[Heartbeat] Setuid to regular user / lower capabilities when possible

CHANGELOG.next.asciidoc

@@ -320,6 +320,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 - Fixed excessive memory usage introduced in 7.5 due to over-allocating memory for HTTP checks. {pull}15639[15639]
 - Fixed TCP TLS checks to properly validate hostnames, this broke in 7.x and only worked for IP SANs. {pull}17549[17549]
+- Fix broken seccomp filtering and improve security via `setcap` and `setuid` when running as root on linux in containers. {pull}27878[27878]
 
 *Journalbeat*
 

dev-tools/notice/overrides.json

@@ -11,3 +11,4 @@
 {"name": "github.com/munnerz/goautoneg", "licenceType": "BSD-3-Clause"}
 {"name": "github.com/pelletier/go-buffruneio", "licenceType": "MIT"}
 {"name": "github.com/urso/magetools", "licenceType": "Apache-2.0"}
+{"name": "kernel.org/pub/linux/libs/security/libcap/cap", "licenseFile": "License", "licenseType": "BSD-3-Clause", "note": "Dual licensed as BSD-3-Clause / GPL-2.0. See https://git.kernel.org/pub/scm/libs/libcap/libcap.git/tree/License"}

dev-tools/packaging/packages.yml

@@ -432,7 +432,7 @@ shared:
       dockerfile: 'Dockerfile.elastic-agent.tmpl'
       docker_entrypoint: 'docker-entrypoint.elastic-agent.tmpl'
       user: '{{ .BeatName }}'
-      linux_capabilities: ''
+      linux_capabilities: 'net_raw+eip'
     files:
       'elastic-agent.yml':
         source: 'elastic-agent.docker.yml'

dev-tools/packaging/templates/docker/Dockerfile.elastic-agent.tmpl

@@ -30,6 +30,7 @@ FROM {{ .from }}
 # Contains the elastic agent image variant, an empty string for the standard variant
 # or "complete" for the bigger one.
 ENV ELASTIC_AGENT_IMAGE_VARIANT={{.Variant}}
+ENV BEAT_SETUID_AS={{ .user }}
 
 {{- if contains .from "ubi-minimal" }}
 RUN for iter in {1..10}; do microdnf update -y && microdnf install -y shadow-utils jq &&  microdnf clean all && exit_code=0 && break || exit_code=$? && echo "microdnf error: retry $iter in 10s" && sleep 10; done; (exit $exit_code)

dev-tools/packaging/templates/docker/Dockerfile.tmpl

@@ -127,6 +127,7 @@ USER {{ .user }}
 {{- if (and (eq .BeatName "heartbeat") (not (contains .from "ubi-minimal")))  }}
 # Setup synthetics env vars
 ENV ELASTIC_SYNTHETICS_CAPABLE=true
+ENV BEAT_SETUID_AS={{ .user }}
 ENV SUITES_DIR={{ $beatHome }}/suites
 ENV NODE_VERSION=14.17.5
 ENV PATH="$NODE_PATH/node/bin:$PATH"

go.mod

@@ -192,6 +192,7 @@ require (
 	k8s.io/api v0.19.4
 	k8s.io/apimachinery v0.19.4
 	k8s.io/client-go v0.19.4
+	kernel.org/pub/linux/libs/security/libcap/cap v1.2.57
 )
 
 replace (

go.sum

@@ -1054,6 +1054,10 @@ k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H
 k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73 h1:uJmqzgNWG7XyClnU/mLPBWwfKKF1K8Hf8whTseBgJcg=
 k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.57 h1:2nmqI+aw7EQZuelYktkQHBE4jESD2tOR+lOJEnv/Apo=
+kernel.org/pub/linux/libs/security/libcap/cap v1.2.57/go.mod h1:uI99C3r4SXvJeuqoEtx/eWt7UbmfqqZ80H8q+9t/A7I=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.57 h1:NOFATXSf5z/cMR3HIwQ3Xrd3nwnWl5xThmNr5U/F0pI=
+kernel.org/pub/linux/libs/security/libcap/psx v1.2.57/go.mod h1:+l6Ee2F59XiJ2I6WR5ObpC1utCQJZ/VLsEbQCD8RG24=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1 h1:YXTMot5Qz/X1iBRJhAt+vI+HVttY0WkSqqhKxQ0xVbA=
 sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=

heartbeat/beater/heartbeat.go

@@ -20,6 +20,7 @@ package beater
 import (
 	"errors"
 	"fmt"
+	"syscall"
 	"time"
 
