From cdbd736eadc468e4a4566e589d9c902f0a4c67a7 Mon Sep 17 00:00:00 2001
From: Ryan Walter
Date: Fri, 26 Aug 2022 14:35:56 -0500
Subject: [PATCH 1/2] Initial Gentoo support

Signed-off-by: Ryan Walter
---
 README.md         | 8 +++++++-
 defaults/main.yml | 4 ++++
 tasks/main.yml    | 9 +++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 77e2206..d57951c 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ An Ansible role that replaces auditd with Auditbeat. Included modified version o
 Please test the rules properly before using on production. Some rules may cause performance impact depending on your setup.
 For more information on Auditbeat please visit the official [documentation](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-overview.html)
 
-Supported platfroms:
+Supported platforms:
 - Ubuntu 20.04
 - Ubuntu 18.04
 - Ubuntu 16.04
@@ -22,6 +22,7 @@ Supported platfroms:
 - Debian 10
 - Debian 9
 - Debian 8
+- Gentoo \*\*
 - Windows 10\*
 - Windows Server 2019\*
 - Windows Server 2016\*
@@ -30,6 +31,8 @@ Auditbeat should also work on Oracle Enterprise Linux but only with RHCK.
 
 \* Auditbeat on Windows supports different set of features. If you wish to achieve similar functionality use Sysmon + Winlogbeat
 
+\*\* If you want to run auditbeat on Gentoo, you will need to create your own ebuild, if you want to use the `system` metricset, you will need to build auditbeat with x-pack folder with the elastic licence.
+
 If you wish to run Auditbeat from docker container use the official docker [image](https://hub.docker.com/_/auditbeat) provided by Elastic.
 
 Requirements
@@ -61,6 +64,9 @@ Ansible variables from `defaults/main.yml`
     - add_host_metadata: ~
     - add_cloud_metadata: ~
     - add_docker_metadata: ~
+  auditbeat_portage:
+    package: =auditbeat-{{ auditbeat_service.version }}
+    getbinpkg: no
 
 The `auditbeat_service.install_rules` can be changed to false if you don't want to use the rules included.
 
diff --git a/defaults/main.yml b/defaults/main.yml
index 42e529d..97acb49 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,7 @@ auditbeat_processors: |
   - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
+
+auditbeat_portage:
+  package: =auditbeat-{{ auditbeat_service.version }}
+  getbinpkg: no
diff --git a/tasks/main.yml b/tasks/main.yml
index 0064dbf..0af6a35 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -37,6 +37,7 @@
   when:
     - ansible_facts.services['auditd'] is defined
     - ansible_os_family != "Windows"
+    - ansible_os_family != "Gentoo"
   tags: install
 
 - name: (Debian/Ubuntu) Install auditbeat apt
@@ -53,6 +54,14 @@
   when: ansible_os_family == "RedHat"
   tags: install
 
+# INFO: Based on where and how you generate your auditbeat portage package, you may need to change the package name
+- name: (Gentoo) Install auditbeat portage
+  community.general.portage:
+    package: "{{ auditbeat_portage.package }}"
+    getbinpkg: "{{ auditbeat_portage.getbinpkg }}"
+  when: ansible_os_family == "Gentoo"
+  tags: install
+
 - name: (Linux) Create auditbeat configuration file
   template:
     src: auditbeat.yml.j2

From 9558471f673987d1f239866fdec4840bad97f905 Mon Sep 17 00:00:00 2001
From: Ryan Walter
Date: Fri, 9 Sep 2022 09:02:44 -0500
Subject: [PATCH 2/2] docs(readme): Added newly found KPROBE issue to readme

Signed-off-by: Ryan Walter
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d57951c..217c411 100644
--- a/README.md
+++ b/README.md
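Review bot: `getbinpkg: no` in the new `auditbeat_portage` mapping relies on YAML 1.1 truthy parsing to become a boolean; Ansible's loader does read it as false, but yamllint's `truthy` rule rejects it and the file's own newer convention is `true`/`false`, so write `getbinpkg: false` (the README listing at `@@ -61,6 +64,9 @@` copies the same value and should follow). The `package` default is an unquoted plain scalar that starts with `=` and embeds a Jinja expression; it parses as a string today, but tasks/main.yml quotes every templated value, so `package: "=auditbeat-{{ auditbeat_service.version }}"` keeps the two files consistent and protects against an empty expansion turning the value into something other than a string. `auditbeat_service.version` is presumably defined earlier in this defaults file, outside the hunk.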
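Review bot: The new `- ansible_os_family != "Gentoo"` condition excludes Gentoo hosts from this task without saying why; the task's name is above the hunk, but the `ansible_facts.services['auditd'] is defined` condition suggests it is the step that deals with a pre-existing auditd, which on a Gentoo host is then left as it was. A maintainer reading only this `when:` list cannot tell whether that is deliberate (Gentoo's auditd is handled by the ebuild or by the operator) or an oversight, and the commit message does not explain it either. A one-line comment on the condition would settle it, e.g. `# Gentoo: auditd is not stopped here because <state the reason>`, with the reason filled in by the author; if auditd does stay running alongside Auditbeat on Gentoo, that is worth a sentence in the README's Gentoo footnote too. The enclosing task starts outside the hunk.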
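Review bot: The `# INFO:` comment above the new Gentoo task only covers the package name, while the more consequential knob is `getbinpkg`: the task forwards `auditbeat_portage.getbinpkg` unchanged, and when an operator sets it to true Portage fetches a prebuilt package from whatever binhost the managed host's own Portage configuration points at, which this role neither sets nor checks. Extending the comment to say that binhost selection and binary-package signature verification remain the host's responsibility would make that explicit, for example `# INFO: ... If getbinpkg is enabled, the binary comes from the host's configured binhost; this role does not pin or verify it`. The `when: ansible_os_family == "Gentoo"` and `tags: install` lines match the RedHat task above, which is good; the `package` default is version-pinned via `=auditbeat-{{ auditbeat_service.version }}`, so upgrades happen only when that variable changes, which is presumably the intent.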
@@ -31,7 +31,7 @@ Auditbeat should also work on Oracle Enterprise Linux but only with RHCK.
 
 \* Auditbeat on Windows supports different set of features. If you wish to achieve similar functionality use Sysmon + Winlogbeat
 
-\*\* If you want to run auditbeat on Gentoo, you will need to create your own ebuild, if you want to use the `system` metricset, you will need to build auditbeat with x-pack folder with the elastic licence.
+\*\* If you want to run auditbeat on Gentoo, you will need to create your own ebuild, if you want to use the `system` metricset, you will need to build auditbeat with x-pack folder with the elastic licence. If you want to use Sockets, you will need Kprobe enabled in your kernel's menuconfig
 
 If you wish to run Auditbeat from docker container use the official docker [image](https://hub.docker.com/_/auditbeat) provided by Elastic.
 