{"id":11067,"date":"2021-12-09T22:42:02","date_gmt":"2021-12-09T19:42:02","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11067"},"modified":"2024-03-18T07:50:29","modified_gmt":"2024-03-18T04:50:29","slug":"detect-changes-to-critical-files-in-linux-using-auditbeat-and-elk","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/detect-changes-to-critical-files-in-linux-using-auditbeat-and-elk\/","title":{"rendered":"Detect Changes to Critical Files in Linux using Auditbeat and ELK"},"content":{"rendered":"\n

In this tutorial, you will learn how to detect changes to critical files in Linux using Auditbeat and ELK. Auditbeat is one of the Elastic Beats that, according to the Elastic page<\/a>, collects Linux audit framework data and monitors the integrity of the files. It ships these events in real time to the rest of the Elastic Stack for further analysis<\/em>. It enables you to answer: who was the actor?<\/em> What action did they perform, and when?<\/em><\/p>\n\n\n\n

Detecting Changes to Critical Files in Linux using Auditbeat and ELK<\/h2>\n\n\n\n

Install and Setup ELK Stack<\/h3>\n\n\n\n

To begin with, you need to have a running ELK stack. We use Debian 11 in this setup, so you can follow the link below to set up ELK;<\/p>\n\n\n\n

Install ELK Stack on Debian 11<\/a><\/p>\n\n\n\n

Install Auditbeat on the Host<\/h3>\n\n\n\n

In this tutorial, we will use two remote hosts, an Ubuntu VM and a Rocky Linux VM, and monitor them for any changes to critical files.<\/p>\n\n\n\n

Installing Auditbeat on Ubuntu\/Debian based systems<\/h4>\n\n\n\n

Run the commands below to install Auditbeat on Ubuntu\/Debian based systems;<\/p>\n\n\n\n

apt install gnupg2 apt-transport-https -y<\/code><\/pre>\n\n\n\n
wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | gpg --dearmor > \/etc\/apt\/trusted.gpg.d\/elastic.gpg<\/code><\/pre>\n\n\n\n
echo \"deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main\" > \/etc\/apt\/sources.list.d\/elastic-7.x.list<\/code><\/pre>\n\n\n\n
apt update<\/code><\/pre>\n\n\n\n
apt install auditbeat -y<\/code><\/pre>\n\n\n\n
Installing Auditbeat on RHEL based systems<\/h4>\n\n\n\n

Run the commands below to install Auditbeat on RHEL based systems;<\/p>\n\n\n\n

rpm --import https:\/\/packages.elastic.co\/GPG-KEY-elasticsearch<\/code><\/pre>\n\n\n\n
\ncat > \/etc\/yum.repos.d\/elastic.repo << EOL\n[elastic-7.x]\nname=Elastic repository for 7.x packages\nbaseurl=https:\/\/artifacts.elastic.co\/packages\/7.x\/yum\ngpgcheck=1\ngpgkey=https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\nenabled=0\nautorefresh=1\ntype=rpm-md\nEOL\n<\/code><\/pre>\n\n\n\n
yum --enablerepo=elastic-7.x install auditbeat -y<\/code><\/pre>\n\n\n\n

Configure Auditbeat Elasticsearch connection<\/h3>\n\n\n\n

Once the installation is done, open the Auditbeat configuration file for editing;<\/p>\n\n\n\n

<\/p>\n\n\n\n

Navigate to the Elasticsearch Output configuration section;<\/p>\n\n\n\n

...\n...\n# ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  hosts: [\"localhost:9200\"]\n\n  # Protocol - either `http` (default) or `https`.\n  #protocol: \"https\"\n\n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  #username: \"elastic\"\n  #password: \"changeme\"\n...\n<\/code><\/pre>\n\n\n\n

Set the output configuration depending on how your Elasticsearch is configured. In my setup, I just need to update the Elasticsearch IP address and port by replacing localhost:9200<\/code><\/strong> with my Elasticsearch connection details, 192.168.58.22:9200<\/code><\/strong>.<\/p>\n\n\n\n

