
auditbeat/module/file_integrity: add support for selinux and posix_acl_access xattrs #36310

Merged: 4 commits, Aug 16, 2023

Conversation

efd6
Contributor

@efd6 efd6 commented Aug 14, 2023

Proposed commit message

In environments where SELinux is employed, it is useful to monitor file metadata for changes to SELinux labels. A change to labeling can impact security posture. Similarly, in environments where file ACLs are used (e.g. getfacl, setfacl) it is useful to monitor for changes to these ACLs (just like it is useful to monitor permissions in the file mode). So add support for the filesystem extended attributes (xattrs) named security.selinux and system.posix_acl_access that detail these.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Logs

Sample event:

{
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "8.10.0"
  },
  "@timestamp": "2023-08-16T14:30:29.388Z",
  "agent": {
    "ephemeral_id": "b7d1b2b6-712a-48d7-8de2-b419afd46d75",
    "id": "1681fe91-1cc8-460e-9e7e-fb1fe9b29348",
    "name": "linux",
    "type": "auditbeat",
    "version": "8.10.0"
  },
  "ecs": {
    "version": "8.0.0"
  },
  "event": {
    "action": [
      "attributes_modified"
    ],
    "category": [
      "file"
    ],
    "dataset": "file",
    "kind": "event",
    "module": "file_integrity",
    "type": [
      "change"
    ]
  },
  "file": {
    "ctime": "2023-08-16T14:30:29.384Z",
    "extension": "bar",
    "gid": "0",
    "group": "root",
    "hash": {
      "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
    },
    "inode": "71102",
    "mode": "0674",
    "mtime": "2023-08-14T20:49:03.249Z",
    "owner": "root",
    "path": "/foo.bar",
    "posix_acl_access": [
      "user::rw-",
      "user:landscape:-wx",
      "group::r--",
      "mask::rwx",
      "other::r--"
    ],
    "selinux": "system_u:object_r:quota_db_t:s0",
    "size": 0,
    "type": "file",
    "uid": "0"
  },
  "host": {
    "name": "linux"
  },
  "service": {
    "type": "file_integrity"
  }
}

@efd6 efd6 added enhancement Auditbeat backport-skip Skip notification from the automated backport with mergify 8.10-candidate labels Aug 14, 2023
@efd6 efd6 self-assigned this Aug 14, 2023
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 14, 2023
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Aug 14, 2023
@efd6 efd6 force-pushed the 36265-xattrs branch 2 times, most recently from 99560ee to 9182000, August 14, 2023 05:15
@elasticmachine
Collaborator

elasticmachine commented Aug 14, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-08-16T07:10:11.968+0000

  • Duration: 138 min 13 sec

Test stats 🧪

Test Results
Failed 0
Passed 28124
Skipped 2015
Total 30139

💚 Flaky test report

Tests succeeded.

@efd6 efd6 marked this pull request as ready for review August 14, 2023 09:23
@efd6 efd6 requested review from a team as code owners August 14, 2023 09:23
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Member

@andrewkroh andrewkroh left a comment

I tested that changing both selinux and acl attributes triggers an inotify CHMOD event.

This is missing a modification to diffEvents() to detect if these new attributes changed.

// Test if metadata has changed.
if o, n := old.Info, new.Info; o != nil && n != nil {
	// The owner and group names are ignored (they aren't persisted).
	if o.Inode != n.Inode || o.UID != n.UID || o.GID != n.GID || o.SID != n.SID ||
		o.Mode != n.Mode || o.Type != n.Type || o.SetUID != n.SetUID || o.SetGID != n.SetGID {
		result |= AttributesModified
	}
}

And it needs a modification in buildMetricbeatEvent() to expose the new fields in events.

func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {

@@ -67,6 +68,11 @@ func NewMetadata(path string, info os.FileInfo) (*Metadata, error) {
fileInfo.Owner = owner.Username
}

getExtendedAttributes(path, map[string]*string{
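Review bot: reading the xattrs into the Metadata built here is not enough on its own to make label or ACL changes detectable, because the comparison in diffEvents() quoted in the review above checks only Inode, UID, GID, SID, Mode, Type, SetUID and SetGID, so a file whose only change is its SELinux label or ACL would not get AttributesModified set. Add the two new fields to that comparison and emit them from buildMetricbeatEvent() in the same change, so the event carries what was compared.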
Member

Assuming this is Linux-only, can we guard this with an if runtime.GOOS == "linux"?

Contributor Author

The system.posix_acl_access should in principle be available on other OSs.

@efd6 efd6 requested a review from andrewkroh August 15, 2023 01:06
@efd6 efd6 force-pushed the 36265-xattrs branch 5 times, most recently from 56bfe12 to f7ca8a7, August 15, 2023 07:17
}
}
return out
}

func aclText(s string) ([]string, error) {
b, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(s, "0s"))
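Review bot: aclText assumes the xattr value is base64 text carrying a "0s" prefix, but that prefix is only the display encoding getfattr uses for binary values; the bytes returned by the xattr get call are the raw system.posix_acl_access structure, so the TrimPrefix is a no-op on real input and DecodeString will fail on, or misparse, the binary. Decode the binary layout directly instead of round-tripping through base64, and keep this value out of the null-trimming that is appropriate for the string-valued security.selinux attribute.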
Member

The value coming back from FGet is actually the raw binary data. It is not a base64 encoded value. The 0s base64 must just be the representation used with getfattr when the value is binary. I think this also means the system.posix_acl_access value should not be trimNulled.

I hacked in changes and re-tested, and I observed what I expected in the output event with 👍

    "posix_acl_access": [
      "user::rw-",
      "user:landscape:rwx",
      "group::r--",
      "mask::rwx",
      "other::r--"
    ],

Contributor Author

@efd6 efd6 Aug 15, 2023

I've kept the POSIXACLAccess field as a string. It sits right on the boundary of making a decision to change it to a []byte, but I think it's just slightly better as string.

Member

The only impact of this decision to users will be the debug message that shows the old and new metadata. How does Go encode a []byte? IIRC it uses base64, which IMO would be slightly nicer in the logs.

{"log.level":"debug","@timestamp":"2023-08-16T10:30:29.388-0400","log.logger":"file_integrity","log.origin":{"file.name":"file_integrity/metricset.go","file.line":296},"message":"File changed since it was last seen","service.name":"auditbeat","file_path":"/foo.bar","took":280205,"event":{"action":"attributes_modified","old":{"timestamp":"2023-08-16T14:30:00.686192244Z","path":"/foo.bar","info":{"inode":71102,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":0,"mtime":"2023-08-14T20:49:03.249161413Z","ctime":"2023-08-15T17:49:52.337561405Z","type":"file","mode":444,"setuid":false,"setgid":false,"origin":null,"selinux":"system_u:object_r:quota_db_t:s0","posix_acl_access":"\u0002\u0000\u0000\u0000\u0001\u0000\u0006\u0000\ufffd\ufffd\ufffd\ufffd\u0002\u0000\u0007\u0000o\u0000\u0000\u0000\u0004\u0000\u0004\u0000\ufffd\ufffd\ufffd\ufffd\u0010\u0000\u0007\u0000\ufffd\ufffd\ufffd\ufffd \u0000\u0004\u0000\ufffd\ufffd\ufffd\ufffd"},"source":"scan","action":"none","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}},"new":{"timestamp":"2023-08-16T14:30:29.388513038Z","path":"/foo.bar","info":{"inode":71102,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":0,"mtime":"2023-08-14T20:49:03.249161413Z","ctime":"2023-08-16T14:30:29.384200342Z","type":"file","mode":444,"setuid":false,"setgid":false,"origin":null,"selinux":"system_u:object_r:quota_db_t:s0","posix_acl_access":"\u0002\u0000\u0000\u0000\u0001\u0000\u0006\u0000\ufffd\ufffd\ufffd\ufffd\u0002\u0000\u0003\u0000o\u0000\u0000\u0000\u0004\u0000\u0004\u0000\ufffd\ufffd\ufffd\ufffd\u0010\u0000\u0007\u0000\ufffd\ufffd\ufffd\ufffd \u0000\u0004\u0000\ufffd\ufffd\ufffd\ufffd"},"source":"fsnotify","action":"attributes_modified","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}},"ecs.version":"1.6.0"}}

Contributor Author

We could add a MarshalText method to the POSIXACLAccess field that renders it in the standard format. WDYT?

Contributor Author

I guess that's not very different from keeping it as a []byte. I think one of these should be done; note the \ufffd. These are not in the original data; they are the unicode replacement rune because 0xffff is not a valid code point.

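The raw system.posix_acl_access bytes discussed in this thread, decoded into the getfacl-style entries the sample event shows, as an added Go example that is not the PR's code: it assumes the layout from the Linux posix_acl uapi headers (u32 version, then 8-byte entries of u16 tag, u16 perm, u32 id), leaves ids numeric, and uses the "old" value from the debug log above as a constructed sample.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Tags from include/uapi/linux/posix_acl.h; *_OBJ, mask and other entries carry id ACL_UNDEFINED_ID.
const aclVersion, aclUndefID = 2, 0xffffffff

var aclKind = map[uint16]string{0x01: "user", 0x02: "user", 0x04: "group",
	0x08: "group", 0x10: "mask", 0x20: "other"}
var rwx = [8]string{"---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx"}

// Constructed sample: the "old" value from the debug log in the thread. Its
// \ufffd runes are the 0xffffffff ids mangled by conversion to a string.
var sampleACL = []byte{
	2, 0, 0, 0, // POSIX_ACL_XATTR_VERSION
	0x01, 0, 6, 0, 0xff, 0xff, 0xff, 0xff, // user::rw-
	0x02, 0, 7, 0, 0x6f, 0, 0, 0, // user:111:rwx (uid 111 is "landscape")
	0x04, 0, 4, 0, 0xff, 0xff, 0xff, 0xff, // group::r--
	0x10, 0, 7, 0, 0xff, 0xff, 0xff, 0xff, // mask::rwx
	0x20, 0, 4, 0, 0xff, 0xff, 0xff, 0xff, // other::r--
}

// ACLText decodes raw xattr bytes (u32 LE version, then 8-byte entries of
// u16 tag, u16 perm, u32 id) into getfacl-style text; ids stay numeric.
func ACLText(raw []byte) ([]string, error) {
	if len(raw) < 4 || binary.LittleEndian.Uint32(raw) != aclVersion {
		return nil, fmt.Errorf("posix_acl_access: bad version header")
	}
	body := raw[4:]
	if len(body)%8 != 0 {
		return nil, fmt.Errorf("posix_acl_access: %d trailing bytes", len(body)%8)
	}
	out := make([]string, 0, len(body)/8)
	for i := 0; i < len(body); i += 8 {
		kind, ok := aclKind[binary.LittleEndian.Uint16(body[i:])]
		if !ok {
			return nil, fmt.Errorf("posix_acl_access: unknown tag at entry %d", i/8)
		}
		perm := binary.LittleEndian.Uint16(body[i+2:]) & 7
		qual := ""
		if id := binary.LittleEndian.Uint32(body[i+4:]); id != aclUndefID {
			qual = fmt.Sprint(id)
		}
		out = append(out, kind+":"+qual+":"+rwx[perm])
	}
	return out, nil
}
```

Resolving 111 to "landscape" needs a passwd lookup, which the xattr itself does not carry.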
@efd6 efd6 requested a review from andrewkroh August 15, 2023 21:27
@efd6
Contributor Author

efd6 commented Aug 16, 2023

run elasticsearch-ci/docs

@andrewkroh andrewkroh added backport-v8.10.0 Automated backport with mergify and removed backport-skip Skip notification from the automated backport with mergify labels Aug 16, 2023
@efd6 efd6 merged commit d771501 into elastic:main Aug 16, 2023
8 checks passed
mergify bot pushed a commit that referenced this pull request Aug 16, 2023
efd6 added a commit that referenced this pull request Aug 17, 2023
efd6 added a commit that referenced this pull request Aug 17, 2023
andrewkroh pushed a commit that referenced this pull request Aug 21, 2023
efd6 added a commit that referenced this pull request Aug 21, 2023
…l_access xattrs (#36310) (#36350)

(cherry picked from commit d771501)

Co-authored-by: Dan Kortschak <[email protected]>
Scholar-Li pushed a commit to Scholar-Li/beats that referenced this pull request Feb 5, 2024