{
  "name": "auditd_manager",
  "title": "Auditd Manager",
  "version": "1.20.0",
  "release": "ga",
  "description": "The Auditd Manager Integration receives audit events from the Linux Audit Framework, which is part of the Linux kernel.",
  "type": "integration",
  "download": "/epr/auditd_manager/auditd_manager-1.20.0.zip",
  "path": "/package/auditd_manager/1.20.0",
  "icons": [
    {
      "src": "/img/linux.svg",
      "path": "/package/auditd_manager/1.20.0/img/linux.svg",
      "title": "linux",
      "size": "299x354",
      "type": "image/svg+xml"
    }
  ],
  "conditions": {
    "kibana": {
      "version": "^8.16.0 || ^9.0.0"
    }
  },
  "owner": {
    "type": "elastic",
    "github": "elastic/sec-linux-platform"
  },
  "categories": [
    "security",
    "auditd"
  ],
  "signature_path": "/epr/auditd_manager/auditd_manager-1.20.0.zip.sig",
  "format_version": "3.0.0",
  "readme": "/package/auditd_manager/1.20.0/docs/README.md",
  "license": "basic",
  "screenshots": [
    {
      "src": "/img/overview.png",
      "path": "/package/auditd_manager/1.20.0/img/overview.png",
      "title": "Overview Dashboard",
      "size": "1374x903",
      "type": "image/png"
    },
    {
      "src": "/img/sockets.png",
      "path": "/package/auditd_manager/1.20.0/img/sockets.png",
      "title": "Sockets Dashboard",
      "size": "1362x1043",
      "type": "image/png"
    },
    {
      "src": "/img/executions.png",
      "path": "/package/auditd_manager/1.20.0/img/executions.png",
      "title": "Executions Dashboard",
      "size": "1375x900",
      "type": "image/png"
    }
  ],
  "assets": [
    "/package/auditd_manager/1.20.0/LICENSE.txt",
    "/package/auditd_manager/1.20.0/changelog.yml",
    "/package/auditd_manager/1.20.0/manifest.yml",
    "/package/auditd_manager/1.20.0/validation.yml",
    "/package/auditd_manager/1.20.0/docs/README.md",
    "/package/auditd_manager/1.20.0/img/executions.png",
    "/package/auditd_manager/1.20.0/img/linux.svg",
    "/package/auditd_manager/1.20.0/img/overview.png",
    "/package/auditd_manager/1.20.0/img/sockets.png",
    "/package/auditd_manager/1.20.0/kibana/tags.yml",
    "/package/auditd_manager/1.20.0/data_stream/auditd/manifest.yml",
    "/package/auditd_manager/1.20.0/data_stream/auditd/sample_event.json",
    "/package/auditd_manager/1.20.0/kibana/dashboard/auditd_manager-693a5f40-c243-11e7-8692-232bd1143e8a.json",
    "/package/auditd_manager/1.20.0/kibana/dashboard/auditd_manager-7de391b0-c1ca-11e7-8995-936807a28b16.json",
    "/package/auditd_manager/1.20.0/kibana/dashboard/auditd_manager-c0ac2c00-c1c0-11e7-8995-936807a28b16.json",
    "/package/auditd_manager/1.20.0/kibana/search/auditd_manager-0f10c430-c1c3-11e7-8995-936807a28b16.json",
    "/package/auditd_manager/1.20.0/kibana/search/auditd_manager-5438b030-c246-11e7-8692-232bd1143e8a.json",
    "/package/auditd_manager/1.20.0/kibana/search/auditd_manager-b4c93470-c240-11e7-8692-232bd1143e8a.json",
    "/package/auditd_manager/1.20.0/kibana/search/auditd_manager-d382f5b0-c1c6-11e7-8995-936807a28b16.json",
    "/package/auditd_manager/1.20.0/kibana/search/auditd_manager-e8734160-c24c-11e7-8692-232bd1143e8a.json",
    "/package/auditd_manager/1.20.0/data_stream/auditd/fields/base-fields.yml",
    "/package/auditd_manager/1.20.0/data_stream/auditd/fields/ecs.yml",
    "/package/auditd_manager/1.20.0/data_stream/auditd/fields/fields.yml",
    "/package/auditd_manager/1.20.0/data_stream/auditd/agent/stream/auditd.yml.hbs",
    "/package/auditd_manager/1.20.0/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml"
  ],
  "policy_templates": [
    {
      "name": "auditd",
      "title": "Auditd",
      "description": "Collect auditd events",
      "inputs": [
        {
          "type": "audit/auditd",
          "title": "Collect auditd events",
          "description": "Collecting auditd events"
        }
      ],
      "multiple": true
    }
  ],
  "data_streams": [
    {
      "type": "logs",
      "dataset": "auditd_manager.auditd",
      "title": "Auditd Manager",
      "release": "ga",
      "ingest_pipeline": "default",
      "streams": [
        {
          "input": "audit/auditd",
          "vars": [
            {
              "name": "socket_type",
              "type": "select",
              "title": "Multicast socket type",
