Sunday 24 December 2017

Process dump the attacker using logstash

Use Linux auditd to watch the /etc/passwd file and tag every write or attribute change to it with the key "password_access".

$ sudo apt install auditd
$ sudo auditctl -w /etc/passwd -p wa -k password_access

(A rule added with auditctl is lost on reboot; to keep the watch permanent, put the same -w line in a file under /etc/audit/rules.d/.)

Make logstash core-dump any process that causes auditd to write an event carrying the "password_access" key.

Install gdb (it provides gcore):

$ sudo apt install gdb

Modify the output section of your /etc/logstash/conf.d/00-output.conf:

output {
  # [key] and [pid] must already have been parsed out of the audit record by
  # the filter stage. Only run gcore when the pid is a plain integer, because
  # the exec command line is expanded from event fields.
  if [key] == "password_access" and [pid] =~ /^[0-9]+$/ {
      stdout { codec => json }
      # gcore needs ptrace rights over the target process, which the logstash
      # user does not have by default (grant CAP_SYS_PTRACE or a sudo rule).
      exec { command => "gcore -o /tmp/dump-%{@timestamp} %{pid}" }
  }
}
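The config above takes for granted that the audit line has already been turned into `key` and `pid` fields. As an added example (not part of the original post), this Python sketch does that parsing on constructed auditd SYSCALL records and applies the same guard the exec command needs: the dump is only built for the watch key, and only when the pid is a plain integer.

```python
import re
from typing import Dict, List, Optional

# Constructed auditd SYSCALL records (not real captures): one hits the watch
# key, one does not, and one carries a pid that is not a plain integer.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1514131200.123:456): arch=c000003e syscall=257 '
    'success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 euid=0 '
    'tty=pts0 ses=2 comm="vim" exe="/usr/bin/vim.basic" key="password_access"',
    'type=SYSCALL msg=audit(1514131201.001:457): arch=c000003e syscall=257 '
    'success=yes exit=4 items=1 ppid=1 pid=987 auid=4294967295 uid=0 euid=0 '
    'comm="sshd" exe="/usr/sbin/sshd" key=(null)',
    'type=SYSCALL msg=audit(1514131202.500:458): arch=c000003e syscall=2 '
    'success=yes exit=5 items=1 ppid=1 pid=1234;true comm="sh" key="password_access"',
]

# key=value tokens; values are either a double-quoted string or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_AUDIT_ID_RE = re.compile(r'audit\((\d+)\.\d+:(\d+)\)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into a field dict, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def build_dump_command(fields: Dict[str, str], watch_key: str = "password_access",
                       dump_dir: str = "/tmp") -> Optional[List[str]]:
    """Return the gcore argv for a record that hit the watch key, else None.

    Mirrors the logstash conditional, but refuses any pid that is not a run of
    ASCII digits so the field can never carry shell syntax into the command.
    The dump name uses the audit event's own seconds:serial id as the stamp.
    """
    if fields.get("key") != watch_key:
        return None
    pid = fields.get("pid", "")
    if not re.fullmatch(r"[0-9]+", pid):
        return None
    match = _AUDIT_ID_RE.search(fields.get("msg", ""))
    stamp = f"{match.group(1)}-{match.group(2)}" if match else "unknown"
    return ["gcore", "-o", f"{dump_dir}/dump-{stamp}", pid]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(build_dump_command(parse_audit_record(record)))
```

Handing the returned argv list to subprocess.run (no shell) keeps the pid an argument rather than part of a command string.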

