Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[auditbeat] fim: implement ebpf backend #37223

Merged
merged 2 commits into from
Feb 13, 2024
Merged

[auditbeat] fim: implement ebpf backend #37223

merged 2 commits into from
Feb 13, 2024

Conversation

mmat11
Copy link
Contributor

@mmat11 mmat11 commented Nov 28, 2023
edited by andrewkroh
Loading

Proposed commit message

This PR adds an additional opt-in eBPF backend to the file_integrity module. See related issues for more context.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

How to test this PR locally

Enable the eBPF backend in the file_integrity module config by specifying force_backend: ebpf and observe file events after running auditbeat.

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 28, 2023
@mmat11 mmat11 added Team:Security-Linux Platform Linux Platform Team in Security Solution and removed needs_team Indicates that the issue/PR needs a Team:* label labels Nov 28, 2023
@mergify mergify bot assigned mmat11 Nov 28, 2023
@mmat11 mmat11 force-pushed the matt/fim-ebpf branch 12 times, most recently from 8204ed0 to 9c9cac4 Compare December 4, 2023 16:18
@elastic elastic deleted a comment from mergify bot Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from elasticmachine Dec 7, 2023
@elastic elastic deleted a comment from mergify bot Dec 7, 2023
@mmat11
Copy link
Contributor Author

mmat11 commented Feb 5, 2024

/test auditbeat integTest

@mmat11
Copy link
Contributor Author

mmat11 commented Feb 5, 2024

/test auditbeat integTest arm

@mergify Mergify
Copy link
Contributor

mergify bot commented Feb 6, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b matt/fim-ebpf upstream/matt/fim-ebpf
git merge upstream/main
git push upstream matt/fim-ebpf

@mmat11 mmat11 force-pushed the matt/fim-ebpf branch 3 times, most recently from 136b45c to 3e7db0b Compare February 8, 2024 16:53
@mmat11
Copy link
Contributor Author

mmat11 commented Feb 8, 2024

/test auditbeat integTest arm

@mmat11
Copy link
Contributor Author

mmat11 commented Feb 8, 2024

/test auditbeat integTest arm

andrewkroh
andrewkroh approved these changes Feb 9, 2024
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor comments, I don't think anything that requires another look.

For future reference, in these larger changesets I would prefer if we didn't force push after the first peer review comments come in. Being able to view the changes since you last reviewed is valuable. At least in this repo, you are required to squash at merge so you still have an opportunity to clean up the commit message.

auditbeat/module/file_integrity/metricset.go Show resolved Hide resolved
auditbeat/module/file_integrity/schema/Source.go Outdated Show resolved Hide resolved
@mmat11 mmat11 requested a review from a team as a code owner February 9, 2024 17:23
@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mmat11

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mmat11

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mmat11

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mmat11

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mmat11

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

cc @mmat11

@mmat11 mmat11 enabled auto-merge (squash) February 9, 2024 20:27
pkoutsovasilis
pkoutsovasilis approved these changes Feb 9, 2024
View reviewed changes
Copy link
Contributor

@pkoutsovasilis pkoutsovasilis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@mmat11 mmat11 merged commit ba01271 into main Feb 13, 2024
149 checks passed
@mmat11 mmat11 deleted the matt/fim-ebpf branch February 13, 2024 18:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mjwolf mjwolf mjwolf left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

@cmacknz cmacknz cmacknz approved these changes

@pkoutsovasilis pkoutsovasilis pkoutsovasilis approved these changes

@ycombinator ycombinator Awaiting requested review from ycombinator ycombinator was automatically assigned from elastic/elastic-agent-data-plane

@fearful-symmetry fearful-symmetry Awaiting requested review from fearful-symmetry fearful-symmetry was automatically assigned from elastic/elastic-agent-data-plane

Assignees

@mmat11 mmat11

Labels
Auditbeat enhancement Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@mmat11 @elasticmachine @jamiehynds @mjwolf @cmacknz @andrewkroh @pkoutsovasilis