auditbeat 7.16+ ERROR none of the required functions for DO_FORK is found. #29607

Closed
Aqualie opened this issue Dec 26, 2021 · 6 comments · Fixed by #29744
@Aqualie

Aqualie commented Dec 26, 2021

  • Version: Beats [auditbeat] 7.16.1
  • Operating System: 5.15.8-arch1-1
  • Steps to Reproduce:
    1. Configure auditbeat.yml with

       - module: system
         datasets:
           - socket  # Opened and closed sockets

    2. Try to start auditbeat
    3. Errors on startup

Seems to be related to the latest commit for auditbeat 7.16: fab2197
which adds:
"DO_FORK": {"_do_fork", "do_fork"},

Startup/error log

-- Journal begins at Fri 2021-12-24 21:07:06 EST, ends at Sun 2021-12-26 12:03:45 EST. --
Dec 26 11:58:58 REPLACED systemd[1]: Started Audit the activities of users and processes on your system..
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.369-0500        INFO        instance/beat.go:686        Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat/conf] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs] Hostfs Path: [/]
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.369-0500        INFO        instance/beat.go:694        Beat ID: REPLACED
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [service]        service/service.go:110        Start pprof endpoint
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [seccomp]        seccomp/seccomp.go:124        Syscall filter successfully installed
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [beat]        instance/beat.go:1040        Beat info        {"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat/conf", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "REPLACED"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [beat]        instance/beat.go:1049        Build info        {"system_info": {"build": {"commit": "7e56c4a053a2fe26c0cac168dd974780428a2aa6", "libbeat": "7.16.1", "time": "2021-12-11T01:43:21.000Z", "version": "7.16.1"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [beat]        instance/beat.go:1052        Go runtime info        {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.17.2"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.384-0500        INFO        [beat]        instance/beat.go:1056        Host info        {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-12-24T21:07:05-05:00","containerized":false,"name":"REPLACED","ip":["127.0.0.1/8","REPLACED","REPLACED","REPLACED","REPLACED","REPLACED"],"kernel_version":"5.15.8-arch1-1","mac":["REPLACED"],"os":{"type":"linux","family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EST","timezone_offset_sec":-18000,"id":"REPLACED"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.385-0500        INFO        [beat]        instance/beat.go:1085        Process info        {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/", "exe": "/opt/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": 1824432, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2021-12-26T11:58:58.109-0500"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.385-0500        INFO        instance/beat.go:328        Setup Beat: auditbeat; Version: 7.16.1
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.385-0500        INFO        [publisher]        pipeline/module.go:113        Beat name: REPLACED
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.388-0500        INFO        [auditd]        auditd/audit_linux.go:107        auditd module is running as euid=0 on kernel=5.15.8-arch1-1
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.388-0500        INFO        [auditd]        auditd/audit_linux.go:134        socket_type=unicast will be used.
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.389-0500        WARN        [cfgwarn]        host/host.go:188        BETA: The system/host dataset is beta
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.391-0500        WARN        [cfgwarn]        login/login.go:96        BETA: The system/login dataset is beta
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.392-0500        WARN        [cfgwarn]        user/user.go:233        BETA: The system/user dataset is beta
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.392-0500        WARN        [cfgwarn]        socket/socket_linux.go:125        BETA: The system/socket dataset is beta.
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.392-0500        INFO        [socket]        socket/socket_linux.go:260        Setting up system/socket for kernel 5.15.8-arch1-1
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.775-0500        INFO        instance/beat.go:461        auditbeat stopped.
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.775-0500        ERROR        instance/beat.go:1015        Exiting: 1 error: system/socket dataset setup failed: none of the required functions for DO_FORK is found. One of [_do_fork do_fork] is required
Dec 26 11:58:58 REPLACED auditbeat[1824432]: Exiting: 1 error: system/socket dataset setup failed: none of the required functions for DO_FORK is found. One of [_do_fork do_fork] is required
Dec 26 11:58:58 REPLACED systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
Dec 26 11:58:58 REPLACED systemd[1]: auditbeat.service: Failed with result 'exit-code'.
Dec 26 11:58:59 REPLACED systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 1.

kprobes is enabled as well:

> sudo cat /sys/kernel/debug/kprobes/enabled
1

It also fails on 5.10.16-hardened1-1-hardened.

@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic

botelastic bot commented Jan 4, 2022

This issue doesn't have a Team:<team> label.

@jamiehynds jamiehynds added the bug label Jan 4, 2022
@jamiehynds

FYI @adriansr

@adriansr adriansr self-assigned this Jan 4, 2022
@efd6
Contributor

efd6 commented Jan 4, 2022

It appears that do_fork was removed in 5.9 (change) and then _do_fork was removed in 5.10 (change), replacing it with kernel_clone.

It looks from the patch sequence that adding kernel_clone to the probe candidate list should fix this.
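Added illustration of the lookup efd6 describes (example code, not auditbeat's own): the probe alias is resolved against the kernel's exported text symbols, so the 7.16.1 candidate list fails on a 5.10+ kernel and succeeds once kernel_clone is added. The kallsyms excerpts below are constructed, not real dumps.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed /proc/kallsyms excerpts (not real dumps): pre-5.9 kernels
// export _do_fork, 5.10+ kernels export kernel_clone instead.
const kallsymsPre59 = "ffffffff810a1234 T _do_fork\nffffffff810a5678 T sock_init_data\n"
const kallsyms515 = "ffffffff810b1234 T kernel_clone\nffffffff810b5678 T sock_init_data\n"

// Candidate list as shipped in 7.16.1 (from the issue) and with kernel_clone added.
var doForkBroken = []string{"_do_fork", "do_fork"}
var doForkFixed = []string{"_do_fork", "do_fork", "kernel_clone"}

// textSymbols parses kallsyms-style "addr type name" lines and returns the
// set of text (T/t) symbols, the ones a kprobe can attach to.
func textSymbols(kallsyms string) map[string]bool {
	syms := make(map[string]bool)
	for _, line := range strings.Split(kallsyms, "\n") {
		f := strings.Fields(line)
		if len(f) >= 3 && (f[1] == "T" || f[1] == "t") {
			syms[f[2]] = true
		}
	}
	return syms
}

// resolveProbe returns the first candidate present in the kernel's symbol
// table, or an error with the same shape as the one in the issue's log.
func resolveProbe(alias string, candidates []string, kallsyms string) (string, error) {
	syms := textSymbols(kallsyms)
	for _, c := range candidates {
		if syms[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("none of the required functions for %s is found. One of %v is required", alias, candidates)
}

func main() {
	_, err := resolveProbe("DO_FORK", doForkBroken, kallsyms515)
	fmt.Println("7.16.1 list on 5.15:", err)
	sym, _ := resolveProbe("DO_FORK", doForkFixed, kallsyms515)
	fmt.Println("with kernel_clone added:", sym)
}
```

On a real host the same check can be done by hand with `grep -w kernel_clone /proc/kallsyms` before enabling the socket dataset.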

@lucafwp

lucafwp commented Sep 9, 2022

Hi @adriansr I can't see this fix merged on version 7.16.
Has it been released? Should I clone a specific branch?

@andrewkroh
Member

Try a 7.17 release.
