
[Auditd Manager] Add Session Data option #11500

Merged
opauloh merged 4 commits into elastic:main from opauloh:auditd-manager/sesion-viewer-1-8-2
Oct 24, 2024

Conversation

@opauloh (Contributor) commented Oct 23, 2024

Proposed commit message

  • Updating Auditd Manager manifest to include Session Data option starting from Kibana version 8.16.0.
  • Updated logic in the hbs file to append Session Data Audit Rules and Session Data Processors when Session Data is selected.
  • Updated documentation to include both manual and Toggle Switch options

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have added an entry to my package's changelog.yml file.
  • I have tested it in Serverless
  • I have added the necessary automated tests
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

To test these changes, go to Kibana -> Integrations -> Create new integration -> upload it as a .zip, and upload the following package:

auditd_manager-1.18.2.zip

Related issues

Screenshots

Session Data Switcher (screenshot)

Docs (screenshot)

Policy Tests Included (screenshot)

@opauloh opauloh requested a review from a team as a code owner October 23, 2024 21:38
@andrewkroh andrewkroh added enhancement New feature or request Integration:auditd_manager Auditd Manager Team:Security-Linux Platform Linux Platform Security team [elastic/sec-linux-platform] labels Oct 23, 2024
@elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report


@elasticmachine

💚 Build Succeeded

@elastic-sonarqube

Comment on lines +10 to +15
{{#if session_data}}
audit_rules: "{{escape_multiline_string "# Session data audit rules
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S exit_group
-a always,exit -F arch=b64 -S setsid
"}}{{escape_multiline_string audit_rules}}"
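Review bot: the three `-a always,exit` session rules filter on `-F arch=b64` only, so on a multilib host an `execve`/`execveat`, `exit_group` or `setsid` issued through the 32-bit syscall ABI is never recorded and Session View loses that process from the tree. Consider emitting the matching `-F arch=b32` rules alongside them, e.g. `-a always,exit -F arch=b32 -S execve,execveat -k exec`. Minor: only the `execve` rule carries a `-k` key; giving the `exit_group` and `setsid` rules a key too makes their events easy to isolate with `ausearch -k` when debugging a policy.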
@opauloh (Contributor Author)

@andrewkroh Unfortunately I couldn't manage to update the to_json method before the 8.16 Feature Freeze, so I kept the escape_multiline_string method for this version.

The Policy tests under the data_stream/auditd/_dev/test/policy folder use Kibana and Fleet to generate the Agent Policy output based on the policy variables. Those tests also check that the Handlebars methods used in the auditd.yml.hbs file, such as the escape_multiline_string method, are available in Kibana and that they generate the desired output in the agent policy.
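The merge the template performs (a fixed block of session rules placed in front of the operator's own audit_rules when Session Data is on) is easy to get subtly wrong, and the resulting rule set is worth checking before it is shipped to agents. The following is an added example, not code from the integration or from Elastic: it re-implements the prepend step in plain Python for illustration (the real merge is done by the Handlebars template, not by this function), then parses the merged rules and reports, per syscall ABI, which of the syscalls Session View depends on are covered. Rules without an explicit `-F arch=` filter are deliberately not credited to either ABI; the session rules in the template always set one. The user rules and the `-k session32` key in the usage note are constructed for the example.

```python
"""Illustrative re-implementation of the Auditd Manager policy step:
when Session Data is enabled, a fixed block of session audit rules is
prepended to the operator's audit_rules; the merged set is then checked
for per-architecture coverage of the syscalls Session View relies on.
Not the project's code; the real merge lives in auditd.yml.hbs."""
import re

# Session rules as they appear in the integration template (arch=b64 only).
SESSION_DATA_RULES = """# Session data audit rules
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S exit_group
-a always,exit -F arch=b64 -S setsid
"""

# Syscalls Session View needs to reconstruct process trees.
REQUIRED_SYSCALLS = {"execve", "execveat", "exit_group", "setsid"}

_ARCH = re.compile(r"-F\s+arch=(b32|b64)")
_SYSCALLS = re.compile(r"-S\s+([A-Za-z0-9_,]+)")


def compose_rules(user_rules: str, session_data: bool) -> str:
    """Mirror the {{#if session_data}} branch: session rules first, then the
    operator-supplied rules unchanged. Hypothetical helper for illustration."""
    if not session_data:
        return user_rules
    return SESSION_DATA_RULES + user_rules


def syscall_coverage(rules: str) -> dict:
    """Parse `-a ...` syscall rules and return {arch: set(syscall names)}.

    Comment and blank lines are skipped, as are -w watches and other
    directives that carry no -S list. A rule with no explicit arch filter
    is not credited to either ABI (conservative choice for this check).
    """
    coverage = {"b32": set(), "b64": set()}
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.startswith("-a "):
            continue
        syscalls = _SYSCALLS.search(line)
        arch = _ARCH.search(line)
        if not syscalls or not arch:
            continue
        coverage[arch.group(1)] |= set(syscalls.group(1).split(","))
    return coverage


def missing_session_syscalls(rules: str) -> dict:
    """Return {arch: sorted missing syscalls} for the Session View set.
    An empty list for an arch means that ABI is fully covered."""
    cov = syscall_coverage(rules)
    return {a: sorted(REQUIRED_SYSCALLS - cov[a]) for a in ("b32", "b64")}


if __name__ == "__main__":
    # Constructed operator rules: a file watch, no syscall rules of its own.
    user = "-w /etc/passwd -p wa -k identity\n"
    merged = compose_rules(user, session_data=True)
    print(missing_session_syscalls(merged))
    # Adding the b32 counterparts closes the gap on multilib hosts.
    hardened = merged + (
        "-a always,exit -F arch=b32 -S execve,execveat,exit_group,setsid "
        "-k session32\n"
    )
    print(missing_session_syscalls(hardened))
```

Run against the template's rules plus a watch-only operator policy, the check reports every Session View syscall missing for `b32` and none for `b64`; appending one `-F arch=b32` rule clears the `b32` list. The same parser can be pointed at the `audit_rules` value in a rendered agent policy (the artifact the policy tests compare) rather than at the template constants.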

@opauloh opauloh requested a review from mjwolf October 23, 2024 22:44
@mjwolf
Copy link
Contributor

mjwolf commented Oct 24, 2024

I've used this integration version to install the auditd_manager, and enabled session view with the toggle, and everything's working. Session data was collected and sessions were shown in Kibana with it.

@opauloh opauloh merged commit 9e62713 into elastic:main Oct 24, 2024
@opauloh opauloh deleted the auditd-manager/sesion-viewer-1-8-2 branch October 24, 2024 22:40
@elastic-vault-github-plugin-prod

Package auditd_manager - 1.18.2 containing this change is available at https://epr.elastic.co/search?package=auditd_manager

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
* Add Session Data Option to manifest

* Updating docs

* Adding integration policy tests

* updating changelog PR number