
Support running Auditbeat and Elastic Agent docker images without root #20996

@jsoriano

Description

In general it makes more sense to run Auditbeat and Elastic Agent as root. Most of Auditbeat's functionality requires high privileges, and Elastic Agent has capabilities to start and supervise other services, including Auditbeat, so it also requires these privileges. Endpoint probably also requires high privileges.

For that, docker images use USER root, but this goes against generally accepted good practices: containers run with arbitrary user ids in secured Kubernetes environments, and Red Hat certified images cannot run as root.

So we should stop using USER root, at least in UBI images, which are more intended for certified, secure environments. We have to take into account that the images could still be run as root in privileged environments with runtime options.

Things to do:

  • Remove USER root from Auditbeat and Elastic Agent docker images (at least from the UBI ones).
  • Ensure that they include a minimal configuration that provides some functionality without root privileges. If this is not possible, we will have to reconsider this.
  • Ensure that they can still be run as root, with specific runtime options for that, in privileged environments.

Where to look at:

  • User is set to root for Auditbeat in the magefile.go (here). If we are going to provide different config for default and UBI images, we will have to move this to the packages.yml file as a new config that extends the common Beats config, which would allow a cleaner override.
  • User is set to root for Elastic Agent in the packages.yml file (here).

Related PRs and issues:
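As an added example that is not part of the issue or the Beats build tooling, the following POSIX shell lint reports the effective USER a Dockerfile leaves a container running as, so an image that still ends in `USER root` is caught before it is published. The sample Dockerfiles are constructed, and the lint assumes an unset USER is inherited as root from the base image.

```shell
#!/bin/sh
# Added example: lint a Dockerfile for the effective container user.
# Not from the issue or the Beats project; sample Dockerfiles are constructed.

# The last USER directive wins. With no USER at all the user is inherited
# from the base image; this lint assumes that inherited user is root.
effective_user() {
  awk '
    toupper($1) == "USER" { user = $2 }
    END { print (user == "" ? "root (inherited)" : user) }
  ' "$1"
}

# Succeeds (exit 0) when the image would run as root: "root", "root:grp",
# "0", "0:0" or the inherited default.
runs_as_root() {
  u=$(effective_user "$1")
  case "$u" in
    root|root:*|"root (inherited)"|0|0:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed samples: the "before" image re-escalates to root at the end,
# the "after" image keeps an unprivileged numeric uid. Running the "after"
# image as root in a privileged environment is then a runtime decision
# (for example `docker run --user 0` or a Kubernetes securityContext
# with runAsUser: 0), not something baked into the image.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat >"$before" <<'EOF'
FROM ubuntu:20.04
USER auditbeat
COPY auditbeat /usr/share/auditbeat/auditbeat
USER root
EOF
cat >"$after" <<'EOF'
FROM ubuntu:20.04
USER 1000
COPY auditbeat /usr/share/auditbeat/auditbeat
EOF

for f in "$before" "$after"; do
  if runs_as_root "$f"; then
    echo "$f: would run as root ($(effective_user "$f"))"
  else
    echo "$f: unprivileged user $(effective_user "$f")"
  fi
done
```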
