From 280ff11746913c59292c1eb9fe99b24261ffedb1 Mon Sep 17 00:00:00 2001
From: Kevin Carter <kevin@cloudnull.com>
Date: Tue, 26 Feb 2019 22:49:29 -0600
Subject: [PATCH] Update auditbeat config for the latest stable release

Change-Id: I468992009f562ca7d48fb88aab41edb552e23831
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
---
 .../templates/auditbeat.yml.j2                | 161 +++++++++++++++++-
 1 file changed, 157 insertions(+), 4 deletions(-)

diff --git a/elk_metrics_6x/roles/elastic_auditbeat/templates/auditbeat.yml.j2 b/elk_metrics_6x/roles/elastic_auditbeat/templates/auditbeat.yml.j2
index 11e61221..c0c164e2 100644
--- a/elk_metrics_6x/roles/elastic_auditbeat/templates/auditbeat.yml.j2
+++ b/elk_metrics_6x/roles/elastic_auditbeat/templates/auditbeat.yml.j2
@@ -44,6 +44,9 @@ auditbeat.modules:
   include_warnings: true
 
 {% if not apply_security_hardening | default(true) | bool %}
+  audit_rule_files:
+    - '${path.config}/audit.rules.d/*.conf'
+    - '/etc/audit/rules.d/*.rules'
   audit_rules: |
     ## Define audit rules here.
     ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
@@ -127,6 +130,32 @@ auditbeat.modules:
   # Detect changes to files included in subdirectories. Disabled by default.
   recursive: true
 
+# The system module collects security related information about a host.
+# All datasets send both periodic state information (e.g. all currently
+# running processes) and real-time changes (e.g. when a new process starts
+# or stops).
+- module: system
+  datasets:
+    - host    # General host information, e.g. uptime, IPs
+    - process # Started and stopped processes
+    - socket  # Opened and closed sockets
+    - user    # User information
+
+  # How often datasets send state updates with the
+  # current state of the system (e.g. all currently
+  # running processes, all open sockets).
+  state.period: 12h
+
+  # The state.period can be overridden for any dataset.
+  # host.state.period: 12h
+  # process.state.period: 12h
+  # socket.state.period: 12h
+  # user.state.period: 12h
+
+  # Enabled by default. Auditbeat will read password fields in
+  # /etc/passwd and /etc/shadow and store a hash locally to
+  # detect any changes.
+  user.detect_password_changes: true
 
 #================================ General ======================================
 
@@ -172,6 +201,66 @@ auditbeat.modules:
     # if the number of events stored in the queue is < min_flush_events.
     #flush.timeout: 1s
 
