[Auditbeat] Make librpm discovery more robust

[andrewkroh]

Auditbeat's system/package dataset loads librpm dynamically using dlopen. It finds the library using a hardcoded set of library version names:

beats/x-pack/auditbeat/module/system/package/rpm_linux.go

Lines 207 to 222 in 6fedaef

	func openLibrpm() (*librpm, error) {
	var librpmNames = []string{
	"librpm.so", // with rpm-devel installed
	"librpm.so.9", // Fedora 31/32
	"librpm.so.8", // Fedora 29/30
	"librpm.so.3", // CentOS 7
	"librpm.so.1", // CentOS 6
	// Following for completeness, but not explicitly tested
	"librpm.so.10",
	"librpm.so.7",
	"librpm.so.6",
	"librpm.so.5",
	"librpm.so.4",
	"librpm.so.2",
	}

We'd like to have something that is a less brittle.

Relates: #19275 (comment)
Relates: #19253

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[leehinman]

tried proof of concept with rpm, getting error when using exec.Command

out, err := exec.Command("rpm", "-ql", "rpm-libs").Output()
Couldn't open [fork/exec /usr/bin/rpm: operation not permitted]

[andrewkroh]

Beats don’t allow execve by default to minimize the impact of vulnerabilities.