Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add backend configuration key to fim integration #8807

Merged
merged 5 commits into from
Apr 15, 2024
Merged

Add backend configuration key to fim integration #8807

merged 5 commits into from
Apr 15, 2024

Conversation

Tacklebox
Copy link
Contributor

Proposed commit message

This adds the configuration key force_backend to select an event source for the fim integration on Linux. In order to support including user information on file integrity events across a wider range of linux kernel versions, two new event sources for auditbeat are being developed: ebpf, and kprobes. In order for a user to be able to select which one they would like to enable a configuration key is being added.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

@Tacklebox Tacklebox added the enhancement New feature or request label Dec 28, 2023
@Tacklebox Tacklebox force-pushed the mborden/fim_uid_support branch from 90f2dae to d9d081f Compare January 16, 2024 15:55
@Tacklebox Tacklebox marked this pull request as ready for review January 16, 2024 17:00
@Tacklebox Tacklebox requested a review from a team as a code owner January 16, 2024 17:00
@pkoutsovasilis
Copy link
Contributor

ty @Tacklebox this LGTM, before I press the Approve @mmat11 any thoughts?

efd6
efd6 reviewed Jan 16, 2024
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add manifest version bump and changelog entries?

packages/fim/data_stream/event/agent/stream/file_integrity.yml.hbs Outdated
@@ -5,6 +5,7 @@ paths:
{{/each}}
recursive: {{recursive}}
scan_at_start: {{scan_at_start}}
force_backend: {{force_backend}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this have a configuration target yet? I don't see one in auditbeat.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @efd6, the multiple backends for FIM is now part of auditbeat and here is the configuration target?!

packages/fim/manifest.yml Outdated Show resolved Hide resolved
@mmat11
Copy link

mmat11 commented Jan 16, 2024

ty @Tacklebox this LGTM, before I press the Approve @mmat11 any thoughts?

LGTM, this should be merged after both the new backends are in auditbeat, right?

@pkoutsovasilis
Copy link
Contributor

ty for the review @efd6 and the to the point comments. As @mmat11 mentioned above, this config change captured in the PR is about two new BackEnds for the file_integrity module of auditbeat, and I tend to agree here first merge the respective changes in the beats repo and then merge this one, any thoughts on that @efd6 ?

Tacklebox and others added 2 commits January 17, 2024 10:32
@Tacklebox @efd6
Update packages/fim/manifest.yml
f2141b3 
Use a select type instead of text

Co-authored-by: Dan Kortschak <[email protected]>
@Tacklebox
Updated changelog and manifest
0468d34
@bhapas
Copy link
Contributor

bhapas commented Jan 17, 2024

ty for the review @efd6 and the to the point comments. As @mmat11 mentioned above, this config change captured in the PR is about two new BackEnds for the file_integrity module of auditbeat, and I tend to agree here first merge the respective changes in the beats repo and then merge this one, any thoughts on that @efd6 ?

@pkoutsovasilis The beats changes have to go in first and until beats latest is not released this change will not work.

Also, Can you reference the beats issue/PR in this PR.

@Tacklebox Tacklebox self-assigned this Feb 13, 2024
@botelastic
Copy link

botelastic bot commented Mar 14, 2024

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Mar 14, 2024
@jamiehynds
Copy link

ty for the review @efd6 and the to the point comments. As @mmat11 mentioned above, this config change captured in the PR is about two new BackEnds for the file_integrity module of auditbeat, and I tend to agree here first merge the respective changes in the beats repo and then merge this one, any thoughts on that @efd6 ?

@pkoutsovasilis The beats changes have to go in first and until beats latest is not released this change will not work.

Also, Can you reference the beats issue/PR in this PR.

@bhapas Beats PR here: elastic/beats#38199

@botelastic botelastic bot removed the Stalled label Mar 14, 2024
@pkoutsovasilis pkoutsovasilis mentioned this pull request Apr 8, 2024
Closed
@botelastic
Copy link

botelastic bot commented Apr 13, 2024

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Apr 13, 2024
@pkoutsovasilis pkoutsovasilis changed the title Add force_backend configuration key to fim integration Add backend configuration key to fim integration Apr 15, 2024
@botelastic botelastic bot removed the Stalled label Apr 15, 2024
@Tacklebox Tacklebox requested a review from a team as a code owner April 15, 2024 07:44
@pkoutsovasilis
Merge remote-tracking branch 'refs/remotes/origin/main' into mborden/…
820f755 
…fim_uid_support

# Conflicts:
#	packages/fim/changelog.yml
#	packages/fim/manifest.yml
@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No Coverage information No data about Coverage
No Duplication information No data about Duplication

See analysis details on SonarQube

@elasticmachine
Copy link

💚 Build Succeeded

History

cc @Tacklebox

@Tacklebox Tacklebox merged commit 002351e into main Apr 15, 2024
5 checks passed
@elasticmachine
Copy link

Package fim - 1.15.0 containing this change is available at https://epr.elastic.co/search?package=fim

@andrewkroh andrewkroh added the Integration:fim File Integrity Monitoring label Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 left review comments

@nfritts nfritts nfritts approved these changes

@mmat11 mmat11 Awaiting requested review from mmat11

@pkoutsovasilis pkoutsovasilis Awaiting requested review from pkoutsovasilis

Assignees

@Tacklebox Tacklebox

Labels
enhancement New feature or request Integration:fim File Integrity Monitoring
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@Tacklebox @pkoutsovasilis @mmat11 @bhapas @jamiehynds @elasticmachine @nfritts @efd6 @andrewkroh