              "description": "This setting controls the socket type used to receive events. This setting should\nbe set to `unicast` when `elastic-agent` is the primary userspace daemon for receiving\naudit events and managing the rules. Only a single process can receive audit events\nwhen using unicast sockets, so any other daemons should be stopped (e.g. stop `auditd`).\n\nMulticast can be enabled with kernel versions 3.16 and newer. By setting it to\n`multicast`, `elastic-agent` will receive an audit event broadcast that is not exclusive\nto a single process. This is ideal for situations where `auditd` is running and\nmanaging the rules.\n\nIf `auto` is selected, `elastic-agent` will attempt to use multicast sockets, falling\nback to unicast if multicast is not available.\n",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": ""
            },
            {
              "name": "session_data",
              "type": "bool",
              "title": "Session data",
              "description": "Turn this on to capture the extended process data required for Session View.\nSession View provides you with a visual representation of session and process execution data.\n\nSession View data is organized according to the Linux process model to help you\ninvestigate process, user, and service activity on your Linux infrastructure.\n[Learn more](https://www.elastic.co/guide/en/security/current/session-view.html)\n",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "immutable",
              "type": "bool",
              "title": "Immutable",
              "description": "This boolean setting sets the audit config as immutable (`-e 2`).\nThis option can only be used if socket type is not `multicast` since `elastic-agent`\nneeds to manage the rules to be able to set it.\n\nPlease note that with this setting enabled, after Elastic Agent restarts or\nupgrades, events will continue to be processed but the configuration won't\nbe updated until the system is restarted entirely.\n",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": false
            },
            {
              "name": "resolve_ids",
              "type": "bool",
              "title": "Resolve IDs",
              "description": "Enables the resolution of UIDs and GIDs to their associated names.",
              "multi": false,
              "required": false,
              "show_user": true,
              "default": true
            },
            {
              "name": "failure_mode",
              "type": "text",
              "title": "Failure mode",
              "description": "This determines the kernel's behavior on critical\nfailures such as errors sending events to `elastic-agent`, the backlog limit being\nexceeded, the kernel running out of memory, or the rate limit being exceeded. The\noptions are `silent`, `log`, or `panic`. `silent` makes the kernel\nignore the errors, `log` makes the kernel write the audit messages using\n`printk` so they show up in the system's syslog, and `panic` causes the kernel to\npanic to prevent use of the machine.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "silent"
            },
            {
              "name": "audit_rules",
              "type": "textarea",
              "title": "Audit rules",
              "description": "List of the audit rules that should be\ninstalled to the kernel. There should be one rule per line. Comments can be\nembedded in the string using `#` as a prefix. The format for rules is the same\nused by the Linux `auditctl` utility. `elastic-agent` supports adding file watches\n(`-w`) and syscall rules (`-a` or `-A`). For more information,\nsee the integration detail page.\n",
              "multi": false,
              "required": false,
              "show_user": true
            },
            {
              "name": "audit_rule_files",
              "type": "text",
              "title": "Audit rule files",
              "description": "A list of files to load audit rules from. These files are loaded after the rules\ndeclared in `Audit rules` are loaded. Wildcards are supported and will expand in\nlexicographical order. The format is the same as that of the `Audit rules` field.\n",
              "multi": true,
              "required": false,
              "show_user": true
            },
            {
              "name": "preserve_original_event",
