044\"\]/g" /etc/packetbeat/packetbeat.yml
sudo sed -i 's/#ssl\.certificate_authorities\: \["\/etc\/pki\/root\/ca\.pem"\]/ssl\.certificate\_authorities\: \["\/etc\/pki\/tls\/certs\/logstash\-forwarder\.crt"\]/g' /etc/packetbeat/packetbeat.yml


### Test Configuration and Connectivity to Logstash

In [None]:
%%bash
sudo /usr/share/packetbeat/bin/packetbeat test config -c /etc/packetbeat/packetbeat.yml
sudo /usr/share/packetbeat/bin/packetbeat test output -c /etc/packetbeat/packetbeat.yml

### Add Kibana Dashboards for Packetbeat

In [None]:
%%bash
# setup talks to Elasticsearch and Kibana directly, so the Logstash output is disabled for this one run.
sudo packetbeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E setup.kibana.host=<KIBANA-IP-ADDRESS>:5601 \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem

### Add template from packetbeat to elasticsearch

In [None]:
%%bash

sudo packetbeat setup --index-management \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem


### List Loaded Templates

In [None]:
%%bash
curl -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/' | jq 'keys'

### Start Packetbeat

In [None]:
%%bash
sudo systemctl start packetbeat
sudo systemctl enable packetbeat

### Alternatively, you can run Packetbeat in debug mode by using the following command:

~~~
sudo /usr/share/packetbeat/bin/packetbeat -e -d "publish" -c /etc/packetbeat/packetbeat.yml
~~~

### Metricbeat Installation

In [None]:
%%bash
sudo apt install -y metricbeat

### Disable default configuration

##### The default Metricbeat configuration sends data directly to Elasticsearch. We disable that output here and enable the Logstash output in the next step (a Beat must have exactly one output enabled).

In [None]:
%%bash
sudo sed -i 's/^output.elasticsearch\:/#&/' /etc/metricbeat/metricbeat.yml
sudo sed -i 's/^\ \ hosts\: \[\"localhost\:9200\"\]/#&/' /etc/metricbeat/metricbeat.yml

### Enable communication with logstash

In [None]:
%%bash
export ls_ip="<LOGSTASH-IP-ADDRESS>"

#Enable Logstash output
sudo sed -i '/output.logstash\:/s/^#//g' /etc/metricbeat/metricbeat.yml

#Uncomment and Change Logstash IP ADDRESS
sudo sed -i "s/#hosts\: \[\"localhost\:5044\"\]/hosts\: \[\"$ls_ip\:5044\"\]/g" /etc/metricbeat/metricbeat.yml
sudo sed -i 's/#ssl\.certificate_authorities\: \["\/etc\/pki\/root\/ca\.pem"\]/ssl\.certificate\_authorities\: \["\/etc\/pki\/tls\/certs\/logstash\-forwarder\.crt"\]/g' /etc/metricbeat/metricbeat.yml


### Enabling Metricbeat's system module

##### Metricbeat supports different modules that collect metrics from different services. In our case we enable the system module to monitor the metrics (CPU, memory, load, disk, network and processes) of our virtual machine.

##### For more information about the available modules see the following link:
https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-modules.html

##### To enable the system module, run the command below:

In [None]:
%%bash
sudo metricbeat modules enable system

##### You can verify that the system module has been enabled with the following command:

~~~
sudo metricbeat modules list
~~~

### Test Configuration and Connectivity to Logstash

In [None]:
%%bash
sudo /usr/share/metricbeat/bin/metricbeat test config -c /etc/metricbeat/metricbeat.yml
sudo /usr/share/metricbeat/bin/metricbeat test output -c /etc/metricbeat/metricbeat.yml

### Add Kibana Dashboards for Metricbeat

In [None]:
%%bash
# setup talks to Elasticsearch and Kibana directly, so the Logstash output is disabled for this one run.
sudo metricbeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E setup.kibana.host=<KIBANA-IP-ADDRESS>:5601 \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem

### Add template from metricbeat to elasticsearch

In [None]:
%%bash

sudo metricbeat setup --index-management \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem


### List Loaded Templates

In [None]:
%%bash
curl -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/' | jq 'keys'

### Start Metricbeat

In [None]:
%%bash
sudo systemctl start metricbeat
sudo systemctl enable metricbeat

### Alternatively, you can run Metricbeat in debug mode by using the following command:

~~~
sudo /usr/share/metricbeat/bin/metricbeat -e -d "publish" -c /etc/metricbeat/metricbeat.yml
~~~

### Auditbeat Installation

In [None]:
%%bash
sudo apt install -y auditbeat

### Disable default configuration

##### The default Auditbeat configuration sends data directly to Elasticsearch. We disable that output here and enable the Logstash output in the next step.

