[auditbeat] fim: implement ebpf backend

[mmat11]

Proposed commit message

This PR adds an additional opt-in eBPF backend to the file_integrity module. See related issues for more context.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• open source https://github.com/elastic/ebpfevents
• support setxattrs file modification events
• support directories creation events(?)

How to test this PR locally

Enable the eBPF backend in the file_integrity module config by specifying force_backend: ebpf and observe file events after running auditbeat.

Related issues

• File Integrity Monitoring | User Information - Linux integrations#7401
• [auditbeat] fim: implement kprobes backend #37796

[elasticmachine]

❕ Build Aborted

There is a new build on-going so the previous on-going builds have been aborted.

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2024-02-02T20:25:10.367+0000

• Duration: 21 min 53 sec

Test stats 🧪

Test	Results
Failed	0
Passed	3
Skipped	0
Total	3

Steps errors

Expand to view the steps failures

Show only the first 10 steps failures

auditbeat-rhel-9-rhel-9 - mage build unitTest

• Took 1 min 6 sec . View more details here
• Description: mage build unitTest

auditbeat-rhel-9-rhel-9 - mage build unitTest

• Took 0 min 2 sec . View more details here
• Description: mage build unitTest

auditbeat-rhel-9-rhel-9 - mage build unitTest

• Took 0 min 2 sec . View more details here
• Description: mage build unitTest

x-pack/auditbeat-build - mage update build test

• Took 1 min 16 sec . View more details here
• Description: mage update build test

x-pack/auditbeat-build - mage update build test

• Took 0 min 5 sec . View more details here
• Description: mage update build test

x-pack/auditbeat-build - mage update build test

• Took 0 min 5 sec . View more details here
• Description: mage update build test

x-pack/auditbeat-rhel-9-rhel-9 - mage build unitTest

• Took 1 min 11 sec . View more details here
• Description: mage build unitTest

x-pack/auditbeat-rhel-9-rhel-9 - mage build unitTest

• Took 0 min 2 sec . View more details here
• Description: mage build unitTest

x-pack/auditbeat-rhel-9-rhel-9 - mage build unitTest

• Took 0 min 2 sec . View more details here
• Description: mage build unitTest

Error signal

• Took 0 min 0 sec . View more details here
• Description: Error 'hudson.AbortException: script returned exit code 1'

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

❕ Build Aborted

Either there was a build timeout or someone aborted the build.

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 16 min 10 sec

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 178 min 13 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @mmat11? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[mmat11]

/test auditbeat integTest

[mmat11]

/test auditbeat integTest arm

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b matt/fim-ebpf upstream/matt/fim-ebpf
git merge upstream/main
git push upstream matt/fim-ebpf

[mmat11]

/test auditbeat integTest arm

[mmat11]

/test auditbeat integTest arm

[andrewkroh]

Just a few minor comments, I don't think anything that requires another look.

For future reference, in these larger changesets I would prefer if we didn't force push after the first peer review comments come in. Being able to view the changes since you last reviewed is valuable. At least in this repo, you are required to squash at merge so you still have an opportunity to clean up the commit message.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 04234eb

History

• 💔 Build #1213 failed df7dc6f
• 💚 Build #1208 succeeded b9982c8

cc @mmat11

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 04234eb

History

• 💔 Build #1208 failed df7dc6f

cc @mmat11

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 04234eb

History

• 💔 Build #377 failed df7dc6f

cc @mmat11

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 04234eb

History

• 💔 Build #2426 failed df7dc6f

cc @mmat11

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 04234eb

History

• 💔 Build #1538 failed df7dc6f

cc @mmat11

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 04234eb

History

• 💔 Build #2877 failed df7dc6f
• 💚 Build #2799 succeeded ba46a56
• 💚 Build #2787 succeeded 3e7db0b
• 💔 Build #2456 failed 9b4acb4
• 💔 Build #2407 failed c372c54

cc @mmat11

[pkoutsovasilis]

LGTM!