Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required in FIM with kprobes #39361

Merged
merged 5 commits into from
May 2, 2024
Merged

[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required in FIM with kprobes #39361

merged 5 commits into from
May 2, 2024

Conversation

pkoutsovasilis
Copy link
Contributor

Proposed commit message

This PR allows extra necessary syscalls in the applied seccomp/apparmor policy invoked during the verification stage of FIM kprobes. Also it removes the wrong check of event[process.executable] for ebpf backend in the integrations tests. Such a coupling of commits is ok as both of them need to be back-ported at 8.14 and 8.13

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

N/A

How to test this PR locally

Already tested here

Related issues

Use cases

N/A

Screenshots

N/A

Logs

N/A

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented May 2, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @pkoutsovasilis? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@pkoutsovasilis pkoutsovasilis force-pushed the pkoutsovasilis/fix_kprobes_and_ebpf_integ_tests branch from 99b607f to 603f60c Compare May 2, 2024 11:21
@pkoutsovasilis pkoutsovasilis added bug Team:Security-Linux Platform Linux Platform Team in Security Solution backport-v8.13.0 Automated backport with mergify backport-v8.14.0 Automated backport with mergify labels May 2, 2024
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2024
@pkoutsovasilis pkoutsovasilis marked this pull request as ready for review May 2, 2024 11:26
@pkoutsovasilis pkoutsovasilis requested a review from a team as a code owner May 2, 2024 11:26
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@elasticmachine
Copy link
Collaborator

elasticmachine commented May 2, 2024
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 89 min 52 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@pkoutsovasilis
Copy link
Contributor Author

run docs-build

nicholasberlin
nicholasberlin approved these changes May 2, 2024
View reviewed changes
Copy link
Contributor

@nicholasberlin nicholasberlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pkoutsovasilis pkoutsovasilis merged commit ab54de6 into elastic:main May 2, 2024
34 checks passed
@pkoutsovasilis pkoutsovasilis deleted the pkoutsovasilis/fix_kprobes_and_ebpf_integ_tests branch May 2, 2024 13:04
mergify bot pushed a commit that referenced this pull request May 2, 2024
@pkoutsovasilis @mergify
[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required i…
695ddee 
…n FIM with kprobes (#39361)

* fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies

* fix(auditbeat/fim/kprobes): check correctly the "fsnotify_nameremove" symbol

* fix(auditbeat/fim/tests): remove check on absent key of the event for ebpf

* doc: update CHANGELOG.next.asciidoc

(cherry picked from commit ab54de6)
@mergify mergify bot mentioned this pull request May 2, 2024
Merged
6 tasks
mergify bot pushed a commit that referenced this pull request May 2, 2024
@pkoutsovasilis @mergify
[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required i…
58d0b56 
…n FIM with kprobes (#39361)

* fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies

* fix(auditbeat/fim/kprobes): check correctly the "fsnotify_nameremove" symbol

* fix(auditbeat/fim/tests): remove check on absent key of the event for ebpf

* doc: update CHANGELOG.next.asciidoc

(cherry picked from commit ab54de6)
@mergify mergify bot mentioned this pull request May 2, 2024
Merged
6 tasks
@dliappis dliappis mentioned this pull request May 2, 2024
Merged
6 tasks
pkoutsovasilis added a commit that referenced this pull request May 2, 2024
@mergify @pkoutsovasilis
[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required i…
5ed492f 
…n FIM with kprobes (#39361) (#39365)

* fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies

* fix(auditbeat/fim/kprobes): check correctly the "fsnotify_nameremove" symbol

* fix(auditbeat/fim/tests): remove check on absent key of the event for ebpf

* doc: update CHANGELOG.next.asciidoc

(cherry picked from commit ab54de6)

Co-authored-by: Panos Koutsovasilis <[email protected]>
pkoutsovasilis added a commit that referenced this pull request May 2, 2024
@mergify @pkoutsovasilis
[Auditbeat/FIM/kprobes]: allow extra syscalls by auditbeat required i…
2b390e5 
…n FIM with kprobes (#39361) (#39366)

* fix(auditbeat/fim/kprobes): allow appropriate syscalls for seccomp/apparmor policies

* fix(auditbeat/fim/kprobes): check correctly the "fsnotify_nameremove" symbol

* fix(auditbeat/fim/tests): remove check on absent key of the event for ebpf

* doc: update CHANGELOG.next.asciidoc

(cherry picked from commit ab54de6)

Co-authored-by: Panos Koutsovasilis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasberlin nicholasberlin nicholasberlin approved these changes

Assignees

@pkoutsovasilis pkoutsovasilis

Labels
backport-v8.13.0 Automated backport with mergify backport-v8.14.0 Automated backport with mergify bug Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pkoutsovasilis @elasticmachine @nicholasberlin