elastic / beats

Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Auditbeat] Flaky user test #9679

Closed cwurm closed 5 years ago

cwurm commented 5 years ago

Flaky Test

I'm disabling the test for now.

Stack Trace

--- FAIL: TestData (0.05s)
    user_test.go:20: received error: numerical result out of range
        error while reading group file
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.readGroupFile
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.enrichWithGroups
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.GetUsers
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).reportState
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).Fetch
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/metricbeat/mb/testing.ReportingFetchV2
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/metricbeat/mb/testing/modules.go:20
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.TestData
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        testing.tRunner
            /var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/testing/testing.go:827
        runtime.goexit
            /var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/runtime/asm_amd64.s:1333
        failed to get users
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).reportState
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).Fetch
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        github.com/elastic/beats/metricbeat/mb/testing.ReportingFetchV2
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/metricbeat/mb/testing/modules.go:20
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.TestData
            /var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user
        testing.tRunner
            /var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/testing/testing.go:827
        runtime.goexit
            /var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/runtime/asm_amd64.s:1333
FAIL
FAIL    github.com/elastic/beats/x-pack/auditbeat/module/system/user    0.064s

elasticmachine commented 5 years ago

Pinging @elastic/secops

cwurm commented 5 years ago

I did a bit more research. It's probably an ERANGE error that getgrent() can return when there's not enough buffer space (man getgrent(3)). getgrent() itself does not take a buffer as an argument though.

Maybe it would be better to switch to looking up groups by user instead of looking up users by group. The assumption being that the maximum number of groups for a user in an environment is likely to be smaller than the maximum number of users belonging to a group.

Groups can be almost arbitrarily large, and if we (Elastic) have groups on our servers that are large enough to trigger this condition there are probably other organizations out there that have much larger groups.

As a side note, while researching this I thought it might be a good idea to only collect users/groups when the system is using local files (/etc/passwd, etc.). That's what we implicitly assume anyway by checking for a change to these files. There's probably no point in collecting this data when the system is using a centralized service, e.g. LDAP (it would be a lot of the same information from every system, and potentially a lot of it). The file to check for that is /etc/nsswitch.conf, either parsing it directly or using glibc functions, e.g. nss_parse_file().
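
An added example, not code from this issue or from the Beats project: the last comment above suggests checking /etc/nsswitch.conf to tell whether users and groups come from local files, and this Go program parses that file's syntax directly and reports every source other than `files` for the databases of interest. The names `parseNSSwitch`, `nonLocalSources`, the `<unset>` marker and the sample configuration are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in nsswitch.conf(5) syntax, not taken from a real host.
const sampleConf = `passwd:  files systemd
group:   files [SUCCESS=merge] sss   # trailing comment
shadow:  files
`

var actionRe = regexp.MustCompile(`\[[^\]]*\]`) // action items, e.g. [NOTFOUND=return]

// parseNSSwitch maps each database name to its ordered list of sources.
func parseNSSwitch(conf string) map[string][]string {
	dbs := map[string][]string{}
	for _, line := range strings.Split(conf, "\n") {
		line = strings.SplitN(line, "#", 2)[0] // strip comment
		if i := strings.IndexByte(line, ':'); i >= 0 {
			srcs := actionRe.ReplaceAllString(line[i+1:], " ")
			dbs[strings.TrimSpace(line[:i])] = strings.Fields(srcs)
		}
	}
	return dbs
}

// nonLocalSources lists, per requested database, each source other than "files".
// Assumption: a database with no sources is reported as "<unset>" (libc default applies).
func nonLocalSources(dbs map[string][]string, names ...string) map[string][]string {
	out := map[string][]string{}
	for _, n := range names {
		if len(dbs[n]) == 0 {
			out[n] = []string{"<unset>"}
		}
		for _, s := range dbs[n] {
			if s != "files" {
				out[n] = append(out[n], s)
			}
		}
	}
	return out
}

func main() {
	fmt.Println(nonLocalSources(parseNSSwitch(sampleConf), "passwd", "group", "shadow"))
}
```

An empty result means every requested database is served only by local files; any other source (here `systemd` and `sss`) means the watched files are not the whole picture.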