Closed cwurm closed 5 years ago
Pinging @elastic/secops
I did a bit more research. It's probably an ERANGE
error that getgrent()
can return when there's not enough buffer space (man getgrent(3)
). getgrent()
itself does not take a buffer as an argument though.
Maybe it would be better to switch to looking up groups by user instead of looking up users by group. The assumption being that the maximum number of groups for a user in an environment is likely to be smaller than the maximum number of users belonging to a group.
Groups can be almost arbitrarily large, and if we (Elastic) have groups on our servers that are large enough to trigger this condition there are probably other organizations out there that have much larger groups.
As a side note, while researching this I thought it might be a good idea to only collect users/groups when the system is using local files (/etc/passwd
, etc.). That's what we implicitly assume anyway by checking for a change to these files. There's probably no point in collecting this data when the system is using a centralized service, e.g. LDAP (it would be a lot of the same information from every system, and potentially a lot of it). The file to check for that is /etc/nsswitch.conf
, either parsing it directly or using glibc functions, e.g. nss_parse_file()
.
Flaky Test
Test Name: user.TestData (from github.com_elastic_beats_x-pack_auditbeat_module_system_user)
Link: https://github.com/elastic/beats/blob/master/x-pack/auditbeat/module/system/user/user_test.go#L16
Branch:
master
,6.x
,6.6
Artifact Link:
TEST-go-unit.out
in build.zipNotes:
getgrent()
is returning the errornumerical result out of range
.I'm disabling the test for now.
Stack Trace