From 32bb52b03dff3f8d93c74414f64f293d2242b5ef Mon Sep 17 00:00:00 2001
From: ts
Date: Fri, 14 Sep 2018 16:14:54 +0100
Subject: [PATCH] Auditbeat audit_rules.erb template added
---
 .../unix/logging/auditbeat/auditbeat.pp | 45 ++++++-------------
 .../logging/auditbeat/secgen_metadata.xml | 6 +++
 .../auditbeat/templates/audit_rules.erb | 7 +++
 .../unix/logging/logstash/logstash.pp | 36 +--------
 4 files changed, 27 insertions(+), 67 deletions(-)
 create mode 100644 modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb
diff --git a/modules/utilities/unix/logging/auditbeat/auditbeat.pp b/modules/utilities/unix/logging/auditbeat/auditbeat.pp
index 0212b454a..78dc8ca1a 100644
--- a/modules/utilities/unix/logging/auditbeat/auditbeat.pp
+++ b/modules/utilities/unix/logging/auditbeat/auditbeat.pp
@@ -1,46 +1,27 @@
 $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
 $logstash_ip = $secgen_parameters['logstash_ip'][0]
 $logstash_port = 0 + $secgen_parameters['logstash_port'][0]
+$files_to_audit = $secgen_parameters['files_to_audit']
+# TODO - check if we need this (or are account accesses automatically audited)?
+# Even if we don't need it - we will need to add the accounts to watch into the 'watchers' section when we reach that point.
+# $accounts_to_audit = $secgen_parameters['accounts_to_audit']
 class { 'auditbeat':
 modules => [
- {
- 'module' => 'file_integrity',
- 'enabled' => true,
- 'paths' => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/etc'],
- },
 # {
- # 'module' => 'auditd',
- # 'enabled' => true,
- # 'audit_rules' => '-a always,exit -F arch=b64 -S all -F key=64bit-abi',
- # TODO: this needs correctly configuring. see https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html
+ # 'module' => 'file_integrity',
+ # 'enabled' => true,
+ # 'paths' => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/etc'],
 # },
+ {
+ 'module' => 'auditd',
+ 'enabled' => true,
+ 'audit_rules' => template('auditbeat/audit_rules.erb'),
+ },
 ],
 outputs => {
 'logstash' => {
 'hosts' => ["$logstash_ip:$logstash_port"],
 },
 },
-}
-
-
-#
-# class { 'auditbeat':
-# modules => [
-# {
-# 'module' => 'file_integrity',
-# 'enabled' => true,
-# 'paths' => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/etc'],
-# },
-# {
-# 'module' => 'auditd',
-# 'enabled' => true,
-# },
-# ],
-# outputs => {
-# 'elasticsearch' => {
-# 'hosts' => ['http://localhost:9200'],
-# 'index' => 'auditbeat-%{+YYYY.MM.dd}',
-# },
-# }
-# }
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml b/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml
index 7da34bf59..14420750c 100644
--- a/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml
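Review bot: Commenting out the `file_integrity` entry drops the hashing of `/bin`, `/usr/bin`, `/sbin`, `/usr/sbin` and `/etc` that the module used to collect, so the change swaps that coverage for auditd watches on the few paths in `files_to_audit` rather than adding to it; Auditbeat runs both modules side by side, so unless the hashing was deliberately dropped, the first hash entry should stay enabled with the auditd entry added after it. If dropping it is intended, a line such as `# file_integrity disabled on purpose: the auditd watches in audit_rules.erb replace it` above the commented block records the decision for the next reader. `$files_to_audit` is also handed to the template with no fallback, and the template in this same patch calls `each` on it, so a scenario that omits the input fails at catalog compile time instead of producing an empty rule set; if an empty watch list is acceptable, `$files_to_audit = $secgen_parameters['files_to_audit'] ? { undef => [], default => $secgen_parameters['files_to_audit'] }` covers it.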
+++ b/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml
@@ -14,6 +14,7 @@ logstash_ip logstash_port + files_to_audit localhost
@@ -23,6 +24,11 @@ 5044 + + /etc/shadow + /etc/passwd + + update
diff --git a/modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb b/modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb
new file mode 100644
index 000000000..d7c4622c2
--- /dev/null
+++ b/modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb
@@ -0,0 +1,7 @@
+<% audit_rules = ''
+
+ @files_to_audit.each {|file|
+ audit_rules << "-w #{file} -p rwa -k identity\n"
+ }
+-%>
+<%= audit_rules -%>
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/logstash/logstash.pp b/modules/utilities/unix/logging/logstash/logstash.pp
index 78cfc41c6..c0762071e 100644
--- a/modules/utilities/unix/logging/logstash/logstash.pp
+++ b/modules/utilities/unix/logging/logstash/logstash.pp
@@ -5,40 +5,6 @@ $elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]
 include logstash
-# You must provide a valid pipeline configuration for the service to start.
 logstash::configfile { 'my_ls_config':
 content => template('logstash/configfile-template.erb'),
-}
-
-
-# TODO: Delete this if its a problem
-#
-# class { 'logstash':
-# settings => {
-# 'http.host' => $ip_address,
-# }
-# }
-
-# logstash::plugin { 'logstash-input-beats': }
-
-
-# $myconfig = @("MYCONFIG"/L)
-# input {
-# beats {
-# port => 5044
-# }
-# }
-# output {
-# elasticsearch {
-# hosts => "192.168.1.133:9200"
-# manage_template => false
-# index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
-# document_type => "%{[@metadata][type]}"
-# }
-# stdout { codec => rubydebug }
-# }
-# | MYCONFIG
-#
-# logstash::configfile { '02-beats-input.conf':
-# content => $myconfig,
-# }
\ No newline at end of file
+}
\ No newline at end of file
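Review bot: Every path is watched with `-p rwa`, and with the metadata defaults of `/etc/shadow` and `/etc/passwd` that audits each read of `/etc/passwd`, a world-readable file that nearly every process opens for name lookups, so the `identity` key will be dominated by noise; `-p wa` is the usual choice for these files, with `r` kept only where reads are genuinely of interest (reads of `/etc/shadow` are, reads of `/etc/passwd` are not). The path is also interpolated unchecked, so an entry containing whitespace or a newline yields a malformed rule or an extra one, and an undef `@files_to_audit` raises `NoMethodError` on `each`; `Array(@files_to_audit)` handles the latter and rejecting entries that match `/\s/` the former. The accumulator and the trailing `<%= audit_rules -%>` can then collapse to one line, `<%= Array(@files_to_audit).reject { |f| f.match?(/\s/) }.map { |f| "-w #{f} -p wa -k identity" }.join("\n") %>`.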