Skip to content

Stop running auditbeat container as root by default#21202

Merged
jsoriano merged 3 commits intoelastic:masterfrom
jsoriano:auditbeat-docker-uroot-user
Sep 24, 2020
Merged

Stop running auditbeat container as root by default#21202
jsoriano merged 3 commits intoelastic:masterfrom
jsoriano:auditbeat-docker-uroot-user

Conversation

@jsoriano
Copy link
Copy Markdown
Member

@jsoriano jsoriano commented Sep 21, 2020
edited
Loading

What does this PR do?

Stop running Auditbeat container as root by default. After this change, when user root is required it will need to be explicitly set on runtime. This is already done in Kubernetes manifests and some other examples in the documentation, so change is probably not so breaking.
Also USER root is usually not enough to be fully privileged, so some customization was always expected when running Auditbeat on docker.

Why is it important?

Using USER root in docker images is not a very good practice, and is not allowed in some certification processes (see #20996).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

  • Run Auditbeat on docker using a configuration that requires root privileges.

Related issues

@jsoriano jsoriano added :Packaging needs_backport PR is waiting to be backported to other branches. Team:SIEM Team:Platforms Label for the Integrations - Platforms team v7.10.0 labels Sep 21, 2020
@jsoriano jsoriano requested a review from a team as a code owner September 21, 2020 16:40
@jsoriano jsoriano self-assigned this Sep 21, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 21, 2020

Pinging @elastic/siem (Team:SIEM)

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 21, 2020

Pinging @elastic/integrations-platforms (Team:Platforms)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Sep 21, 2020
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Sep 21, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #21202 updated]

  • Start Time: 2020-09-24T08:33:18.716+0000

  • Duration: 41 min 44 sec

Test stats 🧪

Test Results
Failed 0
Passed 595
Skipped 81
Total 676

@jsoriano
Copy link
Copy Markdown
Member Author

jsoriano commented Sep 21, 2020

/packaging

@jsoriano
Copy link
Copy Markdown
Member Author

jsoriano commented Sep 21, 2020

/package

1 similar comment
@jsoriano
Copy link
Copy Markdown
Member Author

jsoriano commented Sep 22, 2020

/package

@jsoriano
Copy link
Copy Markdown
Member Author

jsoriano commented Sep 24, 2020

/package

@jsoriano jsoriano merged commit 6bd7090 into elastic:master Sep 24, 2020
@jsoriano jsoriano deleted the auditbeat-docker-uroot-user branch September 24, 2020 11:47
@jsoriano jsoriano mentioned this pull request Sep 24, 2020
Merged
6 tasks
@jsoriano jsoriano removed the needs_backport PR is waiting to be backported to other branches. label Sep 24, 2020
jsoriano added a commit to jsoriano/beats that referenced this pull request Sep 24, 2020
@jsoriano
Stop running auditbeat container as root by default (elastic#21202)
3b03817 
Stop running Auditbeat container as root by default. After this change,
when user root is required it will need to be explicitly set on runtime.
This is already done in Kubernetes manifests and some other examples
in the documentation, so change is probably not so breaking.
Also `USER root` is usually not enough to be fully privileged, so some
customization was always expected when running Auditbeat on docker.

(cherry picked from commit 6bd7090)
v1v added a commit to v1v/beats that referenced this pull request Sep 24, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/ci-pipeli…
778c037 
…ne-2.0

* upstream/master: (33 commits)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  Add acceptable event log keys to winlog (elastic#21205)
  Add elastic-agent to gitignore (elastic#21219)
  Add cloudfoundry tags to events (elastic#21177)
  [Ingest Manager] Agent includes pgp file (elastic#19480)
  Add compatibility note about ingress-controller-v0.34.1 (elastic#21209)
  [Ingest Manager] Support for UPGRADE_ACTION (elastic#21002)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 24, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/ci-pipeli…
ce70a4f 
…ne-2.0-arm

* upstream/master:
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
v1v added a commit to v1v/beats that referenced this pull request Sep 24, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/ci-runbld…
21a22f0 
…-refactor

* upstream/master:
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
v1v added a commit to v1v/beats that referenced this pull request Sep 28, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/windows-2008
2cbe6d9 
* upstream/master: (417 commits)
  libbeat/cmd/instance: report cgroup stats (elastic#21113)
  Configurable index template loading (elastic#21212)
  [Ingest Manager] Thread safe sorted set (elastic#21290)
  Change mirror of kafka download (elastic#19645)
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 28, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/windows-7-32
a823b84 
* upstream/master: (399 commits)
  libbeat/cmd/instance: report cgroup stats (elastic#21113)
  Configurable index template loading (elastic#21212)
  [Ingest Manager] Thread safe sorted set (elastic#21290)
  Change mirror of kafka download (elastic#19645)
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  ...
v1v added a commit to v1v/beats that referenced this pull request Sep 28, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/windows-10
a8cb7d8 
* upstream/master: (60 commits)
  libbeat/cmd/instance: report cgroup stats (elastic#21113)
  Configurable index template loading (elastic#21212)
  [Ingest Manager] Thread safe sorted set (elastic#21290)
  Change mirror of kafka download (elastic#19645)
  [Ingest manager] Copy Action store on upgrade (elastic#21298)
  [CI] Pipeline 2.0 for monorepos (elastic#20104)
  Stop running agent container as root by default (elastic#21213)
  Stop running auditbeat container as root by default (elastic#21202)
  Fix autodiscover flaky tests (elastic#21242)
  [Ingest Manager] Enabled dev builds (elastic#21241)
  Fix librpm installation in auditbeat build (elastic#21239)
  Fix prometheus default config (elastic#21253)
  Fix dev guide test command (elastic#21254)
  Move aws lambda metricset to GA (elastic#21255)
  [Docs] Typo in table syntax (elastic#20227)
  [ECS] Adds related.hosts to capture all hostnames and host identifiers on an event. (elastic#21160)
  Add recursive split to httpjson (elastic#21214)
  [DOCS] Add beat specific start widgets (elastic#21217)
  Fix timestamp handling in remote_write (elastic#21166)
  Fix aws, azure and googlecloud compute dashboards (elastic#21098)
  ...
jsoriano added a commit that referenced this pull request Sep 28, 2020
@jsoriano
Stop running auditbeat container as root by default (#21202) (#21291)
0c2f218 
Stop running Auditbeat container as root by default. After this change,
when user root is required it will need to be explicitly set on runtime.
This is already done in Kubernetes manifests and some other examples
in the documentation, so change is probably not so breaking.
Also `USER root` is usually not enough to be fully privileged, so some
customization was always expected when running Auditbeat on docker.

(cherry picked from commit 6bd7090)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kvch kvch kvch approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@jsoriano jsoriano

Labels

:Packaging Team:Platforms Label for the Integrations - Platforms team v7.10.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@jsoriano @elasticmachine @kvch @masci @andresrc