Skip to content

[Auditbeat] Cherry-pick #10508 to 6.x: System module: Detect package updates#10562

Merged
cwurm merged 1 commit intoelastic:6.xfrom
cwurm:backport_10508_6.x
Feb 5, 2019
Merged

[Auditbeat] Cherry-pick #10508 to 6.x: System module: Detect package updates#10562
cwurm merged 1 commit intoelastic:6.xfrom
cwurm:backport_10508_6.x

Conversation

@cwurm
Copy link
Copy Markdown
Contributor

@cwurm cwurm commented Feb 5, 2019

Cherry-pick of PR #10508 to 6.x branch. Original message:

Detects package updates by checking if any of the "new" package objects have the same package name as one of the "old" package objects. The event will have event.action: package_updated.

Also fixes two issues:

  1. Removes InstallTime from change detection. It is not set for dpkg, and for Homebrew it is currently the modification time of the package's directory. A touch will cause it to be reported as changed. I'm actually wondering if we should not set it for Homebrew at all. For change detection, we now rely on name, version, release (only set for RPM), and size - all of which (hopefully) only change when the package has indeed changed.
  2. For dpkg, reports packages as removed that have only been removed (apt-get remove) but not purged (apt-get purge). Removed package stay around in /var/lib/dpkg/status, but with a deinstall status.

As an urgent follow-up, we should add tests with sample files for at least:

  • /var/lib/dpkg/status in various stages (no package, installed package, new version, deinstalled package). I wanted to add it here, but we'll need a way to pass the test files to the metricset, and at the moment there is no config value for it (but there probably should be). I didn't want to do that bigger change here.
  • /usr/local/Cellar/{pkg.Name}/INSTALL_RECEIPT.json (read since [Auditbeat] Read formula path from INSTALL_RECEIPT.json for Homebrew packages #10507), and a Ruby formula file.

@cwurm cwurm changed the title Cherry-pick #10508 to 6.x: [Auditbeat] System module: Detect package updates [Auditbeat] Cherry-pick #10508 to 6.x: System module: Detect package updates Feb 5, 2019
[Auditbeat] System module: Detect package updates (elastic#10508)
aff9296 
Detects package updates by checking if any of the "new" package objects have the same package name as one of the "old" package objects. The event will have `event.action: package_updated`.

Also removes `InstallTime` from change detection. And for dpkg, reports packages as removed that have only been removed (`apt-get remove`) but not purged (`apt-get purge`).

(cherry picked from commit 394d93d)
@cwurm cwurm force-pushed the backport_10508_6.x branch from eece0ac to aff9296 Compare February 5, 2019 11:54
@cwurm cwurm added the Auditbeat label Feb 5, 2019
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Feb 5, 2019

Pinging @elastic/secops

@cwurm cwurm added the SecOps label Feb 5, 2019
@cwurm cwurm requested a review from a team February 5, 2019 11:54
webmat
webmat approved these changes Feb 5, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cwurm cwurm merged commit f5f0dc9 into elastic:6.x Feb 5, 2019
@cwurm cwurm deleted the backport_10508_6.x branch February 5, 2019 14:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@webmat webmat webmat approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Auditbeat backport review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cwurm @elasticmachine @webmat