Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auditbeat doesn't recognize that a path in an audit record might be in an inaccessible namespace. #25777

Closed
barrylustig opened this issue May 18, 2021 · 4 comments
Closed

auditbeat doesn't recognize that a path in an audit record might be in an inaccessible namespace. #25777

barrylustig opened this issue May 18, 2021 · 4 comments
Labels
Auditbeat enhancement Stalled

Comments

@barrylustig
Copy link

Describe the enhancement:
auditbeat will blindly try and hash an executable during process enrichment (func (ms *MetricSet) enrichProcess(process *Process)) even if that path is unreachable because it resides in a different namespace. For example, auditbeat gets an audit record for an exec that occurs inside a container. The exec is for a file path that only resides inside the container. Auditbeat, running on the host, tries to hash the file. It will always fail the os.Stat call and log and error at the warning level. It would be useful for auditbeat to recognize that the audit record is coming from a container and that it might not have access to that namespace.

Describe a specific use case for the enhancement or feature:
Eliminate a number of unnecessary function calls, a stat failure and an extraneous log message. As it is now, we have to set auditbeat's logging level to error, so that we don't swamp our system logs.
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 18, 2021
@barrylustig barrylustig changed the title auditbeat doesn't recognize that a path in an audit record might be in a inaccessible namespace. auditbeat doesn't recognize that a path in an audit record might be in an inaccessible namespace. May 19, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 19, 2021
@barrylustig
Copy link
Author

barrylustig commented May 19, 2021
edited
Loading

I think this could be easily address if "enrichProcess" has info that the record comes from a container, then the failed stat call might be better logged at the debug level. It should only be a warning if there is an expectation that the file exists in the host namespace.

@xavigpich xavigpich mentioned this issue Jan 4, 2022
Closed
@efd6 efd6 mentioned this issue Jan 11, 2022
Merged
5 tasks
@efd6
Copy link
Contributor

efd6 commented Jan 19, 2022

@barrylustig are you happy that #29786 has fixed this for you?

@botelastic
Copy link

botelastic bot commented Jan 20, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jan 20, 2023
@botelastic botelastic bot closed this as completed Jul 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Auditbeat enhancement Stalled
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@barrylustig @elasticmachine @jamiehynds @efd6