Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Elastic Agent] Harden permissions and remove encrypted store #19678

Merged
merged 3 commits into from
Jul 7, 2020
Merged

[Elastic Agent] Harden permissions and remove encrypted store #19678

merged 3 commits into from
Jul 7, 2020

Conversation

blakerouse
Copy link
Contributor

What does this PR do?

Ensures that all the configurations that Elastic Agent writes is set to 0660 or higher. Removes the encrypted store reader/writer as it was just security by obscurity.

Why is it important?

When Elastic Agent is ran by a user that the permissions are always for that user, normally this is root or SYSTEM (on windows). Prevents users that should not access this data from reading any sensitive information.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@blakerouse blakerouse self-assigned this Jul 6, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/ingest-management (Team:Ingest Management)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 6, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 6, 2020
edited
Loading

💔 Build Failed

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #19678 updated]

  • Start Time: 2020-07-07T13:23:08.222+0000

  • Duration: 30 min 1 sec

Steps errors

Expand to view the steps failures

  • Name: Mage build unitTest

    • Description: mage build unitTest

    • Duration: 3 min 54 sec

    • Start Time: 2020-07-07T13:49:50.761+0000

    • log

Log output

Expand to view the last 100 lines of log output 

[2020-07-07T13:52:44.923Z] PASS
[2020-07-07T13:52:44.923Z] coverage: 64.7% of statements
[2020-07-07T13:52:44.923Z] ok  	github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/tokenbucket	3.165s	coverage: 64.7% of statements
[2020-07-07T13:52:44.923Z] FAIL
[2020-07-07T13:52:44.923Z] Error: running "go test -race -v -coverprofile build\coverage.out ./..." failed with exit code 1
[2020-07-07T13:52:45.017Z] Recording test results
[2020-07-07T13:52:46.292Z] None of the test reports contained any result
[2020-07-07T13:52:47.136Z] Stashed 0 file(s)
[2020-07-07T13:52:47.146Z] Archiving artifacts
[2020-07-07T13:52:48.090Z] java.lang.InterruptedException: no matches found within 10000
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath$ValidateAntFileMask.hasMatch(FilePath.java:2826)
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath$ValidateAntFileMask.invoke(FilePath.java:2705)
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath$ValidateAntFileMask.invoke(FilePath.java:2686)
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3073)
[2020-07-07T13:52:48.090Z] Also:   hudson.remoting.Channel$CallSiteStackTrace: Remote call to JNLP4-connect connection from beats-ci-immutable-windows-2019-1594129429956228972.c.elastic-ci-prod.internal/10.224.0.113:49733
[2020-07-07T13:52:48.090Z] 		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1788)
[2020-07-07T13:52:48.090Z] 		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
[2020-07-07T13:52:48.090Z] 		at hudson.remoting.Channel.call(Channel.java:998)
[2020-07-07T13:52:48.090Z] 		at hudson.FilePath.act(FilePath.java:1069)
[2020-07-07T13:52:48.090Z] 		at hudson.FilePath.act(FilePath.java:1058)
[2020-07-07T13:52:48.090Z] 		at hudson.FilePath.validateAntFileMask(FilePath.java:2684)
[2020-07-07T13:52:48.090Z] 		at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:265)
[2020-07-07T13:52:48.090Z] 		at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
[2020-07-07T13:52:48.090Z] 		at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
[2020-07-07T13:52:48.090Z] 		at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
[2020-07-07T13:52:48.090Z] 		at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[2020-07-07T13:52:48.090Z] 		at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-07-07T13:52:48.090Z] 		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-07-07T13:52:48.090Z] 		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-07-07T13:52:48.090Z] Caused: hudson.FilePath$TunneledInterruptedException
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3075)
[2020-07-07T13:52:48.090Z] 	at hudson.remoting.UserRequest.perform(UserRequest.java:212)
[2020-07-07T13:52:48.090Z] 	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
[2020-07-07T13:52:48.090Z] 	at hudson.remoting.Request$2.run(Request.java:369)
[2020-07-07T13:52:48.090Z] 	at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
[2020-07-07T13:52:48.090Z] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-07-07T13:52:48.090Z] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-07-07T13:52:48.090Z] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-07-07T13:52:48.090Z] 	at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
[2020-07-07T13:52:48.090Z] Caused: java.lang.InterruptedException: java.lang.InterruptedException: no matches found within 10000
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath.act(FilePath.java:1071)
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath.act(FilePath.java:1058)
[2020-07-07T13:52:48.090Z] 	at hudson.FilePath.validateAntFileMask(FilePath.java:2684)
[2020-07-07T13:52:48.091Z] 	at hudson.tasks.ArtifactArchiver.perform(ArtifactArchiver.java:265)
[2020-07-07T13:52:48.091Z] 	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:80)
[2020-07-07T13:52:48.091Z] 	at org.jenkinsci.plugins.workflow.steps.CoreStep$Execution.run(CoreStep.java:67)
[2020-07-07T13:52:48.091Z] 	at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
[2020-07-07T13:52:48.091Z] 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[2020-07-07T13:52:48.091Z] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-07-07T13:52:48.091Z] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-07-07T13:52:48.091Z] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-07-07T13:52:48.091Z] 	at java.lang.Thread.run(Thread.java:748)
[2020-07-07T13:52:48.091Z] No artifacts found that match the file pattern "**\build\TEST*.out". Configuration error?
[2020-07-07T13:52:49.408Z] Failed in branch Elastic Agent x-pack Windows
[2020-07-07T13:52:49.544Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats
[2020-07-07T13:52:49.848Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-07-07T13:52:49.859Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats/Lint
[2020-07-07T13:52:49.937Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-07-07T13:52:50.023Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats/Elastic-Agent-Mac-OS-X
[2020-07-07T13:52:50.103Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-07-07T13:52:50.466Z] + cat
[2020-07-07T13:52:50.466Z] + /usr/local/bin/runbld ./runbld-script
[2020-07-07T13:52:50.466Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-07-07T13:52:57.072Z] runbld>>> runbld started
[2020-07-07T13:52:57.072Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-07-07T13:52:58.015Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-19678' in order of occurrence in the config (last value wins).
[2020-07-07T13:52:59.402Z] runbld>>> Debug logging enabled.
[2020-07-07T13:52:59.402Z] runbld>>> Storing result
[2020-07-07T13:52:59.402Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-07-07T13:52:59.402Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200707135259-3D4DDC11
[2020-07-07T13:52:59.402Z] runbld>>> Adding system facts.
[2020-07-07T13:53:00.349Z] runbld>>> Adding vcs info for the latest commit:  3d5511e7c20169120a6df0b8522319ba59c9d83a
[2020-07-07T13:53:00.349Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-07-07T13:53:00.349Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-07-07T13:53:00.349Z] + echo 'Processing JUnit reports with runbld...'
[2020-07-07T13:53:00.349Z] Processing JUnit reports with runbld...
[2020-07-07T13:53:00.920Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-07-07T13:53:00.920Z] runbld>>> DURATION: 23ms
[2020-07-07T13:53:00.920Z] runbld>>> STDOUT: 40 bytes
[2020-07-07T13:53:00.920Z] runbld>>> STDERR: 49 bytes
[2020-07-07T13:53:00.920Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-07-07T13:53:00.920Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats
[2020-07-07T13:53:01.871Z] runbld>>> Storing build metadata: 
[2020-07-07T13:53:01.871Z] runbld>>> Adding test report.
[2020-07-07T13:53:01.871Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678/src/github.com/elastic/beats
[2020-07-07T13:53:02.442Z] runbld>>> Found 0 test output files
[2020-07-07T13:53:02.442Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 0 Skipped: 0
[2020-07-07T13:53:02.702Z] runbld>>> Storing result
[2020-07-07T13:53:02.702Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-07-07T13:53:02.702Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200707135259-3D4DDC11
[2020-07-07T13:53:02.962Z] runbld>>> Email notification disabled by environment variable.
[2020-07-07T13:53:02.962Z] runbld>>> Slack notification disabled by environment variable.
[2020-07-07T13:53:08.773Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19678
[2020-07-07T13:53:09.011Z] [INFO] getVaultSecret: Getting secrets
[2020-07-07T13:53:09.070Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-07-07T13:53:09.789Z] + chmod 755 generate-build-data.sh
[2020-07-07T13:53:09.789Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19678/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19678/runs/3 FAILURE 1801307
[2020-07-07T13:53:09.789Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19678/runs/3/steps/?limit=10000 -o steps-info.json
[2020-07-07T13:53:10.040Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19678/runs/3/tests/?status=FAILED -o tests-errors.json
[2020-07-07T13:53:10.290Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19678/runs/3/log/ -o pipeline-log.txt

