
[Auditbeat] error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event #36905

Closed
jmbass opened this issue Oct 19, 2023 · 4 comments · Fixed by #37136
Labels
Auditbeat bug Team:Security-Linux Platform Linux Platform Team in Security Solution

Comments

jmbass commented Oct 19, 2023

Version: Auditbeat 8.4.3 - Auditbeat 8.10.4
Operating System:
CentOS Linux release 8.8 (Green Obsidian)
Kernel 6.3.6-1.el8.x86_64

Beats fails to start with error:
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event

I think the struct_creds definition changed / was removed around 6.1.

Using the kernel version 6.1.38-1.el8.x86_64 works alright.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 19, 2023
jmbass commented Oct 19, 2023

We'd say that there are two commits of interest in the kernel code:
- 981ee95cc1f5905ae4936b0dd501085909cdc14f introduced in v6.3
- c8ffd8bcdd28296a198f237cc595148a8d4adfbe introduced in v5.9

It's clear how the v6.3 change can result in what we are seeing, but it's not that obvious for version 6.1 (as Beats isn't setting AT_EACCESS, access_override_creds should be called and thus prepare_creds should be called).

@elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 24, 2023
@andrewkroh andrewkroh added Team:Security-Linux Platform Linux Platform Team in Security Solution bug Auditbeat labels Oct 24, 2023
@efd6 (Contributor)

efd6 commented Oct 27, 2023

@jmbass I've gone through the relevant kernel code for v6.0 and v6.5.9 and I agree that the change in 981ee95c does look like it would explain this behaviour.

There is no change in the type definition of creds over that same period.

Something that I'm unclear about in your discussion: I don't see where v6.1 comes in. In "but not that obvious for versions 6.1 as Beats isn't setting AT_EACCESS, access_override_creds should be called and thus prepare_creds should be called", this looks to me like a description of the state where the guess works. Am I missing something?

I've taken a look at other places in v6.5.9 where prepare_creds is called and there doesn't look to be another safe, non-suspicion-inducing syscall that could be used as a trigger.

@haesbaert (Contributor)

I've suggested to @efd6 that he tap into dentry_open's third argument and trigger a call to it from a dummy mq_create(2); he has a change halfway there.

```
sudo bpftrace -e 'kprobe:dentry_open { printf("comm=%s\n", comm) }'
Attaching 1 probe...

comm=mq_open
comm=mq_open
comm=mq_open
comm=mq_open
```

```c
#include <fcntl.h>           /* For O_* constants */
#include <sys/stat.h>        /* For mode constants */
#include <mqueue.h>          /* mq_open, mq_close, struct mq_attr (link with -lrt on older glibc) */
#include <stdio.h>
#include <err.h>
#include <strings.h>         /* bzero */

int
main(void)
{
	mqd_t m;
	struct mq_attr attr;

	/* Minimal queue attributes: one message of eight bytes is enough
	 * for a dummy queue whose only purpose is to exercise mq_open(2). */
	bzero(&attr, sizeof(attr));
	attr.mq_flags = 0;
	attr.mq_maxmsg = 1;
	attr.mq_msgsize = 8;
	attr.mq_curmsgs = 0;

	/* Creating the queue is what drives the kernel through dentry_open(),
	 * which is the call the bpftrace probe above is watching. */
	m = mq_open("/omg", O_CREAT|O_RDWR, 0644, &attr);
	if (m == (mqd_t)-1)
		err(1, "mq_open");

	printf("great success\n");
	mq_close(m);

	return 0;
}
```
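To make the two threads of the discussion concrete, here is an added example; it is not code from this issue, from the commenters, or from Auditbeat. It parses the running kernel's release string and applies the 6.3 boundary the thread identifies (6.1.38 reported working, 6.3.6 reported failing; 6.2 is not covered by the reports, so the cut-off is an assumption drawn from them), and it issues the proposed mq_open trigger through raw syscalls so it needs no librt, which is closer to how a Go program such as Auditbeat would make the call. The function names, the helper `release_key`, and the queue name `auditbeat_guess_dummy` are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>        /* O_CREAT, O_RDWR */
#include <mqueue.h>       /* struct mq_attr (header only; no librt call is made) */
#include <stdio.h>
#include <stdlib.h>       /* strtol */
#include <string.h>       /* memset */
#include <sys/syscall.h>  /* SYS_mq_open, SYS_mq_unlink */
#include <sys/utsname.h>  /* uname */
#include <unistd.h>       /* syscall, close */

/* Parse "MAJOR.MINOR..." from a uname release string such as
 * "6.3.6-1.el8.x86_64". Returns 0 on success, -1 if the string does
 * not start with two dot-separated numbers. */
int parse_release(const char *release, int *major, int *minor)
{
	char *end;
	long maj, min;

	if (release == NULL)
		return -1;
	maj = strtol(release, &end, 10);
	if (end == release || *end != '.')
		return -1;
	release = end + 1;
	min = strtol(release, &end, 10);
	if (end == release)
		return -1;
	*major = (int)maj;
	*minor = (int)min;
	return 0;
}

/* Convenience key for comparisons and tests: major * 1000 + minor,
 * or -1 when the release string cannot be parsed. */
int release_key(const char *release)
{
	int maj, min;

	if (parse_release(release, &maj, &min) != 0)
		return -1;
	return maj * 1000 + min;
}

/* Assumption taken from the reports in this issue: from 6.3 onward the
 * faccessat-based guess no longer reaches prepare_creds and times out.
 * Returns 1 when the guess is expected to fail on this kernel, else 0. */
int faccessat_trigger_expected_to_fail(int major, int minor)
{
	return major > 6 || (major == 6 && minor >= 3);
}

/* Issue mq_open(2) followed by mq_unlink(2) as raw syscalls so the
 * program does not depend on librt. The kernel-facing name carries no
 * leading '/', unlike the glibc wrapper. Creating the queue drives the
 * kernel through dentry_open(), the trigger proposed in the thread.
 * Returns 0 on success, -1 with errno set otherwise. */
int trigger_mq_open(const char *name)
{
	struct mq_attr attr;
	long fd;

	memset(&attr, 0, sizeof attr);
	attr.mq_maxmsg = 1;
	attr.mq_msgsize = 8;
	fd = syscall(SYS_mq_open, name, O_CREAT | O_RDWR, 0600, &attr);
	if (fd < 0)
		return -1;
	close((int)fd);
	/* Remove the dummy queue so repeated runs leave nothing behind. */
	syscall(SYS_mq_unlink, name);
	return 0;
}

int main(void)
{
	struct utsname u;
	int maj, min;

	if (uname(&u) != 0) {
		perror("uname");
		return 1;
	}
	if (parse_release(u.release, &maj, &min) != 0) {
		fprintf(stderr, "cannot parse kernel release %s\n", u.release);
		return 1;
	}
	printf("kernel %d.%d: faccessat-based guess expected to %s\n", maj, min,
	       faccessat_trigger_expected_to_fail(maj, min) ? "time out" : "work");

	/* Assumed queue name; the kernel rejects names containing '/'. */
	if (trigger_mq_open("auditbeat_guess_dummy") != 0) {
		perror("mq_open");
		return 1;
	}
	printf("mq_open trigger issued and dummy queue removed\n");
	return 0;
}
```

Run it under the same bpftrace probe shown above (`kprobe:dentry_open`) to confirm the trigger fires on the kernel at hand; the version gate only reports which behaviour the issue's reports lead you to expect, it does not replace that observation.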
