[Auditbeat] Opt-in to detecting password changes #9461
Merged
cwurm merged 11 commits into elastic:feature-auditbeat-host from Dec 11, 2018
Contributor
Pinging @elastic/secops
andrewkroh
reviewed
Dec 10, 2018
Member
andrewkroh
left a comment
I took a quick look at this. Didn’t notice anything major.
If someone else has time to review that would be good too.
adriansr
approved these changes
Dec 11, 2018
Contributor
adriansr
left a comment
Two minor questions otherwise LGTM
tsg
approved these changes
Dec 11, 2018
Contributor
tsg
left a comment
Good from my side. Just a question mark on if this should be on or off by default
tsg
reviewed
Dec 11, 2018
x-pack/auditbeat/auditbeat.yml
Outdated
Contributor
If we want to do off in the code, but on in the config, this would be the place to change it.
added 11 commits
December 11, 2018 13:50
28dc51e to
6908ef7
cwurm
pushed a commit
to cwurm/beats
that referenced
this pull request
Dec 16, 2018
Introduces a `user.detect_password_changes` config parameter that defaults to true in the config, but false in the code. Only if it is set to true will the code read the password field in /etc/passwd and /etc/shadow to detect password changes. The read password field values are put through 10 rounds of SHA-512 hashing before being locally stored.
This introduces a `user.detect_password_changes` config parameter to the system module. Its default is `false`, and without it being explicitly turned on, the code will not read the `password` field in `/etc/passwd` nor `/etc/shadow` and so will not emit any `password_changed` events.

In addition, when detecting passwords is turned on, we will now do 10 rounds of SHA-512 hashing before storing a hash of the password field value.
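The opt-in gate and the hashed comparison described above, as an added Go sketch that is not the code from this pull request. The function names and the sample shadow lines are constructed for illustration, and feeding each digest into the next round is an assumption, since the page does not say how the 10 rounds are chained.

```go
package main

import (
	"crypto/sha512"
	"fmt"
	"strings"
)

// Constructed sample shadow entries, not real hashes.
const shadowBefore = "alice:$6$salt$AAAA:17876:0:99999:7:::\nbob:!:17876:0:99999:7:::"
const shadowAfter = "alice:$6$salt$BBBB:17877:0:99999:7:::\nbob:!:17876:0:99999:7:::"

// hashField applies 10 rounds of SHA-512. Chaining the digests is an assumption.
func hashField(field string) string {
	sum := sha512.Sum512([]byte(field))
	for i := 1; i < 10; i++ {
		sum = sha512.Sum512(sum[:])
	}
	return fmt.Sprintf("%x", sum)
}

// snapshot maps user -> stored hash; with detect off it returns before any read.
func snapshot(detect bool, shadow string) map[string]string {
	state := map[string]string{}
	if !detect {
		return state
	}
	for _, line := range strings.Split(shadow, "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) >= 2 && parts[0] != "" {
			state[parts[0]] = hashField(parts[1])
		}
	}
	return state
}

// changed lists users present in both snapshots whose stored hash differs.
func changed(prev, cur map[string]string) (users []string) {
	for name, h := range cur {
		if old, ok := prev[name]; ok && old != h {
			users = append(users, name)
		}
	}
	return users
}

func main() {
	fmt.Println(changed(snapshot(true, shadowBefore), snapshot(true, shadowAfter)))   // [alice]
	fmt.Println(changed(snapshot(false, shadowBefore), snapshot(false, shadowAfter))) // []
}
```

Only the derived hash is kept in the snapshot, so the comparison never needs the original field value after the first read.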