Skip to content

Commit

Permalink
auditd: Store program arguments in process.args array (#29601)
Browse files Browse the repository at this point in the history 
Changes Filebeat's auditd module to store program arguments
(from an EXECVE call) in process.args (arg0 also in process.executable).
Previously it was using fields arg0 to argN under auditd.log.

This prevents too many fields being created. When a call contained
more than 10.000 arguments, this lead to an ingest error and contributed to
very large indices:

> Could not index event to Elasticsearch: "status"=>400,
>   "error"=>{
>     "type"=>"illegal_argument_exception",
>     "reason"=>"Limit of total fields [10000] has been exceeded"}}

(cherry picked from commit 03bf169)
  • Loading branch information
@adriansr
adriansr authored and mergify-bot committed Jan 10, 2022
1 parent f442f81 commit d832fb4
Show file tree
Hide file tree
Showing 12 changed files with 2,097 additions and 209 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta)
- With the default configuration the cef and panw modules will no longer send the `host`
- Add `while_pattern` type to multiline reader. {pull}19662[19662]
- auditd dataset: Use process.args to store program arguments instead of auditd.log.aNNN fields. {pull}29601[29601]

*Heartbeat*
- Only add monitor.status to browser events when summary. {pull}29460[29460]
Expand Down
25 changes: 24 additions & 1 deletion filebeat/module/auditd/log/ingest/pipeline.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2102,6 +2102,29 @@ processors:
ignore_failure: true
field: auditd.log.msg
target_field: message
- script:
lang: painless
description: Extracts process information from execve calls
if: 'ctx.process?.args_count != null && ctx.auditd?.log != null'
source: >-
long argc = ctx.process.args_count;
List args = new ArrayList();
def[] fmt = new def[] {0};
for (long i=0; i<argc; i++) {
fmt[0] = i;
String fld = String.format("a%d", fmt);
def arg = ctx.auditd.log.remove(fld);
if (arg == null) break;
args.add(arg);
}
if (args.size() == 0) return;
ctx.process.put("args", args);
ctx.process.put("executable", args[0]);
on_failure:
- append:
field: error.message
value: "failed extracting process arguments: {{ _ingest.on_failure_message }}"

