auditbeat 7.16+ ERROR none of the required functions for DO_FORK is found.

[Aqualie]

• Version: Beats [auditbeat] 7.16.1
• Operating System: 5.15.8-arch1-1
• Steps to Reproduce:

1. Configure auditbeat.yml with

- module: system
   datasets:
      - socket  # Opened and closed sockets

2. Try to start auditbeat
3. Errors on startup

Seems to be related to the latest commit for auditbeat 7.16: fab2197
which adds:
"DO_FORK": {"_do_fork", "do_fork"},

Startup/error log

-- Journal begins at Fri 2021-12-24 21:07:06 EST, ends at Sun 2021-12-26 12:03:45 EST. --
Dec 26 11:58:58 REPLACED systemd[1]: Started Audit the activities of users and processes on your system..
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.369-0500        INFO        instance/beat.go:686        Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat/conf] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs] Hostfs Path: [/]
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.369-0500        INFO        instance/beat.go:694        Beat ID: REPLACED
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [service]        service/service.go:110        Start pprof endpoint
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [seccomp]        seccomp/seccomp.go:124        Syscall filter successfully installed
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [beat]        instance/beat.go:1040        Beat info        {"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat/conf", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "REPLACED"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [beat]        instance/beat.go:1049        Build info        {"system_info": {"build": {"commit": "7e56c4a053a2fe26c0cac168dd974780428a2aa6", "libbeat": "7.16.1", "time": "2021-12-11T01:43:21.000Z", "version": "7.16.1"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.383-0500        INFO        [beat]        instance/beat.go:1052        Go runtime info        {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.17.2"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.384-0500        INFO        [beat]        instance/beat.go:1056        Host info        {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-12-24T21:07:05-05:00","containerized":false,"name":"REPLACED","ip":["127.0.0.1/8","REPLACED","REPLACED","REPLACED","REPLACED","REPLACED"],"kernel_version":"5.15.8-arch1-1","mac":["REPLACED"],"os":{"type":"linux","family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EST","timezone_offset_sec":-18000,"id":"REPLACED"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.385-0500        INFO        [beat]        instance/beat.go:1085        Process info        {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/", "exe": "/opt/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": 1824432, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2021-12-26T11:58:58.109-0500"}}}
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.385-0500        INFO        instance/beat.go:328        Setup Beat: auditbeat; Version: 7.16.1
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.385-0500        INFO        [publisher]        pipeline/module.go:113        Beat name: REPLACED
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.388-0500        INFO        [auditd]        auditd/audit_linux.go:107        auditd module is running as euid=0 on kernel=5.15.8-arch1-1
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.388-0500        INFO        [auditd]        auditd/audit_linux.go:134        socket_type=unicast will be used.
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.389-0500        WARN        [cfgwarn]        host/host.go:188        BETA: The system/host dataset is beta
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.391-0500        WARN        [cfgwarn]        login/login.go:96        BETA: The system/login dataset is beta
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.392-0500        WARN        [cfgwarn]        user/user.go:233        BETA: The system/user dataset is beta
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.392-0500        WARN        [cfgwarn]        socket/socket_linux.go:125        BETA: The system/socket dataset is beta.
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.392-0500        INFO        [socket]        socket/socket_linux.go:260        Setting up system/socket for kernel 5.15.8-arch1-1
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.775-0500        INFO        instance/beat.go:461        auditbeat stopped.
Dec 26 11:58:58 REPLACED auditbeat[1824432]: 2021-12-26T11:58:58.775-0500        ERROR        instance/beat.go:1015        Exiting: 1 error: system/socket dataset setup failed: none of the required functions for DO_FORK is found. One of [_do_fork do_fork] is required
Dec 26 11:58:58 REPLACED auditbeat[1824432]: Exiting: 1 error: system/socket dataset setup failed: none of the required functions for DO_FORK is found. One of [_do_fork do_fork] is required
Dec 26 11:58:58 REPLACED systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
Dec 26 11:58:58 REPLACED systemd[1]: auditbeat.service: Failed with result 'exit-code'.
Dec 26 11:58:59 REPLACED systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 1.

kprobes is enabled as well:

> sudo cat /sys/kernel/debug/kprobes/enabled                                                                                                                                    
1

Also fails on 5.10.16-hardened1-1-hardened as well

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[botelastic]

This issue doesn't have a Team:<team> label.

[jamiehynds]

FYI @adriansr

[efd6]

It appears that do_fork was removed in 5.9 (change) and then _do_fork was removed in 5.10 (change), replacing it with kernel_clone.

It looks from the patch sequence that adding kernel_clone to the probe candidate list should fix this.

[lucafwp]

Hi @adriansr I can't see this fix merged on version 7.16.
Has it been released? Should I clone a specific branch?