Auditbeat+Packetbeat的部署【Ansible自动化】
Ansible部署Roles.tasks文件【请根据实际情况修改完善】:
部署Auditbeat的tasks:
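# Role tasks: install Auditbeat 7.8.0 from Elastic's RPM, render its config and
# start the service. Adjust the Kibana / Elasticsearch endpoints in the `loop`
# below (or directly in the template) to the real addresses.
- name: Import Elastic's RPM signing key
  # Installing straight from a URL bypasses a repository's gpgcheck; with the
  # key imported, rpm/yum can at least verify the package signature.
  rpm_key:
    state: present
    key: https://artifacts.elastic.co/GPG-KEY-elasticsearch

- name: Install Auditbeat
  yum:
    name: https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.8.0-x86_64.rpm
    state: present

- name: Copy auditbeat.yml
  # Beats refuse to start when the config is writable by anyone other than the
  # owner, so set ownership and mode explicitly instead of relying on the umask.
  template:
    src: auditbeat.yml.j2
    dest: /etc/auditbeat/auditbeat.yml
    owner: root
    group: root
    mode: "0600"
  register: auditbeat_config

- name: Point Auditbeat at Kibana and Elasticsearch
  # lineinfile rewrites the *last* line matching the regexp, so each pattern
  # must match exactly one line of the rendered template (setup.kibana.host and
  # output.elasticsearch.hosts). Plain HTTP with no credentials is only
  # acceptable on an isolated management network.
  lineinfile:
    path: /etc/auditbeat/auditbeat.yml
    regexp: "{{ item.old }}"
    line: "{{ item.new }}"
  loop:
    - { old: ' host:', new: ' host: "http://192.168.169.88:5601/"' }
    - { old: ' hosts:', new: ' hosts: ["192.168.169.88:9200"]' }
  register: auditbeat_endpoints

- name: Check the rendered configuration
  # `test config` only parses and validates the file; it sends nothing.
  command: auditbeat test config
  changed_when: false

- name: Start Auditbeat
  systemd:
    name: auditbeat
    state: started
    enabled: true

- name: Restart Auditbeat when its configuration changed
  # The original only ensured "started", so a changed config was not picked up
  # until a reboot or a manual restart.
  systemd:
    name: auditbeat
    state: restarted
  when: auditbeat_config is changed or auditbeat_endpoints is changed

# --- Template for Auditbeat (auditbeat.yml.j2) follows ---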
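## compatible with auditbeat 7.x
## Rendered to /etc/auditbeat/auditbeat.yml. Auditbeat runs as root (it reads
## /etc/shadow and the kernel audit socket), so keep this file root-owned, 0600.
auditbeat.modules:
  # NOTE: enabled: false means none of the audit rules below are loaded.
  # Before enabling, be aware that Auditbeat and a running auditd service
  # compete for the kernel audit socket unless `socket_type: multicast` is set.
  - module: auditd
    enabled: false
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    audit_rules: |
      ## If you are on a 64 bit platform, everything should be running
      ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
      ## because this might be a sign of someone exploiting a hole in the 32
      ## bit API.
      -a always,exit -F arch=b32 -S all -F key=32bit-abi

      ## Executions.
      #-a always,exit -F arch=b64 -S execve,execveat -k exec

      ## External access (warning: these can be expensive to audit).
      #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

      ## Identity changes. /etc/shadow holds the password hashes and was
      ## missing from the original list.
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      -w /etc/shadow -p wa -k identity

      ## Execution out of /tmp. The original used `-p a`, which only records
      ## attribute changes; `x` records execve() of files under the watched
      ## directory, which is what the key name describes. The key keeps its
      ## original spelling so existing saved searches still match.
      -w /tmp -p x -k tmp_file_excute

      ## Unauthorized access attempts.
      # -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
      # -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

  # Hashes every file under these trees and reports creates/updates/deletes.
  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
      - /home/coremail
    # region.cf (and its .bak) is excluded, presumably because the application
    # rewrites it routinely and it would otherwise drown the signal.
    exclude_files:
      - 'region\.cf(\.bak)?$'

  - module: system
    datasets:
      - host     # General host information, e.g. uptime, IPs
      - login    # User logins, logouts, and system boots.
      - package  # Installed, updated, and removed packages
      - process  # Started and stopped processes
      # - socket # Opened and closed sockets
      - user     # User information
    # How often datasets send state updates with the
    # current state of the system (e.g. all currently
    # running processes, all open sockets).
    state.period: 12h
    # Enabled by default. Auditbeat will read password fields in
    # /etc/passwd and /etc/shadow and store a hash locally to
    # detect any changes.
    user.detect_password_changes: true
    # File patterns of the login record files.
    login.wtmp_file_pattern: /var/log/wtmp*
    login.btmp_file_pattern: /var/log/btmp*

# Template
setup.template.name: "auditbeat"
setup.template.pattern: "auditbeat-*"
setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false
# Daily indices are requested via output.elasticsearch.index below. In 7.x that
# setting, and the custom template name/pattern above, are ignored while ILM is
# enabled (the default on clusters that support it); disable ILM so the config
# does what it says.
setup.ilm.enabled: false

# Kibana
setup.kibana:
  host: "http://192.168.169.88:5601/"
  #space.id:

# Elasticsearch Output
output.elasticsearch:
  hosts: ["192.168.169.88:9200"]
  index: "auditbeat-%{+YYYY.MM.dd}"
  # Plain HTTP with no credentials: audit data crosses the wire in clear and,
  # without security enabled on the cluster, anything that can reach :9200 can
  # read, write or delete it. Enable TLS + auth on the cluster and set these,
  # keeping the password in the keystore (`auditbeat keystore add ES_PWD`).
  #protocol: "https"
  #ssl.certificate_authorities: ["/etc/auditbeat/ca.crt"]
  #username: "<elasticsearch-user>"
  #password: "${ES_PWD}"

# Configure processors to enhance or manipulate events generated by the beat.
processors:
  - add_host_metadata: ~
  # Probes the cloud metadata endpoints at startup; on bare metal it only
  # times out and can be dropped.
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Logging
logging.level: info
logging.to_files: true
logging.to_syslog: false
logging.files:
  path: /var/log/auditbeat
  name: auditbeat.log
  keepfiles: 7

## X-Pack Monitoring
monitoring.enabled: true
#monitoring.cluster_uuid:
# Left empty on purpose: with no hosts given here, monitoring data goes to the
# cluster configured in output.elasticsearch (per the Beats sample config;
# verify once monitoring shows up in Kibana).
monitoring.elasticsearch:

# --- Tasks for Packetbeat follow ---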
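# Role tasks: install Packetbeat 7.8.0 from Elastic's RPM, render its config and
# start the service. Adjust the Kibana / Elasticsearch endpoints in the `loop`
# below (or directly in the template) to the real addresses.
- name: Import Elastic's RPM signing key
  # Installing straight from a URL bypasses a repository's gpgcheck; with the
  # key imported, rpm/yum can at least verify the package signature.
  rpm_key:
    state: present
    key: https://artifacts.elastic.co/GPG-KEY-elasticsearch

- name: Install Packetbeat
  yum:
    name: https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.8.0-x86_64.rpm
    state: present

- name: Copy packetbeat.yml
  # Beats refuse to start when the config is writable by anyone other than the
  # owner, so set ownership and mode explicitly instead of relying on the umask.
  template:
    src: packetbeat.yml.j2
    dest: /etc/packetbeat/packetbeat.yml
    owner: root
    group: root
    mode: "0600"
  register: packetbeat_config

- name: Point Packetbeat at Kibana and Elasticsearch
  # lineinfile rewrites the *last* line matching the regexp, so each pattern
  # must match exactly one line of the rendered template (setup.kibana.host and
  # output.elasticsearch.hosts). Plain HTTP with no credentials is only
  # acceptable on an isolated management network.
  lineinfile:
    path: /etc/packetbeat/packetbeat.yml
    regexp: "{{ item.old }}"
    line: "{{ item.new }}"
  loop:
    - { old: ' host:', new: ' host: "http://192.168.169.88:5601"' }
    - { old: ' hosts:', new: ' hosts: ["192.168.169.88:9200"]' }
  register: packetbeat_endpoints

- name: Check the rendered configuration
  # `test config` only parses and validates the file; it sends nothing.
  command: packetbeat test config
  changed_when: false

- name: Start Packetbeat
  systemd:
    name: packetbeat
    state: started
    enabled: true

- name: Restart Packetbeat when its configuration changed
  # The original only ensured "started", so a changed config was not picked up
  # until a reboot or a manual restart.
  systemd:
    name: packetbeat
    state: restarted
  when: packetbeat_config is changed or packetbeat_endpoints is changed

# --- Template for Packetbeat (packetbeat.yml.j2) follows ---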
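## compatible with packetbeat 7.x
## Rendered to /etc/packetbeat/packetbeat.yml. Packetbeat sniffs raw traffic
## (root / CAP_NET_RAW) and ships decoded payloads to Elasticsearch, so the
## cluster ends up holding, in clear, everything that crosses the ports below.
packetbeat.interfaces.device: any
# Correlate flows with the local process that owns the socket.
packetbeat.procs.enabled: true
packetbeat.flows:
  enabled: true
  timeout: 30s
  period: 10s

packetbeat.protocols:
  - type: icmp
    enabled: false

  - type: dns
    ports: [53]
    # Lookups against the two public resolvers are dropped as noise; queries to
    # any other resolver are kept, which is a useful signal on its own.
    processors:
      - drop_event:
          when:
            network:
              destination.ip: ['114.114.114.114/32', '223.5.5.5/32']

  - type: http
    ports: [80, 8080, 8000, 5000, 8002]
    # hide_keywords censors only *parameter* values (query string / urlencoded
    # form body) whose name matches exactly, case-sensitively; it does nothing
    # for headers, and JSON bodies appear not to be covered either.
    hide_keywords: ["mailCipherPassword", "password", "repass", "current_password", "old_password", "oldpass", "encryptPassword", "savePassword", "newpass", "newpass2", "pass", "newPassword", "oldPassword"]
    # With send_all_headers/send_request/send_response on, full requests and
    # responses are indexed. Session and auth material travels in headers, so
    # strip the ones that carry it before the event leaves the host.
    redact_headers: ["Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie"]
    send_all_headers: true
    send_request: true
    send_response: true
    # Name of the header to take the client IP from. The original value `true`
    # is a boolean, not a header name, so it could never match anything. Only
    # rely on this when every request arrives through a proxy that overwrites
    # the header; otherwise a client can spoof the IP recorded in the event.
    # Adjust to whatever your proxy actually sets (X-Real-IP, ...).
    real_ip_header: "X-Forwarded-For"

  - type: mysql
    # Query text is captured in clear; restrict access to the ES data accordingly.
    ports: [3306, 3307, 3308]

  - type: tls
    ports:
      - 443  # HTTPS
      - 8443

## Template
setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

## Kibana
setup.kibana:
  host: "http://192.168.169.88:5601"
  #space.id:

## Elasticsearch
output.elasticsearch:
  hosts: ["192.168.169.88:9200"]
  # Decoded HTTP/MySQL payloads are shipped over plain HTTP with no credentials.
  # Enable TLS + auth on the cluster and set these, keeping the password in the
  # keystore (`packetbeat keystore add ES_PWD`) rather than in this file.
  #protocol: "https"
  #ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
  #username: "<elasticsearch-user>"
  #password: "${ES_PWD}"

## Processors
processors:
  - add_host_metadata: ~
  # Probes the cloud metadata endpoints at startup; on bare metal it only
  # times out and can be dropped.
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

## Logging
logging.level: info
logging.to_files: true
logging.to_syslog: false
logging.files:
  path: /var/log/packetbeat
  name: packetbeat.log
  keepfiles: 7

## X-Pack Monitoring
monitoring.enabled: false
#monitoring.cluster_uuid:
# Left empty: if monitoring is enabled, data goes to the cluster configured in
# output.elasticsearch unless hosts are given here.
monitoring.elasticsearch:

# --- Manual deployment walkthrough follows ---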
Auditbeat安装部署
yum install -y https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.8.0-x86_64.rpm
vim /etc/auditbeat/auditbeat.yml
修改配置文件【请勿直接copy,请根据实际环境灵活修改】:
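## compatible with auditbeat 7.x
## Lives at /etc/auditbeat/auditbeat.yml. Auditbeat runs as root (it reads
## /etc/shadow and the kernel audit socket), so keep this file root-owned, 0600.
auditbeat.modules:
  # NOTE: enabled: false means none of the audit rules below are loaded.
  # Before enabling, be aware that Auditbeat and a running auditd service
  # compete for the kernel audit socket unless `socket_type: multicast` is set.
  - module: auditd
    enabled: false
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    audit_rules: |
      ## If you are on a 64 bit platform, everything should be running
      ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
      ## because this might be a sign of someone exploiting a hole in the 32
      ## bit API.
      -a always,exit -F arch=b32 -S all -F key=32bit-abi

      ## Executions.
      #-a always,exit -F arch=b64 -S execve,execveat -k exec

      ## External access (warning: these can be expensive to audit).
      #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

      ## Identity changes. /etc/shadow holds the password hashes and was
      ## missing from the original list.
      -w /etc/group -p wa -k identity
      -w /etc/passwd -p wa -k identity
      -w /etc/gshadow -p wa -k identity
      -w /etc/shadow -p wa -k identity

      ## Execution out of /tmp. The original used `-p a`, which only records
      ## attribute changes; `x` records execve() of files under the watched
      ## directory, which is what the key name describes. The key keeps its
      ## original spelling so existing saved searches still match.
      -w /tmp -p x -k tmp_file_excute

      ## Unauthorized access attempts.
      # -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
      # -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

  # Hashes every file under these trees and reports creates/updates/deletes.
  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
      - /home/coremail
    # region.cf (and its .bak) is excluded, presumably because the application
    # rewrites it routinely and it would otherwise drown the signal.
    exclude_files:
      - 'region\.cf(\.bak)?$'

  - module: system
    datasets:
      - host     # General host information, e.g. uptime, IPs
      - login    # User logins, logouts, and system boots.
      - package  # Installed, updated, and removed packages
      - process  # Started and stopped processes
      # - socket # Opened and closed sockets
      - user     # User information
    # How often datasets send state updates with the
    # current state of the system (e.g. all currently
    # running processes, all open sockets).
    state.period: 12h
    # Enabled by default. Auditbeat will read password fields in
    # /etc/passwd and /etc/shadow and store a hash locally to
    # detect any changes.
    user.detect_password_changes: true
    # File patterns of the login record files.
    login.wtmp_file_pattern: /var/log/wtmp*
    login.btmp_file_pattern: /var/log/btmp*

# Template
setup.template.name: "auditbeat"
setup.template.pattern: "auditbeat-*"
setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false
# Daily indices are requested via output.elasticsearch.index below. In 7.x that
# setting, and the custom template name/pattern above, are ignored while ILM is
# enabled (the default on clusters that support it); disable ILM so the config
# does what it says.
setup.ilm.enabled: false

# Kibana
setup.kibana:
  host: "http://192.168.169.88:5601/"
  #space.id:

# Elasticsearch Output
output.elasticsearch:
  hosts: ["192.168.169.88:9200"]
  index: "auditbeat-%{+YYYY.MM.dd}"
  # Plain HTTP with no credentials: audit data crosses the wire in clear and,
  # without security enabled on the cluster, anything that can reach :9200 can
  # read, write or delete it. Enable TLS + auth on the cluster and set these,
  # keeping the password in the keystore (`auditbeat keystore add ES_PWD`).
  #protocol: "https"
  #ssl.certificate_authorities: ["/etc/auditbeat/ca.crt"]
  #username: "<elasticsearch-user>"
  #password: "${ES_PWD}"

# Configure processors to enhance or manipulate events generated by the beat.
processors:
  - add_host_metadata: ~
  # Probes the cloud metadata endpoints at startup; on bare metal it only
  # times out and can be dropped.
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Logging
logging.level: info
logging.to_files: true
logging.to_syslog: false
logging.files:
  path: /var/log/auditbeat
  name: auditbeat.log
  keepfiles: 7

## X-Pack Monitoring
monitoring.enabled: true
#monitoring.cluster_uuid:
# Left empty on purpose: with no hosts given here, monitoring data goes to the
# cluster configured in output.elasticsearch (per the Beats sample config;
# verify once monitoring shows up in Kibana).
monitoring.elasticsearch:

# --- Start Auditbeat (commands follow) ---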
systemctl enable auditbeat && systemctl start auditbeatPacketbeat安装部署
yum install -y https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-7.8.0-x86_64.rpm
vim /etc/packetbeat/packetbeat.yml
修改配置文件【请勿直接copy,请根据实际环境灵活修改】:
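## compatible with packetbeat 7.x
## Lives at /etc/packetbeat/packetbeat.yml. Packetbeat sniffs raw traffic
## (root / CAP_NET_RAW) and ships decoded payloads to Elasticsearch, so the
## cluster ends up holding, in clear, everything that crosses the ports below.
packetbeat.interfaces.device: any
# Correlate flows with the local process that owns the socket.
packetbeat.procs.enabled: true
packetbeat.flows:
  enabled: true
  timeout: 30s
  period: 10s

packetbeat.protocols:
  - type: icmp
    enabled: false

  - type: dns
    ports: [53]
    # Lookups against the two public resolvers are dropped as noise; queries to
    # any other resolver are kept, which is a useful signal on its own.
    processors:
      - drop_event:
          when:
            network:
              destination.ip: ['114.114.114.114/32', '223.5.5.5/32']

  - type: http
    ports: [80, 8080, 8000, 5000, 8002]
    # hide_keywords censors only *parameter* values (query string / urlencoded
    # form body) whose name matches exactly, case-sensitively; it does nothing
    # for headers, and JSON bodies appear not to be covered either.
    hide_keywords: ["mailCipherPassword", "password", "repass", "current_password", "old_password", "oldpass", "encryptPassword", "savePassword", "newpass", "newpass2", "pass", "newPassword", "oldPassword"]
    # With send_all_headers/send_request/send_response on, full requests and
    # responses are indexed. Session and auth material travels in headers, so
    # strip the ones that carry it before the event leaves the host.
    redact_headers: ["Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie"]
    send_all_headers: true
    send_request: true
    send_response: true
    # Name of the header to take the client IP from. The original value `true`
    # is a boolean, not a header name, so it could never match anything. Only
    # rely on this when every request arrives through a proxy that overwrites
    # the header; otherwise a client can spoof the IP recorded in the event.
    # Adjust to whatever your proxy actually sets (X-Real-IP, ...).
    real_ip_header: "X-Forwarded-For"

  - type: mysql
    # Query text is captured in clear; restrict access to the ES data accordingly.
    ports: [3306, 3307, 3308]

  - type: tls
    ports:
      - 443  # HTTPS
      - 8443

## Template
setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

## Kibana
setup.kibana:
  host: "http://192.168.169.88:5601"
  #space.id:

## Elasticsearch
output.elasticsearch:
  hosts: ["192.168.169.88:9200"]
  # Decoded HTTP/MySQL payloads are shipped over plain HTTP with no credentials.
  # Enable TLS + auth on the cluster and set these, keeping the password in the
  # keystore (`packetbeat keystore add ES_PWD`) rather than in this file.
  #protocol: "https"
  #ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
  #username: "<elasticsearch-user>"
  #password: "${ES_PWD}"

## Processors
processors:
  - add_host_metadata: ~
  # Probes the cloud metadata endpoints at startup; on bare metal it only
  # times out and can be dropped.
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

## Logging
logging.level: info
logging.to_files: true
logging.to_syslog: false
logging.files:
  path: /var/log/packetbeat
  name: packetbeat.log
  keepfiles: 7

## X-Pack Monitoring
monitoring.enabled: false
#monitoring.cluster_uuid:
# Left empty: if monitoring is enabled, data goes to the cluster configured in
# output.elasticsearch unless hosts are given here.
monitoring.elasticsearch:

# --- Start Packetbeat (commands follow) ---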
systemctl enable packetbeat && systemctl start packetbeat 