Add file integrity metricset to Metricbeat audit module [WIP] #4486
Conversation
This metricset monitors files or directories for changes. When a file is changed it will calculate a MD5, SHA1, and SHA256 hash.
```
metricbeat.modules:
- module: audit
metricsets: [file]
file.paths:
binaries:
- /usr/bin
- /usr/sbin
```
andrewkroh
added
enhancement
in progress
|
|
||
| m5 := md5.New() | ||
| s1 := sha1.New() | ||
| s256 := sha256.New() |
There was a problem hiding this comment.
Are all three, at the same time, useful/needed?
There was a problem hiding this comment.
Maybe it depends on how you are using this info. The threat intel that I see is usually inconsistent in the hashing algorithms used. So you might get a hashes reported from one source that always provides SHA1 and another source that always provides SHA256. So for this hash matching use case it is useful to have all three.
| import ( | ||
| "time" | ||
|
|
||
| "github.com/fsnotify/fsnotify" |
There was a problem hiding this comment.
I like that we get experience with this 👍
|
Cool, just to make sure, this is not based on the Audit framework, but uses fsnotify to know when a file changes, right? |
|
That's correct, this is based on inotify (linux), fsevents (macos), and ReadDirectoryChangesW (windows). I plan to re-open this PR against auditbeat after it's merged, but I'll leave this open until then in case anyone has comments. |
|
Closed in favor of #4562 |
This metricset monitors files or directories for changes. When a file is changed it will calculate a MD5, SHA1, and SHA256 hash.
Tested on darwin, linux, and windows.