[BUG] New os user/group doesn't reflect in Cloudbeat

[uri-weisman]

Describe the bug
Remediation that requires creating a new OS user/group won't be presented to the user even though it took effect.

Preconditions
A Containerized cloudbeat using a Kind cluster.

To Reproduce

1. Verify CIS rule 1.1.12 is failing the evaluation.
2. Apply remediation:
3. SSH to host (kind cluster)
4. groupadd etcd
5. useradd -g etcd etcd
6. chown etcd:etcd /var/lib/etcd/
7. Wait a cycle for new results to be presented
8. CIS rule 1.1.12 is still failing the evaluation.

Expected behavior
CIS rule 1.1.12 is should pass as we apply the right remediation.

Investigation conclusions

1. group and user info can be found in /etc/group & /etc/passwd respectively.
2. In order to propagate this data to cloudbeat we mount those files to the elastic-agent.
3. In the case of a missing user/group we use the useradd/groupadd commands.
4. Those commands edit the mentioned files and modify their inodes.
5. When you mount an individual file into a container, what you are mounting is the inode of the file on the FS (discussion).
   As a result, the files inside the container are not synced.

Proposed solution
Mounting an entire directory will solve the issue because the directory's pointer to the inode gets updated.
Having said that, we don't want to mount the entire etc directory, therefore, we can create a new folder to mount and symlink the mentioned files.

Screenshots

useradd cmd modify /etc/passwd file inode.

Related issue:

• [BUG] cloudbeat crash once etcd folder changed group and user #118

[tinnytintin10]

I have prioritized this as a 0 @tehilashn the definition of done should be that remediations should show up as passing and there should be a test developed for this.

[yashtewari]

Very thorough, Uri! This helped me while working on

• https://github.com/elastic/security-team/issues/4311

I managed to make those tests work by using directory mounts and some other hacks. The whole experiment with mounted files is also neatly described in this blog. I found that it's possible to run the useradd and groupadd commands from the container by providing a prefix:

useradd etcd -P /hostfs

So this is for containerized cloudbeat, but what about Elastic Agent? We use the same mount format in those manifests, and I've confirmed that it mostly doesn't work when the file is changed on host. A newly created Agent pod comes online with the latest file contents/inode. Interestingly, in some cases it seems to work for the first time the file is changed after pod creation. The pod goes into a crash loop for a few seconds, and comes back with the latest file contents/inode. This only seems to happen once, and it seems important to understand why.

Having said that, we don't want to mount the entire etc directory, therefore, we can create a new folder to mount and symlink the mentioned files.

Do you mean making changes to the customer's host? I think this goes one step beyond anything we're doing currently, but I wonder if any other use case of Agent/beats does this. A host-agnostic script that runs on Elastic Agent startup could do the trick. @DaveSys911?

[yashtewari]

Some clarification: for files that are mounted individually (ie not as part of a directory tree), our file system fetcher works just fine for updates that are made in place. The problem only occurs with tools like useradd (and many other linux utilities, editors etc) that internally have the following flow:

1. make a copy of the file
2. make changes to the copy
3. replace the original file with the copy

This can be verified for example with the passwd file. From within the host node, append something to it

cat >> /etc/passwd << EOF
See you on the other side
EOF

The change will be reflected in the mounted file on the container. The same problem with the mounted file would happen with a mounted directory if we replace it with a new directory of the same name. But making changes to a directory subtree is analogous to making changes to a mounted file in place as described, so it works.

It follows that if we don't mount the directory, or don't somehow re-mount the mounted file, changes made by useradd won't propagate to the Agent. I tried some things that don't work:

1. A symbolic link (ln -s) as suggested by @uri-weisman is just a file with a path that points to another file. If we don't already have access to what we want on the container, we can't point to it either.
2. A hard link (ln) links to the inode, and suffers from the same limitations of the mounted file.
3. Instead of just the file, I made a volume out of the whole directory /etc, and then restricted the volumeMounts to just the relevant files using subPath or subPathExpr, but to no avail.

The options I can see:

1. Depend on Elastic Agent restarts, and everything gets mounted again with the latest file contents/inodes. We could inform customers that if they use methods that replace the file, an Agent restart is required for changes to be reflected on their dashboard. This makes it a product decision: @tehilashn @tinnytintin10
2. Somehow force un-mount -> mount on a running Agent.
3. Mount the host's entire /etc directory? We would have to prove to @ph and team that exposing all host system configuration to the Agent is OK, which it probably isn't.

[tehilashn]

Thanks @yashtewari . The ideal behaviour imo is for the user not to perform any manual operation. So option 2. seems like the best one. The question is - did you think of a way to implement it? what are the unknowns here/risks?

[yashtewari]

@tehilashn no, it's mostly conceptual. A re-mount will definitely work, but you need superuser permissions to do mount operations, which we can't give to the Agent.

[yashtewari]

The pod goes into a crash loop for a few seconds, and comes back with the latest file contents/inode.

This is interesting to me. Pure speculation, but with the file that is mounted being "deleted" (replaced), maybe we can expect the Agent to eventually restart itself? Looking into this.

[amirbenun]

I am not sure that agent restart will solve it.
Maybe if you delete the agent pod and reinstall it you will get the latest file?