Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat] Package: Auto-detect package directories #12289

Merged
merged 2 commits into from
May 28, 2019
Merged

[Auditbeat] Package: Auto-detect package directories #12289

merged 2 commits into from
May 28, 2019

Conversation

cwurm
Copy link
Contributor

@cwurm cwurm commented May 24, 2019

Users have recently struggled with using Auditbeat on distros the system/package dataset does not recognize. When this happens, Auditbeat aborts the start with a not very helpful error message.

This PR fixes this by changing the behavior:

  1. Instead of selecting the package manager based on the OS family we check which package directories exist: /var/lib/dpkg, /var/lib/rpm, or /usr/local/Cellar. In the future, we could make these configurable.
  2. If we find no directories, we log a warning once and continue checking. We do not abort Auditbeat's launch.

Possible future improvements:

  1. Add a package.type (naming tbd) to distinguish between rpm, deb, and homebrew packages.
  2. Make the package directories configurable by the user. We use the default path for each which will work in most cases, but each package manager allows this to be customized.

This is a bigger change, but I'd want to backport it as a bugfix since the current behavior is causing frustration to users. The system module is still in beta, giving us more freedom in what we backport.

@cwurm cwurm added review needs_backport PR is waiting to be backported to other branches. Auditbeat SecOps labels May 24, 2019
@cwurm cwurm requested a review from a team as a code owner May 24, 2019 22:59
@elasticmachine
Copy link
Collaborator

Pinging @elastic/secops

andrewkroh
andrewkroh approved these changes May 25, 2019
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. 😄

@cwurm cwurm force-pushed the package_no_os_check branch 3 times, most recently from 7bbc0f5 to 7f3cfe4 Compare May 28, 2019 19:58
@cwurm cwurm merged commit afbe070 into elastic:master May 28, 2019
@cwurm cwurm deleted the package_no_os_check branch May 28, 2019 22:14
cwurm pushed a commit to cwurm/beats that referenced this pull request May 28, 2019
[Auditbeat] Package: Auto-detect package directories (elastic#12289)
990502b 
Changes the `system/package` dataset to select the package manager based on which package directories exist: `/var/lib/dpkg`, `/var/lib/rpm`, or `/usr/local/Cellar`.

If we find no directories, we log a warning once and continue checking. We do not abort Auditbeat's launch.

(cherry picked from commit afbe070)
@cwurm cwurm mentioned this pull request May 28, 2019
Merged
@cwurm cwurm added v7.2.0 and removed needs_backport PR is waiting to be backported to other branches. labels May 28, 2019
@cwurm cwurm mentioned this pull request May 28, 2019
Merged
@cwurm cwurm added the v6.8.1 label May 28, 2019
cwurm pushed a commit to cwurm/beats that referenced this pull request May 28, 2019
[Auditbeat] Package: Auto-detect package directories (elastic#12289)
cde8942 
Changes the `system/package` dataset to select the package manager based on which package directories exist: `/var/lib/dpkg`, `/var/lib/rpm`, or `/usr/local/Cellar`.

If we find no directories, we log a warning once and continue checking. We do not abort Auditbeat's launch.

(cherry picked from commit afbe070)
cwurm pushed a commit that referenced this pull request May 29, 2019
[Auditbeat] Cherry-pick #12289 to 7.2: Package: Auto-detect package d…
c1dd2e4 
…irectories (#12323)

Changes the `system/package` dataset to select the package manager based on which package directories exist: `/var/lib/dpkg`, `/var/lib/rpm`, or `/usr/local/Cellar`.

If we find no directories, we log a warning once and continue checking. We do not abort Auditbeat's launch.

(cherry picked from commit afbe070)
cwurm pushed a commit that referenced this pull request May 29, 2019
[Auditbeat] Cherry-pick #12289 to 6.8: Package: Auto-detect package d…
4c34994 
…irectories (#12324)

Changes the `system/package` dataset to select the package manager based on which package directories exist: `/var/lib/dpkg`, `/var/lib/rpm`, or `/usr/local/Cellar`.

If we find no directories, we log a warning once and continue checking. We do not abort Auditbeat's launch.

(cherry picked from commit afbe070)
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
[Auditbeat] Cherry-pick elastic#12289 to 7.2: Package: Auto-detect pa…
3d6052f 
…ckage directories (elastic#12323)

Changes the `system/package` dataset to select the package manager based on which package directories exist: `/var/lib/dpkg`, `/var/lib/rpm`, or `/usr/local/Cellar`.

If we find no directories, we log a warning once and continue checking. We do not abort Auditbeat's launch.

(cherry picked from commit 33d5d1b)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
Auditbeat review v6.8.1 v7.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cwurm @elasticmachine @andrewkroh