From c7763083f60ff8e5f0bbac65a168b2fd4b20b63a Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 2 Dec 2020 19:39:58 +0100
Subject: [PATCH 1/3] system/socket: Add ip_local_out alternative (#22787)

This commit adds a new function alternative, `__ip_local_out` for selecting a proper ip_local_out function, and fixes `guess_ip_local_out` logic in order to account for this new function.
The new order of precedence is:
- ip_local_out_sk (kernels before 3.16)
- __ip_local_out (for kernels where ip_local_out calls are inlined)
- ip_local_out (all others).
Relates #18755
(cherry picked from commit b627fb742e2154f0fbc882548a18c92c9f4845c8)
---
.../module/system/socket/guess/iplocalout.go | 21 +++++++++++++------
.../module/system/socket/template.go | 2 +-
2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/x-pack/auditbeat/module/system/socket/guess/iplocalout.go b/x-pack/auditbeat/module/system/socket/guess/iplocalout.go
index d78140bda134..a06571391781 100644
--- a/x-pack/auditbeat/module/system/socket/guess/iplocalout.go
+++ b/x-pack/auditbeat/module/system/socket/guess/iplocalout.go
@@ -17,14 +17,22 @@ import (
 "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 )
 
-// Guess how to get a struct sock* from an ip_local_out() call.
+// Guess how to get a struct sock* and an sk_buff* from an ip_local_out() call.
 // This function has three forms depending on kernel version:
 // - ip_local_out(struct sk_buff *skb) // 2.x//<3.13
 // - ip_local_out_sk(struct sock *sk, struct sk_buff *skb) // 3.13..4.3
 // - ip_local_out(struct net *net, struct sock *sk, struct sk_buff *skb) // 4.4+
 //
-// what it does is set a probe on tcp_sendmsg (guaranteed to have a *sock)
-// and in ip_local_out, which will be called by tcp_sendmsg.
+// To make things more complicated, in some 5.x+ kernels, ip_local_out is never
+// triggered although it exists, but __ip_local_out always works, so
+// this guess expects the template variable IP_LOCAL_OUT to be set to the
+// first of these functions that is available for tracing:
+// [ "ip_local_out_sk", "__ip_local_out", "ip_local_out" ]
+//
+// ----
+//
+// What it guess does is set a probe on tcp_sendmsg (guaranteed to have a *sock)
+// and in .IP_LOCAL_OUT, which will be called by tcp_sendmsg.
 // It dumps the first param (which can be a struct net* or a struct sk_buff)
 // and gets the second param. Either the second param is the sock, or is it
 // found at some point in the dumped first param.
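Review bot: The added comment line `// What it guess does is set a probe on tcp_sendmsg (guaranteed to have a *sock)` has a typo and should read `// What this guess does is set a probe on tcp_sendmsg (guaranteed to have a *sock)`. The same block spells out the alternative list `[ "ip_local_out_sk", "__ip_local_out", "ip_local_out" ]`, which duplicates the `functionAlternatives` entry changed in template.go in this same commit, and the argument selection in Probes keys off those exact names; a one-line pointer such as `// Keep this list in sync with functionAlternatives["IP_LOCAL_OUT"] in template.go.` would help whoever adds the next alternative. The type this comment documents begins after the hunk.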
@@ -98,8 +106,8 @@ func (g *guessIPLocalOut) Probes() ([]helper.ProbeDef, error) {
 Probe: tracing.Probe{
 Name: "ip_local_out_sock_guess",
 Address: "{{.IP_LOCAL_OUT}}",
- Fetchargs: "arg={{if eq .IP_LOCAL_OUT \"ip_local_out\"}}{{.P2}}{{else}}{{.P1}}{{end}} dump=" +
- helper.MakeMemoryDump("{{if eq .IP_LOCAL_OUT \"ip_local_out\"}}{{.P1}}{{else}}{{.P2}}{{end}}", 0, skbuffDumpSize),
+ Fetchargs: "arg={{if ne .IP_LOCAL_OUT \"ip_local_out_sk\"}}{{.P2}}{{else}}{{.P1}}{{end}} dump=" +
+ helper.MakeMemoryDump("{{if ne .IP_LOCAL_OUT \"ip_local_out_sk\"}}{{.P1}}{{else}}{{.P2}}{{end}}", 0, skbuffDumpSize),
 },
 Decoder: helper.NewStructDecoder(func() interface{} { return new(skbuffSockGuess) }),
 },
@@ -149,7 +157,8 @@ func (g *guessIPLocalOut) Extract(ev interface{}) (common.MapStr, bool) {
 // No tcp_sendmsg received?
 return nil, false
 }
- isIpLocalOut := g.ctx.Vars["IP_LOCAL_OUT"] == "ip_local_out"
+ // Special handling for ip_local_out_sk
+ isIpLocalOut := g.ctx.Vars["IP_LOCAL_OUT"] != "ip_local_out_sk"
 if v.Arg == g.sock {
 if isIpLocalOut {
 return common.MapStr{
diff --git a/x-pack/auditbeat/module/system/socket/template.go b/x-pack/auditbeat/module/system/socket/template.go
index 2066d60cdcf7..425692c76818 100644
--- a/x-pack/auditbeat/module/system/socket/template.go
+++ b/x-pack/auditbeat/module/system/socket/template.go
@@ -35,7 +35,7 @@ var baseTemplateVars = common.MapStr{
 // These functions names vary between kernel versions. The first available one
 // will be selected during setup.
 var functionAlternatives = map[string][]string{
- "IP_LOCAL_OUT": {"ip_local_out", "ip_local_out_sk"},
+ "IP_LOCAL_OUT": {"ip_local_out_sk", "__ip_local_out", "ip_local_out"},
 "RECV_UDP_DATAGRAM": {"__skb_recv_udp", "__skb_recv_datagram", "skb_recv_datagram"},
 "SYS_EXECVE": syscallAlternatives("execve"),
 "SYS_GETTIMEOFDAY": syscallAlternatives("gettimeofday"),
From 39ec6d8edca25f533f422c50c11ecc25b973409b Mon Sep 17 00:00:00 2001
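Review bot: The literal `"ip_local_out_sk"` is now the single discriminator for which probe parameter is fetched as `arg` and which one is dumped, and it is spelled out twice in the Fetchargs template here, once more in the Extract hunk below, and once in `functionAlternatives` in template.go. A mismatch between any of those copies would not fail loudly; it would make the probe fetch and dump the wrong parameter, so a shared constant (for example `const ipLocalOutSK = "ip_local_out_sk"`, spliced into the Fetchargs string and compared in Extract and template.go) would make the coupling explicit. The flip from `eq "ip_local_out"` to `ne "ip_local_out_sk"` also means any alternative appended to functionAlternatives later inherits the ip_local_out layout by default; a comment on the Fetchargs line such as `// Only ip_local_out_sk receives the sock as its first parameter; every other alternative is probed as arg=P2, dump=P1.` would record that assumption. The enclosing Probes method starts and ends outside the hunk.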
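Review bot: After this change `isIpLocalOut` is also true when IP_LOCAL_OUT is `__ip_local_out`, so the name no longer describes the condition, and the added comment `// Special handling for ip_local_out_sk` describes the false branch of a flag named after the true branch. What the flag actually encodes, matching the Fetchargs selection in Probes, is that the probe read its `arg` from the second parameter, so a name like `argIsSecondParam` (Go style would also want `IP` rather than `Ip` if the current name is kept) would read correctly at every use; since Extract continues past the hunk and its remaining uses of the flag are not visible here, at minimum replace the comment with `// Only ip_local_out_sk passes the sock as its first parameter; every other alternative is probed with arg=P2, dump=P1 (see Probes).`.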
From: Adrian Serrano
Date: Wed, 2 Dec 2020 18:50:09 +0100
Subject: [PATCH 2/3] Changelog entry
---
CHANGELOG.next.asciidoc | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 255030a3a85d..d8859e2170df 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -171,6 +171,21 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - auditd: Fix an error condition causing a lot of `audit_send_reply` kernel threads being created. {pull}22673[22673]
 - system/socket: Fixed start failure when run under config reloader. {issue}20851[20851] {pull}21693[21693]
 - file_integrity: stop monitoring excluded paths {issue}21278[21278] {pull}21282[21282]
+- system/socket: Fixed startup error with some 5.x kernels. {issue}18755[18755] {pull}22787[22787]
+
+*Filebeat*
+
+- Fix mapping of fortinet.firewall.mem as integer. {pull}19335[19335]
+- Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766]
+- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590]
+- Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
+- Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
+- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
+- Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942]
+- Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]
+- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
+- Fix a connection error in httpjson input. {pull}16123[16123]
+- Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523]
 
 *Filebeat*
 
From c2473d6805ab213e3a84ffda9b59ecdd493ec7c3 Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Wed, 2 Dec 2020 20:44:21 +0100
Subject: [PATCH 3/3] Fix changelog
---
CHANGELOG.next.asciidoc | 14 --------------
1 file changed, 14 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d8859e2170df..e688b2e31a5c 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -175,20 +175,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Filebeat*
 
-- Fix mapping of fortinet.firewall.mem as integer. {pull}19335[19335]
-- Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766]
-- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590]
-- Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
-- Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
-- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
-- Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942]
-- Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]
-- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
-- Fix a connection error in httpjson input. {pull}16123[16123]
-- Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523]
-
-*Filebeat*
-
 - cisco/asa fileset: Fix parsing of 302021 message code. {pull}14519[14519]
 - Fix filebeat azure dashboards, event category should be `Alert`. {pull}14668[14668]
 - Fixed dashboard for Cisco ASA Firewall. {issue}15420[15420] {pull}15553[15553]