authorGravatar Joe Banks <[email protected]>2022-03-15 21:56:38 +0000
committerGravatar Joe Banks <[email protected]>2022-03-15 22:40:42 +0000
commit4ec6118708f3260f0983a598560d63410bfcd724 (patch)
treee0da348853ad8b43f164cc4322bb24af180aa422
parentReturn random URL for default server (diff)
Add auditbeat
-rw-r--r--playbook.yml1
-rw-r--r--roles/auditbeat/README.md3
-rw-r--r--roles/auditbeat/handlers/main.yml7
-rw-r--r--roles/auditbeat/meta/main.yml5
-rw-r--r--roles/auditbeat/tasks/main.yml27
-rw-r--r--roles/auditbeat/templates/auditbeat.yml.j299
-rw-r--r--roles/auditbeat/vars/main/vars.yml7
-rw-r--r--roles/auditbeat/vars/main/vault.yml8
-rw-r--r--roles/filebeat/templates/filebeat.yml.j22
9 files changed, 159 insertions, 0 deletions
diff --git a/playbook.yml b/playbook.yml
index 3e91d81..34f9f5c 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -44,3 +44,4 @@
roles:
- filebeat
- packetbeat
+ - auditbeat
diff --git a/roles/auditbeat/README.md b/roles/auditbeat/README.md
new file mode 100644
index 0000000..da18eda
--- /dev/null
+++ b/roles/auditbeat/README.md
@@ -0,0 +1,3 @@
+# Role "auditbeat"
+
+The auditbeat role installs and configures the auditbeat reporting agent.
diff --git a/roles/auditbeat/handlers/main.yml b/roles/auditbeat/handlers/main.yml
new file mode 100644
index 0000000..cda733c
--- /dev/null
+++ b/roles/auditbeat/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: restart auditbeat
+ service:
+ name: auditbeat
+ state: restarted
+ tags:
+ - role::auditbeat
diff --git a/roles/auditbeat/meta/main.yml b/roles/auditbeat/meta/main.yml
new file mode 100644
index 0000000..522f87c
--- /dev/null
+++ b/roles/auditbeat/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+ - role: elasticsearch-repos
+ tags:
+ - role::auditbeat
diff --git a/roles/auditbeat/tasks/main.yml b/roles/auditbeat/tasks/main.yml
new file mode 100644
index 0000000..b928c4a
--- /dev/null
+++ b/roles/auditbeat/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Install Auditbeat
+ apt:
+ pkg: auditbeat
+ state: present
+ tags:
+ - role::auditbeat
+
+- name: Configure Auditbeat
+ template:
+ src: auditbeat.yml.j2
+ dest: /etc/auditbeat/auditbeat.yml
+ mode: 0644
+ owner: root
+ group: root
+ tags:
+ - role::auditbeat
+ notify:
+ - restart auditbeat
+
+- name: Start and enable Auditbeat
+ service:
+ name: auditbeat
+ state: started
+ enabled: true
+ tags:
+ - role::auditbeat
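Review bot: The Configure Auditbeat task writes the rendered config with `mode: 0644`, yet the template it renders (auditbeat.yml.j2 in this same commit) interpolates `auditbeat_elastic_password`, so the Elasticsearch credential lands world-readable under /etc/auditbeat on every host. The service runs from the root-owned file either way, so `mode: "0600"` keeps the agent working while hiding the secret from unprivileged local users. Quoting the mode is also the ansible-lint-recommended form, since an unquoted `0644` is read by the YAML 1.1 parser as an octal integer rather than the literal string.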
diff --git a/roles/auditbeat/templates/auditbeat.yml.j2 b/roles/auditbeat/templates/auditbeat.yml.j2
new file mode 100644
index 0000000..b779a05
--- /dev/null
+++ b/roles/auditbeat/templates/auditbeat.yml.j2
@@ -0,0 +1,99 @@
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+# =========================== Modules configuration ============================
+auditbeat.modules:
+
+- module: auditd
+ # Load audit rules from separate files. Same format as audit.rules(7).
+ audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+ audit_rules: |
+ ## Define audit rules here.
+ ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+ ## examples or add your own rules.
+
+ ## If you are on a 64 bit platform, everything should be running
+ ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+ ## because this might be a sign of someone exploiting a hole in the 32
+ ## bit API.
+ #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+ ## Executions.
+ #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+ ## External access (warning: these can be expensive to audit).
+ #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+ ## Identity changes.
+ #-w /etc/group -p wa -k identity
+ #-w /etc/passwd -p wa -k identity
+ #-w /etc/gshadow -p wa -k identity
+
+ ## Unauthorized access attempts.
+ #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+ #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+- module: file_integrity
+ paths:
+ - /bin
+ - /usr/bin
+ - /sbin
+ - /usr/sbin
+ - /etc
+
+- module: system
+ datasets:
+ - package # Installed, updated, and removed packages
+
+ period: 2m # The frequency at which the datasets check for changes
+
+- module: system
+ datasets:
+ - host # General host information, e.g. uptime, IPs
+ - login # User logins, logouts, and system boots.
+ - process # Started and stopped processes
+ - socket # Opened and closed sockets
+ - user # User information
+
+ # How often datasets send state updates with the
+ # current state of the system (e.g. all currently
+ # running processes, all open sockets).
+ state.period: 3h
+
+ # Enabled by default. Auditbeat will read password fields in
+ # /etc/passwd and /etc/shadow and store a hash locally to
+ # detect any changes.
+ user.detect_password_changes: true
+
+ # File patterns of the login record files.
+ login.wtmp_file_pattern: /var/log/wtmp*
+ login.btmp_file_pattern: /var/log/btmp*
+
+# ======================= Elasticsearch template setting =======================
+setup.template.settings:
+ index.number_of_shards: 1
+ #index.codec: best_compression
+ #_source.enabled: false
+
+# ================================== Outputs ===================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+ # Array of hosts to connect to.
+ hosts: ["{{ auditbeat_elasticsearch_host }}"]
+
+ protocol: "https"
+ username: "{{ auditbeat_elastic_username }}"
+ password: "{{ auditbeat_elastic_password}}"
+
+ ssl:
+ enabled: true
+ ca_trusted_fingerprint: "{{ auditbeat_elastic_fingerprint }}"
+
+
+processors:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
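Review bot: Every rule in the auditd module's `audit_rules` block is commented out, and `audit_rule_files` points at `${path.config}/audit.rules.d/*.conf`, a directory this role never creates, so the module will collect little beyond whatever the kernel emits without rules on these hosts. At minimum the identity watches (`-w /etc/passwd -p wa -k identity` and the group/gshadow siblings already in the block) and the `execve,execveat` rule should be uncommented, or the role should manage a rules file in that directory. Separately, `password: "{{ auditbeat_elastic_password}}"` is missing the space before `}}`; it renders identically but breaks the spacing used on the adjacent lines — `password: "{{ auditbeat_elastic_password }}"`.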
diff --git a/roles/auditbeat/vars/main/vars.yml b/roles/auditbeat/vars/main/vars.yml
new file mode 100644
index 0000000..f7c6aa2
--- /dev/null
+++ b/roles/auditbeat/vars/main/vars.yml
@@ -0,0 +1,7 @@
+auditbeat_kibana_host: "http://10.5.0.0:5601"
+auditbeat_elasticsearch_host: "10.5.0.0:9200"
+
+auditbeat_elastic_username: "pydis"
+auditbeat_elastic_password: "{{ encrypted_auditbeat_elastic_password }}"
+auditbeat_elastic_fingerprint: >-
+ e75cfe8591cb5d30ce31f9a094053f4e0090ebd057a120ac9dcbbf5754fb5a73
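Review bot: `auditbeat_kibana_host` is defined here but nothing in this commit reads it — the template references only the Elasticsearch host, username, password and fingerprint — so it is either dead or intended for a `setup.kibana` section that was not added. Either drop the variable or add `setup.kibana.host: "{{ auditbeat_kibana_host }}"` to the template so the intent is visible. A short comment above `auditbeat_elastic_fingerprint` noting that it is the SHA-256 of the Elasticsearch CA certificate and must be updated when that CA is rotated would save the next maintainer a lookup.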
diff --git a/roles/auditbeat/vars/main/vault.yml b/roles/auditbeat/vars/main/vault.yml
new file mode 100644
index 0000000..e2443a1
--- /dev/null
+++ b/roles/auditbeat/vars/main/vault.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+35633733373033323135653436373566666461363766646664313032316535313638353365333565
+6530393663656438653338333865396266306130613666630a633263373239626436633965346533
+66396166626231376564373462643065653261663362383762633234336234396566663937353864
+3733633736306237630a626639646437343735316331623361636333613932616439366336323035
+65636234366363663630363834633764613564366264663037386166633538303630343935383438
+38303838633632386164663265313430656535383761613936333861383138376139613533336264
+393131653033376537643138643635363765
diff --git a/roles/filebeat/templates/filebeat.yml.j2 b/roles/filebeat/templates/filebeat.yml.j2
index c2b48f7..5a84729 100644
--- a/roles/filebeat/templates/filebeat.yml.j2
+++ b/roles/filebeat/templates/filebeat.yml.j2
@@ -36,6 +36,8 @@ filebeat.inputs:
#fields:
# level: debug
# review: 1
+- type: journald
+ id: everything
# ============================== Filebeat modules ==============================
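Review bot: The new journald input is unrelated to the auditbeat role this commit adds, and it is placed directly against the `# === Filebeat modules ===` section header with no separating blank line, which makes it easy to overlook. It belongs in its own commit; within this one, a blank line after `id: everything` would keep the input visually separate from the modules section. The enclosing `filebeat.inputs:` list starts outside the hunk, so whether the other inputs carry an explicit `id` cannot be checked here.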