[Auditbeat] New system/socket dataset using kprobes tracing events (#…

…13058)

This patch replaces the original `system/socket` dataset which used
netlink to periodically poll the system for open sockets.

In the new implementation, kprobe-based tracing is used to receive
events of interest related to function calls and their arguments
inside the kernel tcp/ip stack. From this stream of information the
dataset constructs a model of all the network sockets in use and the
processes running in the system at any given time.

This allows the dataset to produce flow-like events with information
like packets and bytes counters, originator process and user, with
little impact to system performance and without missing short-lived
sockets or processes.

The dataset is in beta.

NOTICE.txt

@@ -758,6 +758,40 @@ License type (autodetected): Apache-2.0
 Apache License 2.0
 
 
+--------------------------------------------------------------------
+Dependency: github.com/elastic/go-perf
+Revision: 9bc9b58a3de9e63a1a8e27241ae3c61d3449782b
+License type (autodetected): BSD-3-Clause
+./vendor/github.com/elastic/go-perf/LICENSE:
+--------------------------------------------------------------------
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
 --------------------------------------------------------------------
 Dependency: github.com/elastic/go-seccomp-bpf
 Version: v1.1.0

auditbeat/module/auditd/_meta/audit.rules.d/sample-rules-linux-32bit.conf

@@ -1,9 +1,6 @@
 ## Executions.
 -a always,exit -F arch=b32 -S execve,execveat -k exec
 
-## External access (warning: these can be expensive to audit).
--a always,exit -F arch=b32 -S accept4,bind,connect -F key=external-access
-
 ## Identity changes.
 -w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity

auditbeat/module/auditd/_meta/audit.rules.d/sample-rules-linux-64bit.conf

@@ -7,9 +7,6 @@
 ## Executions.
 -a always,exit -F arch=b64 -S execve,execveat -k exec
 
-## External access (warning: these can be expensive to audit).
--a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-
 ## Identity changes.
 -w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity