[auditd_manager] New auditd manager package

.github/CODEOWNERS

@@ -15,6 +15,7 @@
 /packages/atlassian_confluence @elastic/security-external-integrations
 /packages/atlassian_jira @elastic/security-external-integrations
 /packages/auditd @elastic/security-external-integrations
+/packages/auditd_manager @elastic/security-external-integrations
 /packages/auth0 @elastic/security-external-integrations
 /packages/aws_logs @elastic/obs-cloud-monitoring
 /packages/aws @elastic/obs-cloud-monitoring

packages/auditd/_dev/build/docs/README.md

@@ -1,18 +1,14 @@
-# Auditd Integration
+# Auditd Logs Integration
 
-The Auditd integration collects and parses logs from the audit daemon (`auditd`).
+The Auditd Logs integration collects and parses logs from the audit daemon (`auditd`).
 
 ## Compatibility
 
 The integration was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7.
 
 This integration is not available for Windows.
 
-## Logs
-
-### Auditd log
-
-This is the Auditd `log` dataset.
+## Auditd Logs
 
 {{event "log"}}
 

packages/auditd/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.1.0"
+  changes:
+    - description: Change title to Auditd Logs
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2763
 - version: "3.0.0"
   changes:
     - description: Migrate map visualisation from tile_map to map object

packages/auditd/docs/README.md

@@ -1,18 +1,14 @@
-# Auditd Integration
+# Auditd Logs Integration
 
-The Auditd integration collects and parses logs from the audit daemon (`auditd`).
+The Auditd Logs integration collects and parses logs from the audit daemon (`auditd`).
 
 ## Compatibility
 
 The integration was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7.
 
 This integration is not available for Windows.
 
-## Logs
-
-### Auditd log
-
-This is the Auditd `log` dataset.
+## Auditd Logs
 
 An example event for `log` looks as following:
 

packages/auditd/manifest.yml

@@ -1,6 +1,6 @@
 name: auditd
-title: Auditd
-version: 3.0.0
+title: Auditd Logs
+version: 3.1.0
 release: ga
 description: Collect logs from Linux audit daemon with Elastic Agent.
 type: integration

packages/auditd_manager/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.2

packages/auditd_manager/_dev/build/docs/README.md

@@ -0,0 +1,112 @@
+# Auditd Manager Integration
+
+The Auditd Manager Integration receives audit events from the Linux Audit Framework that
+is a part of the Linux kernel.
+
+This integration is available only for Linux.
+
+## How it works
+
+This integration establishes a subscription to the kernel to receive the events
+as they occur.
+
+The Linux Audit Framework can send multiple messages for a single auditable
+event. For example, a `rename` syscall causes the kernel to send eight separate
+messages. Each message describes a different aspect of the activity that is
+occurring (the syscall itself, file paths, current working directory, process
+title). This integration will combine all of the data from each of the messages
+into a single event.
+
+Messages for one event can be interleaved with messages from another event. This
+module will buffer the messages in order to combine related messages into a
+single event even if they arrive interleaved or out of order.
+
+## Useful commands
+
+When running this integration, you might find that other monitoring tools interfere with it.
+
+For example, you might encounter errors if another process, such as `auditd`, is
+registered to receive data from the Linux Audit Framework. You can use these
+commands to see if the `auditd` service is running and stop it:
+
+* See if `auditd` is running:
+
+```shell
+service auditd status
+```
+
+* Stop the `auditd` service:
+
+```shell
+service auditd stop
+```
+
+* Disable `auditd` from starting on boot:
+
+```shell
+chkconfig auditd off
+```
+
+To save CPU usage and disk space, you can use this command to stop `journald`
+from listening to audit messages:
+
+```shell
+systemctl mask systemd-journald-audit.socket
+```
+
+## Audit rules
+
+The audit rules are where you configure the activities that are audited. These
+rules are configured as either syscalls or files that should be monitored. For
+example you can track all `connect` syscalls or file system writes to
+`/etc/passwd`.
+
+Auditing a large number of syscalls can place a heavy load on the system so
+consider carefully the rules you define and try to apply filters in the rules
+themselves to be as selective as possible.
+
+The kernel evaluates the rules in the order in which they were defined so place
+the most active rules first in order to speed up evaluation.
+
+You can assign keys to each rule for better identification of the rule that
+triggered an event and easier filtering later in Elasticsearch.
+
+Defining any audit rules in the config causes `elastic-agent` to purge all
+existing audit rules prior to adding the rules specified in the config.
+Therefore it is unnecessary and unsupported to include a `-D` (delete all) rule.
+
+Examples:
+
+```sh
+## If you are on a 64 bit platform, everything should be running
+## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+## because this might be a sign of someone exploiting a hole in the 32
+## bit API.
+-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+## Executions.
+-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+## External access (warning: these can be expensive to audit).
+-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+## Unauthorized access attempts.
+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+# Things that affect identity.
+-w /etc/group -p wa -k identity
+-w /etc/passwd -p wa -k identity
+-w /etc/gshadow -p wa -k identity
+-w /etc/shadow -p wa -k identity
+
+# Unauthorized access attempts to files (unsuccessful).
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
+```
+
+{{event "auditd"}}
+
+{{fields "auditd"}}

