From ab54de6c0064b00fd25f7409d59b225ef1cb66f2 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 2 May 2024 16:03:44 +0300
Subject: [PATCH] [Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required in FIM with kprobes (#39361)

* fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies
* fix(auditbeat/fim/kprobes): check correctly the "fsnotify_nameremove" symbol
* fix(auditbeat/fim/tests): remove check on absent key of the event for ebpf
* doc: update CHANGELOG.next.asciidoc
---
 CHANGELOG.next.asciidoc | 1 +
 .../kprobes/probes_fsnotify_nameremove.go | 2 +-
 .../file_integrity/kprobes/seccomp_linux.go | 44 +++++++++++++++++++
 auditbeat/tests/system/test_file_integrity.py | 1 -
 4 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 auditbeat/module/file_integrity/kprobes/seccomp_linux.go

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 68eb43677ea..e9e5ec09236 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -96,6 +96,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Set field types to correctly match ECS in sessionmd processor {issue}38955[38955] {pull}38994[38994]
 - Fix failing to enrich process events in sessionmd processor {issue}38955[38955] {pull}39173[39173] {pull}39243[39243]
 - Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
+- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]
 
 *Filebeat*
 
diff --git a/auditbeat/module/file_integrity/kprobes/probes_fsnotify_nameremove.go b/auditbeat/module/file_integrity/kprobes/probes_fsnotify_nameremove.go
index ecabb94c7d2..47fc5df9f0a 100644
--- a/auditbeat/module/file_integrity/kprobes/probes_fsnotify_nameremove.go
+++ b/auditbeat/module/file_integrity/kprobes/probes_fsnotify_nameremove.go
@@ -35,7 +35,7 @@ func loadFsNotifyNameRemoveSymbol(s *probeManager) error {
 if err != nil {
 if errors.Is(err, ErrSymbolNotFound) {
 s.buildChecks = append(s.buildChecks, func(spec *tkbtf.Spec) bool {
- return !spec.ContainsSymbol(symbolInfo.symbolName)
+ return !spec.ContainsSymbol("fsnotify_nameremove")
 })
 return nil
 }
diff --git a/auditbeat/module/file_integrity/kprobes/seccomp_linux.go b/auditbeat/module/file_integrity/kprobes/seccomp_linux.go
new file mode 100644
index 00000000000..90336f66795
--- /dev/null
+++ b/auditbeat/module/file_integrity/kprobes/seccomp_linux.go
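Review bot: The build check now hardcodes `"fsnotify_nameremove"` as a string literal inside the closure, while the symbol lookup earlier in loadFsNotifyNameRemoveSymbol (outside this hunk) presumably names the same symbol, so the two can drift apart; keeping the name in one place, e.g. a package-level `const fsNotifyNameRemoveSymbol = "fsnotify_nameremove"` used as `return !spec.ContainsSymbol(fsNotifyNameRemoveSymbol)`, avoids that. The closure also deserves a comment, since it returns true only when the symbol is missing from the BTF spec: `// This probe set is valid only on kernels whose BTF does not contain fsnotify_nameremove.` loadFsNotifyNameRemoveSymbol starts before and continues after this hunk.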
@@ -0,0 +1,44 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package kprobes
+
+import (
+ "runtime"
+
+ "github.com/elastic/beats/v7/libbeat/common/seccomp"
+)
+
+func init() {
+ switch runtime.GOARCH {
+ case "amd64", "386", "arm64":
+ // The module/file_integrity with kprobes BE uses additional syscalls
+ if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+ "eventfd2", // required by auditbeat/tracing
+ "mount", // required by auditbeat/tracing
+ "perf_event_open", // required by auditbeat/tracing
+ "ppoll", // required by auditbeat/tracing
+ "umount2", // required by auditbeat/tracing
+ "truncate", // required during kprobes verification
+ "utime", // required during kprobes verification
+ "utimensat", // required during kprobes verification
+ "setxattr", // required during kprobes verification
+ ); err != nil {
+ panic(err)
+ }
+ }
+}
diff --git a/auditbeat/tests/system/test_file_integrity.py b/auditbeat/tests/system/test_file_integrity.py
index 64062dd0a77..c82f3187a60 100644
--- a/auditbeat/tests/system/test_file_integrity.py
+++ b/auditbeat/tests/system/test_file_integrity.py
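Review bot: `init()` widens the process-wide seccomp allowlist — including `mount` and `umount2` — whenever this package is linked in, not only when the kprobes backend is actually selected, so every auditbeat run on these architectures carries the looser policy; the file should state that trade-off, e.g. above the `if`: `// Applied unconditionally: the seccomp filter is presumably installed before module configuration is known, so these syscalls stay allowed even when another FIM backend is in use.` Separately, `utime` is worth confirming under the "arm64" case: that architecture's generic syscall table has no utime entry (only utimensat), so depending on how the policy assembler treats a name unknown to the arch table, the entry is either dead or a startup failure. The per-syscall comments would also be more useful if "required by auditbeat/tracing" said which operation needs it (for example that `mount`/`umount2` are for the tracefs setup, if that is the case), since those are the broadest additions here.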
@@ -108,7 +108,6 @@ def _assert_process_data(self, event, backend):
 if backend != "ebpf":
 return
 assert event["process.entity_id"] != ""
- assert event["process.executable"] == "pytest"
 assert event["process.pid"] == os.getpid()
 assert int(event["process.user.id"]) == os.geteuid()
 assert event["process.user.name"] == pwd.getpwuid(os.geteuid()).pw_name