Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat][add_session_metadata processor] Fix more potential enrichment failures #39243

Merged
merged 15 commits into from
May 1, 2024
Merged

[Auditbeat][add_session_metadata processor] Fix more potential enrichment failures #39243

merged 15 commits into from
May 1, 2024

Conversation

mjwolf
Copy link
Contributor

@mjwolf mjwolf commented Apr 26, 2024
edited
Loading

Proposed commit message

Fix two more cases that could cause unenriched processes in the add_session_metadata processor.

It was possible for auditd events to arrive before the ebpf event added processes to the process DB, now the enrichment will wait for the process to be inserted into the DB, if it's not already before enrichment is run on it. Also stop attempting to enrich failed syscall events, and modifying the DB based on these.

Changes:

  • With the ebpf backend, when an event is processed wait for a process to be added to the DB before enriching, if it's not already in the DB before the event is received.
  • Do not enrich failed syscall auditd events. Since failed syscalls don't actually cause a process to be created, they should not be enriched, or inserted to the process
  • Remove scrapeAncestors from DB. The intention of this was to fill in missed processes, but now processes should not be missed with epbf, and ineffective with procfs, as the process will most likely already be ended. This was causing DB inconsistancies when run on failed syscall events, and I haven't ever seen any cases where it's helpful now.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

  1. Setup Auditbeat with the session view processors and connected to ES/Kibana.
  2. Run some commands in a session. Compile commands, such as building Beats, caused many unenriched processes before this fix, so it's good to try that.
  3. In Kibana, on the host page, apply this filter not process.entry_leader.entity_id : * and process.pid: * and not auditd.result: "fail"
  4. There shouldn't be any events shown.

Related issues

mjwolf added 4 commits April 25, 2024 15:48
@mjwolf
Wait for processes to arrive in the ebpf backend
8ec6275 
With the ebpf backend for the add_session_metadata processor, wait
for processes to be inserted into the processdb, if they are not
already in it at the time that the process event is enriched.
@mjwolf
don't process failed syscall events
5ffa397
@mjwolf
Merge branch 'session-view-sync-bpf-events' into session-view-syscall…
e01540a 
…-failure
@mjwolf
remove scrape ancestors
c57e009
@mjwolf mjwolf added bugfix Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution backport-v8.14.0 Automated backport with mergify labels Apr 26, 2024
@mjwolf mjwolf requested a review from a team as a code owner April 26, 2024 20:51
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Apr 26, 2024
@mergify mergify bot assigned mjwolf Apr 26, 2024
@mjwolf mjwolf changed the title Session view fix missing proc [Auditbeat][add_session_metadata processor] Fix more potential enrichment failures Apr 26, 2024
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 26, 2024
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 57 min 50 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

pkoutsovasilis
pkoutsovasilis approved these changes May 1, 2024
View reviewed changes
Copy link
Contributor

@pkoutsovasilis pkoutsovasilis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm with 1 nit. Also my brain had a hard time digesting UpdateDB for ebpf provider

@mjwolf
Copy link
Contributor Author

mjwolf commented May 1, 2024

lgtm with 1 nit. Also my brain had a hard time digesting UpdateDB for ebpf provider

I'll look into reworking UpdateDB in the future, I want to keep this PR to bugfixes only

@mjwolf mjwolf enabled auto-merge (squash) May 1, 2024 17:50
@mjwolf mjwolf disabled auto-merge May 1, 2024 17:51
@mjwolf mjwolf enabled auto-merge (squash) May 1, 2024 19:28
@mjwolf mjwolf merged commit ffcd181 into elastic:main May 1, 2024
27 checks passed
mergify bot pushed a commit that referenced this pull request May 1, 2024
@mjwolf @mergify
[Auditbeat][add_session_metadata processor] Fix more potential enrich…
39b3d0e 
…ment failures (#39243)

Fix two more cases that could cause unenriched processes in the add_session_metadata processor.

It was possible for auditd events to arrive before the ebpf event added processes to the process DB, now the enrichment will wait for the process to be inserted into the DB, if it's not already before enrichment is run on it. Also stop attempting to enrich failed syscall events, and modifying the DB based on these.

Changes:

With the ebpf backend, when an event is processed wait for a process to be added to the DB before enriching, if it's not already in the DB before the event is received.
Do not enrich failed syscall auditd events. Since failed syscalls don't actually cause a process to be created, they should not be enriched, or inserted to the process
Remove scrapeAncestors from DB. The intention of this was to fill in missed processes, but now processes should not be missed with epbf, and ineffective with procfs, as the process will most likely already be ended. This was causing DB inconsistancies when run on failed syscall events, and I haven't ever seen any cases where it's helpful now.

(cherry picked from commit ffcd181)
@mergify mergify bot mentioned this pull request May 1, 2024
Merged
6 tasks
mjwolf added a commit that referenced this pull request May 1, 2024
@mergify @mjwolf
[Auditbeat][add_session_metadata processor] Fix more potential enrich…
7502340 
…ment failures (#39243) (#39354)

Fix two more cases that could cause unenriched processes in the add_session_metadata processor.

It was possible for auditd events to arrive before the ebpf event added processes to the process DB, now the enrichment will wait for the process to be inserted into the DB, if it's not already before enrichment is run on it. Also stop attempting to enrich failed syscall events, and modifying the DB based on these.

Changes:

With the ebpf backend, when an event is processed wait for a process to be added to the DB before enriching, if it's not already in the DB before the event is received.
Do not enrich failed syscall auditd events. Since failed syscalls don't actually cause a process to be created, they should not be enriched, or inserted to the process
Remove scrapeAncestors from DB. The intention of this was to fill in missed processes, but now processes should not be missed with epbf, and ineffective with procfs, as the process will most likely already be ended. This was causing DB inconsistancies when run on failed syscall events, and I haven't ever seen any cases where it's helpful now.

(cherry picked from commit ffcd181)

Co-authored-by: Michael Wolf <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasberlin nicholasberlin nicholasberlin left review comments

@pkoutsovasilis pkoutsovasilis pkoutsovasilis approved these changes

Assignees

@mjwolf mjwolf

Labels
backport-v8.14.0 Automated backport with mergify bugfix Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Security-Linux Platform Integrations] Auditbeat missing Session View Process fields
4 participants
@mjwolf @elasticmachine @pkoutsovasilis @nicholasberlin