packages/auditd_manager/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+  changes:
+    - description: Initial release
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2763

packages/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml

@@ -0,0 +1,8 @@
+version: "2.3"
+services:
+  docker-custom-agent:
+    pid: host
+    cap_add:
+      - AUDIT_CONTROL
+      - AUDIT_READ
+    user: root

packages/auditd_manager/data_stream/auditd/_dev/test/pipeline/auditlogin-events.json

@@ -0,0 +1,185 @@
+{
+    "events": [
+        {
+            "auditd": {
+                "data": {
+                    "old-ses": "4294967295",
+                    "tty": "(none)"
+                },
+                "message_type": "login",
+                "result": "success",
+                "sequence": 1414,
+                "session": "58",
+                "summary": {
+                    "actor": {
+                        "primary": "unset",
+                        "secondary": "root"
+                    },
+                    "object": {
+                        "primary": "1000",
+                        "type": "user-session"
+                    }
+                }
+            },
+            "event": {
+                "action": "changed-login-id-to",
+                "category": [
+                    "authentication"
+                ],
+                "kind": "event",
+                "original": [
+                    "type=LOGIN msg=audit(1611244872.857:1414): pid=27681 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=58 res=1"
+                ],
+                "outcome": "success",
+                "type": [
+                    "start"
+                ]
+            },
+            "process": {
+                "pid": 27681
+            },
+            "related": {
+                "user": [
+                    "vagrant"
+                ]
+            },
+            "service": {
+                "type": "auditd"
+            },
+            "user": {
+                "audit": {
+                    "id": "1000",
+                    "name": "vagrant"
+                },
+                "effective": {
+                    "id": "1000",
+                    "name": "vagrant"
+                }
+            }
+        },
+        {
+            "auditd": {
+                "data": {
+                    "old-ses": "58",
+                    "tty": "pts2"
+                },
+                "message_type": "login",
+                "result": "success",
+                "sequence": 1465,
+                "session": "59",
+                "summary": {
+                    "actor": {
+                        "primary": "vagrant",
+                        "secondary": "root"
+                    },
+                    "object": {
+                        "primary": "1001",
+                        "type": "user-session"
+                    }
+                }
+            },
+            "event": {
+                "action": "changed-login-id-to",
+                "category": [
+                    "authentication"
+                ],
+                "kind": "event",
+                "original": [
+                    "type=LOGIN msg=audit(1611244909.293:1465): pid=27768 uid=0 old-auid=1000 auid=1001 tty=pts2 old-ses=58 ses=59 res=1"
+                ],
+                "outcome": "success",
+                "type": [
+                    "start"
+                ]
+            },
+            "process": {
+                "pid": 27768
+            },
+            "related": {
+                "user": [
+                    "alice",
+                    "vagrant"
+                ]
+            },
+            "service": {
+                "type": "auditd"
+            },
+            "user": {
+                "audit": {
+                    "id": "1001",
+                    "name": "alice"
+                },
+                "effective": {
+                    "id": "1001",
+                    "name": "alice"
+                },
+                "id": "1000",
+                "name": "vagrant",
+                "old-auid": {
+                    "id": "1000",
+                    "name": "vagrant"
+                }
+            }
+        },
+        {
+            "auditd": {
+                "data": {
+                    "new_ses": "1172",
+                    "old_ses": "4294967295"
+                },
+                "message_type": "login",
+                "result": "unknown",
+                "sequence": 7734,
+                "session": "",
+                "summary": {
+                    "actor": {
+                        "primary": "4294967295",
+                        "secondary": "root"
+                    },
+                    "object": {
+                        "primary": "0",
+                        "type": "user-session"
+                    }
+                }
+            },
+            "event": {
+                "action": "changed-login-id-to",
+                "category": [
+                    "authentication"
+                ],
+                "kind": "event",
+                "original": [
+                    "type=LOGIN msg=audit(1234877011.799:7734): login pid=26125 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1172"
+                ],
+                "outcome": "unknown",
+                "type": [
+                    "start"
+                ]
+            },
+            "process": {
+                "pid": 26125
+            },
+            "related": {
+                "user": [
+                    "root"
+                ]
+            },
+            "service": {
+                "type": "auditd"
+            },
+            "user": {
+                "effective": {
+                    "id": "0",
+                    "name": "root"
+                },
+                "new_auid": {
+                    "id": "0",
+                    "name": "root"
+                },
+                "old_auid": {
+                    "id": "4294967295"
+                }
+            }
+        }
+    ]
+}