+  # The spool queue will store events in a local spool file, before
+  # forwarding the events to the outputs.
+  #
+  # Beta: spooling to disk is currently a beta feature. Use with care.
+  #
+  # The spool file is a circular buffer, which blocks once the file/buffer is full.
+  # Events are put into a write buffer and flushed once the write buffer
+  # is full or the flush_timeout is triggered.
+  # Once ACKed by the output, events are removed immediately from the queue,
+  # making space for new events to be persisted.
+  #spool:
+    # The file namespace configures the file path and the file creation settings.
+    # Once the file exists, the `size`, `page_size` and `prealloc` settings
+    # will have no more effect.
+    #file:
+      # Location of spool file. The default value is ${path.data}/spool.dat.
+      #path: "${path.data}/spool.dat"
+
+      # Configure file permissions if file is created. The default value is 0600.
+      #permissions: 0600
+
+      # File size hint. The spool blocks, once this limit is reached. The default value is 100 MiB.
+      #size: 100MiB
+
+      # The files page size. A file is split into multiple pages of the same size. The default value is 4KiB.
+      #page_size: 4KiB
+
+      # If prealloc is set, the required space for the file is reserved using
+      # truncate. The default value is true.
+      #prealloc: true
+
+    # Spool writer settings
+    # Events are serialized into a write buffer. The write buffer is flushed if:
+    # - The buffer limit has been reached.
+    # - The configured limit of buffered events is reached.
+    # - The flush timeout is triggered.
+    #write:
+      # Sets the write buffer size.
+      #buffer_size: 1MiB
+
+      # Maximum duration after which events are flushed, if the write buffer
+      # is not full yet. The default value is 1s.
+      #flush.timeout: 1s
+
+      # Number of maximum buffered events. The write buffer is flushed once the
+      # limit is reached.
+      #flush.events: 16384
+
+      # Configure the on-disk event encoding. The encoding can be changed
+      # between restarts.
+      # Valid encodings are: json, ubjson, and cbor.
+      #codec: cbor
+    #read:
+      # Reader flush timeout, waiting for more events to become available, so
+      # to fill a complete batch, as required by the outputs.
+      # If flush_timeout is 0, all available events are forwarded to the
+      # outputs immediately.
+      # The default value is 0s.
+      #flush.timeout: 0s
+
 # Sets the maximum number of CPUs that can be executing simultaneously. The
 # default is the number of logical CPUs available in the system.
 #max_procs:
@@ -185,8 +274,8 @@ auditbeat.modules:
 #
 #   event -> filter1 -> event1 -> filter2 ->event2 ...
 #
-# The supported processors are drop_fields, drop_event, include_fields, and
-# add_cloud_metadata.
+# The supported processors are drop_fields, drop_event, include_fields,
+# decode_json_fields, and add_cloud_metadata.
 #
 # For example, you can use the following processors to keep the fields that
 # contain CPU load percentages, but remove the fields that contain CPU ticks
@@ -206,6 +295,22 @@ auditbeat.modules:
 #       equals:
 #           http.code: 200
 #
+# The following example renames the field a to b:
+#
+#processors:
+#- rename:
+#    fields:
+#       - from: "a"
+#         to: "b"
+#
+# The following example tokenizes the string into fields:
+#
+#processors:
+#- dissect:
+#    tokenizer: "%{key1} - %{key2}"
+#    field: "message"
+#    target_prefix: "dissect"
+#
 # The following example enriches each event with metadata from the cloud
 # provider about the host machine. It works on EC2, GCE, DigitalOcean,
 # Tencent Cloud, and Alibaba Cloud.
@@ -232,6 +337,7 @@ auditbeat.modules:
 #    match_source_index: 4
 #    match_short_id: false
 #    cleanup_timeout: 60
+#    labels.dedot: false
 #    # To connect to Docker over TLS you must specify a client and CA certificate.
 #    #ssl:
 #    #  certificate_authority: "/etc/pki/root/ca.pem"
@@ -244,6 +350,31 @@ auditbeat.modules:
 #
 #processors:
 #- add_docker_metadata: ~
+#
+# The following example enriches each event with host metadata.
+#
+#processors:
+#- add_host_metadata:
+#   netinfo.enabled: false
+#
+# The following example enriches each event with process metadata using
+# process IDs included in the event.
+#
+#processors:
+#- add_process_metadata:
+#    match_pids: ["system.process.ppid"]
+#    target: system.process.parent
+#
+# The following example decodes fields containing JSON strings
+# and replaces the strings with valid JSON objects.
+#
+#processors:
+#- decode_json_fields:
+#    fields: ["field1", "field2", ...]
+#    process_array: false
+#    max_depth: 1
+#    target: ""
+#    overwrite_keys: false
 processors:
 - add_host_metadata: ~
 
@@ -603,6 +734,14 @@ processors:
   # Boolean flag to enable or disable the output module.
   #enabled: true
 
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping html symbols in strings.
+    #escape_html: true
+
   # Path to the directory where to save the generated files. The option is
   # mandatory.
   #path: "/tmp/auditbeat"
@@ -630,8 +769,13 @@ processors:
   # Boolean flag to enable or disable the output module.
   #enabled: true
 
-  # Pretty print json event
-  #pretty: false
+  # Configure JSON encoding
+  #codec.json:
+    # Pretty print json event
+    #pretty: false
+
+    # Configure escaping html symbols in strings.
+    #escape_html: true
 
 #================================= Paths ======================================
 
@@ -659,6 +803,10 @@ processors:
 # the default for the logs path is a logs subdirectory inside the home path.
 #path.logs: ${path.home}/logs
 
+#================================ Keystore ==========================================
+# Location of the Keystore containing the keys and their sensitive values.
+#keystore.path: "${path.config}/beats.keystore"
+
 #============================== Dashboards =====================================
 {{ elk_macros.setup_dashboards('auditbeat') }}
 
@@ -690,3 +838,8 @@ processors:
 
 # Port on which the HTTP endpoint will bind. Default is 5066.
 #http.port: 5066
+
+#============================= Process Security ================================
+
+# Enable or disable seccomp system call filtering on Linux. Default is enabled.
+#seccomp.enabled: true