 	"github.com/elastic/beats/v7/heartbeat/config"
@@ -33,6 +34,7 @@ import (
 	"github.com/elastic/beats/v7/libbeat/common/reload"
 	"github.com/elastic/beats/v7/libbeat/logp"
 	"github.com/elastic/beats/v7/libbeat/management"
+	"kernel.org/pub/linux/libs/security/libcap/cap"
 
 	_ "github.com/elastic/beats/v7/libbeat/processors/script"
 )
@@ -80,6 +82,8 @@ func New(b *beat.Beat, rawConfig *common.Config) (beat.Beater, error) {
 // Run executes the beat.
 func (bt *Heartbeat) Run(b *beat.Beat) error {
 	logp.Info("heartbeat is running! Hit CTRL-C to stop it.")
+	groups, _ := syscall.Getgroups()
+	logp.Info("Effective user/group ids: %d/%d, with groups: %v, and with capabilities: %s", syscall.Geteuid(), syscall.Getegid(), groups, cap.GetProc())
 
 	stopStaticMonitors, err := bt.RunStaticMonitors(b)
 	if err != nil {

x-pack/heartbeat/monitors/browser/browser.go

@@ -7,8 +7,8 @@ package browser
 import (
 	"fmt"
 	"os"
-	"os/user"
 	"sync"
+	"syscall"
 
 	"github.com/elastic/beats/v7/heartbeat/monitors/plugin"
 	"github.com/elastic/beats/v7/libbeat/common"
@@ -35,12 +35,10 @@ func create(name string, cfg *common.Config) (p plugin.Plugin, err error) {
 		logp.Info("Synthetic browser monitor detected! Please note synthetic monitors are a beta feature!")
 	})
 
-	curUser, err := user.Current()
-	if err != nil {
-		return plugin.Plugin{}, fmt.Errorf("could not determine current user for script monitor %w: ", err)
-	}
-	if curUser.Uid == "0" {
-		return plugin.Plugin{}, fmt.Errorf("script monitors cannot be run as root! Current UID is %s", curUser.Uid)
+	// We do not use user.Current() which does not reflect setuid changes!
+	if syscall.Geteuid() == 0 {
+		euid := syscall.Geteuid()
+		return plugin.Plugin{}, fmt.Errorf("script monitors cannot be run as root! Current EUID is %d", euid)
 	}
 
 	s, err := NewSuite(cfg)

x-pack/heartbeat/monitors/browser/source/local.go

@@ -11,6 +11,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"syscall"
 
 	"github.com/elastic/beats/v7/libbeat/logp"
 
@@ -142,6 +143,6 @@ func runSimpleCommand(cmd *exec.Cmd, dir string) error {
 	cmd.Dir = dir
 	logp.Info("Running %s in %s", cmd, dir)
 	output, err := cmd.CombinedOutput()
-	logp.Info("Ran %s got %s", cmd, string(output))
+	logp.Info("Ran %s (%d) got '%s': (%s) as (%d/%d)", cmd, cmd.ProcessState.ExitCode(), string(output), err, syscall.Getuid(), syscall.Geteuid())
 	return err
 }

x-pack/heartbeat/monitors/browser/source/zipurl.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
+	"github.com/elastic/beats/v7/libbeat/logp"
 )
 
 type ZipURLSource struct {
@@ -112,8 +113,10 @@ func unzip(tf *os.File, targetDir string, folder string) error {
 	for _, f := range rdr.File {
 		err = unzipFile(targetDir, folder, f)
 		if err != nil {
-			// TODO: err handlers
-			os.RemoveAll(targetDir)
+			rmErr := os.RemoveAll(targetDir)
+			if rmErr != nil {
+				return fmt.Errorf("could not remove directory after encountering error unzipping file: %w, (original unzip error: %s)", rmErr, err)
+			}
 			return err
 		}
 	}
@@ -186,6 +189,7 @@ func retryingZipRequest(method string, z *ZipURLSource) (resp *http.Response, er
 		if err == nil {
 			resp.Body.Close()
 		}
+		logp.Info("attempt to download zip at %s failed: %s, will retry in 1s", z.URL, err)
 		time.Sleep(time.Second)
 	}
 	if resp != nil && resp.StatusCode > 300 {
@@ -195,7 +199,6 @@ func retryingZipRequest(method string, z *ZipURLSource) (resp *http.Response, er
 }
 
 func zipRequest(method string, z *ZipURLSource) (*http.Response, error) {
-
 	req, err := http.NewRequest(method, z.URL, nil)
 	if err != nil {
 		return nil, fmt.Errorf("could not issue request to: %s %w", z.URL, err)