[Auditbeat] Add option to disable/flush audit subsystem/rules on shutdown

[SIGUSRBACON]

Describe the enhancement:
Auditbeat will enable the audit subsystem and configure rules on startup however it does not currently have the ability to disable the audit subsystem and flush rules on shutdown (at least as far as I've been able to find).

This means that on a system that does not have /sbin/auditctl, there is no easy way to disable auditing nor delete rules.

Describe a specific use case for the enhancement or feature:
There are many cases where one might want to flush rules or disable auditing. One specific example use case is for evaluating the performance impact of an audit rule.

This request is similar to: #8280 but different enough that I elected to submit it anyway.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[andrewkroh]

As a workaround, if you have auditd installed, you could create a systemd file to execute auditctl -D when auditbeat stops. For example, create this file:

# /etc/systemd/system/auditbeat.service.d/local.conf
[Service]
ExecStopPost=/usr/bin/auditctl -D

Then use systemctl daemon-reload to pick up the file. Then restart auditbeat with systemctl restart auditbeat.service. Then test it by stopping the service and checking if the rules where cleared from the kernel.

Or going a step further, I think you could disable auditing entirely with auditctl -e 0.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.