Configuration Guide
- The auditd daemon must be enabled and running:

  ```
  systemctl enable --now auditd
  ```

- The AF_UNIX audisp plugin must be set to active in `/etc/audisp/plugins.d/af_unix.conf`. Changing this setting requires a restart of the service: `systemctl restart auditd` (or `service auditd restart`, depending on OS).
The following system calls should be active in the auditd configuration: `execve`, `execveat`, `fork`, `vfork`, `clone`, `connect`, `bind`, `open`, `openat`.
This can be achieved using the command line:

```bash
syscall_name_list=(execve execveat fork vfork clone connect bind open openat)
for syscall_name in "${syscall_name_list[@]}" ; do
    echo "Enabling: ${syscall_name}"
    sudo auditctl -a exit,always -F arch=b64 -S "${syscall_name}"
done
```
or, to make the settings permanent, with a `10-zeek_agent.rules` file within the `/etc/audit/rules.d` folder:

```
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b64 -S execveat
-a exit,always -F arch=b64 -S fork
-a exit,always -F arch=b64 -S vfork
-a exit,always -F arch=b64 -S clone
-a exit,always -F arch=b64 -S connect
-a exit,always -F arch=b64 -S bind
-a exit,always -F arch=b64 -S open
-a exit,always -F arch=b64 -S openat
```
If you have built the Zeek Agent with osquery support, configure and start `osqueryd` as described in the manual. (Note that you can install osquery through their standard binary packages; there is no need to install the version used to compile the agent.)

Here's an example of how to start `osqueryd`:

```
osqueryd --verbose --disable_extensions=false --extensions_socket=/var/osquery/osquery.em
```

The above settings can also be specified in the osquery flagfile.
The configuration file is expected at the following location: `/etc/zeek-agent/config.json`. Note that comments are NOT supported inside the actual file and should be removed; see the example config further below.

```jsonc
{
  // Address of the Zeek instance
  "server_address": "127.0.0.1",
  "server_port": 9999,

  // Local folder for the Zeek Agent logs
  "log_folder": "/var/log/zeek",

  // Maximum amount of rows that can be queued for each table.
  // The queue is emptied whenever the table is queried by the
  // Zeek instance. Once the limit is reached, older items are
  // dropped to make room for the new ones.
  "max_queued_row_count": 10000,

  // If osquery support is enabled, this is the Thrift socket for
  // extensions. Inside osquery, it can be configured with the
  // following flag: --extensions_socket=/path/to/socket
  "osquery_extensions_socket": "/var/osquery/osquery.em",

  // List of Zeek groups that are joined on startup
  "group_list": [],

  // Authentication settings for connecting to Zeek
  "authentication": {
    "certificate_authority": "/path/to/certificate_authority.crt",
    "client_certificate": "/path/to/client_certificate.crt",
    "client_key": "/path/to/client_key.key"
  }
}
```
Sample configuration

```json
{
  "server_address": "127.0.0.1",
  "server_port": 9999,
  "log_folder": "/var/log/zeek",
  "max_queued_row_count": 5000,
  "osquery_extensions_socket": "/var/osquery/osquery.em",
  "group_list": []
}
```
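As an added example (not part of the Zeek Agent project), a small Python checker that strips the `//` comments from a config written in the annotated style above and then validates the resulting strict JSON against the keys this guide documents. The key set, type rules and the embedded sample config are assumptions drawn from this page, not from the agent's own parser.

```python
import json

# Keys the guide documents for /etc/zeek-agent/config.json and the JSON type each must have.
REQUIRED = {"server_address": str, "server_port": int, "log_folder": str,
            "max_queued_row_count": int, "group_list": list}
OPTIONAL = {"osquery_extensions_socket": str, "authentication": dict}
AUTH_KEYS = ("certificate_authority", "client_certificate", "client_key")

# Constructed sample in the style of the guide's commented reference config (the agent rejects comments).
COMMENTED_SAMPLE = """{
  // Address of the Zeek instance
  "server_address": "127.0.0.1", "server_port": 9999, "log_folder": "/var/log/zeek",
  "max_queued_row_count": 10000, "group_list": [],  // queue limit per table
  "osquery_extensions_socket": "/var/osquery/osquery.em"  // must match osqueryd --extensions_socket
}"""

def strip_line_comments(text):
    """Drop // comments that sit outside JSON strings, yielding the strict JSON the agent expects."""
    out = []
    for line in text.splitlines():
        in_str, i = False, 0
        while i < len(line):
            if line[i] == '"' and (i == 0 or line[i - 1] != "\\"):
                in_str = not in_str  # unescaped quote toggles string state
            elif not in_str and line.startswith("//", i):
                line = line[:i]  # comment starts here, outside any string
                break
            i += 1
        out.append(line.rstrip())
    return "\n".join(out)

def validate_config(text):
    """Return a list of problems with a strict-JSON config; an empty list means it is acceptable."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e: return [f"not strict JSON ({e.msg} at line {e.lineno}); strip comments first"]
    if not isinstance(cfg, dict): return ["top-level value must be a JSON object"]
    problems = [f"missing required key: {k}" for k in REQUIRED if k not in cfg]
    for k, typ in {**REQUIRED, **OPTIONAL}.items():
        if k in cfg and not isinstance(cfg[k], typ):
            problems.append(f"{k} must be of type {typ.__name__}")
    problems += [f"unknown key: {k}" for k in cfg if k not in REQUIRED and k not in OPTIONAL]
    if isinstance(cfg.get("server_port"), int) and not 0 < cfg["server_port"] < 65536:
        problems.append("server_port must be between 1 and 65535")
    if isinstance(cfg.get("max_queued_row_count"), int) and cfg["max_queued_row_count"] <= 0:
        problems.append("max_queued_row_count must be positive")
    if isinstance(cfg.get("authentication"), dict):
        problems += [f"authentication.{k} must be a path string"
                     for k in AUTH_KEYS if not isinstance(cfg["authentication"].get(k), str)]
    return problems
```

Run `validate_config(strip_line_comments(open("/etc/zeek-agent/config.json").read()))` before starting the agent; a misspelled optional key such as the osquery socket path is reported as unknown rather than silently ignored.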
Follow the install instructions found at the following repository: Zeek Agent Framework

If osquery support was enabled at build time, then it should also be started (see above). Make sure the extensions socket passed to osquery matches the path set in the Zeek Agent configuration. Then just execute the `zeek-agent` binary and Zeek should begin receiving endpoint data. (Note that `zeek-agent` needs to run as root.)

When running on Linux, the auditd daemon should be running for the Zeek Agent to capture process and socket events. If osquery is also being used, keep Audit events disabled in osquery.

No special instructions are needed on macOS, but the application must be signed to run properly. If you plan on building the agent yourself, check out the build guide for more information.