auditbeat.config

files:
  "/etc/auditbeat/auditbeat.yml":
    mode: "000755"
    owner: root
    group: root
    content: |
        output.elasticsearch:
          hosts: ['${ELK_HOSTNAME}:9200']
          username: '${ELK_USERNAME}'
          password: '${ELK_PASSWORD}'
        setup.kibana:
            host: '${ELK_HOSTNAME}:5601'
            username: '${ELK_USERNAME}'
            password: '${ELK_PASSWORD}'
        auditbeat.modules:
        - module: file_integrity
          paths:
          - /bin
          - /usr/bin
          - /sbin
          - /usr/sbin
          - /etc  
        - module: auditd
          audit_rules: |
            -a exit,always -F arch=b64 -S clock_settime -k changetime
            -w /etc/passwd -p wra -k passwd
        fields:
            environment: ${ENVIRONMENT_TYPE}
            application: ${APPLICATION_NAME}

commands:
  1_download_auditbeat:
    command: "curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-oss-6.8.0-x86_64.rpm"
    cwd: /home/ec2-user
  2_install_auditbeat:
    command: "rpm -e -ivh --replacepkgs --replacefiles auditbeat-oss-6.8.0-x86_64.rpm"
    cwd: /home/ec2-user
  3_enable_simple_rules:
    command: "mv /etc/auditbeat/audit.rules.d/sample-rules.conf.disabled /etc/auditbeat/audit.rules.d/sample-rules.conf"