In [None]:
%%bash
sudo sed -i 's/^output.elasticsearch\:/#&/' /etc/auditbeat/auditbeat.yml
sudo sed -i 's/^\ \ hosts\: \[\"localhost\:9200\"\]/#&/' /etc/auditbeat/auditbeat.yml

### Enable communication with logstash

In [None]:
%%bash
export ls_ip="<LOGSTASH-IP-ADDRESS>"

#Enable Logstash output
sudo sed -i '/output.logstash\:/s/^#//g' /etc/auditbeat/auditbeat.yml

#Uncomment and Change Logstash IP ADDRESS
sudo sed -i "s/#hosts\: \[\"localhost\:5044\"\]/hosts\: \[\"$ls_ip\:5044\"\]/g" /etc/auditbeat/auditbeat.yml
sudo sed -i 's/#ssl\.certificate_authorities\: \["\/etc\/pki\/root\/ca\.pem"\]/ssl\.certificate\_authorities\: \["\/etc\/pki\/tls\/certs\/logstash\-forwarder\.crt"\]/g' /etc/auditbeat/auditbeat.yml


### Change how often the system module reports the host's full state

##### The system module emits change events as they happen and, every `state.period`, a full snapshot of the host, processes, sockets and users. The default is 12h; here it is lowered to 1h.

In [None]:
%%bash
sudo sed -i "s/state\.period\: 12h/state\.period\: 1h/g" /etc/auditbeat/auditbeat.yml

### Auditbeat modules and auditd rules

##### Three modules are configured by default: 1) auditd, 2) file_integrity and 3) system, with the settings shown below.
##### As you can see, no rules are defined for the auditd module, and auditd itself is not yet installed on our system.

~~~
- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
  
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information
~~~

##### You can check the available modules at the link below if you need to audit additional data:
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html

##### We now install auditd on Ubuntu 18.04 and load a rule set for it. With auditd running, Auditbeat's auditd module receives a copy of the kernel's audit events (multicast mode, supported by this kernel) instead of managing the rules itself, so the rules are managed through auditd.

### Install auditd in ubuntu 18.04:

In [None]:
%%bash
sudo apt install -y auditd audispd-plugins

### Create rules for auditd

##### The auditctl commands below load the rules into the running kernel only; they are lost on reboot. To keep them, the same rules (without the `sudo auditctl` prefix) belong in a rules file under /etc/audit/rules.d/ that auditd loads at start. For reference information on each rule please visit the following site:

https://gist.githubusercontent.com/Neo23x0/9fe88c0c5979e017a389b90fd19ddfee/raw/f37173a62e2d54325b0e5d496ac51c37dfb4e37f/audit.rules

In [None]:
%%bash
# Remove any existing rules
sudo auditctl -D

# Buffer Size
## Feel free to increase this if the machine panics
sudo auditctl -b 8192

# Failure Mode
## Possible values: 0 (silent), 1 (printk, print a failure message), 2 (panic, halt the system)
sudo auditctl -f 1

# Ignore errors
## e.g. caused by users or files not found in the local environment  
sudo auditctl -i 

# Self Auditing ---------------------------------------------------------------

## Audit the audit logs
### Successful and unsuccessful attempts to read information from the audit records
sudo auditctl -w /var/log/audit/ -k auditlog

## Auditd configuration
### Modifications to audit configuration that occur while the audit collection functions are operating
sudo auditctl -w /etc/audit/ -p wa -k auditconfig
sudo auditctl -w /etc/libaudit.conf -p wa -k auditconfig
sudo auditctl -w /etc/audisp/ -p wa -k audispconfig

## Monitor for use of audit management tools
sudo auditctl -w /sbin/auditctl -p x -k audittools
sudo auditctl -w /sbin/auditd -p x -k audittools

# Filters ---------------------------------------------------------------------

### We put these early because audit is a first match wins system.

## Ignore SELinux AVC records
sudo auditctl -a always,exclude -F msgtype=AVC

## Ignore current working directory records
sudo auditctl -a always,exclude -F msgtype=CWD

## Ignore EOE records (End Of Event, not needed)
sudo auditctl -a always,exclude -F msgtype=EOE

## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
sudo auditctl -a never,user -F subj_type=crond_t
sudo auditctl -a exit,never -F subj_type=crond_t