- rename:
ignore_failure: true
field: auditd.log.res
Expand Down Expand Up @@ -2160,6 +2183,6 @@ processors:
ignore_failure: true
ignore_missing: true
on_failure:
- set:
- append:
field: error.message
value: "{{ _ingest.on_failure_message }}"
10 changes: 0 additions & 10 deletions filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
[
{
"@timestamp": "2020-07-06T16:38:34.588Z",
"auditd.log.format": "raw",
"auditd.log.kernel": "3.10.0-1062.9.1.el7.x86_64",
"auditd.log.node": "localhost.localdomain",
Expand Down Expand Up @@ -33,7 +32,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.707Z",
"auditd.log.audit_backlog_limit": "8192",
"auditd.log.node": "localhost.localdomain",
"auditd.log.old": "64",
Expand Down Expand Up @@ -63,7 +61,6 @@
"user.audit.id": "4294967295"
},
{
"@timestamp": "2020-07-06T16:38:34.707Z",
"auditd.log.audit_failure": "1",
"auditd.log.node": "localhost.localdomain",
"auditd.log.old": "1",
Expand Down Expand Up @@ -93,7 +90,6 @@
"user.audit.id": "4294967295"
},
{
"@timestamp": "2020-07-06T16:38:34.709Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SERVICE_START",
"auditd.log.sequence": 6,
Expand Down Expand Up @@ -125,7 +121,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.725Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SYSTEM_BOOT",
"auditd.log.sequence": 7,
Expand All @@ -152,7 +147,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.739Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SERVICE_START",
"auditd.log.sequence": 8,
Expand Down Expand Up @@ -184,7 +178,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.807Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SERVICE_START",
"auditd.log.sequence": 9,
Expand Down Expand Up @@ -216,7 +209,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.843Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SERVICE_START",
"auditd.log.sequence": 10,
Expand Down Expand Up @@ -248,7 +240,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.850Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SERVICE_START",
"auditd.log.sequence": 11,
Expand Down Expand Up @@ -280,7 +271,6 @@
"user.id": "0"
},
{
"@timestamp": "2020-07-06T16:38:34.857Z",
"auditd.log.node": "localhost.localdomain",
"auditd.log.record_type": "SERVICE_START",
"auditd.log.sequence": 12,
Expand Down
14 changes: 1 addition & 13 deletions filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
[
{
"@timestamp": "2017-03-14T19:20:30.178Z",
"auditd.log.op": "PAM:session_close",
"auditd.log.record_type": "USER_END",
"auditd.log.sequence": 19600327,
Expand Down Expand Up @@ -32,7 +31,6 @@
"user.name": "root"
},
{
"@timestamp": "2017-03-14T19:20:30.178Z",
"auditd.log.op": "PAM:setcred",
"auditd.log.record_type": "CRED_DISP",
"auditd.log.sequence": 19600328,
Expand Down Expand Up @@ -64,7 +62,6 @@
"user.name": "root"
},
{
"@timestamp": "2017-03-14T19:20:56.192Z",
"auditd.log.record_type": "USER_CMD",
"auditd.log.sequence": 19600329,
"auditd.log.ses": "11988",
Expand All @@ -86,8 +83,8 @@
"input.type": "log",
"log.offset": 373,
"process.args": [
"-p",
"/usr/lib64/nagios/plugins/check_asterisk_sip_peers",
"-p",
"202"
],
"process.args_count": 3,
Expand All @@ -98,7 +95,6 @@
"user.id": "497"
},
{
"@timestamp": "2017-03-14T19:20:56.193Z",
"auditd.log.op": "PAM:setcred",
"auditd.log.record_type": "CRED_ACQ",
"auditd.log.sequence": 19600330,
Expand Down Expand Up @@ -130,7 +126,6 @@
"user.name": "root"
},
{
"@timestamp": "2017-03-14T19:20:56.193Z",
"auditd.log.op": "PAM:session_open",
"auditd.log.record_type": "USER_START",
"auditd.log.sequence": 19600331,
Expand Down Expand Up @@ -162,7 +157,6 @@
"user.name": "root"
},
{
"@timestamp": "2017-03-14T19:23:02.529Z",
"auditd.log.dst_prefixlen": 22,
"auditd.log.op": "SPD-add",
"auditd.log.sequence": 19600354,
Expand All @@ -184,7 +178,6 @@
"user.audit.id": "4294967295"
},
{
"@timestamp": "2017-03-14T19:23:02.529Z",
"auditd.log.a0": "9",
"auditd.log.a1": "7f564ee6d2a0",
"auditd.log.a2": "b8",
Expand Down Expand Up @@ -228,7 +221,6 @@
"user.saved.id": "0"
},
{
"@timestamp": "2017-03-16T04:02:40.072Z",
"auditd.log.new_auid": "700",
"auditd.log.new_ses": "12286",
"auditd.log.old_auid": "700",
Expand Down Expand Up @@ -258,7 +250,6 @@
"user.id": "700"
},
{
"@timestamp": "2017-03-16T04:02:40.070Z",
"auditd.log.direction": "both",
"auditd.log.kind": "session",
"auditd.log.laddr": "107.170.139.210",
Expand Down Expand Up @@ -305,7 +296,6 @@
"user.saved.id": "74"
},
{
"@timestamp": "2017-03-16T04:02:40.072Z",
"auditd.log.op": "success",
"auditd.log.record_type": "USER_AUTH",
"auditd.log.sequence": 19623789,
Expand Down Expand Up @@ -349,7 +339,6 @@
"user.terminal": "ssh"
},
{
"@timestamp": "2017-03-16T04:02:57.804Z",
"auditd.log.op": "PAM:authentication",
"auditd.log.record_type": "USER_AUTH",
"auditd.log.sequence": 19623807,
Expand Down Expand Up @@ -382,7 +371,6 @@
"user.terminal": "pts/0"
},
{
"@timestamp": "2017-03-16T04:02:57.805Z",
"auditd.log.op": "PAM:accounting",
"auditd.log.record_type": "USER_ACCT",
"auditd.log.sequence": 19623808,
Expand Down
Loading

0 comments on commit d832fb4

Please sign in to comment.