SoFunction
Updated on 2025-03-09

A brief analysis of the problem of using Auditbeat module to monitor shell commands

Monitor shell commands using the Auditbeat module
The Auditbeat Auditd module can be used to monitor shell commands executed by all users on the system. This is usually required on servers where end users only log in occasionally.
This example was deployed on CentOS Linux 7.6 using the Auditbeat 7.4.2 RPM package and Elasticsearch Service (ESS) [/products/elasticsearch/service] 7.4.2.

The same approach and configuration steps also apply if you send the data to a self-hosted Elasticsearch cluster instead of an Elasticsearch Service (ESS) cluster.

Disable Auditd

The system daemon auditd interferes with the normal operation of the Auditbeat Auditd module, so it must be disabled.

# Stop auditd:
service auditd stop
# Disable the service:
systemctl disable auditd

If you must keep the auditd process running while using the Auditbeat Auditd module, consider setting the socket_type: multicast parameter, which requires kernel version 3.16 or higher. The default value is unicast. For more information on this parameter, see the Configuration Options section of the documentation [/guide/en/beats/auditbeat/master/#_configuration_options_14].

Configure Auditbeat

The Auditbeat daemon sends event data to an Elasticsearch Service (ESS) cluster. For more details, see the Configuration section of the Auditbeat documentation [/guide/en/beats/auditbeat/master/].
To get a working example, you must configure the Auditbeat parameters shown below; see this document [/guide/en/beats/auditbeat/master/] for details.
Edit /etc/auditbeat/:

: <your_cloud_id>
: ingest_user:password

If you are sending data to an Elasticsearch cluster (such as a local instance), see this document: [/guide/en/beats/auditbeat/master/].

Auditbeat module rules

The Auditd module subscribes to the kernel to receive system events. Rules define which events are captured and use the same format as the Linux auditctl tool; see this document for details: [/man/8/auditctl].

# cat /etc/auditbeat//
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b32 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k user_acct
-a exit,always -F arch=b32 -F euid>=1000 -S execve -k user_acct
  • euid is the effective user ID. 0 is root, so these rules capture all activity of the root user and of users with uid >= 1000.
  • -k assigns an arbitrary "key" to the event, which Auditbeat surfaces in the tags field. It can be used in Kibana to filter and classify events.
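To see what those rule lines actually say, and to check a rule set before loading it, the following added example (not part of the original article or of Auditbeat) parses auditctl-style rules into structured form. It uses the article's four sample rules as input, checks that every key covers both the b64 and b32 syscall ABIs (a 64-bit-only execve rule misses 32-bit binaries), and evaluates the euid filters for a given effective uid, which makes visible that these rules ignore uids 1 through 999, i.e. typical service accounts. The INCOMPLETE_RULES constant is constructed for illustration only.

```python
"""Parse and sanity-check auditctl-style rules of the kind Auditbeat's auditd module loads."""
import operator
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Rule lines taken from the article's sample rule file.
SAMPLE_RULES = """\
-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b32 -F euid=0 -S execve -k root_acct
-a exit,always -F arch=b64 -F euid>=1000 -S execve -k user_acct
-a exit,always -F arch=b32 -F euid>=1000 -S execve -k user_acct
"""

# Constructed for illustration: a rule set that forgot the 32-bit ABI.
INCOMPLETE_RULES = "-a exit,always -F arch=b64 -F euid=0 -S execve -k root_acct\n"

# -F filters look like field<op>value; ">=" must be tried before ">".
FILTER_RE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)(?P<op>>=|<=|!=|=|>|<)(?P<value>.*)$")

_OPS = {"=": operator.eq, "!=": operator.ne, ">=": operator.ge,
        "<=": operator.le, ">": operator.gt, "<": operator.lt}


@dataclass
class AuditRule:
    action: str                          # "always" or "never"
    list_name: str                       # "exit", "entry", "task", "user" or "exclude"
    filters: List[Tuple[str, str, str]]  # (field, operator, value), e.g. ("euid", ">=", "1000")
    syscalls: List[str]                  # names given after -S
    key: Optional[str]                   # -k value; Auditbeat puts it in the tags field


def parse_rule(line: str) -> AuditRule:
    """Parse one '-a ... -F ... -S ... -k ...' rule line."""
    action = list_name = key = None
    filters: List[Tuple[str, str, str]] = []
    syscalls: List[str] = []
    tokens = iter(line.split())
    for opt in tokens:
        if opt == "-a":
            a, b = next(tokens).split(",")
            # auditctl accepts both "exit,always" and "always,exit".
            action, list_name = (a, b) if a in ("always", "never") else (b, a)
        elif opt == "-F":
            m = FILTER_RE.match(next(tokens))
            if not m:
                raise ValueError(f"bad filter in rule: {line}")
            filters.append((m["name"], m["op"], m["value"]))
        elif opt == "-S":
            syscalls.extend(next(tokens).split(","))
        elif opt == "-k":
            key = next(tokens)
        else:
            raise ValueError(f"unsupported option {opt!r} in rule: {line}")
    if action is None or list_name is None:
        raise ValueError(f"rule has no -a list,action: {line}")
    return AuditRule(action, list_name, filters, syscalls, key)


def parse_rules(text: str) -> List[AuditRule]:
    """Parse a rules file, skipping blank lines and comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def filter_value(rule: AuditRule, name: str) -> Optional[Tuple[str, str]]:
    """Return (operator, value) of the first -F filter on `name`, or None."""
    for field, op, value in rule.filters:
        if field == name:
            return op, value
    return None


def missing_arch(rules: List[AuditRule]) -> List[str]:
    """Keys whose syscall rules do not cover both the b64 and b32 ABIs."""
    seen: Dict[str, Set[str]] = {}
    for r in rules:
        arch = filter_value(r, "arch")
        if r.key is not None and arch is not None:
            seen.setdefault(r.key, set()).add(arch[1])
    return sorted(k for k, archs in seen.items() if archs != {"b64", "b32"})


def matches_euid(rule: AuditRule, euid: int) -> bool:
    """Evaluate the rule's euid filter against a numeric effective uid."""
    f = filter_value(rule, "euid")
    if f is None:
        return True  # no euid constraint on this rule
    op, value = f
    return _OPS[op](euid, int(value))


def keys_for_euid(rules: List[AuditRule], euid: int) -> List[str]:
    """Which keys (tags) would fire for a process running with this euid."""
    return sorted({r.key for r in rules if r.key and matches_euid(r, euid)})


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("arch gaps:", missing_arch(rules) or "none")
    for uid in (0, 500, 1000):
        print(f"euid {uid} -> tags {keys_for_euid(rules, uid) or 'none'}")
    print("arch gaps in incomplete set:", missing_arch(parse_rules(INCOMPLETE_RULES)))
```

Running it shows that euid 0 maps to root_acct, euid 1000 to user_acct and euid 500 to nothing at all; if service accounts on your hosts run in that range and you want their execve activity, add a rule for them rather than relying on the two shown.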

Auditbeat Setting Command

Run Auditbeat setup to load the index template, the ingest node pipelines, the index lifecycle policy, and the Kibana dashboards:
auditbeat -e setup
If you do not use ESS, please refer to this document [/guide/en/beats/auditbeat/current/] to set up your Kibana endpoint.

Get started

systemctl start auditbeat

# List the enabled rules:
auditbeat show auditd-rules
-a never,exit -S all -F pid=23617
-a always,exit -F arch=b64 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b32 -S execve -F euid=root -F key=root_acct
-a always,exit -F arch=b64 -S execve -F euid>=vagrant -F key=user_acct
-a always,exit -F arch=b32 -S execve -F euid>=vagrant -F key=user_acct

Monitor data

These events appear in Kibana when a user executes shell commands such as whoami, ls and lsblk.

  • Kibana will display the selected fields , , and tags.
  • The fields filtered are: root and: execve.
  • Refresh data once a second.
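The Kibana view described above (events from user root with syscall execve, shown with the user, tags and command) can be reproduced outside Kibana over the raw Auditbeat output. The following is an added example, not part of the original article or of Auditbeat. The field names it reads (user.name, auditd.data.syscall, process.args, process.executable, tags) are the ECS field names the Auditbeat auditd module uses for execve events to the best of my knowledge; the article does not list them. The events are constructed to look like Auditbeat JSON output, not captured from a real system, and the fourth event (a connect syscall) is included only to show that the syscall filter matters.

```python
"""Filter Auditbeat auditd events for execve by a given user and print the command lines."""
import json
import shlex
from collections import Counter
from typing import Any, Dict, List, Optional

# Constructed sample: one JSON document per line, shaped like Auditbeat's output.
SAMPLE_EVENTS = """\
{"@timestamp":"2019-11-22T23:43:10.000Z","event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve","tty":"pts0"},"result":"success"},"user":{"name":"root"},"process":{"pid":4242,"executable":"/usr/bin/whoami","args":["whoami"]},"tags":["root_acct"]}
{"@timestamp":"2019-11-22T23:43:12.000Z","event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve","tty":"pts1"},"result":"success"},"user":{"name":"vagrant"},"process":{"pid":4243,"executable":"/usr/bin/ls","args":["ls","-la","/tmp"]},"tags":["user_acct"]}
{"@timestamp":"2019-11-22T23:43:15.000Z","event":{"module":"auditd","action":"executed"},"auditd":{"data":{"syscall":"execve","tty":"pts0"},"result":"success"},"user":{"name":"root"},"process":{"pid":4244,"executable":"/usr/bin/lsblk","args":["lsblk"]},"tags":["root_acct"]}
{"@timestamp":"2019-11-22T23:43:16.000Z","event":{"module":"auditd","action":"connected-to"},"auditd":{"data":{"syscall":"connect"},"result":"success"},"user":{"name":"root"},"process":{"pid":4245,"executable":"/usr/bin/curl","args":["curl","http://example.invalid/"]},"tags":["net"]}
"""


def field(doc: Dict[str, Any], path: str) -> Any:
    """Return a nested value by dotted ECS path, or None if any step is missing."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_events(ndjson: str) -> List[Dict[str, Any]]:
    """Load newline-delimited JSON as emitted by Auditbeat's file or console output."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def exec_events(events: List[Dict[str, Any]], user: Optional[str] = None) -> List[Dict[str, Any]]:
    """Keep only execve events, optionally restricted to one user.name (the article filters on root)."""
    out = []
    for ev in events:
        if field(ev, "auditd.data.syscall") != "execve":
            continue
        if user is not None and field(ev, "user.name") != user:
            continue
        out.append(ev)
    return out


def command_line(ev: Dict[str, Any]) -> str:
    """Rebuild the command line from process.args; fall back to the executable path."""
    args = field(ev, "process.args") or []
    if args:
        return shlex.join(args)
    return field(ev, "process.executable") or "<unknown>"


def summarize(events: List[Dict[str, Any]], user: Optional[str] = None) -> List[str]:
    """One line per execve event: timestamp, user, tags (from -k), command."""
    rows = []
    for ev in exec_events(events, user):
        tags = ",".join(field(ev, "tags") or [])
        rows.append(f'{field(ev, "@timestamp")} {field(ev, "user.name")} [{tags}] {command_line(ev)}')
    return rows


def count_by_tag(events: List[Dict[str, Any]]) -> Dict[str, int]:
    """How many execve events each rule key produced; a quick check that both rules fire."""
    counts: Counter = Counter()
    for ev in exec_events(events):
        for tag in field(ev, "tags") or []:
            counts[tag] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for row in summarize(evs, user="root"):
        print(row)
    print(count_by_tag(evs))
```

Only the two root execve events survive the filter; the vagrant command is dropped by the user filter and the connect event by the syscall filter, which is exactly what the two Kibana filters described above do.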

TTY Audit

The Auditbeat Auditd module can also receive TTY events as they occur on the system. TTY auditing is enabled in the system-auth PAM configuration file. Only the root user's TTY events are recorded in real time; events from other users are usually buffered until the session exits. TTY auditing captures shell built-in commands such as pwd and test that never go through execve.
Append the following line to /etc//system-auth to enable TTY auditing for all users. For more information about pam_tty_audit, see this document: [/man/8/pam_tty_audit].
session required pam_tty_audit.so enable=*

Test

$ sudo su -
Last login: Fri Nov 22 23:43:00 UTC 2019 on pts/0
$ helllloooo there!
-bash: helllloooo: command not found
$ exit

Kibana Discover

Further thoughts

What else can Auditbeat do:

  • Send an event when a file on disk is changed (created, updated, or deleted) with the file_integrity module; for details, see this document: [/guide/en/beats/auditbeat/current/auditbeat-module-file_integrity.html].
  • Send metrics about the system with the system module. For details, see this document: [/guide/en/beats/auditbeat/current/]. The same page links to the rest of the Auditbeat documentation: [/guide/en/beats/auditbeat/current/].

Article reprinted from: /s/_-rtOq0KrzbatEVm2Yhsag