## This prevents chrony from overwhelming the logs
sudo auditctl -a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony -F subj_type=chronyd_t

## This is not very interesting and wastes a lot of space if the server is public facing
sudo auditctl -a always,exclude -F msgtype=CRYPTO_KEY_USER

## VMWare tools
sudo auditctl -a exit,never -F arch=b32 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2
sudo auditctl -a exit,never -F arch=b64 -S fork -F success=0 -F path=/usr/lib/vmware-tools -F subj_type=initrc_t -F exit=-2

### High Volume Event Filter (especially on Linux Workstations)
sudo auditctl -a exit,never -F arch=b32 -F dir=/dev/shm -k sharedmemaccess
sudo auditctl -a exit,never -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
sudo auditctl -a exit,never -F arch=b32 -F dir=/var/lock/lvm -k locklvm
sudo auditctl -a exit,never -F arch=b64 -F dir=/var/lock/lvm -k locklvm

## More information on how to filter events
### https://access.redhat.com/solutions/2482221

# Rules -----------------------------------------------------------------------

## Kernel parameters
sudo auditctl -w /etc/sysctl.conf -p wa -k sysctl

## Kernel module loading and unloading
sudo auditctl -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/insmod -k modules
sudo auditctl -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/modprobe -k modules
sudo auditctl -a always,exit -F perm=x -F auid!=-1 -F path=/sbin/rmmod -k modules
sudo auditctl -a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
sudo auditctl -a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules
## Modprobe configuration
sudo auditctl -w /etc/modprobe.conf -p wa -k modprobe

## KExec usage (all actions)
sudo auditctl -a always,exit -F arch=b64 -S kexec_load -k KEXEC
sudo auditctl -a always,exit -F arch=b32 -S sys_kexec_load -k KEXEC

## Special files
sudo auditctl -a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
sudo auditctl -a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

## Mount operations (only attributable)
sudo auditctl -a always,exit -F arch=b64 -S mount -S umount2 -F auid!=-1 -k mount
sudo auditctl -a always,exit -F arch=b32 -S mount -S umount -S umount2 -F auid!=-1 -k mount

# Change swap (only attributable)
sudo auditctl -a always,exit -F arch=b64 -S swapon -S swapoff -F auid!=-1 -k swap
sudo auditctl -a always,exit -F arch=b32 -S swapon -S swapoff -F auid!=-1 -k swap

## Time
sudo auditctl -a exit,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time
sudo auditctl -a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
### Local time zone
sudo auditctl -w /etc/localtime -p wa -k localtime

## Stunnel
sudo auditctl -w /usr/sbin/stunnel -p x -k stunnel

## Cron configuration & scheduled jobs
sudo auditctl -w /etc/cron.allow -p wa -k cron
sudo auditctl -w /etc/cron.deny -p wa -k cron
sudo auditctl -w /etc/cron.d/ -p wa -k cron
sudo auditctl -w /etc/cron.daily/ -p wa -k cron
sudo auditctl -w /etc/cron.hourly/ -p wa -k cron
sudo auditctl -w /etc/cron.monthly/ -p wa -k cron
sudo auditctl -w /etc/cron.weekly/ -p wa -k cron
sudo auditctl -w /etc/crontab -p wa -k cron
sudo auditctl -w /var/spool/cron/crontabs/ -k cron

## User, group, password databases
sudo auditctl -w /etc/group -p wa -k etcgroup
sudo auditctl -w /etc/passwd -p wa -k etcpasswd
sudo auditctl -w /etc/gshadow -k etcgroup
sudo auditctl -w /etc/shadow -k etcpasswd
sudo auditctl -w /etc/security/opasswd -k opasswd

## Sudoers file changes
sudo auditctl -w /etc/sudoers -p wa -k actions

## Passwd
sudo auditctl -w /usr/bin/passwd -p x -k passwd_modification

## Tools to change group identifiers
sudo auditctl -w /usr/sbin/groupadd -p x -k group_modification
sudo auditctl -w /usr/sbin/groupmod -p x -k group_modification
sudo auditctl -w /usr/sbin/addgroup -p x -k group_modification
sudo auditctl -w /usr/sbin/useradd -p x -k user_modification
sudo auditctl -w /usr/sbin/usermod -p x -k user_modification
sudo auditctl -w /usr/sbin/adduser -p x -k user_modification

## Login configuration and information
sudo auditctl -w /etc/login.defs -p wa -k login
sudo auditctl -w /etc/securetty -p wa -k login
sudo auditctl -w /var/log/faillog -p wa -k login
sudo auditctl -w /var/log/lastlog -p wa -k login
sudo auditctl -w /var/log/tallylog -p wa -k login