              "type": "bool",
              "title": "Preserve original event",
              "description": "Preserves a raw copy of the original event, added to the field `event.original`",
              "multi": false,
              "required": true,
              "show_user": true,
              "default": false
            },
            {
              "name": "backlog_limit",
              "type": "text",
              "title": "Backlog limit",
              "description": "This controls the maximum number of audit messages that will be buffered by the kernel.",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 8192
            },
            {
              "name": "rate_limit",
              "type": "text",
              "title": "Rate limit",
              "description": "This sets a rate limit on the number of messages/sec\ndelivered by the kernel. The default is `0`, which disables rate limiting.\nChanging this value to anything other than zero can cause messages to be lost.\nThe preferred approach to reduce the messaging rate is to be more selective in the\naudit ruleset.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": 0
            },
            {
              "name": "include_warnings",
              "type": "bool",
              "title": "Include warnings",
              "description": "Causes any issues that were encountered while parsing the raw\nmessages to be included as warnings. The messages are written to the `error.message` field.\nWhen this setting is enabled the raw messages will be included\nin the event regardless of the `Preserve original event` config setting. This\nsetting is primarily used for debugging purposes.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": false
            },
            {
              "name": "backpressure_strategy",
              "type": "text",
              "title": "Backpressure strategy",
              "description": "Specifies the strategy used to\nprevent backpressure from propagating to the kernel and impacting audited\nprocesses.\n\nThe possible values are:\n\n* `auto`: uses the `kernel` strategy, if supported, or\nfalls back to the `userspace` strategy.\n* `kernel`: sets the `backlog_wait_time` in the kernel's\naudit framework to 0. This causes events to be discarded in the kernel if\nthe audit backlog queue fills to capacity. Requires a 3.14 kernel or\nnewer.\n* `userspace`: drops events when there is backpressure\nfrom the publishing pipeline. If no `Rate limit` is set, sets a rate\nlimit of `5000`. Users should test their setup and adjust the `Rate limit`\noption accordingly.\n* `both`: uses the `kernel` and `userspace` strategies at the same\ntime.\n* `none`: No backpressure mitigation measures are enabled.\n",
              "multi": false,
              "required": true,
              "show_user": false,
              "default": "auto"
            },
            {
              "name": "tags",
              "type": "text",
              "title": "Tags",
              "multi": true,
              "required": true,
              "show_user": false,
              "default": [
                "auditd_manager-auditd"
              ]
            },
            {
              "name": "processors",
              "type": "yaml",
              "title": "Processors",
              "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata.\nThis executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n",
              "multi": false,
              "required": false,
              "show_user": false
            },
            {
              "name": "session_data_processors",
              "type": "yaml",
              "title": "Session data processors",
              "description": "These processors will be appended to the processors configuration if Session Data is enabled.\n",
              "multi": false,
              "required": false,
              "show_user": false,
              "default": "  - add_session_metadata:\n     backend: \"auto\""
            }
          ],
          "template_path": "auditd.yml.hbs",
          "title": "Auditd events",
          "description": "Collect auditd events",
          "enabled": true
        }
      ],
      "package": "auditd_manager",
      "path": "auditd"
    }
  ],
  "agent": {
    "privileges": {
      "root": true
    }
  }
}
