Skip to content

Commit

Permalink
[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required i…
Browse files Browse the repository at this point in the history
…n FIM with kprobes (#39361)

* fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies

* fix(auditbeat/fim/kprobes): check correctly the "fsnotify_nameremove" symbol

* fix(auditbeat/fim/tests): remove check on absent key of the event for ebpf

* doc: update CHANGELOG.next.asciidoc
  • Loading branch information
pkoutsovasilis authored May 2, 2024
1 parent ffcd181 commit ab54de6
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Set field types to correctly match ECS in sessionmd processor {issue}38955[38955] {pull}38994[38994]
- Fix failing to enrich process events in sessionmd processor {issue}38955[38955] {pull}39173[39173] {pull}39243[39243]
- Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]


*Filebeat*
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ func loadFsNotifyNameRemoveSymbol(s *probeManager) error {
if err != nil {
if errors.Is(err, ErrSymbolNotFound) {
s.buildChecks = append(s.buildChecks, func(spec *tkbtf.Spec) bool {
return !spec.ContainsSymbol(symbolInfo.symbolName)
return !spec.ContainsSymbol("fsnotify_nameremove")
})
return nil
}
Expand Down
44 changes: 44 additions & 0 deletions auditbeat/module/file_integrity/kprobes/seccomp_linux.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package kprobes

import (
"runtime"

"github.com/elastic/beats/v7/libbeat/common/seccomp"
)

func init() {
switch runtime.GOARCH {
case "amd64", "386", "arm64":
// The module/file_integrity with kprobes BE uses additional syscalls
if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
"eventfd2", // required by auditbeat/tracing
"mount", // required by auditbeat/tracing
"perf_event_open", // required by auditbeat/tracing
"ppoll", // required by auditbeat/tracing
"umount2", // required by auditbeat/tracing
"truncate", // required during kprobes verification
"utime", // required during kprobes verification
"utimensat", // required during kprobes verification
"setxattr", // required during kprobes verification
); err != nil {
panic(err)
}
}
}
1 change: 0 additions & 1 deletion auditbeat/tests/system/test_file_integrity.py
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,6 @@ def _assert_process_data(self, event, backend):
if backend != "ebpf":
return
assert event["process.entity_id"] != ""
assert event["process.executable"] == "pytest"
assert event["process.pid"] == os.getpid()
assert int(event["process.user.id"]) == os.geteuid()
assert event["process.user.name"] == pwd.getpwuid(os.geteuid()).pw_name
Expand Down

0 comments on commit ab54de6

Please sign in to comment.