## Network Environment
### Changes to hostname
sudo auditctl -a always,exit -F arch=b32 -S sethostname -S setdomainname -k network_modifications
sudo auditctl -a always,exit -F arch=b64 -S sethostname -S setdomainname -k network_modifications
### Changes to other files
sudo auditctl -w /etc/hosts -p wa -k network_modifications
sudo auditctl -w /etc/sysconfig/network -p wa -k network_modifications
sudo auditctl -w /etc/network/ -p wa -k network
sudo auditctl -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -k network_modifications
sudo auditctl -w /etc/sysconfig/network -p wa -k network_modifications
### Changes to issue
sudo auditctl -w /etc/issue -p wa -k etcissue
sudo auditctl -w /etc/issue.net -p wa -k etcissue

## System startup scripts
sudo auditctl -w /etc/inittab -p wa -k init
sudo auditctl -w /etc/init.d/ -p wa -k init
sudo auditctl -w /etc/init/ -p wa -k init

## Library search paths
sudo auditctl -w /etc/ld.so.conf -p wa -k libpath

## Pam configuration
sudo auditctl -w /etc/pam.d/ -p wa -k pam
sudo auditctl -w /etc/security/limits.conf -p wa  -k pam
sudo auditctl -w /etc/security/pam_env.conf -p wa -k pam
sudo auditctl -w /etc/security/namespace.conf -p wa -k pam
sudo auditctl -w /etc/security/namespace.init -p wa -k pam

## Postfix configuration
sudo auditctl -w /etc/aliases -p wa -k mail
sudo auditctl -w /etc/postfix/ -p wa -k mail

## SSH configuration
sudo auditctl -w /etc/ssh/sshd_config -k sshd

# Systemd
sudo auditctl -w /bin/systemctl -p x -k systemd 
sudo auditctl -w /etc/systemd/ -p wa -k systemd

## SELinux events that modify the system's Mandatory Access Controls (MAC)
sudo auditctl -w /etc/selinux/ -p wa -k mac_policy

## Critical elements access failures 
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileaccess
sudo auditctl -a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileaccess

## Process ID change (switching accounts) applications
sudo auditctl -w /bin/su -p x -k priv_esc
sudo auditctl -w /usr/bin/sudo -p x -k priv_esc
sudo auditctl -w /etc/sudoers -p rw -k priv_esc

## Power state
sudo auditctl -w /sbin/shutdown -p x -k power
sudo auditctl -w /sbin/poweroff -p x -k power
sudo auditctl -w /sbin/reboot -p x -k power
sudo auditctl -w /sbin/halt -p x -k power

## Session initiation information
sudo auditctl -w /var/run/utmp -p wa -k session
sudo auditctl -w /var/log/btmp -p wa -k session
sudo auditctl -w /var/log/wtmp -p wa -k session

## Discretionary Access Control (DAC) modifications
sudo auditctl -a always,exit -F arch=b32 -S chmod -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b32 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S chmod  -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S chown -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S fchmod -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S fchown -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S fsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S lremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S lsetxattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S removexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
sudo auditctl -a always,exit -F arch=b64 -S setxattr -F auid>=500 -F auid!=4294967295 -k perm_mod

# Special Rules ---------------------------------------------------------------

## 32bit API Exploitation
### If you are on a 64 bit platform, everything _should_ be running
### in 64 bit mode. This rule will detect any use of the 32 bit syscalls
### because this might be a sign of someone exploiting a hole in the 32
### bit API.
sudo auditctl -a always,exit -F arch=b32 -S all -k 32bit_api

## Reconnaissance
sudo auditctl -w /usr/bin/whoami -p x -k recon
sudo auditctl -w /etc/issue -p r -k recon
sudo auditctl -w /etc/hostname -p r -k recon

## Suspicious activity
sudo auditctl -w /usr/bin/wget -p x -k susp_activity
sudo auditctl -w /usr/bin/curl -p x -k susp_activity
sudo auditctl -w /usr/bin/base64 -p x -k susp_activity
sudo auditctl -w /bin/nc -p x -k susp_activity
sudo auditctl -w /bin/netcat -p x -k susp_activity
sudo auditctl -w /usr/bin/ncat -p x -k susp_activity
sudo auditctl -w /usr/bin/ssh -p x -k susp_activity
sudo auditctl -w /usr/bin/socat -p x -k susp_activity
sudo auditctl -w /usr/bin/wireshark -p x -k susp_activity
sudo auditctl -w /usr/bin/rawshark -p x -k susp_activity
sudo auditctl -w /usr/bin/rdesktop -p x -k sbin_susp

