Add the ability to prevent auditbeat's file_integrity module from sending all monitoring files in an initial "created" status

[danleerunk]

When Auditbeat is initially started with the file_integrity module enabled, all files within the monitored paths are logged with created status - which is in some cases not preferred.

scan_at_start: false works, but can be insecure as no changed will be logged if you restart Auditbeat and a file is modified while the application is not running.

This is a feature request for the option to either prevent the sending of this initial data, and/or adding a flag to the records to indicate the data was generated on the applications initial start.

Let me know if there is any additional information that would be helpful here!

/cc @andrewkroh @strawgate

[andrewkroh]

The only tricky part I foresee around implementing this is what to do when the configuration is changed to add new paths. From Auditbeat's POV it doesn't know that new paths were added to config and would think that it needs to send an action: created event.

[strawgate]

The challenge with the current behavior (expanding on @danleerunk mention of "not preferred") is that it creates a ton of noise in the logs when new clients are added or as @andrewkroh points to, that when new paths are added it creates a large amount of noise in the logs.

[ndubss]

Agree, this would be a useful feature for larger environments.

[cwurm]

I thought about it a bit and came up with some ideas of configurations we could implement:

Idea 1

On start, if there's no beat.db we scan but don't emit events.

Pro: Easy to implement, should work for large deployments rollouts (where the same config is rolled out to many clients, but not a lot of config changes happen later) where this is probably the biggest problem
Con: Does not cover any configuration changes after the first run

Idea 2

On start, check if each configured path is in beat.db. For those that are not, we assume they're new and scan but don't emit events. All others we proceed as today.

Pro: Might still not be too hard to implement, and in addition to the very first run also covers subsequent changes to paths
Con: Does not cover other config changes, esp. to recursive, and could lead to unexpected behavior (e.g. when changing from /etc/ssl/certs/ to /etc/ssl/ we'd miss changes in certs/ which the user might not have expected)

Idea 3

When scanning on start, for each encountered file check if the file itself or any of its parent directories (e.g. /etc/ssl/certs/ca-certificates.crt, /etc/ssl/certs/, /etc/ssl/, /etc/) are in beat.db. If none is, we assume it's a new part of the config and scan but don't emit events. All others we proceed as today.

Pro: Also covers config changes such as recursive: true (which can cause a lot more files to be selected)
Con: Harder to implement, possible performance penalty from all the checks

Thoughts?

[strawgate]

@cwurm perhaps instead of not emitting events in these cases they could just report a status of "Found" instead of created or something similar so that they can be filtered out.

I did have another idea -- would it be possible to add a command line flag that would start the beat, process all the paths, add to beats.db and then exit?

This would allow us to:

1. Push out a temporary config
2. Populate the beats cache
3. Replace the normal config with the temporary config
4. Restart the auditbeat service

[cwurm]

@cwurm perhaps instead of not emitting events in these cases they could just report a status of "Found" instead of created or something similar so that they can be filtered out.

We could do that. We would still need to decide how to determine when a file is truly new and when it's just newly "found", e.g. one of the three ideas above - I would be hesitant of a status where it would not be possible to distinguish between a file that was added while Auditbeat was down (e.g. a malicious cert) vs. a file that has been around all the time.

I did have another idea -- would it be possible to add a command line flag that would start the beat, process all the paths, add to beats.db and then exit?

It's certainly possible. Though if we had the above "found" state, we could have a configuration flag for whether or not to emit events of that type. Would that work?

[cwurm]

Fyi, when implementing #7954 I realized my Option 3 from above does not work: When encountering a deeply nested file e.g. dir1/dir2/file1 with dir1 in beats.db there's no way of knowing whether dir2/file1 appears because recursive: true (action should be found) or because both were recently created (action should be created). The only way I can see of correctly handling recursive: true would be to store/diff the old config to know that it changed in that way.

[andrewkroh]

This was implemented in #7954. You should be able to filter events by looking for event.action with initial_scan.

If you'd like to test it out you can try the snapshot builds. You can drop any (good or bad) feedback here.