x-pack/auditbeat/module/socket/guess: fix creds trigger for newer kernels #37136

efd6 · 2023-11-15T21:56:43Z

Proposed commit message

In kernel commit 981ee95c (into v6.3) calls to access_override_creds
were gated behind a test for the requirement for the call. This change
results in non-execution of prepare_creds and so failure of the guess.

An alternative has been identified that does not exhibit this behaviour,
mq_open which calls dentry_open with creds in the third parameter. So
replace the sys_access trigger with sys_mq_open and add the probe to
dentry_open with P3 for the address.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

[ ]

How to test this PR locally

Related issues

Fixes [Auditbeat] error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event #36905

Use cases

Screenshots

Logs

elasticmachine · 2023-11-16T06:52:15Z

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

Start Time: 2023-11-16T06:09:10.000+0000
Duration: 43 min 59 sec

Test stats 🧪

Test	Results
Failed	0
Passed	395
Skipped	63
Total	458

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

/test : Re-trigger the build.
/package : Generate the packages and run the E2E tests.
/beats-tester : Run the installation tests with beats-tester.
run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

elasticmachine · 2023-11-16T06:58:14Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

haesbaert · 2023-11-16T08:18:16Z

x-pack/auditbeat/module/system/socket/guess/creds.go

 func (g *guessStructCreds) Trigger() error {
-	syscall.Syscall(unix.SYS_ACCESS, 0, 0, 0)
-	return nil
+	name, err := unix.BytePtrFromString("omg")


I'd use a more unique string here __guess_creds or something.

haesbaert · 2023-11-16T08:19:38Z

x-pack/auditbeat/seccomp_linux.go

+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall,
+			"mremap",
+			"umask",
+		); err != nil {


solely whitespace changes would be nicer in a second commit.

Agreed, but unfortunately this will all get squashed.

haesbaert

lgtm!

elasticmachine · 2023-11-16T09:09:20Z

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

Start Time: 2023-11-16T08:27:24.589+0000
Duration: 42 min 50 sec

Test stats 🧪

Test	Results
Failed	0
Passed	395
Skipped	63
Total	458

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

/test : Re-trigger the build.
/package : Generate the packages and run the E2E tests.
/beats-tester : Run the installation tests with beats-tester.
run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

mergify · 2023-11-22T19:09:51Z

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 36905-auditbeat upstream/36905-auditbeat
git merge upstream/main
git push upstream 36905-auditbeat

…nels In kernel commit 981ee95c (into v6.3) calls to access_override_creds were gated behind a test for the requirement for the call. This change results in non-execution of prepare_creds and so failure of the guess. An alternative has been identified that does not exhibit this behaviour, mq_open which calls dentry_open with creds in the third parameter. So replace the sys_access trigger with sys_mq_open and add the probe to dentry_open with P3 for the address. Approach developed by Christiano Haesbaert.

elasticmachine · 2023-11-22T21:46:01Z

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

Start Time: 2023-11-22T21:03:03.725+0000
Duration: 43 min 52 sec

Test stats 🧪

Test	Results
Failed	0
Passed	395
Skipped	63
Total	458

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

/test : Re-trigger the build.
/package : Generate the packages and run the E2E tests.
/beats-tester : Run the installation tests with beats-tester.
run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

…nels (#37136) In kernel commit 981ee95c (into v6.3) calls to access_override_creds were gated behind a test for the requirement for the call. This change results in non-execution of prepare_creds and so failure of the guess. An alternative has been identified that does not exhibit this behaviour, mq_open which calls dentry_open with creds in the third parameter. So replace the sys_access trigger with sys_mq_open and add the probe to dentry_open with P3 for the address. Approach developed by Christiano Haesbaert. (cherry picked from commit 284683d)

…nels (#37136) (#37214) In kernel commit 981ee95c (into v6.3) calls to access_override_creds were gated behind a test for the requirement for the call. This change results in non-execution of prepare_creds and so failure of the guess. An alternative has been identified that does not exhibit this behaviour, mq_open which calls dentry_open with creds in the third parameter. So replace the sys_access trigger with sys_mq_open and add the probe to dentry_open with P3 for the address. Approach developed by Christiano Haesbaert. (cherry picked from commit 284683d) Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>

…nels (elastic#37136) In kernel commit 981ee95c (into v6.3) calls to access_override_creds were gated behind a test for the requirement for the call. This change results in non-execution of prepare_creds and so failure of the guess. An alternative has been identified that does not exhibit this behaviour, mq_open which calls dentry_open with creds in the third parameter. So replace the sys_access trigger with sys_mq_open and add the probe to dentry_open with P3 for the address. Approach developed by Christiano Haesbaert.

andrewkroh · 2024-02-14T19:20:01Z

@Mergifyio backport 7.17

mergify · 2024-02-14T19:20:36Z

backport 7.17

✅ Backports have been created

#38027 x-pack/auditbeat/module/socket/guess: fix creds trigger for newer kernels (backport #37136) has been created for branch 7.17

…nels (#37136) In kernel commit 981ee95c (into v6.3) calls to access_override_creds were gated behind a test for the requirement for the call. This change results in non-execution of prepare_creds and so failure of the guess. An alternative has been identified that does not exhibit this behaviour, mq_open which calls dentry_open with creds in the third parameter. So replace the sys_access trigger with sys_mq_open and add the probe to dentry_open with P3 for the address. Approach developed by Christiano Haesbaert. (cherry picked from commit 284683d)

…nels (backport #37136) (#38027) In kernel commit 981ee95c (into v6.3) calls to access_override_creds were gated behind a test for the requirement for the call. This change results in non-execution of prepare_creds and so failure of the guess. An alternative has been identified that does not exhibit this behaviour, mq_open which calls dentry_open with creds in the third parameter. So replace the sys_access trigger with sys_mq_open and add the probe to dentry_open with P3 for the address. Approach developed by Christiano Haesbaert. (cherry picked from commit 284683d) --------- Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>

efd6 added enhancement Auditbeat Team:Security-External Integrations 8.12-candidate labels Nov 15, 2023

efd6 self-assigned this Nov 15, 2023

botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Nov 15, 2023

efd6 added backport-skip Skip notification from the automated backport with mergify bug backport-v8.11.0 Automated backport with mergify and removed enhancement labels Nov 15, 2023

efd6 force-pushed the 36905-auditbeat branch from 516614e to 44d90c4 Compare November 15, 2023 22:42