elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[auditd_manager] Integration can throw `illegal_argument_exception` #4860

Closed BenB196 closed 1 year ago

BenB196 commented 1 year ago

Context

Elastic Stack 8.4.2

Deploy the Auditd Manager integration with the following audit rules (all other settings left as default).

## Define audit rules here.
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
## examples or add your own rules.

## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi

## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec

## External access (warning: these can be expensive to audit).
##-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
##-a always,exit -F arch=b64 -S accept,bind -F key=external-access

## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

Observe the following error:

{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [auditd.data.exit] of type [long] in document with id 'f4WpHIUBwsLY_n7FkR3M'. Preview of field's value: 'ENOENT'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"ENOENT\""}

Full event log

[2022-12-16T20:39:13,169][WARN ][logstash.outputs.elasticsearch][elastic-agent][elastic_agent_elasticsearch_output] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-auditd_manager.auditd-private.linux.stage", :routing=>nil}, {"data_stream"=>{"namespace"=>"private.linux.stage", "dataset"=>"auditd_manager.auditd", "type"=>"logs"}, "agent"=>{"version"=>"8.4.2", "ephemeral_id"=>"5269e44a-2b2b-4904-9487-f72407d97474", "id"=>"22d3f046-36fc-4ecb-aa4d-0d8c84eba3e7", "type"=>"auditbeat", "name"=>"hostname"}, "@timestamp"=>2022-12-16T20:39:12.007Z, "ecs"=>{"version"=>"8.0.0"}, "tags"=>["exec", "auditd_manager-auditd", "beats_input_raw_event"], "auditd"=>{"paths"=>[{"cap_fver"=>"0", "cap_fe"=>"0", "cap_frootid"=>"0", "item"=>"0", "nametype"=>"UNKNOWN", "cap_fi"=>"0", "name"=>"/usr/local/bin/dumpe2fs", "cap_fp"=>"0"}], "summary"=>{"actor"=>{"primary"=>"unset", "secondary"=>"root"}, "object"=>{"primary"=>"/usr/local/bin/dumpe2fs", "type"=>"file"}, "how"=>"/usr/lib/udisks2/udisksd"}, "message_type"=>"syscall", "result"=>"fail", "data"=>{"a1"=>"7ffd81c7f3d0", "a0"=>"55b7bb879c68", "syscall"=>"execve", "a2"=>"55b7bb86ea80", "tty"=>"(none)", "a3"=>"55b7bb7e1e60", "exit"=>"ENOENT", "arch"=>"x86_64"}, "sequence"=>63705735}, "service"=>{"type"=>"auditd"}, "host"=>{"name"=>"k8s02-stg"}, "user"=>{"name"=>"root", "group"=>{"id"=>"0", "name"=>"root"}, "id"=>"0", "saved"=>{"group"=>{"id"=>"0", "name"=>"root"}, "id"=>"0", "name"=>"root"}, "filesystem"=>{"group"=>{"id"=>"0", "name"=>"root"}, "id"=>"0", "name"=>"root"}}, "event"=>{"outcome"=>"failure", "category"=>["process"], "dataset"=>"auditd_manager.auditd", "kind"=>"event", "module"=>"auditd", "type"=>["start"], "action"=>"executed"}, "elastic_agent"=>{"version"=>"8.4.2", "snapshot"=>false, "id"=>"22d3f046-36fc-4ecb-aa4d-0d8c84eba3e7"}, "@version"=>"1", "file"=>{"path"=>"/usr/local/bin/dumpe2fs"}, "process"=>{"executable"=>"/usr/lib/udisks2/udisksd", "working_directory"=>"/", "title"=>"/usr/lib/udisks2/udisksd", "pid"=>3519644, "parent"=>{"pid"=>878}, "name"=>"udisksd"}}], :response=>{"create"=>{"_index"=>".ds-logs-auditd_manager.auditd-private.linux.stage-2022.12.12-000001", "_id"=>"f4WpHIUBwsLY_n7FkR3M", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [auditd.data.exit] of type [long] in document with id 'f4WpHIUBwsLY_n7FkR3M'. Preview of field's value: 'ENOENT'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"ENOENT\""}}}}}

The process flow for this is: Fleet Managed Elastic Agent -> Logstash Pipeline -> Elasticsearch

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

BenB196 commented 1 year ago

Adding another note that a similar issue can happen with EACCES. Here is an example of this:

[2022-12-21T16:55:32,093][WARN ][logstash.outputs.elasticsearch][elastic-agent][elastic_agent_elasticsearch_output] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-auditd_manager.auditd-private.linux.production", :routing=>nil}, {"process"=>{"title"=>"/usr/sbin/httpd -f /usr/local/pf/var/conf/httpd.conf.d/httpd.webservices -DFOREGROUND -Drhel", "executable"=>"/usr/sbin/httpd", "working_directory"=>"/", "pid"=>24046, "parent"=>{"pid"=>24271}, "name"=>"/usr/sbin/httpd"}, "agent"=>{"version"=>"8.4.2", "ephemeral_id"=>"39eba0af-1129-4736-994d-29b4a8229f01", "id"=>"7cae2d9b-0929-49bc-a831-337c31e3d452", "name"=>"server", "type"=>"auditbeat"}, "@timestamp"=>2022-12-21T16:55:28.426Z, "ecs"=>{"version"=>"8.0.0"}, "tags"=>["access", "auditd_manager-auditd", "beats_input_raw_event"], "auditd"=>{"result"=>"fail", "summary"=>{"actor"=>{"primary"=>"unset", "secondary"=>"pf"}, "object"=>{"primary"=>"/tmp/.UUID_STATE", "type"=>"file"}, "how"=>"/usr/sbin/httpd"}, "message_type"=>"syscall", "paths"=>[{"cap_fver"=>"0", "ogid"=>"0", "cap_fe"=>"0", "dev"=>"fd:00", "rdev"=>"00:00", "inode"=>"33615106", "cap_fi"=>"0000000000000000", "name"=>"/tmp/.UUID_STATE", "cap_fp"=>"0000000000000000", "ouid"=>"0", "mode"=>"0100644", "objtype"=>"NORMAL", "item"=>"0"}, {"cap_fe"=>"0", "cap_fver"=>"0", "dev"=>"fd:00", "ogid"=>"0", "rdev"=>"00:00", "inode"=>"33576377", "cap_fi"=>"0000000000000000", "cap_fp"=>"0000000000000000", "name"=>"/tmp/", "ouid"=>"0", "mode"=>"041777", "objtype"=>"PARENT", "item"=>"1"}], "data"=>{"a1"=>"241", "a0"=>"7f6da50312c2", "syscall"=>"open", "a2"=>"1b6", "tty"=>"(none)", "a3"=>"24", "exit"=>"EACCES", "arch"=>"x86_64"}, "sequence"=>28785433}, "service"=>{"type"=>"auditd"}, "host"=>{"name"=>"server"}, "user"=>{"name"=>"pf", "group"=>{"id"=>"988", "name"=>"pf"}, "id"=>"992", "saved"=>{"group"=>{"id"=>"988", "name"=>"pf"}, "id"=>"992", "name"=>"pf"}, "filesystem"=>{"group"=>{"id"=>"988", "name"=>"pf"}, "id"=>"992", "name"=>"pf"}}, "event"=>{"action"=>"opened-file", "category"=>["file"], "dataset"=>"auditd_manager.auditd", "kind"=>"event", "module"=>"auditd", "type"=>["info"], "outcome"=>"failure"}, "elastic_agent"=>{"version"=>"8.4.2", "snapshot"=>false, "id"=>"7cae2d9b-0929-49bc-a831-337c31e3d452"}, "@version"=>"1", "file"=>{"device"=>"00:00", "gid"=>"0", "owner"=>"root", "mode"=>"0644", "group"=>"root", "inode"=>"33615106", "uid"=>"0", "path"=>"/tmp/.UUID_STATE"}, "data_stream"=>{"namespace"=>"private.linux.production", "dataset"=>"auditd_manager.auditd", "type"=>"logs"}}], :response=>{"create"=>{"_index"=>".ds-logs-auditd_manager.auditd-private.linux.production-2022.12.18-000001", "_id"=>"tAKcNYUBviT9ZTSwk8hC", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [auditd.data.exit] of type [long] in document with id 'tAKcNYUBviT9ZTSwk8hC'. Preview of field's value: 'EACCES'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"For input string: \"EACCES\""}}}}}
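Both rejected documents above fail for the same reason: `auditd.data.exit` is mapped as `long`, but for failed syscalls the agent emits the interpreted errno name (`ENOENT`, `EACCES`) instead of the negated errno number that raw audit records, and the `-F exit=-EACCES` rule syntax, use. The following is an added example of a pre-indexing normalisation step, not code from the issue or from the integration: it converts the name back to that negated number so the field parses, and keeps the name in a hypothetical `auditd.data.exit_name` field for readability.

```python
import errno

# Reverse of errno.errorcode: symbolic name -> positive errno number.
_ERRNO_BY_NAME = {name: num for num, name in errno.errorcode.items()}

# Constructed event fragments modelled on the two failing documents in this issue.
SAMPLE_EVENTS = [
    {"auditd": {"data": {"syscall": "execve", "exit": "ENOENT"}}},
    {"auditd": {"data": {"syscall": "open", "exit": "EACCES"}}},
    {"auditd": {"data": {"syscall": "execve", "exit": "0"}}},
]


def normalize_exit(value):
    """Return (numeric_exit, symbolic_name) for an auditd exit value.

    Numeric strings pass through unchanged. An errno name becomes its
    negated number, the convention the kernel's raw audit record and the
    `-F exit=-EACCES` rule syntax use. Unknown names yield (None, name).
    """
    if value is None:
        return None, None
    text = str(value).strip()
    try:
        return int(text), None
    except ValueError:
        pass
    code = _ERRNO_BY_NAME.get(text)
    if code is None:
        return None, text
    return -code, text


def fix_event(event):
    """Rewrite auditd.data.exit in place so the document indexes as a long."""
    data = event.get("auditd", {}).get("data")
    if not data or "exit" not in data:
        return event
    num, name = normalize_exit(data["exit"])
    if name is not None:
        data["exit_name"] = name  # hypothetical field, not in the integration's mapping
    if num is None:
        del data["exit"]  # unparsable value: drop it rather than lose the whole event
    else:
        data["exit"] = num
    return event


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(fix_event(ev)["auditd"]["data"])
```

The same logic fits a Logstash `ruby` filter or an ingest pipeline `script` processor placed before the Elasticsearch output, which is where the process flow described in this issue would need it.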