## Sbin suspicious activity
sudo auditctl -w /sbin/iptables -p x -k sbin_susp 
sudo auditctl -w /sbin/ifconfig -p x -k sbin_susp
sudo auditctl -w /usr/sbin/tcpdump -p x -k sbin_susp
sudo auditctl -w /usr/sbin/traceroute -p x -k sbin_susp

## Injection 
### These rules watch for code injection by the ptrace facility.
### This could indicate someone trying to do something bad or just debugging
sudo auditctl -a always,exit -F arch=b32 -S ptrace -k tracing
sudo auditctl -a always,exit -F arch=b64 -S ptrace -k tracing
sudo auditctl -a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k code_injection
sudo auditctl -a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k code_injection
sudo auditctl -a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k data_injection
sudo auditctl -a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k data_injection
sudo auditctl -a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k register_injection
sudo auditctl -a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k register_injection

## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
sudo auditctl -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -k power_abuse

# Software Management ---------------------------------------------------------

# DPKG / APT-GET (Debian/Ubuntu)
sudo auditctl -w /usr/bin/dpkg -p x -k software_mgmt
sudo auditctl -w /usr/bin/apt-add-repository -p x -k software_mgmt
sudo auditctl -w /usr/bin/apt-get -p x -k software_mgmt
sudo auditctl -w /usr/bin/aptitude -p x -k software_mgmt

# High volume events ----------------------------------------------------------

## Remove these if they cause too much volume in your environment

## Root command executions 
sudo auditctl -a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
sudo auditctl -a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

## File Deletion Events by User
sudo auditctl -a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
sudo auditctl -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete

## File Access
### Unauthorized Access (unsuccessful)
sudo auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access
sudo auditctl -a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access
sudo auditctl -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k file_access
sudo auditctl -a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k file_access

### Unsuccessful Creation
sudo auditctl -a always,exit -F arch=b32 -S creat,link,mknod,mkdir,symlink,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
sudo auditctl -a always,exit -F arch=b64 -S mkdir,creat,link,symlink,mknod,mknodat,linkat,symlinkat -F exit=-EACCES -k file_creation
sudo auditctl -a always,exit -F arch=b32 -S link,mkdir,symlink,mkdirat -F exit=-EPERM -k file_creation
sudo auditctl -a always,exit -F arch=b64 -S mkdir,link,symlink,mkdirat -F exit=-EPERM -k file_creation

### Unsuccessful Modification
sudo auditctl -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
sudo auditctl -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EACCES -k file_modification
sudo auditctl -a always,exit -F arch=b32 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification
sudo auditctl -a always,exit -F arch=b64 -S rename -S renameat -S truncate -S chmod -S setxattr -S lsetxattr -S removexattr -S lremovexattr -F exit=-EPERM -k file_modification

# Make the configuration immutable --------------------------------------------
## Locks the rule set until the next reboot; leave it commented out while you are still tuning rules
##sudo auditctl -e 2

### Stop journald from also consuming audit messages

##### journald listens on the kernel audit socket and writes every audit record into the journal as well; masking that socket leaves auditd as the consumer. The change takes effect once journald is restarted or the host rebooted.

In [None]:
%%bash
sudo systemctl mask systemd-journald-audit.socket

### Test Configuration and Connectivity to Logstash

In [None]:
%%bash
sudo /usr/share/auditbeat/bin/auditbeat test config -c /etc/auditbeat/auditbeat.yml
sudo /usr/share/auditbeat/bin/auditbeat test output -c /etc/auditbeat/auditbeat.yml

### Add Kibana Dashboards for Auditbeat

In [None]:
%%bash
# setup talks to Elasticsearch and Kibana directly, so the Logstash output is disabled for this one run.
sudo auditbeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E setup.kibana.host=<KIBANA-IP-ADDRESS>:5601 \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem

### Add template from Auditbeat to elasticsearch

In [None]:
%%bash

sudo auditbeat setup --index-management \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem


### List Loaded Templates

In [None]:
%%bash
curl -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/' | jq 'keys'

### Start Auditbeat

In [None]:
%%bash
sudo systemctl start auditbeat
sudo systemctl enable auditbeat

### Alternatively, you can run Auditbeat in debug mode by using the following command:

~~~
sudo /usr/share/auditbeat/bin/auditbeat -e -d "publish" -c /etc/auditbeat/auditbeat.yml
~~~