elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Auditbeat] auditd not receiving event when outside of host network namespace #28063

Open andrewkroh opened 3 years ago

andrewkroh commented 3 years ago

While running Auditbeat's auditd module in a container it will not receive events unless I put it into the host's network namespace. I believe this used to work because the docs don't mention anything about the network namespace requirement.

While doing some brief searching I found a newer flag, NETLINK_F_LISTEN_ALL_NSID, that I wonder is related, and some commits like https://github.com/torvalds/linux/commit/7212462fa6fdae61f7f40a4ead048def45bb23cb. This needs more research, but the goal would be to see if we can still run Auditbeat in its own namespace and receive audit events. If we can't, then we should update the docs to mention the requirement to run in the host's network namespace.

Version: 7.14.2
OS: Linux akroh-beats-dev 5.11.0-1018-gcp #20~20.04.2-Ubuntu SMP Fri Sep 3 01:01:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Discuss: https://discuss.elastic.co/t/auditbeat-on-docker-fails-to-run-auditd-module/284399
Config:

```yaml
auditbeat.modules:
- module: auditd
  socket_type: multicast

output.console.enabled: true

logging.level: debug
logging.selectors: [auditd, processors]

seccomp.enabled: false
```

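
A pre-flight check for the two preconditions this thread turns on (audit capabilities in the container, and whether the process is actually in the host's network namespace). This is an added example, not Auditbeat code; it assumes the container was started with `--pid=host` so that `/proc/1/ns/net` is the host's network namespace, and the `run` argument and the `preflight` helper are my own names.

```shell
#!/bin/sh
# Added pre-flight check for Auditbeat's auditd module in a container (not part
# of Auditbeat). Assumes --pid=host, so /proc/1 is the host's init and
# /proc/1/ns/net is the host network namespace. Usage: sh preflight.sh run

# has_cap MASK BIT: "yes" if bit BIT is set in a CapEff-style hex mask
# (as found in /proc/self/status), otherwise "no".
has_cap() {
    if [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# same_ns A B: "yes" if two namespace link targets such as "net:[4026531992]"
# refer to the same namespace.
same_ns() {
    if [ "$1" = "$2" ]; then echo yes; else echo no; fi
}

# audit_caps_ok MASK: "yes" only if CAP_AUDIT_CONTROL (bit 30, needed to
# manage rules) and CAP_AUDIT_READ (bit 37, needed to bind the multicast
# socket) are both effective.
audit_caps_ok() {
    if [ "$(has_cap "$1" 30)" = yes ] && [ "$(has_cap "$1" 37)" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# preflight: inspect the live process and report; returns 0 only when both
# the capabilities and the host network namespace check pass.
preflight() {
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    self_ns=$(readlink /proc/self/ns/net)
    host_ns=$(readlink /proc/1/ns/net 2>/dev/null || echo unknown)
    rc=0
    if [ "$(audit_caps_ok "$caps")" = yes ]; then
        echo "ok: CAP_AUDIT_CONTROL and CAP_AUDIT_READ are effective (CapEff=$caps)"
    else
        echo "fail: missing CAP_AUDIT_CONTROL and/or CAP_AUDIT_READ (CapEff=$caps)"
        rc=1
    fi
    if [ "$(same_ns "$self_ns" "$host_ns")" = yes ]; then
        echo "ok: running in the host network namespace ($self_ns)"
    else
        echo "warn: not in the host network namespace (self=$self_ns host=$host_ns)"
        echo "      audit events may not be delivered; consider --net=host"
        rc=1
    fi
    return $rc
}

# Only run the live check when asked to, so the functions can be sourced.
case "${1:-}" in run) preflight ;; esac
```

The mask values in the comments are the standard Linux capability bit numbers; a default Docker CapEff of `00000000a80425fb` has CAP_AUDIT_WRITE but neither CAP_AUDIT_CONTROL nor CAP_AUDIT_READ, which is why the `--cap-add` flags in this thread are needed.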
elasticmachine commented 3 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

jradikk commented 2 years ago

Just faced the same problem while configuring auditbeat in Kubernetes. That'd be great to add a note about it in auditbeat documentation until it is fixed

r00tu53r commented 2 years ago

@andrewkroh I happened to run auditbeat in a docker container without bind/EPERM errors. I pulled 8.0 (`docker pull docker.elastic.co/beats/auditbeat:8.0.0`) and ran auditbeat with my config based on what was on the post -

```shell
docker run -i -t -v ~/docker_share:/share --security-opt seccomp=unconfined --pid=host --user=root --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ docker.elastic.co/beats/auditbeat:8.0.0 /bin/bash
```

In the container -

```shell
# /usr/share/auditbeat/auditbeat -c ./auditbeat-test.yml -e
```

Logs -

```json
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1062},"message":"Go runtime info","service.name":"auditbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":1,"version":"go1.17.6"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1066},"message":"Host info","service.name":"auditbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-05-09T03:40:33Z","containerized":false,"name":"5ad6ded50b44","ip":["127.0.0.1/8","172.17.0.2/16"],"kernel_version":"5.13.0-30-generic","mac":["02:42:ac:11:00:02"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.3 LTS (Focal Fossa)","major":20,"minor":4,"patch":3,"codename":"focal"},"timezone":"UTC","timezone_offset_sec":0},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1095},"message":"Process info","service.name":"auditbeat","system_info":{"process":{"capabilities":{"inheritable":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"ambient":null},"cwd":"/usr/share/auditbeat","exe":"/usr/share/auditbeat/auditbeat","name":"auditbeat","pid":84071,"ppid":84044,"seccomp":{"mode":"disabled","no_new_privs":false},"start_time":"2022-05-09T08:05:48.200Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.origin":{"file.name":"instance/beat.go","file.line":332},"message":"Setup Beat: auditbeat; Version: 8.0.0","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.826Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: https://c13cda942b7c48199acbf0ee8bd28dc0.australia-southeast1.gcp.elastic-cloud.com:443","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.827Z","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: 5ad6ded50b44","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.828Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":107},"message":"auditd module is running as euid=0 on kernel=5.13.0-30-generic","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-05-09T08:05:51.879Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":999},"message":"The audit rules specified in the configuration cannot be applied when using a multicast socket_type.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.879Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":134},"message":"socket_type=multicast will be used.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.880Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.880Z","log.origin":{"file.name":"instance/beat.go","file.line":498},"message":"auditbeat start running.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:55.764Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":279},"message":"Deleted 6 pre-existing audit rules.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:55.764Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":298},"message":"Successfully added 9 of 9 audit rules.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:06:21.883Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"auditbeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"cfs":{"period":{"us":100000}},"id":"/"},"cpuacct":{"id":"/","total":{"ns":197236104}},"memory":{"id":"/","mem":{"limit":{"bytes":9223372036854771712},"usage":{"bytes":42033152}}}},"cpu":{"system":{"ticks":20,"time":{"ms":21}},"total":{"ticks":100,"time":{"ms":108},"value":100},"user":{"ticks":80,"time":{"ms":87}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":9},"info":{"ephemeral_id":"c7752cde-0708-4013-9a40-7240c7d6c8ed","uptime":{"ms":33187},"version":"8.0.0"},"memstats":{"gc_next":11749328,"memory_alloc":6356736,"memory_sys":20095105,"memory_total":16443552,"rss":108953600},"runtime":{"goroutines":21}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":1,"events":{"active":0},"queue":{"max_events":4096}}},"system":{"cpu":{"cores":1},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}
```

andrewkroh commented 2 years ago

@r00tu53r I wonder if something changed in the kernel. Your tests were on "kernel_version": "5.13.0-30-generic" and mine were on 5.11. Maybe the issue got fixed?

r00tu53r commented 2 years ago

Thanks @andrewkroh I will confirm my tests on a few older versions.

botelastic[bot] commented 1 year ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

elasticmachine commented 8 months ago

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)