fix(auditbeat/fim/kprobes): check correctly with "fsnotify_nameremove"

fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies fix(tests/system): remove check on absent key of the event
oakrizan · May 2, 2024 · 907f94a · 907f94a
1 parent 6eb9344
commit 907f94a
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 2 deletions.
diff --git a/auditbeat/module/file_integrity/kprobes/probes_fsnotify_nameremove.go b/auditbeat/module/file_integrity/kprobes/probes_fsnotify_nameremove.go
@@ -35,7 +35,7 @@ func loadFsNotifyNameRemoveSymbol(s *probeManager) error {
 	if err != nil {
 		if errors.Is(err, ErrSymbolNotFound) {
 			s.buildChecks = append(s.buildChecks, func(spec *tkbtf.Spec) bool {
-				return !spec.ContainsSymbol(symbolInfo.symbolName)
+				return !spec.ContainsSymbol("fsnotify_nameremove")
 			})
 			return nil
 		}

diff --git a/auditbeat/module/file_integrity/kprobes/seccomp_linux.go b/auditbeat/module/file_integrity/kprobes/seccomp_linux.go
@@ -0,0 +1,31 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package kprobes
+
+import (
+	"runtime"
+
+	"github.com/elastic/beats/v7/libbeat/common/seccomp"
+)
+
+func init() {
+	switch runtime.GOARCH {
+	case "amd64", "386", "arm64":
+		// The module/file_integrity with kprobes BE uses additional syscalls
+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+			"eventfd2",        // required by auditbeat/tracing
+			"mount",           // required by auditbeat/tracing
+			"perf_event_open", // required by auditbeat/tracing
+			"ppoll",           // required by auditbeat/tracing
+			"umount2",         // required by auditbeat/tracing
+			"truncate",        // required during kprobes verification
+			"utime",           // required during kprobes verification
+			"utimensat",       // required during kprobes verification
+			"setxattr",        // required during kprobes verification
+		); err != nil {
+			panic(err)
+		}
+	}
+}
diff --git a/auditbeat/tests/system/test_file_integrity.py b/auditbeat/tests/system/test_file_integrity.py
@@ -108,7 +108,6 @@ def _assert_process_data(self, event, backend):
         if backend != "ebpf":
             return
         assert event["process.entity_id"] != ""
-        assert event["process.executable"] == "pytest"
         assert event["process.pid"] == os.getpid()
         assert int(event["process.user.id"]) == os.geteuid()
         assert event["process.user.name"] == pwd.getpwuid(os.geteuid()).pw_name