x-pack/auditbeat/module/system/socket: get full length path and arg from /proc when not available from kprobe #29410
Conversation
…from /proc when not available from kprobe

Also use first arg from sysinfo.Processes in place of Name to avoid process name truncation.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@adriansr I'm wondering if we could (in a separate PR) also add container ID enrichment here to address #22238. To avoid unwanted work on non-containerised systems we would check during init whether we are in a container and only try to get the ID if we are. This should alleviate the timing issues with deferring the enrichment until later without too much additional cost in the general case.
@efd6 I think it's worth investigating the container ID enrichment in a separate PR, as you said. I think there's a few issues to solve, afaik the
LGTM
This pull request is now in conflicts. Could you fix it? 🙏
…rom /proc when not available from kprobe (#29410) (#29668) Also use first arg from sysinfo.Processes in place of Name to avoid process name truncation. (cherry picked from commit d46bb5f) Co-authored-by: Dan Kortschak <[email protected]>
Is there any chance this can be backported to the 7.x series, too? Many users will not be in a position to upgrade immediately to the 8.x series. |
@kesslerm Started. |
…rom /proc when not available from kprobe (#29410) (#29958) Also use first arg from sysinfo.Processes in place of Name to avoid process name truncation. (cherry picked from commit d46bb5f) Co-authored-by: Dan Kortschak <[email protected]>
* upstream/7.17: (30 commits)
  [7.17](backport #29966) Add the Elastic product origin header when talking to Elasticsearch or Kibana. (#30000)
  [Heartbeat] Change size of data on ICMP packet (#29948) (#29978)
  Add clarification about enabling dashboard loading (#29985) (#29989)
  Improve aws-s3 gzip file detection to avoid false negatives (#29969) (#29974)
  ci: docker login step for pulling then pushing (#29960) (#29963)
  x-pack/auditbeat/module/system/socket: get full length path and arg from /proc when not available from kprobe (#29410) (#29958)
  [Automation] Update elastic stack version to 7.17.0-ab4975a2 for testing (#29956)
  [Automation] Update elastic stack version to 7.17.0-1bd58b32 for testing (#29938)
  [7.17](backport #29913) [Metricbeat] gcp.gke: fix overview dashboard (#29914)
  [7.17](backport #29605) Fix annotation enrichment (#29834)
  [Automation] Update elastic stack version to 7.17.0-e1efbe3a for testing (#29922)
  [Automation] Update elastic stack version to 7.17.0-68da5d12 for testing (#29904)
  [7.17][Heartbeat] Defer monitor / ICMP errors to monitor runtime / ES (backport #29413) (#29896)
  Merge pull request from GHSA-rj4h-hqvq-cc6q
  [7.17](backport #29681) Change docker image from CentOS 7 to Ubuntu 20.04 (#29817)
  Fix YAML indentation in `parsers` examples (#29663) (#29894)
  [Automation] Update elastic stack version to 7.17.0-079761a0 for testing (#29864)
  Fix Filebeat dissect processor field tokenization in documentation (#29680) (#29883)
  Enable require_alias for Bulk requests for all actions when target is a write alias (#29879)
  Update Index template loading guide to use the correct endpoint (#29869) (#29877)
  ...
What does this PR do?
This uses path and arg information from /proc in cases where the kprobe details are truncated.
Why is it important?
Currently filepaths, executable names and argument lists may be truncated due to kernel limitations.
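The fallback the PR describes, written out as an added example (this is not code from the beats repository): when a string captured by the kprobe fills its fixed buffer it may have been cut off, so the executable path is re-read from the `exe` symlink and the argument vector from the NUL-separated `cmdline` file under procfs. The buffer size `kprobeBufLen`, the prefix consistency check (a process can have exec'd again or exited between the probe firing and the /proc read), and the names `Resolve`, `readProc` and `writeFakeProc` are assumptions for illustration; the procfs root is a parameter so the input tree below is constructed in a temp directory rather than read from the live /proc.

```go
// Added example (not beats code): fall back to procfs when the strings
// captured by a kprobe fill their fixed-size buffer.
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// kprobeBufLen is the assumed size of the buffer a kprobe string fetch is
// limited to. A captured string of exactly this length may have been cut off.
const kprobeBufLen = 16

// ProcInfo is the executable path and argument vector reported for a process.
type ProcInfo struct {
	Path string
	Args []string
}

// readProc reads <procRoot>/<pid>/exe (a symlink to the binary) and
// <procRoot>/<pid>/cmdline (argv joined by NUL bytes). procRoot is a
// parameter so the function can be run against a constructed tree.
func readProc(procRoot string, pid int) (ProcInfo, error) {
	dir := filepath.Join(procRoot, strconv.Itoa(pid))
	path, err := os.Readlink(filepath.Join(dir, "exe"))
	if err != nil {
		return ProcInfo{}, fmt.Errorf("read exe link: %w", err)
	}
	raw, err := os.ReadFile(filepath.Join(dir, "cmdline"))
	if err != nil {
		return ProcInfo{}, fmt.Errorf("read cmdline: %w", err)
	}
	// cmdline carries a trailing NUL; an empty file means a kernel thread
	// or a process that has already exited (a zombie).
	raw = bytes.TrimSuffix(raw, []byte{0})
	info := ProcInfo{Path: path}
	if len(raw) == 0 {
		return info, nil
	}
	for _, a := range bytes.Split(raw, []byte{0}) {
		info.Args = append(info.Args, string(a))
	}
	return info, nil
}

// Resolve returns the path and args to report for pid. kprobePath and
// kprobeArg0 are the strings the probe captured. If either fills its buffer
// it may be truncated, so procfs is consulted. Because the process may have
// exec'd again or exited since the probe fired, a procfs value is accepted
// only when it extends the probe value; otherwise the probe data is kept.
func Resolve(procRoot string, pid int, kprobePath, kprobeArg0 string) ProcInfo {
	out := ProcInfo{Path: kprobePath, Args: []string{kprobeArg0}}
	if len(kprobePath) < kprobeBufLen && len(kprobeArg0) < kprobeBufLen {
		return out // neither string could have been cut off
	}
	full, err := readProc(procRoot, pid)
	if err != nil {
		return out // process gone (or procfs unreadable): keep probe data
	}
	if strings.HasPrefix(full.Path, kprobePath) {
		out.Path = full.Path
	}
	if len(full.Args) > 0 && strings.HasPrefix(full.Args[0], kprobeArg0) {
		out.Args = full.Args
	}
	return out
}

// writeFakeProc builds <root>/<pid>/{exe,cmdline} so the logic can be
// exercised offline against constructed data instead of the live /proc.
func writeFakeProc(root string, pid int, exe string, argv []string) error {
	dir := filepath.Join(root, strconv.Itoa(pid))
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return err
	}
	if err := os.Symlink(exe, filepath.Join(dir, "exe")); err != nil {
		return err
	}
	cmdline := strings.Join(argv, "\x00") + "\x00"
	return os.WriteFile(filepath.Join(dir, "cmdline"), []byte(cmdline), 0o644)
}

func main() {
	root, err := os.MkdirTemp("", "fakeproc")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed sample process: a path longer than the probe buffer.
	exe := "/usr/local/lib/some-service/bin/exporter"
	argv := []string{"exporter", "--listen", "127.0.0.1:9100"}
	if err := writeFakeProc(root, 4242, exe, argv); err != nil {
		panic(err)
	}
	// Simulate what a kprobeBufLen-byte buffer would have captured.
	got := Resolve(root, 4242, exe[:kprobeBufLen], argv[0])
	fmt.Printf("path=%s args=%q\n", got.Path, got.Args)
}
```

The prefix check is the caveat worth keeping: a bare "/proc wins" rule would attribute a later exec's binary and argv to the socket event, so the example only upgrades values that are consistent with what the probe saw and otherwise reports the truncated data it has.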
Checklist
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
- [ ] CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
Author's Checklist
No specific recommendation.
How to test this PR locally
Standard testing on Linux.
Related issues
Use cases
N/A
Screenshots
N/A
Logs
N/A