From d6e8d56c06eb9fed3ebb964ab26dcce373fdac28 Mon Sep 17 00:00:00 2001 From: Paulo Silva Date: Thu, 10 Oct 2024 17:35:54 -0700 Subject: [PATCH] [Auditd Manager] Add Session Data option (#11336) * update doc * update version and kibana minimum version * add session_data to manifest * update handlebars rules * add changelog * fixing event.category to array * updating event category to allowed values * adjusting indentation --- .../auditd_manager/_dev/build/docs/README.md | 23 +++++++++++++++--- packages/auditd_manager/changelog.yml | 5 ++++ .../_dev/test/pipeline/test-sudo-events.json | 2 +- .../test-sudo-events.json-expected.json | 2 +- .../auditd/agent/stream/auditd.yml.hbs | 17 +++++++++++++ .../data_stream/auditd/manifest.yml | 24 +++++++++++++++++++ packages/auditd_manager/docs/README.md | 23 +++++++++++++++--- packages/auditd_manager/manifest.yml | 4 ++-- 8 files changed, 90 insertions(+), 10 deletions(-) diff --git a/packages/auditd_manager/_dev/build/docs/README.md b/packages/auditd_manager/_dev/build/docs/README.md index db1c6c25fee..494b70a489a 100644 --- a/packages/auditd_manager/_dev/build/docs/README.md +++ b/packages/auditd_manager/_dev/build/docs/README.md @@ -5,11 +5,21 @@ is a part of the Linux kernel. This integration is available only for Linux. -## Session View powered by Auditd Manager [BETA] +## Session View powered by Auditd Manager -The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. +The Auditd Manager is one of the integrations that can power the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. This feature provides a visual representation of session and process execution data, organized according to the Linux process model to help you investigate process, user, and service activity on your Linux infrastructure. -To enable the `add_session_metadata` processor for Auditd Manager: +### Enabling Session Data Capture + +There are two ways to enable session data capture for the Session View feature: + +#### Method 1: Using the Toggle Switch (Recommended) + +1. Navigate to the Auditd Manager integration configuration in Kibana. +2. Locate the "Session data" toggle switch. +3. Turn the switch on to enable session data capture. + +#### Method 2: Manual Configuration 1. Navigate to the Auditd Manager integration configuration in Kibana. 2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options. @@ -29,6 +39,13 @@ To enable the `add_session_metadata` processor for Auditd Manager: Changes are applied automatically, and you do not have to restart the service. +### Important Notes + +- Using the toggle switch (Method 1) automatically applies these configurations, making it the simpler option for most users. +- When enabling session data capture, be aware that it will collect extended process data, which may have privacy and storage implications. +- You can disable session data capture at any time by turning off the toggle switch or removing the manual configurations. +- If you switch between methods or disable the feature, ensure that any conflicting configurations are removed to avoid unexpected behaviour. + ## How it works This integration establishes a subscription to the kernel to receive the events diff --git a/packages/auditd_manager/changelog.yml b/packages/auditd_manager/changelog.yml index 83ae927fa53..5b465994b2d 100644 --- a/packages/auditd_manager/changelog.yml +++ b/packages/auditd_manager/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.0" + changes: + - description: "Added Session data option" + type: enhancement + link: https://github.com/elastic/integrations/issues/11336 - version: "1.17.1" changes: - description: "Doc: Add doc for configuring Auditd Manager for Session View" diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json index cafc4722f0c..34b4685728e 100644 --- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json @@ -933,7 +933,7 @@ }, "event": { "action": "changed-role-to", - "category": "mac", + "category": ["network"], "kind": "event", "original": [ "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'" diff --git a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json index 712ad078372..9ccd8dd5a66 100644 --- a/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json +++ b/packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/test-sudo-events.json-expected.json @@ -1070,7 +1070,7 @@ }, "event": { "action": "changed-role-to", - "category": "mac", + "category": ["network"], "kind": "event", "original": "type=USER_ROLE_CHANGE msg=audit(1610735886.822:436): pid=11793 uid=0 auid=1002 ses=15 msg='op=su acct=\"root\" exe=\"/bin/su\" hostname=localhost addr=127.0.0.1 terminal=/dev/pts/1 res=success selected-context=1234'", "outcome": "success", diff --git a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs index 021d17f1e93..e8a9d498448 100644 --- a/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs +++ b/packages/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs @@ -7,9 +7,18 @@ socket_type: '{{socket_type}}' immutable: {{immutable}} resolve_ids: {{resolve_ids}} failure_mode: {{failure_mode}} +{{#if session_data}} +audit_rules: "{{escape_multiline_string