[auditbeat] fim: implement kprobes backend #37796
pkoutsovasilis merged 43 commits into elastic:main from
Conversation
…tr tk-btf probe builders in probe manager
…directory entry cache emit the respective event
…nce of generated fs events are properly emitted
…and satisfy testing needs
…el and event emitting
…ew monitor based on these
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
b4efcc5 to 46ef848
This pull request is now in conflicts. Could you fix it? 🙏
andrewkroh left a comment
In a follow up PR we should implement some metrics to improve observability and troubleshooting. The BaseMetricSet should provide a metric namespace for the input to hook into for adding new metrics that get exposed on the /inputs/ monitoring API.
Would you mind gofumpting this new package please.
I did a quick test on Ubuntu 22.04 (Linux linux 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:26:57 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux) with the kprobes backend enabled. It appears to be working as expected. 👍 Looking forward to the addition of user info next.
| - KIBANA_PORT=5601 | ||
| volumes: | ||
| - ${PWD}/..:/go/src/github.com/elastic/beats/ | ||
| - /sys:/sys |
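Review bot: the new `- /sys:/sys` volume line carries no comment saying why the host `/sys` is mounted; since this PR's kprobes backend works through tracefs, a one-line comment next to it (tracefs access for the kprobes FIM backend, plus whatever capabilities or user the container needs for it) would keep the compose file self-explanatory and line up with the Docker doc page update raised in the review thread.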
Auditbeat has doc page about running in Docker. For a future PR, I think that page should get updated to specify the specific settings (capabilities, user, mounts, etc) that are necessary for each FIM backend.
oops noted, I wasn't aware of that but definitely more than a valid thing to look out for, especially when kprobe BE of FIM transitions out from technical preview, thx for the catch!
# Conflicts:
#	auditbeat/auditbeat.reference.yml
#	auditbeat/docs/modules/file_integrity.asciidoc
#	auditbeat/module/file_integrity/_meta/config.yml.tmpl
#	auditbeat/module/file_integrity/_meta/docs.asciidoc
#	auditbeat/module/file_integrity/config.go
#	auditbeat/module/file_integrity/event.go
#	auditbeat/module/file_integrity/eventreader_fsnotify.go
#	auditbeat/module/file_integrity/eventreader_linux.go
#	auditbeat/module/file_integrity/eventreader_other.go
#	auditbeat/module/file_integrity/schema.fbs
#	auditbeat/module/file_integrity/schema/Source.go
#	auditbeat/tests/system/test_file_integrity.py
#	go.mod
#	x-pack/auditbeat/auditbeat.reference.yml
…time to verify the probes and print output
Oh thx, metrics are such a nice idea, definitely we will implement them!
You are officially the first tech preview tester 😁
💚 Build Succeeded
Proposed commit message
This PR adds an additional opt-in kprobes (through tracefs) backend to auditbeat's File Integrity Module (FIM). This is the first part in a PR series that just introduces this new FIM backend and captures only the pid of the process that caused the respective file change. As soon as this one gets merged to main, another one will follow as an extension to this one that captures also the uid and gid of the process. This FIM BE serves as a fallback for older linux kernels (3.10-5.10.15) where the eBPF FIM BE (#37223) is not supported.
Checklist
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Author's Checklist
How to test this PR locally
TEST-go-integration.out.json (kprobe package coverage 85%)
TEST-python-integration.xml.txt
One observation is that mage build integTest is running all unit-tests and python integration tests inside containers using the docker-compose.yml of the auditbeat package, thus everything is tested. However, in the CI pipelines mage build unitTest is invoked, which performs the same steps (unit-tests, python integration tests), but as this is invoked without root the kprobe fim unit-tests and integration tests can't be invoked.
Related issues
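The kprobes-through-tracefs backend described in the proposed commit message registers probes by writing definitions to tracefs and then reads probe hits, each carrying the pid of the task that triggered it, from the tracer's output. The Go program below is an added example and is not Beats code or code from this PR; the probe name fim_open, the symbol do_sys_open, the x86-64 register fetch-args and the trace lines are constructed assumptions. It renders a kprobe_events definition and parses trace_pipe output into events that expose the pid this backend captures.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"strconv"
	"strings"
)

// KprobeEvent is one decoded line of tracefs trace_pipe output for a kprobe.
type KprobeEvent struct {
	Comm   string            // task name as printed by the tracer
	PID    int               // pid of the task that hit the probe (what the PR captures)
	CPU    int               // cpu the event was recorded on
	Probe  string            // probe name chosen when the kprobe was registered
	Symbol string            // kernel symbol plus offset, e.g. "do_sys_open+0x0/0xd6"
	Args   map[string]string // fetch-args as name=value pairs, values left as printed
}

// traceLine matches the default trace_pipe layout, with or without the flags column:
//   <comm>-<pid> [<cpu>] [<flags>] <timestamp>: <probe>: (<symbol>) name=value ...
var traceLine = regexp.MustCompile(
	`^\s*(.*?)-(\d+)\s+\[(\d+)\]\s+(?:\S+\s+)?[\d.]+:\s+([^:]+):\s+\(([^)]*)\)\s*(.*)$`)

// KprobeDefinition renders the line tracefs expects in kprobe_events:
// "p:<group>/<name> <symbol> <fetchargs...>". It only builds the string; writing it
// to /sys/kernel/tracing/kprobe_events needs root privileges and is not done here.
func KprobeDefinition(group, name, symbol string, fetchArgs ...string) string {
	parts := append([]string{"p:" + group + "/" + name, symbol}, fetchArgs...)
	return strings.Join(parts, " ")
}

// ParseTraceLine decodes a single trace_pipe line. Lines that are not kprobe hits
// (comments, blank lines, tracer banners) are reported via ok=false and skipped.
func ParseTraceLine(line string) (ev KprobeEvent, ok bool) {
	m := traceLine.FindStringSubmatch(line)
	if m == nil {
		return KprobeEvent{}, false
	}
	pid, errPID := strconv.Atoi(m[2])
	cpu, errCPU := strconv.Atoi(m[3])
	if errPID != nil || errCPU != nil {
		return KprobeEvent{}, false
	}
	ev = KprobeEvent{
		Comm:   strings.TrimSpace(m[1]),
		PID:    pid,
		CPU:    cpu,
		Probe:  m[4],
		Symbol: m[5],
		Args:   map[string]string{},
	}
	// Fetch-args are space separated name=value tokens; a string arg containing
	// spaces would be split here, which is acceptable for this illustration.
	for _, kv := range strings.Fields(m[6]) {
		if k, v, found := strings.Cut(kv, "="); found {
			ev.Args[k] = v
		}
	}
	return ev, true
}

// ParseTracePipe decodes every kprobe hit in a trace_pipe stream.
func ParseTracePipe(r io.Reader) []KprobeEvent {
	var events []KprobeEvent
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if ev, ok := ParseTraceLine(sc.Text()); ok {
			events = append(events, ev)
		}
	}
	return events
}

// SampleTracePipe is constructed input in trace_pipe format; it was not captured
// from a real system. Probe name "fim_open" and symbol do_sys_open are assumptions.
const SampleTracePipe = `# tracer: nop
            bash-1671  [000] d... 1.072288: fim_open: (do_sys_open+0x0/0xd6) dfd=0xffffff9c filename="/etc/passwd" flags=0x8000 mode=0x0
   kworker/u8:1-123   [001] .... 2.000001: fim_open: (do_sys_open+0x0/0xd6) dfd=0xffffff9c filename="/tmp/x" flags=0x0 mode=0x0
`

func main() {
	// The definition a backend would write to kprobe_events (x86-64 fetch-args, assumed).
	fmt.Println(KprobeDefinition("fim", "fim_open", "do_sys_open", "dfd=%di", "filename=+0(%si):string"))
	for _, ev := range ParseTracePipe(strings.NewReader(SampleTracePipe)) {
		fmt.Printf("pid=%d comm=%s probe=%s file=%s\n", ev.PID, ev.Comm, ev.Probe, ev.Args["filename"])
	}
}
```

The regular expression tolerates both the older trace_pipe layout without a flags column and the newer one with it, and it takes the pid from the last `-<digits>` before the cpu column so task names such as `kworker/u8:1` survive intact.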