diff --git a/packages/auditd_manager/_dev/build/docs/README.md b/packages/auditd_manager/_dev/build/docs/README.md index db1c6c25fee8..494b70a489a5 100644 --- a/packages/auditd_manager/_dev/build/docs/README.md +++ b/packages/auditd_manager/_dev/build/docs/README.md @@ -5,11 +5,21 @@ is a part of the Linux kernel. This integration is available only for Linux. -## Session View powered by Auditd Manager [BETA] +## Session View powered by Auditd Manager -The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. +The Auditd Manager is one of the integrations that can power the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. This feature provides a visual representation of session and process execution data, organized according to the Linux process model to help you investigate process, user, and service activity on your Linux infrastructure. -To enable the `add_session_metadata` processor for Auditd Manager: +### Enabling Session Data Capture + +There are two ways to enable session data capture for the Session View feature: + +#### Method 1: Using the Toggle Switch (Recommended) + +1. Navigate to the Auditd Manager integration configuration in Kibana. +2. Locate the "Session data" toggle switch. +3. Turn the switch on to enable session data capture. + +#### Method 2: Manual Configuration 1. Navigate to the Auditd Manager integration configuration in Kibana. 2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options. @@ -29,6 +39,13 @@ To enable the `add_session_metadata` processor for Auditd Manager: Changes are applied automatically, and you do not have to restart the service. +### Important Notes + +- Using the toggle switch (Method 1) automatically applies these configurations, making it the simpler option for most users. +- When enabling session data capture, be aware that it will collect extended process data, which may have privacy and storage implications. +- You can disable session data capture at any time by turning off the toggle switch or removing the manual configurations. +- If you switch between methods or disable the feature, ensure that any conflicting configurations are removed to avoid unexpected behaviour. + ## How it works This integration establishes a subscription to the kernel to receive the events diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml index 83ae927fa53d..5b465994b2d1 100644 --- a/packages/auditd_manager/changelog.yml +++ b/packages/auditd_manager/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: "Added Session data option" + type: enhancement + link: https://github.com/elastic/integrations/issues/11336 - version: "1.17.1" changes: - description: "Doc: Add doc for configuring Auditd Manager for Session View" diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json index cafc4722f0c5..34b4685728ef 100644 --- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json @@ -933,7 +933,7 @@ }, "event": { "action": "changed-role-to", - "category": "mac", + "category": ["network"], "kind": "event", "original": [ "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'" diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json index 712ad0783720..9ccd8dd5a669 100644 --- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json @@ -1070,7 +1070,7 @@ }, "event": { "action": "changed-role-to", - "category": "mac", + "category": ["network"], "kind": "event", "original": "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'", "outcome": "success", diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs index 021d17f1e93c..e8a9d4984486 100644 --- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs +++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs @@ -7,9 +7,18 @@ socket_type: '{{socket_type}}' immutable: {{immutable}} resolve_ids: {{resolve_ids}} failure_mode: {{failure_mode}} +{{#if session_data}} +audit_rules: "{{escape_multiline_string audit_rules}} +{{escape_multiline_string " +# Session data audit rules +-a always,exit -F arch=b64 -S execve,execveat -k exec +-a always,exit -F arch=b64 -S exit_group +-a always,exit -F arch=b64 -S setsid"}}" +{{else}} {{#if audit_rules}} audit_rules: {{escape_string audit_rules}} {{/if}} +{{/if}} {{#if audit_rule_files.length}} audit_rule_files: {{#each audit_rule_files as |file|}} @@ -33,4 +42,12 @@ publisher_pipeline.disable_host: true {{#if processors}} processors: {{processors}} +{{#if session_data}} +{{session_data_processors}} +{{/if}} +{{else}} +{{#if session_data}} +processors: +{{session_data_processors}} +{{/if}} {{/if}} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/manifest.yml b/packages/auditd_manager/data_stream/auditd/manifest.yml index e837b0889730..be2081749921 100644 --- a/packages/auditd_manager/data_stream/auditd/manifest.yml +++ b/packages/auditd_manager/data_stream/auditd/manifest.yml @@ -33,6 +33,19 @@ streams: If `auto` is selected, `elastic-agent` will attempt to use multicast sockets, falling back to unicast if multicast is not available. + - name: session_data + type: bool + title: Session data + show_user: true + multi: false + default: false + description: | + Turn this on to capture the extended process data required for Session View. + Session View provides you a visual representation of session and process execution data. + + Session View data is organized according to the Linux process model to help you + investigate process, user, and service activity on your Linux infrastructure. + [Learn more](https://www.elastic.co/guide/en/security/current/session-view.html) - name: immutable type: bool title: Immutable @@ -177,3 +190,14 @@ streams: description: | Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: session_data_processors + type: yaml + title: Session data processors + required: false + show_user: false + multi: false + description: | + These processors will be appended to the processors configuration if Session Data is enabled. + default: >2- + - add_session_metadata: + backend: "auto" diff --git a/packages/auditd_manager/docs/README.md b/packages/auditd_manager/docs/README.md index 4bbb26225ebd..6c70a8ca3876 100644 --- a/packages/auditd_manager/docs/README.md +++ b/packages/auditd_manager/docs/README.md @@ -5,11 +5,21 @@ is a part of the Linux kernel. This integration is available only for Linux. -## Session View powered by Auditd Manager [BETA] +## Session View powered by Auditd Manager -The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. +The Auditd Manager is one of the integrations that can power the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. This feature provides a visual representation of session and process execution data, organized according to the Linux process model to help you investigate process, user, and service activity on your Linux infrastructure. -To enable the `add_session_metadata` processor for Auditd Manager: +### Enabling Session Data Capture + +There are two ways to enable session data capture for the Session View feature: + +#### Method 1: Using the Toggle Switch (Recommended) + +1. Navigate to the Auditd Manager integration configuration in Kibana. +2. Locate the "Session data" toggle switch. +3. Turn the switch on to enable session data capture. + +#### Method 2: Manual Configuration 1. Navigate to the Auditd Manager integration configuration in Kibana. 2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options. @@ -29,6 +39,13 @@ To enable the `add_session_metadata` processor for Auditd Manager: Changes are applied automatically, and you do not have to restart the service. +### Important Notes + +- Using the toggle switch (Method 1) automatically applies these configurations, making it the simpler option for most users. +- When enabling session data capture, be aware that it will collect extended process data, which may have privacy and storage implications. +- You can disable session data capture at any time by turning off the toggle switch or removing the manual configurations. +- If you switch between methods or disable the feature, ensure that any conflicting configurations are removed to avoid unexpected behaviour. + ## How it works This integration establishes a subscription to the kernel to receive the events diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml index b6122dffcc86..c6682aec75c1 100644 --- a/packages/auditd_manager/manifest.yml +++ b/packages/auditd_manager/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: auditd_manager title: "Auditd Manager" -version: "1.17.1" +version: "1.18.0" description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel." type: integration categories: @@ -9,7 +9,7 @@ categories: - auditd conditions: kibana: - version: "^8.12.0" + version: "^8.16.0 || ^9.0.0" screenshots: - src: /img/overview.png title: Overview Dashboard