audit_rules}} +{{escape_multiline_string " +# Session data audit rules +-a always,exit -F arch=b64 -S execve,execveat -k exec +-a always,exit -F arch=b64 -S exit_group +-a always,exit -F arch=b64 -S setsid"}}" +{{else}} {{#if audit_rules}} audit_rules: {{escape_string audit_rules}} {{/if}} +{{/if}} {{#if audit_rule_files.length}} audit_rule_files: {{#each audit_rule_files as |file|}} @@ -33,4 +42,12 @@ publisher_pipeline.disable_host: true {{#if processors}} processors: {{processors}} +{{#if session_data}} +{{session_data_processors}} +{{/if}} +{{else}} +{{#if session_data}} +processors: +{{session_data_processors}} +{{/if}} {{/if}} \ No newline at end of file diff --git a/packages/auditd_manager/data_stream/auditd/manifest.yml b/packages/auditd_manager/data_stream/auditd/manifest.yml index e837b088973..be208174992 100644 --- a/packages/auditd_manager/data_stream/auditd/manifest.yml +++ b/packages/auditd_manager/data_stream/auditd/manifest.yml @@ -33,6 +33,19 @@ streams: If `auto` is selected, `elastic-agent` will attempt to use multicast sockets, falling back to unicast if multicast is not available. + - name: session_data + type: bool + title: Session data + show_user: true + multi: false + default: false + description: | + Turn this on to capture the extended process data required for Session View. + Session View provides you a visual representation of session and process execution data. + + Session View data is organized according to the Linux process model to help you + investigate process, user, and service activity on your Linux infrastructure. + [Learn more](https://www.elastic.co/guide/en/security/current/session-view.html) - name: immutable type: bool title: Immutable @@ -177,3 +190,14 @@ streams: description: | Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: session_data_processors + type: yaml + title: Session data processors + required: false + show_user: false + multi: false + description: | + These processors will be appended to the processors configuration if Session Data is enabled. + default: >2- + - add_session_metadata: + backend: "auto" diff --git a/packages/auditd_manager/docs/README.md b/packages/auditd_manager/docs/README.md index 4bbb26225eb..6c70a8ca387 100644 --- a/packages/auditd_manager/docs/README.md +++ b/packages/auditd_manager/docs/README.md @@ -5,11 +5,21 @@ is a part of the Linux kernel. This integration is available only for Linux. -## Session View powered by Auditd Manager [BETA] +## Session View powered by Auditd Manager -The `add_session_metadata` processor for Auditd Manager powers the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. +The Auditd Manager is one of the integrations that can power the [Session View](https://www.elastic.co/guide/en/security/current/session-view.html) utility for the Elastic Security Platform. This feature provides a visual representation of session and process execution data, organized according to the Linux process model to help you investigate process, user, and service activity on your Linux infrastructure. -To enable the `add_session_metadata` processor for Auditd Manager: +### Enabling Session Data Capture + +There are two ways to enable session data capture for the Session View feature: + +#### Method 1: Using the Toggle Switch (Recommended) + +1. Navigate to the Auditd Manager integration configuration in Kibana. +2. Locate the "Session data" toggle switch. +3. Turn the switch on to enable session data capture. + +#### Method 2: Manual Configuration 1. Navigate to the Auditd Manager integration configuration in Kibana. 2. Add the `add_session_metadata` processor configuration under the **Processors** section of Advanced options. @@ -29,6 +39,13 @@ To enable the `add_session_metadata` processor for Auditd Manager: Changes are applied automatically, and you do not have to restart the service. +### Important Notes + +- Using the toggle switch (Method 1) automatically applies these configurations, making it the simpler option for most users. +- When enabling session data capture, be aware that it will collect extended process data, which may have privacy and storage implications. +- You can disable session data capture at any time by turning off the toggle switch or removing the manual configurations. +- If you switch between methods or disable the feature, ensure that any conflicting configurations are removed to avoid unexpected behaviour. + ## How it works This integration establishes a subscription to the kernel to receive the events diff --git a/packages/auditd_manager/manifest.yml b/packages/auditd_manager/manifest.yml index b6122dffcc8..c6682aec75c 100644 --- a/packages/auditd_manager/manifest.yml +++ b/packages/auditd_manager/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.0" name: auditd_manager title: "Auditd Manager" -version: "1.17.1" +version: "1.18.0" description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel." type: integration categories: @@ -9,7 +9,7 @@ categories: - auditd conditions: kibana: - version: "^8.12.0" + version: "^8.16.0 || ^9.0.0" screenshots: - src: /img/overview.png title: Overview Dashboard