...\n...\n# ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  hosts: [\"192.168.58.22:9200\"]<\/strong>\n\n  # Protocol - either `http` (default) or `https`.\n  #protocol: \"https\"\n\n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  #username: \"elastic\"\n  #password: \"changeme\"\n...\n<\/code><\/pre>\n\n\n\n

Save the changes and exit the configuration file.<\/p>\n\n\n\n

Ensure the Elasticsearch port is open and that you can connect to it from the monitored host;<\/p>\n\n\n\n

nc -nvz 192.168.58.22 9200<\/code><\/pre>\n\n\n\n

Next, test the Auditbeat connection to Elasticsearch (ensure the auditbeat service is not running before you run this command<\/em>);<\/p>\n\n\n\n

auditbeat test output<\/code><\/pre>\n\n\n\n
elasticsearch: http:\/\/192.168.58.22:9200...\n  parse url... OK\n  connection...\n    parse host... OK\n    dns lookup... OK\n    addresses: 192.168.58.22\n    dial up... OK\n  TLS... WARN secure connection disabled\n  talk to server... OK\n  version: 7.16.0\n\n<\/code><\/pre>\n\n\n\n

Configure Auditbeat to Collect Audit Data<\/h3>\n\n\n\n

Next, you need to configure Auditbeat to collect system audit data that needs to be shipped to Elasticsearch.<\/p>\n\n\n\n

In the default Auditbeat configuration file, \/etc\/auditbeat\/auditbeat.yml<\/strong><\/code>, the default module configuration for Auditbeat is as shown below;<\/p>\n\n\n\n

# =========================== Modules configuration ============================\nauditbeat.modules:\n\n- module: auditd\n  # Load audit rules from separate files. Same format as audit.rules(7).\n  audit_rule_files: [ '${path.config}\/audit.rules.d\/*.conf' ]\n  audit_rules: |\n    ## Define audit rules here.\n    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these\n    ## examples or add your own rules.\n\n    ## If you are on a 64 bit platform, everything should be running\n    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls\n    ## because this might be a sign of someone exploiting a hole in the 32\n    ## bit API.\n    #-a always,exit -F arch=b32 -S all -F key=32bit-abi\n\n    ## Executions.\n    #-a always,exit -F arch=b64 -S execve,execveat -k exec\n\n    ## External access (warning: these can be expensive to audit).\n    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access\n\n    ## Identity changes.\n    #-w \/etc\/group -p wa -k identity\n    #-w \/etc\/passwd -p wa -k identity\n    #-w \/etc\/gshadow -p wa -k identity\n\n    ## Unauthorized access attempts.\n    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access\n    #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access\n\n- module: file_integrity\n  paths:\n  - \/bin\n  - \/usr\/bin\n  - \/sbin\n  - \/usr\/sbin\n  - \/etc\n\n- module: system\n  datasets:\n    - package # Installed, updated, and removed packages\n\n  period: 2m # The frequency at which the datasets check for changes\n\n- module: system\n  datasets:\n    - host    # General host information, e.g. uptime, IPs\n    - login   # User logins, logouts, and system boots.\n    - process # Started and stopped processes\n    - socket  # Opened and closed sockets\n    - user    # User information\n\n  # How often datasets send state updates with the\n  # current state of the system (e.g. all currently\n  # running processes, all open sockets).\n  state.period: 12h\n\n  # Enabled by default. Auditbeat will read password fields in\n  # \/etc\/passwd and \/etc\/shadow and store a hash locally to\n  # detect any changes.\n  user.detect_password_changes: true\n\n  # File patterns of the login record files.\n  login.wtmp_file_pattern: \/var\/log\/wtmp*\n  login.btmp_file_pattern: \/var\/log\/btmp*\n<\/code><\/pre>\n\n\n\n

Auditbeat supports different modules that simplify the collection, parsing, and visualization of various kinds of audit data.<\/p>\n\n\n\n

These modules include:<\/p>\n\n\n\n