[Filebeat] [auditd]: Support EXECVE events with truncated argument list

[adriansr]

What does this PR do?

This modifies Filebeat's auditd ingest pipeline to support parsing of EXECVE events with truncated argument lists.

In a normal EXECVE event, the auditd fields argc(=N) and a0 to aN-1 are present. The pipeline would store the arguments in the process.args array, as well as set process.args_count to N and process.executable to process.args[0].

A truncated EXECVE event usually lacks the argc field, and contains only the last few aNN fields.

In that case, this PR will add the arguments into process.args with a leading warning [... N truncated arguments ...] and will not populate process.executable.

Why is it important?

This PR avoids ingesting an arbitrarily large number of fields in the form aNN, aNN_len and aNN[M], to prevent a mapping explosion leading to large indices:

Could not index event to Elasticsearch: "status"=>400,
"error"=>{
"type"=>"illegal_argument_exception",
"reason"=>"Limit of total fields [10000] has been exceeded"}}

This was partially fixed by #29601, but after it was merged, we observed truncated EXECVE records that were still causing issues.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Supersedes auditd: Store program arguments in process.args array #29601

[mergify]

This pull request does not have a backport label. Could you fix it @adriansr? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💔 Tests Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-02-17T14:01:37.132+0000

• Duration: 89 min 13 sec

Test stats 🧪

Test	Results
Failed	1
Passed	8498
Skipped	911
Total	9410

Test errors

Expand to view the tests failures

Extended / filebeat-windows-2016-windows-2016 / TestNewModuleRegistry – github.com/elastic/beats/v7/filebeat/fileset

Expand to view the error details

 Failed 

Expand to view the stacktrace

 === RUN   TestNewModuleRegistry
{"log.level":"info","@timestamp":"2022-02-17T15:17:55.901Z","log.logger":"modules","log.origin":{"file.name":"fileset/modules.go","file.line":108},"message":"Enabled modules/filesets: nginx (error), nginx (access), mysql (slowlog), mysql (error), system (syslog), system (auth), auditd (log)","ecs.version":"1.6.0"}
    modules_test.go:104: 
        	Error Trace:	modules_test.go:104
        	Error:      	Not equal: 
        	            	expected: []string{"error", "access"}
        	            	actual  : []string{"access", "error"}
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1,4 +1,4 @@
        	            	 ([]string) (len=2) {
        	            	- (string) (len=5) "error",
        	            	- (string) (len=6) "access"
        	            	+ (string) (len=6) "access",
        	            	+ (string) (len=5) "error"
        	            	 }
        	Test:       	TestNewModuleRegistry
--- FAIL: TestNewModuleRegistry (0.02s)
 

Steps errors

Expand to view the steps failures

filebeat-goIntegTest - mage goIntegTest

• Took 5 min 10 sec . View more details here
• Description: mage goIntegTest

filebeat-windows-2016-windows-2016 - mage build unitTest

• Took 2 min 25 sec . View more details here
• Description: mage build unitTest

filebeat-windows-2016-windows-2016 - mage build unitTest

• Took 1 min 33 sec . View more details here
• Description: mage build unitTest

filebeat-windows-2016-windows-2016 - mage build unitTest

• Took 1 min 33 sec . View more details here
• Description: mage build unitTest

gsutil -m -q cp -a public-read test-build-artifacts-filebeat-windows-2016-windows-2016-tgz gs://beat

• Took 0 min 2 sec . View more details here
• Description: @echo off gsutil -m -q cp -a public-read test-build-artifacts-filebeat-windows-2016-windows-2016-tgz gs://beats-ci-temp/Beats/beats/PR-30382-2

filebeat-windows-10-windows-10 - mage build unitTest

• Took 3 min 12 sec . View more details here
• Description: mage build unitTest

Error signal

• Took 0 min 0 sec . View more details here
• Description: Error 'hudson.AbortException: script returned exit code 1'

🐛 Flaky test report

❕ There are test failures but not known flaky tests.

Expand to view the summary

Genuine test errors

💔 There are test failures but not known flaky tests, most likely a genuine test failure.

• Name: Extended / filebeat-windows-2016-windows-2016 / TestNewModuleRegistry – github.com/elastic/beats/v7/filebeat/fileset

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[adriansr]

Tests failed due to flaky test, fixed here #30453