Skip to content

[8.x](backport #41952) auditbeat: Add a cached file hasher for auditbeat#41992

Merged
haesbaert merged 1 commit into8.xfrom
mergify/bp/8.x/pr-41952
Dec 11, 2024
Merged

[8.x](backport #41952) auditbeat: Add a cached file hasher for auditbeat#41992
haesbaert merged 1 commit into8.xfrom
mergify/bp/8.x/pr-41952

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify bot commented Dec 11, 2024

Proposed commit message

This implements a LRU cache on top of the FileHasher from hasher.go, it will be used in the new backend for the system process module on linux.

The cache is indexed by file path and stores the metadata (what we get from stat(2)/statx(2)) along with the hashes of each file.

When we want to hash a file: we stat() the file, then do cache lookup and compare against the stored metadata, if it differs, we rehash, if not we use the cached values.

The cache ignores access time (atime), it's only interested in write modifications, if the machine doesn't support statx(2) it falls back to stat(2) but uses the same Unix.Statx_t.

With this we end up with a stat() + lookup on the hotpath, and a stat() + stat() + insert on the cold path.

The motivation for this is that the new backend ends up fetching "all processes", which in turn causes it to try to hash at every event, the current/old hasher just can't cope with it:

  1. Hashing for each event is simply too expensive, in the 100us-50ms range on the default configuration, which puts us below 1000/s.
  2. It has a scan rate throttling that on the default configuration ends easily at 40ms per event (25/s).

With the cache things improve considerably, we stay below 5us (200k/s) in all cases:

MISSES
"miss (/usr/sbin/sshd) took 2.571359ms"
"miss (/usr/bin/containerd) took 52.099386ms"
"miss (/usr/sbin/gssproxy) took 160us"
"miss (/usr/sbin/atd) took 50.032us"
HITS
"hit (/usr/sbin/sshd) took 2.163us"
"hit (/usr/lib/systemd/systemd) took 3.024us"
"hit (/usr/lib/systemd/systemd) took 859ns"
"hit (/usr/sbin/sshd) took 805ns"

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
    This is an automatic backport of pull request auditbeat: Add a cached file hasher for auditbeat #41952 done by Mergify.

@haesbaert @mergify
auditbeat: Add a cached file hasher for auditbeat (#41952)
2877004 
This implements a LRU cache on top of the FileHasher from hasher.go, it will be
used in the new backend for the system process module on linux.

The cache is indexed by file path and stores the metadata (what we get from
stat(2)/statx(2)) along with the hashes of each file.

When we want to hash a file: we stat() the file, then do cache lookup and
compare against the stored metadata, if it differs, we rehash, if not we use the
cached values.

The cache ignores access time (atime), it's only interested in write
modifications, if the machine doesn't support statx(2) it falls back to stat(2)
but uses the same Unix.Statx_t.

With this we end up with a stat() + lookup on the hotpath, and a stat() + stat()
+ insert on the cold path.

The motivation for this is that the new backend ends up fetching "all
processes", which in turn causes it to try to hash at every event, the
current/old hasher just can't cope with it:
 1. Hashing for each event is simply to expensive, in the 100us-50ms range on the
    default configuration, which puts us below 1000/s.
 2. It has a scan rate throttling that on the default configuration ends easily
    at 40ms per event (25/s).

With the cache things improve considerably, we stay below 5us (200k/s) in all
cases:

```
MISSES
"miss (/usr/sbin/sshd) took 2.571359ms"
"miss (/usr/bin/containerd) took 52.099386ms"
"miss (/usr/sbin/gssproxy) took 160us"
"miss (/usr/sbin/atd) took 50.032us"
HITS
"hit (/usr/sbin/sshd) took 2.163us"
"hit (/usr/lib/systemd/systemd) took 3.024us"
"hit (/usr/lib/systemd/systemd) took 859ns"
"hit (/usr/sbin/sshd) took 805ns"
```

(cherry picked from commit 8ec2e31)
@mergify mergify bot requested a review from a team as a code owner December 11, 2024 16:05
@mergify mergify bot added the backport label Dec 11, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 11, 2024
@haesbaert haesbaert added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Dec 11, 2024
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Dec 11, 2024

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 11, 2024
@haesbaert haesbaert merged commit 47b2060 into 8.x Dec 11, 2024
@haesbaert haesbaert deleted the mergify/bp/8.x/pr-41952 branch December 11, 2024 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@haesbaert haesbaert

Labels

backport Team:Security-Linux Platform Linux Platform Team in Security Solution

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elasticmachine @haesbaert