Stop running auditbeat container as root by default (#21202)

jsoriano · web-flow · commit 6bd70908fec6 · 2020-09-24T13:47:28.000+02:00
Stop running Auditbeat container as root by default. After this change,
when user root is required it will need to be explicitly set on runtime.
This is already done in Kubernetes manifests and some other examples
in the documentation, so change is probably not so breaking.
Also `USER root` is usually not enough to be fully privileged, so some
customization was always expected when running Auditbeat on docker.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
 - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
 - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
+- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]
 
 *Filebeat*
 
diff --git a/auditbeat/docs/running-on-docker.asciidoc b/auditbeat/docs/running-on-docker.asciidoc
@@ -10,5 +10,5 @@ It is also essential to run {beatname_uc} in the host PID namespace.
 
 ["source","sh",subs="attributes"]
 ----
-docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
+docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage}
 ----
diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go
@@ -92,7 +92,7 @@ func Package() {
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // Update is an alias for running fields, dashboards, config, includes.
diff --git a/auditbeat/scripts/mage/package.go b/auditbeat/scripts/mage/package.go
@@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) {
 				args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
 				sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget
 			case devtools.Docker:
-				args.Spec.ExtraVar("user", "root")
 			default:
 				panic(errors.Errorf("unhandled package type: %v", pkgType))
 			}
diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go
@@ -84,7 +84,7 @@ func Package() {
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // Update is an alias for running fields, dashboards, config.

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ func Package() {`
`92`	`92`
`93`	`93`	`// TestPackages tests the generated packages (i.e. file modes, owners, groups).`
`94`	`94`	`func TestPackages() error {`
`95`		`- return devtools.TestPackages(devtools.WithRootUserContainer())`
	`95`	`+ return devtools.TestPackages()`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`// Update is an alias for running fields, dashboards, config, includes.`
Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) {`
`95`	`95`	`args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)`
`96`	`96`	`sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget`
`97`	`97`	`case devtools.Docker:`
`98`		`- args.Spec.ExtraVar("user", "root")`
`99`	`98`	`default:`
`100`	`99`	`panic(errors.Errorf("unhandled package type: %v", pkgType))`
`101`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ func Package() {`
`84`	`84`
`85`	`85`	`// TestPackages tests the generated packages (i.e. file modes, owners, groups).`
`86`	`86`	`func TestPackages() error {`
`87`		`- return devtools.TestPackages(devtools.WithRootUserContainer())`
	`87`	`+ return devtools.TestPackages()`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`// Update is an alias for running fields, dashboards, config.`