Elasticsearch
Auditbeat 排除 /usr/sbin/cron
我將嘗試從執行的 cron 作業中排除事件,該作業可以通過 KQL 請求找到:auditd.summary.how :"/usr/sbin/cron"
我的主機沒有執行 SE Linux,所以我發現的規則(如下所示)不起作用:
-a never,user -F subj_type=crond_t -a exit,never -F subj_type=crond_t我會試試這個:
-a never,user -F exe=/usr/sbin/cron也不工作。
感謝幫助。
因此,經過更多搜尋後,我會發現它可以正常工作:
- module: auditd # Load audit rules from separate files. Same format as audit.rules(7). audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ] audit_rules: | ## Define audit rules here. ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these ## examples or add your own rules. ## If you are on a 64 bit platform, everything should be running ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls ## because this might be a sign of someone exploiting a hole in the 32 ## bit API. #-a always,exit -F arch=b32 -S all -F key=32bit-abi ## Executions. #-a always,exit -F arch=b64 -S execve,execveat -k exec ## External access (warning: these can be expensive to audit). #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access ## Identity changes. -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity ## Unauthorized access attempts. -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access processors: - drop_event: when: equals: process.executable: "/usr/sbin/cron"有趣的部分是:
processors: - drop_event: when: equals: process.executable: "/usr/sbin/cron"當它由程序“/usr/sbin/cron”執行時,我會要求 auditbeat 刪除該事件