Add auditd example with Auditbeat in kubernetes manifests (#17431)

Add an example configuration of the auditd module in the Auditbeat
reference manifest, including the processors needed for enrichement of
events.

CHANGELOG.next.asciidoc

@@ -184,6 +184,7 @@ https:/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Auditbeat*
 
+- Reference kubernetes manifests include configuration for auditd and enrichment with kubernetes metadata. {pull}17431[17431]
 - Reference kubernetes manifests mount data directory from the host, so data persist between executions in the same node. {pull}17429[17429]
 - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443]
 - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]

deploy/kubernetes/auditbeat-kubernetes.yaml

@@ -31,6 +31,17 @@ data:
 
  processors:
  - add_cloud_metadata:
+ - add_process_metadata:
+ match_pids: ['process.pid']
+ include_fields: ['container.id']
+ - add_kubernetes_metadata:
+ host: ${NODE_NAME}
+ default_indexers.enabled: false
+ default_matchers.enabled: false
+ indexers:
+ - container:
+ matchers:
+ - fields.lookup_fields: ['container.id']
 
  cloud.id: ${ELASTIC_CLOUD_ID}
  cloud.auth: ${ELASTIC_CLOUD_AUTH}
@@ -65,6 +76,14 @@ data:
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: true
+ - module: auditd
+ audit_rules: |
+ # Executions
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+
+ # Unauthorized access attempts
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 ---
 # Deploy a auditbeat instance per node for node metrics retrieval
 apiVersion: apps/v1
@@ -86,6 +105,7 @@ spec:
  serviceAccountName: auditbeat
  terminationGracePeriodSeconds: 30
  hostNetwork: true
+ hostPID: true # Required by auditd module
  dnsPolicy: ClusterFirstWithHostNet
  containers:
  - name: auditbeat
@@ -113,6 +133,12 @@ spec:
  fieldPath: spec.nodeName
  securityContext:
  runAsUser: 0
+ capabilities:
+ add:
+ # Capabilities needed for auditd module
+ - 'AUDIT_READ'
+ - 'AUDIT_WRITE'
+ - 'AUDIT_CONTROL'
  resources:
  limits:
  memory: 200Mi

deploy/kubernetes/auditbeat/auditbeat-configmap.yaml

@@ -31,6 +31,17 @@ data:
 
  processors:
  - add_cloud_metadata:
+ - add_process_metadata:
+ match_pids: ['process.pid']
+ include_fields: ['container.id']
+ - add_kubernetes_metadata:
+ host: ${NODE_NAME}
+ default_indexers.enabled: false
+ default_matchers.enabled: false
+ indexers:
+ - container:
+ matchers:
+ - fields.lookup_fields: ['container.id']
 
  cloud.id: ${ELASTIC_CLOUD_ID}
  cloud.auth: ${ELASTIC_CLOUD_AUTH}
@@ -65,3 +76,11 @@ data:
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: true
+ - module: auditd
+ audit_rules: |
+ # Executions
+ -a always,exit -F arch=b64 -S execve,execveat -k exec
+
+ # Unauthorized access attempts
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+ -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

deploy/kubernetes/auditbeat/auditbeat-daemonset.yaml

@@ -18,6 +18,7 @@ spec:
  serviceAccountName: auditbeat
  terminationGracePeriodSeconds: 30
  hostNetwork: true
+ hostPID: true # Required by auditd module
  dnsPolicy: ClusterFirstWithHostNet
  containers:
  - name: auditbeat
@@ -45,6 +46,12 @@ spec:
  fieldPath: spec.nodeName
  securityContext:
  runAsUser: 0
+ capabilities:
+ add:
+ # Capabilities needed for auditd module
+ - 'AUDIT_READ'
+ - 'AUDIT_WRITE'
+ - 'AUDIT_CONTROL'
  resources:
  limits:
  memory: 200Mi