Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auditbeat/module/auditd: add ignore_errors config option #36851

Merged
merged 2 commits into from
Oct 27, 2023
Merged

auditbeat/module/auditd: add ignore_errors config option #36851

merged 2 commits into from
Oct 27, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Oct 15, 2023
edited
Loading

Proposed commit message

Setting ignore_errors to true allows incompletely valid rule sets to be
used in a configuration. This is equivalent to the -i flag of auditctl.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

In auditbeat/module/auditd, run go test -v -run TestConfig/ValidateWithError. Both tests should pass and the second should emit a warning log line similar to this

{"log.level":"warn","@timestamp":"2023-10-16T09:41:28.941+1030","log.logger":"auditd","log.origin":{"file.name":"auditd/config.go","file.line":232},"message":"errors loading rules: 3 errors: at (audit_rules at auditbeat.yml):1: failed to parse rule '-x bad -F flag': flag provided but not defined: -x; at (audit_rules at auditbeat.yml):2: failed to parse rule '-a always,exit -w /etc/passwd': mutually exclusive flags uses together (file watch [-w|-p] and audit rule [-a|-A|-S|-C|-F]); at (audit_rules at auditbeat.yml):3: failed to interpret rule '-a always,exit -S fake -k exec': failed to add syscall 'fake': unknown syscall 'fake' for arch x86_64","ecs.version":"1.6.0"}

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 added Auditbeat Team:Security-External Integrations backport-skip Skip notification from the automated backport with mergify 8.12-candidate labels Oct 15, 2023
@efd6 efd6 self-assigned this Oct 15, 2023
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Oct 15, 2023
@elasticmachine
Copy link
Collaborator

elasticmachine commented Oct 15, 2023
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 45 min 15 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@efd6
auditbeat/module/auditd: add ignore_errors config option
12e708e 
Setting ignore_errors to true allows incompletely valid rule sets to be
used in a configuration. This is equivalent to the -i flag of auditctl.
@efd6 efd6 marked this pull request as ready for review October 16, 2023 03:05
@efd6 efd6 requested a review from a team as a code owner October 16, 2023 03:05
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

kgeller
kgeller reviewed Oct 27, 2023
View reviewed changes
auditbeat/module/auditd/config.go
if log == nil {
return fmt.Errorf("unable to get the absolute path for %s: %w", pattern, err)
}
log.Warnf("unable to get the absolute path for %s: %v", pattern, err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just out of curiousity, why %v here for the error? I was under the impression %w was intended for printing errors

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

%w is only for use with https://pkg.go.dev/fmt#Errorf when wrapping errors.

kgeller
kgeller approved these changes Oct 27, 2023
View reviewed changes
Copy link
Contributor

@kgeller kgeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@efd6 efd6 merged commit 4453d99 into elastic:main Oct 27, 2023
7 of 8 checks passed
@jamiehynds jamiehynds mentioned this pull request Nov 1, 2023
Closed
Scholar-Li pushed a commit to Scholar-Li/beats that referenced this pull request Feb 5, 2024
@efd6 @Scholar-Li
auditbeat/module/auditd: add ignore_errors config option (elastic#36851)
1a17955 
Setting ignore_errors to true allows incompletely valid rule sets to be
used in a configuration. This is equivalent to the -i flag of auditctl.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kgeller kgeller kgeller approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@efd6 efd6

Labels
8.12-candidate Auditbeat backport-skip Skip notification from the automated backport with mergify
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Auditbeat] Add ignore errors in audit rules
4 participants
@efd6 @elasticmachine @andrewkroh @kgeller