auditd: Store program arguments in process.args array #29601
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This avoids a fields mapping explosion and indexing errors when execve calls have thousands of arguments.
botelastic
bot
added
the
needs_team
adriansr
added
backport-v8.0.0
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
efd6
reviewed
Jan 3, 2022
| String fld = String.format("a%d", fmt); | ||
| def arg = ctx.auditd.log.remove(fld); | ||
| if (arg == null) break; | ||
| args.add(arg); |
There was a problem hiding this comment.
Can we retain the original argument order? At the moment we are retaining the args in lexical order.
There was a problem hiding this comment.
This is caused by the test_modules.py sorting all array fields before comparison, as some array fields can be generated in a different order each run.
beats/filebeat/tests/system/test_modules.py
Lines 200 to 202 in 405c342
I've added some configuration to the testing so that we can skip the sorting step for some fields, for now just process.args.
mergify bot
pushed a commit
that referenced
this pull request
Jan 10, 2022
Changes Filebeat's auditd module to store program arguments
(from an EXECVE call) in process.args (arg0 also in process.executable).
Previously it was using fields arg0 to argN under auditd.log.
This prevents too many fields being created. When a call contained
more than 10.000 arguments, this lead to an ingest error and contributed to
very large indices:
> Could not index event to Elasticsearch: "status"=>400,
> "error"=>{
> "type"=>"illegal_argument_exception",
> "reason"=>"Limit of total fields [10000] has been exceeded"}}
(cherry picked from commit 03bf169)
adriansr
added a commit
that referenced
this pull request
Jan 10, 2022
Changes Filebeat's auditd module to store program arguments
(from an EXECVE call) in process.args (arg0 also in process.executable).
Previously it was using fields arg0 to argN under auditd.log.
This prevents too many fields being created. When a call contained
more than 10.000 arguments, this lead to an ingest error and contributed to
very large indices:
> Could not index event to Elasticsearch: "status"=>400,
> "error"=>{
> "type"=>"illegal_argument_exception",
> "reason"=>"Limit of total fields [10000] has been exceeded"}}
(cherry picked from commit 03bf169)
Co-authored-by: Adrian Serrano <[email protected]>
v1v
added a commit
to v1v/beats
that referenced
this pull request
Jan 12, 2022
…b-for-macos * upstream/master: (172 commits) [Elastic Agent] Fix issue with ensureServiceToken. (elastic#29800) [Winlogbeat] Add provider name to Security routing pipeline check (elastic#29781) Add summary to journeys which don't emit journey:end (early node subprocess exits) (elastic#29606) Prepare 8.0.0-rc1 changelog (elastic#29795) (elastic#29806) Change docker image from CentOS 7 to Ubuntu 20.04 (elastic#29681) libbeat/processors/add_process_metadata: implement a process cache eviction policy (elastic#29717) [Automation] Update elastic stack version to 8.1.0-7004acda for testing (elastic#29783) Missing changelog entry for elastic#29773 (elastic#29791) Add a readme for k8s autodiscover provider (elastic#28213) Remove overriding of index pattern on the Kubernetes overview dashboard (elastic#29676) jjbb: remove obsoleted branches (<7.16) (elastic#29707) Add k8s metadata in state_cronjob metricset (elastic#29572) ibmmq: Fix timestamp parsing (elastic#29773) Do not add date to index if `@meta.index` is set (elastic#29775) ci: uses aliases for the branches (elastic#29706) Filebeat tests: Restore `@timestamp` field validation (elastic#29772) Forward port 7.16.3 changelog to master (elastic#29777) auditd: Store program arguments in process.args array (elastic#29601) System/socket: Support kernel_clone() replacement for _do_fork() (elastic#29744) Do not mention removal if version is not specified in `cfgwarn` messages (elastic#29727) ...
4 tasks
4 tasks
adriansr
added a commit
to elastic/integrations
that referenced
this pull request
Feb 23, 2022
Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of aNN fields. This is a combination of the following Filebeat module fixes: - elastic/beats#29601 - elastic/beats#30382 Updates version to 2.1.0
eyalkraft
pushed a commit
to build-security/integrations
that referenced
this pull request
Mar 30, 2022
…2730) Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of aNN fields. This is a combination of the following Filebeat module fixes: - elastic/beats#29601 - elastic/beats#30382 Updates version to 2.1.0
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Changes Filebeat's auditd module to store program arguments (from an EXECVE call) in
process.args(arg0 also inprocess.executable). Previously it was using fieldsarg0toargNunderauditd.log.Why is it important?
This prevents too many fields being created. When a call contained more than 10.000 arguments, this lead to an ingest error and contributed to very large indices:
Checklist
[ ] I have made corresponding changes to the documentation[ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.