[Filebeat] [auditd]: Support EXECVE events with truncated argument list #30382
+275
−18
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This modifies Filebeat's auditd pipeline to support parsing of EXECVE records with truncated argument lists. When such a log is found, the arguments will be appended to process.args with a leading entry informing about the truncation. This is to prevent a mapping explosion in Filebeat when a lot of these logs are ingested with the previous pipeline version.
botelastic
bot
added
the
needs_team
|
This pull request does not have a backport label. Could you fix it @adriansr? 🙏
NOTE: |
mergify
bot
added
the
backport-skip
adriansr
added
backport-7.17
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
mergify
bot
removed
the
backport-skip
adriansr
added
the
needs_integration_sync
💔 Tests Failed
Expand to view the summary
Build stats
Test stats 🧪
Test errors
Expand to view the tests failures
|
andrewkroh
approved these changes
Feb 16, 2022
|
Tests failed due to flaky test, fixed here #30453 |
mergify bot
pushed a commit
that referenced
this pull request
Feb 17, 2022
…st (#30382) This modifies Filebeat's auditd pipeline to support parsing of EXECVE records with truncated argument lists. When such a log is found, the arguments will be appended to process.args with a leading entry informing about the truncation. This is to prevent a mapping explosion in Filebeat when a lot of these logs are ingested with the previous pipeline version. (cherry picked from commit 79229e7) # Conflicts: # filebeat/module/auditd/log/ingest/pipeline.yml
mergify bot
pushed a commit
that referenced
this pull request
Feb 17, 2022
…st (#30382) This modifies Filebeat's auditd pipeline to support parsing of EXECVE records with truncated argument lists. When such a log is found, the arguments will be appended to process.args with a leading entry informing about the truncation. This is to prevent a mapping explosion in Filebeat when a lot of these logs are ingested with the previous pipeline version. (cherry picked from commit 79229e7)
mergify bot
pushed a commit
that referenced
this pull request
Feb 17, 2022
…st (#30382) This modifies Filebeat's auditd pipeline to support parsing of EXECVE records with truncated argument lists. When such a log is found, the arguments will be appended to process.args with a leading entry informing about the truncation. This is to prevent a mapping explosion in Filebeat when a lot of these logs are ingested with the previous pipeline version. (cherry picked from commit 79229e7)
adriansr
added a commit
that referenced
this pull request
Feb 17, 2022
…h truncated argument list (#30457) * [Filebeat] [auditd]: Support EXECVE events with truncated argument list (#30382) This modifies Filebeat's auditd pipeline to support parsing of EXECVE records with truncated argument lists. When such a log is found, the arguments will be appended to process.args with a leading entry informing about the truncation. This is to prevent a mapping explosion in Filebeat when a lot of these logs are ingested with the previous pipeline version. (cherry picked from commit 79229e7) Co-authored-by: Adrian Serrano <[email protected]>
adriansr
added a commit
that referenced
this pull request
Feb 17, 2022
…h truncated argument list (#30456) * [Filebeat] [auditd]: Support EXECVE events with truncated argument list (#30382) This modifies Filebeat's auditd pipeline to support parsing of EXECVE records with truncated argument lists. When such a log is found, the arguments will be appended to process.args with a leading entry informing about the truncation. This is to prevent a mapping explosion in Filebeat when a lot of these logs are ingested with the previous pipeline version. (cherry picked from commit 79229e7) Co-authored-by: Adrian Serrano <[email protected]>
v1v
added a commit
to v1v/beats
that referenced
this pull request
Feb 21, 2022
…nd-k8s-env * upstream/main: fix typos and improve sentences (elastic#30432) Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs (elastic#30440) {,x-pack/}auditbeat: replace uses of github.com/pkg/errors with stdlib equivalents (elastic#30321) Spelling fix (elastic#30439) packetbeat/beater: make sure Npcap installation runs before interfaces are needed in all cases (elastic#30438) Add BC about Homebrew no longer being available in 8.0 (elastic#30419) Install gawk as a replacement for mawk in Docker containers. (elastic#30452) Clean up python-related system tests (elastic#30415) Fix TestNewModuleRegistry flakiness (elastic#30453) [Filebeat] [auditd]: Support EXECVE events with truncated argument list (elastic#30382) Set `log.offset` to the start of the reported line in filestream (elastic#30445) clarify SelectedPackageTypes meaning and improve its usage (elastic#30142) [elasticsearch module] serialize shards properties (elastic#30408) Add docs about hints and templates autodiscovery priority (elastic#30343)
v1v
added a commit
to v1v/beats
that referenced
this pull request
Feb 22, 2022
…ckaging-docker * upstream/main: (26 commits) Update docker/distribution to 2.8.0 (elastic#30462) Add `parsers` examples to `filestream` reference configuration (elastic#30529) extend documentation about setting orchestrator.cluster fields (elastic#30518) Forward-port 8.0.1 changelog to main (elastic#30522) Switch skip to use `CI` (elastic#30512) packetbeat/beater: don't attempt to install npcap when already installed (elastic#30509) Fix Docker module: rename fields on dashboards (elastic#30500) fix typos and improve sentences (elastic#30432) Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs (elastic#30440) {,x-pack/}auditbeat: replace uses of github.com/pkg/errors with stdlib equivalents (elastic#30321) Spelling fix (elastic#30439) packetbeat/beater: make sure Npcap installation runs before interfaces are needed in all cases (elastic#30438) Add BC about Homebrew no longer being available in 8.0 (elastic#30419) Install gawk as a replacement for mawk in Docker containers. (elastic#30452) Clean up python-related system tests (elastic#30415) Fix TestNewModuleRegistry flakiness (elastic#30453) [Filebeat] [auditd]: Support EXECVE events with truncated argument list (elastic#30382) Set `log.offset` to the start of the reported line in filestream (elastic#30445) clarify SelectedPackageTypes meaning and improve its usage (elastic#30142) [elasticsearch module] serialize shards properties (elastic#30408) ...
4 tasks
adriansr
added a commit
to elastic/integrations
that referenced
this pull request
Feb 23, 2022
Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of aNN fields. This is a combination of the following Filebeat module fixes: - elastic/beats#29601 - elastic/beats#30382 Updates version to 2.1.0
eyalkraft
pushed a commit
to build-security/integrations
that referenced
this pull request
Mar 30, 2022
…2730) Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of aNN fields. This is a combination of the following Filebeat module fixes: - elastic/beats#29601 - elastic/beats#30382 Updates version to 2.1.0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This modifies Filebeat's auditd ingest pipeline to support parsing of EXECVE events with truncated argument lists.
In a normal EXECVE event, the auditd fields
argc(=N) anda0toaN-1are present. The pipeline would store the arguments in theprocess.argsarray, as well as setprocess.args_countto N andprocess.executabletoprocess.args[0].A truncated EXECVE event usually lacks the
argcfield, and contains only the last fewaNNfields.In that case, this PR will add the arguments into
process.argswith a leading warning[... N truncated arguments ...]and will not populateprocess.executable.Why is it important?
This PR avoids ingesting an arbitrarily large number of fields in the form
aNN,aNN_lenandaNN[M], to prevent a mapping explosion leading to large indices:This was partially fixed by #29601, but after it was merged, we observed truncated EXECVE records that were still causing issues.
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues