Problem description
I have installed Auditbeat to send information from a VM to ELK.
Rules configuration:
# Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
## All elevation of privileges is logged
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs
## Log all user commands
-a exit,always -F arch=b64 -F euid=0 -S execve -k user-commands
## Log all processes executed
-a always,exit -S execve,execveat -k executed-process
But I receive all processes in ELK, and I want to filter out the dockerd process and its child processes (shown below).
root 1074 1 3 Aug15 ? 1-11:17:28 /usr/bin/dockerd -H unix://
root 1312 1074 0 Aug15 ? 05:10:11 \_ containerd --config /var/run/docker/containerd/containerd.toml --log-level info
root 2612 1312 0 Aug15 ? 00:01:36 | \_ containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/8d0656e69919ad21390a8763552114a
root 2632 2612 0 Aug15 ? 00:00:00 | | \_ /pause
root 2718 1312 0 Aug15 ? 00:01:38 | \_ containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/3be9a09164477a5ddad974a9b7d0cdc
nfsnobo+ 2735 2718 0 Aug15 ? 00:14:13 | | \_ /tiller
root 3943 1312 0 Aug15 ? 00:01:26 | \_ containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/56966f53cb30a304add50370f298a19
root 3961 3943 0 Aug15 ? 00:00:00 | | \_ /pause
Is it possible to filter out the child processes of the main process with a rule?
Thanks
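Auditd cannot match on process ancestry (the `ppid` field matches only the immediate parent), but every process dockerd spawns inherits its unset login UID, so adding `-F auid!=unset` to the execve rules drops that whole tree while keeping commands run from user sessions. The script below is an added example, not part of the original question: it applies that predicate to constructed audit records and rewrites the question's rules accordingly.

```python
import re

# Constructed audit SYSCALL records (not taken from the question): three exec
# events from the dockerd/containerd tree and one from an interactive sudo session.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1692100000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1312 pid=2612 auid=4294967295 uid=0 gid=0 euid=0 comm="containerd-shim" exe="/usr/bin/containerd-shim" key="executed-process"
type=SYSCALL msg=audit(1692100000.102:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=2612 pid=2632 auid=4294967295 uid=0 gid=0 euid=0 comm="pause" exe="/pause" key="executed-process"
type=SYSCALL msg=audit(1692100000.103:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=2718 pid=2735 auid=4294967295 uid=65534 gid=65534 euid=65534 comm="tiller" exe="/tiller" key="executed-process"
type=SYSCALL msg=audit(1692100000.104:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=5100 pid=5101 auid=1000 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="elevated-privs"
"""

# The kernel renders an unset loginuid (-1) as an unsigned 32-bit value.
AUID_UNSET = 4294967295

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one raw audit record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def keep_event(rec):
    """Mirror of the proposed rule filter: keep only records with a set loginuid."""
    return int(rec.get("auid", AUID_UNSET)) != AUID_UNSET


def filter_records(text):
    """Apply keep_event to every record; return (kept, dropped)."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    kept = [r for r in records if keep_event(r)]
    dropped = [r for r in records if not keep_event(r)]
    return kept, dropped


def with_auid_filter(rule):
    """Insert '-F auid!=unset' into a syscall (-a) rule before its -k key.

    Watch (-w) rules and rules that already filter on auid are returned unchanged.
    Older auditctl versions need the numeric form: -F auid!=4294967295.
    """
    if not rule.startswith("-a ") or "auid" in rule:
        return rule
    head, sep, key = rule.partition(" -k ")
    return head + " -F auid!=unset" + sep + key


if __name__ == "__main__":
    kept, dropped = filter_records(SAMPLE_RECORDS)
    print("kept:", [r["exe"] for r in kept])
    print("dropped:", [r["exe"] for r in dropped])
    print(with_auid_filter("-a always,exit -S execve,execveat -k executed-process"))
```

The same filter also silences execs from cron and other boot-time services, which is usually what you want for `executed-process` but should be checked against the `elevated-privs` rules.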