[8.15] (backport #41863) helper/hasher general improvements #41873

Merged: haesbaert merged 1 commit into 8.15 from mergify/bp/8.15/pr-41863 on Dec 4, 2024
@mergify mergify bot commented Dec 3, 2024

Proposed commit message

  • Fix a TOCTOU by opening the file handle and then doing stat(), instead of doing stat() and then opening.
  • Make sure this is a regular file, otherwise you could trick auditbeat into hashing an infinite source like a pipe.
  • Allow for rate (but not file size) to be infinite, this is needed for an upcoming new backend for module/system/process.
  • Finally, fix error messages that show up on ECS, see below.

before:

```
failed to hash executable /d/e/beats/x-pack/auditbeat/auditbeat for PID 50751: failed to hash file /d/e/beats/x-pack/auditbeat/auditbeat: hasher: file size 143673152 exceeds max file size
```

after:

```
failed to hash executable /d/e/beats/x-pack/auditbeat/auditbeat for PID 50804: size 143673152 exceeds max file size
```

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
    - [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

error.message will stop duplicating text.


This is an automatic backport of pull request #41863 done by Mergify.

 * Fix a TOCTOU by opening the file handle and then doing stat(), instead of
   doing stat() and then opening.
 * Make sure this is a regular file, otherwise you could trick auditbeat into
   hashing an infinite source like a pipe.
 * Allow for rate (but not file size) to be infinite, this is needed for an
   upcoming new backend for module/system/process.
 * Finally, fix error messages that show up on ECS, see below.

before:
```
failed to hash executable /d/e/beats/x-pack/auditbeat/auditbeat for PID 50751: failed to hash file /d/e/beats/x-pack/auditbeat/auditbeat: hasher: file size 143673152 exceeds max file size
```

after:
```
failed to hash executable /d/e/beats/x-pack/auditbeat/auditbeat for PID 50804: size 143673152 exceeds max file size
```

(cherry picked from commit 8b38b65)
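
The open-then-stat ordering and the regular-file check from the commit message above, as an added Go example that is not the Beats hasher code. `hashRegularFile`, the two error variables and the `O_NONBLOCK` open flag are assumptions made for this example, which targets Unix-like systems.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
)

var errNotRegular = errors.New("not a regular file")
var errTooLarge = errors.New("exceeds max file size")

// hashRegularFile is a hypothetical helper, not the Beats hasher API.
func hashRegularFile(path string, maxSize int64) (string, error) {
	// Open first. O_NONBLOCK keeps open() from blocking on a FIFO with no writer.
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NONBLOCK, 0)
	if err != nil {
		return "", err
	}
	defer f.Close()

	// Stat the handle (fstat), not the path: the checks then describe the
	// object we will read, even if the path is replaced after open.
	info, err := f.Stat()
	if err != nil {
		return "", err
	}
	if !info.Mode().IsRegular() {
		return "", fmt.Errorf("%w: mode %v", errNotRegular, info.Mode())
	}
	if info.Size() > maxSize {
		return "", fmt.Errorf("size %d %w", info.Size(), errTooLarge)
	}

	// The file can still grow after fstat; read no more than the checked size.
	h := sha256.New()
	if _, err := io.Copy(h, io.LimitReader(f, info.Size())); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

func main() {
	sum, err := hashRegularFile(os.Args[0], 1<<30)
	fmt.Println(sum, err)
}
```
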
@mergify mergify bot added the backport label Dec 3, 2024
@mergify mergify bot requested a review from a team as a code owner December 3, 2024 20:21
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 3, 2024
@haesbaert haesbaert enabled auto-merge (squash) December 3, 2024 20:22
@haesbaert haesbaert disabled auto-merge December 3, 2024 20:29
@haesbaert haesbaert added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Dec 3, 2024
@elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 3, 2024
@haesbaert haesbaert merged commit f025174 into 8.15 Dec 4, 2024
@haesbaert haesbaert deleted the mergify/bp/8.15/pr-41863 branch December 4, 2024 08:16