Skip to content

[8.19](backport #44909) [Filebeat] Do not run o365audit input and o365 module in FIPS builds#45040

Merged
ycombinator merged 1 commit into8.19from
mergify/bp/8.19/pr-44909
Jun 26, 2025
Merged

[8.19](backport #44909) [Filebeat] Do not run o365audit input and o365 module in FIPS builds#45040
ycombinator merged 1 commit into8.19from
mergify/bp/8.19/pr-44909

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify bot commented Jun 25, 2025

Proposed commit message

This PR ensures that the Filebeat o365audit input will not start in FIPS-capable distributions of Filebeat, as the input indirectly depends on code that is not FIPS-compliant. Specifically, the o365audit input depends on the github.com/Azure/azure-sdk-for-go/sdk/azidentity package. This package, in turn, depends on the golang.org/x/crypto/pkcs12 package, which is not FIPS-compliant. Further, the SDK doesn't plan to offer a way to disable the use of this package at compile time (see Azure/azure-sdk-for-go#24336).

In addition to the o365audit input, the o365 module will also not start in FIPS-capable distributions of Filebeat, as this module uses the o365audit input.

Attempting to run a FIPS-capable distribution of Filebeat with either the o365audit input or the o365 module configured will result in Filebeat not starting up and an error in the Filebeat logs like so:

{"log.level":"info","@timestamp":"2025-06-25T14:21:46.596-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":542},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-06-25T14:21:46.596-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable

The o365audit input declares itself as not being FIPS-capable by setting the ExcludeFromFIPS field on the v2.Plugin struct to true (see also: #45036).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

FIPS-capable artifacts of Filebeat will not start the o365 module or the o365audit input.

$ mage clean && FIPS=true mage build

$ cat <<EOF > filebeat-test-input.yml
filebeat.inputs:
- type: o365audit
  id: id-nofips
  enabled: true
  application_id: foo
  tenant_id: bar
  client_secret: qux

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-input.yml -e

$ cat <<EOF > filebeat-test-module.yml
filebeat.modules:
- module: o365
  audit:
    enabled: true
    var.application_id: "<MyApplicationID>"
    var.tenants:
     - id: "<MyTenantID>"
       name: "mytenant.onmicrosoft.com"
    var.client_secret: "<YourClientSecretHere>"

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-module.yml -e
```<hr>This is an automatic backport of pull request #44909 done by [Mergify](https://mergify.com).

@mergify mergify bot requested a review from a team as a code owner June 25, 2025 23:09
@mergify mergify bot added the backport label Jun 25, 2025
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 25, 2025
@github-actions github-actions bot added Filebeat Filebeat Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Jun 25, 2025
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jun 25, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 25, 2025
@ycombinator ycombinator enabled auto-merge (squash) June 26, 2025 00:27
@ycombinator
[Filebeat] Do not run o365audit input and o365 module in FIPS bui…
abe6fd0 
…lds (#44909)

* Return error in FIPS mode if input wants to opt-out of FIPS distributions

* Add ability for Filebeat plugins (inputs) to specify that they should be excluded from FIPS builds

* Remove ExcludeForFIPS implementation

* Make o365 input use FIPSAwareInput interface

* Remove debugging statement

* Adding godoc comments for implementations of the IsFIPSCapable() method

* Add doc about module availability

* Reimplementation

* Remove duplicate imports

(cherry picked from commit e0e464a)
@ycombinator ycombinator force-pushed the mergify/bp/8.19/pr-44909 branch from 30560a8 to abe6fd0 Compare June 26, 2025 00:28
@ycombinator ycombinator merged commit c014fc7 into 8.19 Jun 26, 2025
28 of 32 checks passed
@ycombinator ycombinator deleted the mergify/bp/8.19/pr-44909 branch June 26, 2025 02:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ycombinator ycombinator ycombinator approved these changes

Assignees

@ycombinator ycombinator

Labels

backport Filebeat Filebeat Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elasticmachine @ycombinator