Allow minimal auditbeat deploy on LXC containers

Auditbeat currently cannot be deployed on containers, as the auditd
module requires auditd, which is not available on LXC containers.
However, the other modules (file_integrity, system) do not have auditd
as a dependency. As a result, Auditbeat can be deployed more minimally
on containers if the auditd module is not used, providing filesystem
integrity checks, login, user, host and other data. The system socket
dataset must also be disabled, as this requires data not accessible from
the container.

This commit disables the auditd and system socket modules if the host
is containerised, allowing Auditbeat to be deployed to containers.

Change-Id: I96c92d2ce31d111ba5d7645b959ca287afbebd0b
Duncan Martin Walker 2020-05-04 15:11:30 +01:00
parent 7f747d0875
commit 9d182c270c
2 changed files with 12 additions and 1 deletions


@ -25,6 +25,14 @@
tags:
- always
- name: Update facts if containerised
set_fact:
auditbeat_distro_packages:
- auditbeat
containerised: true
when:
- ansible_virtualization_type in ["systemd-nspawn", "lxc", "lxd", "podman", "docker", "systemd_container", "container"]
- name: Ensure beat is installed (x86_64)
package:
name: "{{ auditbeat_distro_packages }}"
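Review bot: the new "Update facts if containerised" task has no `tags: - always`, unlike the task just above it whose trailing `tags: - always` is visible as context, so a run restricted with `--tags` skips the set_fact, `containerised` stays undefined and the template falls back to the full host configuration (auditd module and socket dataset included) on a container. Add `tags: - always` to the new task. Separately, the `when` only tests `ansible_virtualization_type`; that fact names the technology but not whether the node is the host or the guest, and the companion `ansible_virtualization_role` fact carries that distinction, so adding `- ansible_virtualization_role == "guest"` to the list avoids classifying a host as a container.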


@ -29,7 +29,7 @@ auditbeat.max_start_delay: 10s
#========================== Modules configuration =============================
auditbeat.modules:
{% if not (containerised | default(false)) %}
# The auditd module collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
- module: auditd
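Review bot: the comment directly under the new `{% if not (containerised | default(false)) %}` still describes the auditd module as if it were always rendered, and nothing in the template explains why the block is conditional. A one-line Jinja comment next to the `{% if %}`, e.g. `{# auditd is not available inside containers, so the module is omitted there #}`, keeps the rendered config self-explanatory for anyone reading the role without the commit history.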
@ -74,6 +74,7 @@ auditbeat.modules:
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
{% endif %}
{% endif %}
# The file integrity module sends events when files are changed (created,
# updated, deleted). The events contain file metadata and hashes.
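Review bot: the added `{% endif %}` lands immediately after an existing `{% endif %}`, and its matching `{% if %}` sits some forty lines earlier (new line 31 against new line 77 by the hunk headers), so it is not obvious which conditional each closes. Jinja has no named endif, but a trailing `{# endif containerised #}` comment on the new line would make the nesting readable and make a future mis-placed edit easier to spot.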
@ -140,7 +141,9 @@ auditbeat.modules:
- login # User logins, logouts, and system boots.
- package # Installed, updated, and removed packages
- process # Started and stopped processes
{% if not (containerised | default(false)) %}
- socket # Opened and closed sockets
{% endif %}
- user # User information
# How often datasets send state updates with the
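Review bot: the conditional around `- socket` is the only dataset entry in this list that can disappear at render time, and the template gives no reason for it; the commit message gives the reason (the data the dataset needs is not accessible from the container), so carry it into the template as a Jinja comment beside the `{% if %}`. Note also that the commit message calls this the "system socket module" while what is gated here is the `socket` dataset of the `system` module; the diff is right, and the wording elsewhere should follow it.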