
Auditbeat: rule to exclude dockerd child processes

How to solve: Auditbeat, excluding dockerd child processes by rule

I have installed Auditbeat in order to send information from a VM to ELK.

Rules configuration:
# Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

## All elevation of privileges is logged
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
-a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=elevated-privs

## Log all user commands
-a exit,always -F arch=b64 -F euid=0 -S execve -k user-commands

## Log all processes executed
-a always,exit -S execve,execveat -k executed-process

But I am receiving all processes in ELK, and I want to filter out the dockerd process and its child processes (shown below).

root       1074      1  3 Aug15 ?        1-11:17:28 /usr/bin/dockerd -H unix://
root       1312   1074  0 Aug15 ?        05:10:11  \_ containerd --config /var/run/docker/containerd/containerd.toml --log-level info
root       2612   1312  0 Aug15 ?        00:01:36  |   \_ containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/8d0656e69919ad21390a8763552114a
root       2632   2612  0 Aug15 ?        00:00:00  |   |   \_ /pause
root       2718   1312  0 Aug15 ?        00:01:38  |   \_ containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/3be9a09164477a5ddad974a9b7d0cdc
nfsnobo+   2735   2718  0 Aug15 ?        00:14:13  |   |   \_ /tiller
root       3943   1312  0 Aug15 ?        00:01:26  |   \_ containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/56966f53cb30a304add50370f298a19
root       3961   3943  0 Aug15 ?        00:00:00  |   |   \_ /pause

Is it possible to filter out the child processes of the main process with a rule?

Thanks
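auditd rules select on attributes of the calling process (`-F exe=`, `-F ppid=`, and so on), not on its ancestors, so the whole dockerd subtree cannot be named in a single rule, and the execve event Auditbeat forwards carries only the process's own pid and ppid. As an added example (not from the question or from Auditbeat), the Python below does the exclusion downstream: it parses a `ps -ef --forest` snapshot like the one above, collects dockerd and every descendant, and drops audit events whose `process.pid` falls in that set. The snapshot and the events are constructed, and the flat `process.pid` key is an assumption about how the events are represented.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the `ps -ef --forest` listing in the question (made-up PIDs).
PS_FOREST = r"""UID        PID   PPID  C STIME TTY          TIME CMD
root         1      0  0 Aug15 ?        00:00:10 /sbin/init
root      1074      1  3 Aug15 ?        1-11:17:28 /usr/bin/dockerd -H unix://
root      1312   1074  0 Aug15 ?        05:10:11  \_ containerd --config /var/run/docker/containerd/containerd.toml
root      2612   1312  0 Aug15 ?        00:01:36  |   \_ containerd-shim -namespace moby
root      2632   2612  0 Aug15 ?        00:00:00  |   |   \_ /pause
nfsnobo+  2735   2612  0 Aug15 ?        00:14:13  |   |   \_ /tiller
root      4000      1  0 Aug15 ?        00:00:01 /usr/sbin/sshd -D
root      4100   4000  0 Aug15 ?        00:00:00  \_ sshd: admin [priv]
"""

def parse_ps_forest(text):
    """Return ({pid: ppid}, {pid: command}) parsed from `ps -ef --forest` output."""
    parents, commands = {}, {}
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 7)          # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8:
            continue
        pid, ppid = int(fields[1]), int(fields[2])
        # strip the tree-drawing prefix ("|   \_ ") that --forest puts in front of CMD
        commands[pid] = re.sub(r"^[\s|\\_]+", "", fields[7])
        parents[pid] = ppid
    return parents, commands

def subtree_pids(parents, commands, name="dockerd"):
    """PIDs of every process whose command is `name`, plus all of their descendants."""
    children = defaultdict(list)
    for pid, ppid in parents.items():
        children[ppid].append(pid)
    todo = [p for p, c in commands.items() if c.split()[0].rsplit("/", 1)[-1] == name]
    found = set()
    while todo:                               # iterative walk down the tree
        pid = todo.pop()
        if pid not in found:
            found.add(pid)
            todo.extend(children[pid])
    return found

def drop_subtree_events(events, excluded):
    """Keep only audit events whose process.pid lies outside the excluded subtree."""
    return [e for e in events if e.get("process.pid") not in excluded]

if __name__ == "__main__":
    parents, commands = parse_ps_forest(PS_FOREST)
    docker = subtree_pids(parents, commands)
    print(sorted(docker))                     # [1074, 1312, 2612, 2632, 2735]
```

Because PIDs are reused and containers come and go, the snapshot has to be refreshed rather than computed once.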
