auditd: Store program arguments in process.args array #29601
Conversation
This avoids a fields mapping explosion and indexing errors when execve calls have thousands of arguments.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
```
// Ingest pipeline script excerpt (loop body): pop a0, a1, ... from auditd.log
// until a gap is found, appending each value to the args list.
String fld = String.format("a%d", fmt);
def arg = ctx.auditd.log.remove(fld);
if (arg == null) break;
args.add(arg);
```
Can we retain the original argument order? At the moment we are retaining the args in lexical order.
This is caused by the test_modules.py sorting all array fields before comparison, as some array fields can be generated in a different order each run.
`beats/filebeat/tests/system/test_modules.py`, lines 200 to 202 in 405c342:

```python
for key in objects[k].keys():
    if isinstance(objects[k][key], list):
        objects[k][key].sort(key=str)
```
I've added some configuration to the testing so that we can skip the sorting step for some fields, for now just `process.args`.
LGTM
Changes Filebeat's auditd module to store program arguments (from an EXECVE call) in process.args (arg0 also in process.executable). Previously it was using fields arg0 to argN under auditd.log. This prevents too many fields being created. When a call contained more than 10,000 arguments, this led to an ingest error and contributed to very large indices:

> Could not index event to Elasticsearch: "status"=>400,
> "error"=>{
> "type"=>"illegal_argument_exception",
> "reason"=>"Limit of total fields [10000] has been exceeded"}}

(cherry picked from commit 03bf169)

Co-authored-by: Adrian Serrano <[email protected]>
…b-for-macos

* upstream/master: (172 commits)
  - [Elastic Agent] Fix issue with ensureServiceToken. (elastic#29800)
  - [Winlogbeat] Add provider name to Security routing pipeline check (elastic#29781)
  - Add summary to journeys which don't emit journey:end (early node subprocess exits) (elastic#29606)
  - Prepare 8.0.0-rc1 changelog (elastic#29795) (elastic#29806)
  - Change docker image from CentOS 7 to Ubuntu 20.04 (elastic#29681)
  - libbeat/processors/add_process_metadata: implement a process cache eviction policy (elastic#29717)
  - [Automation] Update elastic stack version to 8.1.0-7004acda for testing (elastic#29783)
  - Missing changelog entry for elastic#29773 (elastic#29791)
  - Add a readme for k8s autodiscover provider (elastic#28213)
  - Remove overriding of index pattern on the Kubernetes overview dashboard (elastic#29676)
  - jjbb: remove obsoleted branches (<7.16) (elastic#29707)
  - Add k8s metadata in state_cronjob metricset (elastic#29572)
  - ibmmq: Fix timestamp parsing (elastic#29773)
  - Do not add date to index if `@meta.index` is set (elastic#29775)
  - ci: uses aliases for the branches (elastic#29706)
  - Filebeat tests: Restore `@timestamp` field validation (elastic#29772)
  - Forward port 7.16.3 changelog to master (elastic#29777)
  - auditd: Store program arguments in process.args array (elastic#29601)
  - System/socket: Support kernel_clone() replacement for _do_fork() (elastic#29744)
  - Do not mention removal if version is not specified in `cfgwarn` messages (elastic#29727)
  - ...
Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of aNN fields.

This is a combination of the following Filebeat module fixes:
- elastic/beats#29601
- elastic/beats#30382

Updates version to 2.1.0
What does this PR do?
Changes Filebeat's auditd module to store program arguments (from an EXECVE call) in `process.args` (arg0 also in `process.executable`). Previously it was using fields `arg0` to `argN` under `auditd.log`.

Why is it important?

This prevents too many fields being created. When a call contained more than 10,000 arguments, this led to an ingest error and contributed to very large indices:
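As an added example (not the PR's own Painless script), the Python below performs the same collapse on a constructed auditd EXECVE event: it walks the `a0`..`aN` fields in numeric order, so `a10` lands after `a9` rather than after `a1` as lexical sorting would place it (the ordering point raised in review), sets `process.executable` from `a0`, and counts the dotted field paths the document would otherwise add to the index mapping. The event shape and the `field_paths` helper are assumptions for illustration.

```python
import re
from typing import Any, Dict, List

_ARG_FIELD = re.compile(r"^a(\d+)$")

def make_sample_event() -> Dict[str, Any]:
    """Constructed auditd EXECVE event shaped as the module stored it before
    this change: one field per argument under auditd.log (a0 .. aN).
    Twelve arguments, so lexical order (a1, a10, a11, a2, ...) differs from numeric."""
    argv = ["/usr/bin/tar", "-czf", "backup.tgz"] + [f"file{i}.txt" for i in range(9)]
    log = {"record_type": "EXECVE", "argc": str(len(argv))}
    log.update({f"a{i}": v for i, v in enumerate(argv)})
    return {"auditd": {"log": log}, "process": {}}

def collapse_args(event: Dict[str, Any]) -> Dict[str, Any]:
    """Move auditd.log.a0..aN into process.args, preserving execve order, and
    set process.executable from a0. The aN fields are removed so they never
    reach the index mapping. Returns the modified event."""
    log = event.get("auditd", {}).get("log", {})
    indices: List[int] = []
    for name in log:
        m = _ARG_FIELD.match(name)
        if m:
            indices.append(int(m.group(1)))  # numeric, so a10 follows a9, not a1
    args = [log.pop(f"a{i}") for i in sorted(indices)]
    if args:
        process = event.setdefault("process", {})
        process["args"] = args
        process.setdefault("executable", args[0])
    return event

def field_paths(obj: Dict[str, Any], prefix: str = "") -> List[str]:
    """Dotted field paths the index mapping needs for this document. An array
    is one field; every distinct aN name is a field of its own, which is how an
    execve with thousands of arguments exhausts the total-fields limit."""
    paths: List[str] = []
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            paths.extend(field_paths(value, path + "."))
        else:
            paths.append(path)
    return paths

if __name__ == "__main__":
    before = len(field_paths(make_sample_event()))           # 14
    after = collapse_args(make_sample_event())
    print(before, "mapped fields before,", len(field_paths(after)), "after")  # 14 ... 4
```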
Checklist

- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
- [ ] `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.