@blakerouse blakerouse merged commit b8c49e0 into elastic:master Jul 7, 2020
@blakerouse blakerouse deleted the agent-perms-check branch July 7, 2020 15:30
blakerouse added a commit to blakerouse/beats that referenced this pull request Jul 7, 2020
@blakerouse
[Elastic Agent] Harden permissions and remove encrypted store (elasti…
136bf24 
…c#19678)

* Harden permissions, remove encrypted store.

* Add changelog.

* Fix issues with DiskStore error handling.

(cherry picked from commit b8c49e0)
@blakerouse blakerouse mentioned this pull request Jul 7, 2020
Merged
4 tasks
blakerouse added a commit that referenced this pull request Jul 9, 2020
@blakerouse
Cherry-pick #19678 to 7.x: [Elastic Agent] Harden permissions and rem…
044c3fe 
…ove encrypted store (#19707)

* [Elastic Agent] Harden permissions and remove encrypted store (#19678)

* Harden permissions, remove encrypted store.

* Add changelog.

* Fix issues with DiskStore error handling.

(cherry picked from commit b8c49e0)

* Run mage fmt
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@blakerouse @melchiormoulin
[Elastic Agent] Harden permissions and remove encrypted store (elasti…
7e9972d 
…c#19678)

* Harden permissions, remove encrypted store.

* Add changelog.

* Fix issues with DiskStore error handling.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ph ph ph approved these changes

Assignees

@blakerouse blakerouse

Labels
v7.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Elastic Agent] Ensure that agent data and config is only accessible by user/group not world
3 participants
@blakerouse @elasticmachine @ph