diff --git a/modules/utilities/unix/logging/auditbeat/auditbeat.pp b/modules/utilities/unix/logging/auditbeat/auditbeat.pp
index 0212b454a..78dc8ca1a 100644
--- a/modules/utilities/unix/logging/auditbeat/auditbeat.pp
+++ b/modules/utilities/unix/logging/auditbeat/auditbeat.pp
@@ -1,46 +1,27 @@
$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
$logstash_ip = $secgen_parameters['logstash_ip'][0]
$logstash_port = 0 + $secgen_parameters['logstash_port'][0]
+$files_to_audit = $secgen_parameters['files_to_audit']
+# TODO - check if we need this (or are account accesses automatically audited)?
+# Even if we don't need it - we will need to add the accounts to watch into the 'watchers' section when we reach that point.
+# $accounts_to_audit = $secgen_parameters['accounts_to_audit']
class { 'auditbeat':
modules => [
- {
- 'module' => 'file_integrity',
- 'enabled' => true,
- 'paths' => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/etc'],
- },
# {
- # 'module' => 'auditd',
- # 'enabled' => true,
- # 'audit_rules' => '-a always,exit -F arch=b64 -S all -F key=64bit-abi',
- # TODO: this needs correctly configuring. see https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html
+ # 'module' => 'file_integrity',
+ # 'enabled' => true,
+ # 'paths' => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/etc'],
# },
+ {
+ 'module' => 'auditd',
+ 'enabled' => true,
+ 'audit_rules' => template('auditbeat/audit_rules.erb'),
+ },
],
outputs => {
'logstash' => {
'hosts' => ["$logstash_ip:$logstash_port"],
},
},
-}
-
-
-#
-# class { 'auditbeat':
-# modules => [
-# {
-# 'module' => 'file_integrity',
-# 'enabled' => true,
-# 'paths' => ['/bin', '/usr/bin', '/sbin', '/usr/sbin', '/etc'],
-# },
-# {
-# 'module' => 'auditd',
-# 'enabled' => true,
-# },
-# ],
-# outputs => {
-# 'elasticsearch' => {
-# 'hosts' => ['http://localhost:9200'],
-# 'index' => 'auditbeat-%{+YYYY.MM.dd}',
-# },
-# }
-# }
\ No newline at end of file
+}
\ No newline at end of file
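Review bot: Commenting out the `file_integrity` entry (L25-L28) silently drops the hash-based monitoring of /bin, /usr/bin, /sbin, /usr/sbin and /etc that the previous config had, and the replacement auditd rules only watch the paths listed in `files_to_audit`, so tampering with system binaries is no longer reported at all. Auditbeat's `modules` array accepts both entries side by side, so unless FIM was removed on purpose I would restore it as a live entry next to the auditd one and add a comment such as `# file_integrity covers binary/config tampering; auditd covers who touched the identity files`. The `$files_to_audit` assignment on L9 is passed straight into the template with no default, so a scenario that omits the parameter yields undef and the template will fail at catalog compile time; `$files_to_audit = pick($secgen_parameters['files_to_audit'], ['/etc/passwd', '/etc/shadow'])` (or a guard in the template) avoids that. The logstash output in the unchanged context carries no `ssl` settings, so these audit events — including reads of /etc/shadow — presumably travel in clear text; if that is acceptable for the lab it is worth a one-line note saying so.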
diff --git a/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml b/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml
index 7da34bf59..14420750c 100644
--- a/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml
+++ b/modules/utilities/unix/logging/auditbeat/secgen_metadata.xml
@@ -14,6 +14,7 @@
logstash_ip
logstash_port
+ files_to_audit
localhost
@@ -23,6 +24,11 @@
5044
+
+ /etc/shadow
+ /etc/passwd
+
+
update
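Review bot: The new `files_to_audit` defaults (`/etc/shadow`, `/etc/passwd`) cover only two of the files that the generated rules tag with `-k identity`; the usual identity watch set also includes `/etc/group`, `/etc/gshadow` and `/etc/security/opasswd`, and `/etc/sudoers` is a common addition, so anyone relying on the default will miss group and sudo changes. I would add at least `/etc/group` and `/etc/gshadow` to the defaults and describe the parameter as "absolute paths to watch with auditd (-p rwa, key identity); one path per value". The XML tags appear stripped in this rendering, so I cannot confirm the element names the values sit under.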
diff --git a/modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb b/modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb
new file mode 100644
index 000000000..d7c4622c2
--- /dev/null
+++ b/modules/utilities/unix/logging/auditbeat/templates/audit_rules.erb
@@ -0,0 +1,7 @@
+<% audit_rules = ''
+
+ @files_to_audit.each {|file|
+ audit_rules << "-w #{file} -p rwa -k identity\n"
+ }
+-%>
+<%= audit_rules -%>
\ No newline at end of file
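Review bot: Each value of `@files_to_audit` is interpolated verbatim into an auditd rule line on L92 with no validation, so a path containing whitespace or a newline is split into extra tokens or becomes an additional, unintended rule (`-a always,exit ...`), and an `@files_to_audit` that is nil (parameter omitted) raises NoMethodError on `.each` and fails the whole catalog. Since the values come from the scenario parameters rather than the target host this is a robustness issue more than an injection vector, but the template should still reject anything that is not a single absolute path and tolerate a missing list. Note also that `-p rwa` on /etc/passwd records every NSS lookup on the box, which is very noisy; `-p wa` is the conventional setting for identity files, so if reads are wanted deliberately a comment saying so would help. The rewritten template below also switches the multi-line brace block to do/end per Ruby style.
```erb
<%
  files = Array(@files_to_audit)
  bad = files.reject { |f| f.to_s =~ %r{\A/\S+\z} }
  raise ArgumentError, "files_to_audit: expected absolute paths without whitespace, got #{bad.inspect}" unless bad.empty?
-%>
<% files.each do |file| -%>
-w <%= file %> -p rwa -k identity
<% end -%>
```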
diff --git a/modules/utilities/unix/logging/logstash/logstash.pp b/modules/utilities/unix/logging/logstash/logstash.pp
index 78cfc41c6..c0762071e 100644
--- a/modules/utilities/unix/logging/logstash/logstash.pp
+++ b/modules/utilities/unix/logging/logstash/logstash.pp
@@ -5,40 +5,6 @@ $elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]
include logstash
-# You must provide a valid pipeline configuration for the service to start.
logstash::configfile { 'my_ls_config':
content => template('logstash/configfile-template.erb'),
-}
-
-
-# TODO: Delete this if its a problem
-#
-# class { 'logstash':
-# settings => {
-# 'http.host' => $ip_address,
-# }
-# }
-
-# logstash::plugin { 'logstash-input-beats': }
-
-
-# $myconfig = @("MYCONFIG"/L)
-# input {
-# beats {
-# port => 5044
-# }
-# }
-# output {
-# elasticsearch {
-# hosts => "192.168.1.133:9200"
-# manage_template => false
-# index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
-# document_type => "%{[@metadata][type]}"
-# }
-# stdout { codec => rubydebug }
-# }
-# | MYCONFIG
-#
-# logstash::configfile { '02-beats-input.conf':
-# content => $myconfig,
-# }
\ No newline at end of file
+}
\ No newline at end of file