
Build 27 for 8.13 with status FAILURE - ExtendedWin / auditbeat-windows-11-windows-11 / TestExeObjParser/executableObject_macho_garble – github.com/elastic/beats/v7/auditbeat/module/file_integrity

Open elasticmachine opened this issue 11 months ago • 4 comments

Tests Failed

Build stats

  • Start Time: 2024-03-06T19:53:44.578+0000

  • Duration: 190 min 5 sec

Test stats

Test Results
Failed 2
Passed 55375
Skipped 4941
Total 60318

Test errors 2


ExtendedWin / auditbeat-windows-11-windows-11 / TestExeObjParser/executableObject_macho_garble – github.com/elastic/beats/v7/auditbeat/module/file_integrity

     Failed 
    

     === RUN   TestExeObjParser/executableObject_macho_garble
        exeobjparser_test.go:50: unexpected error calling exeObjParser.Parse: open ./testdata/garble_macho_executable: The system cannot find the file specified.
        exeobjparser_test.go:76: unexpected error for garble_macho macho.import_hash: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.symhash: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.imports: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.imports_names_entropy: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.imports_names_var_entropy: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.go_import_hash: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.go_imports: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.go_imports_names_entropy: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.go_imports_names_var_entropy: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.go_stripped: got:key not found want:<nil>
        exeobjparser_test.go:76: unexpected error for garble_macho macho.sections: got:key not found want:<nil>
    --- FAIL: TestExeObjParser/executableObject_macho_garble (0.00s)
     
    
ExtendedWin / auditbeat-windows-11-windows-11 / TestExeObjParser – github.com/elastic/beats/v7/auditbeat/module/file_integrity

     Failed 
    

     === RUN   TestExeObjParser
    --- FAIL: TestExeObjParser (0.04s)
     
    

Steps errors 4


auditbeat-windows-11-windows-11 - mage build unitTest
  • Took 4 min 46 sec
  • Description: mage build unitTest
auditbeat-windows-11-windows-11 - mage build unitTest
  • Took 1 min 53 sec
  • Description: mage build unitTest
auditbeat-windows-11-windows-11 - mage build unitTest
  • Took 1 min 48 sec
  • Description: mage build unitTest
Error signal
  • Took 0 min 0 sec
  • Description: Error "hudson.AbortException: script returned exit code 1"

elasticmachine, Mar 06 '24 23:03

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine, Mar 06 '24 23:03

@nfritts could we have someone to take a look here please?

pierrehilbert, Mar 07 '24 09:03

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

elasticmachine, Mar 07 '24 09:03

Will do

nfritts, Mar 11 '24 12:03

open ./testdata/garble_macho_executable: The system cannot find the file specified.

IMO the most likely explanation is that some security tool (e.g. MS Defender) has quarantined the files needed for this test to execute. This file is checked into the repo and should always be present. https://github.com/elastic/beats/tree/main/auditbeat/module/file_integrity/testdata

Can we disable MS Defender on this machine?

andrewkroh, Mar 11 '24 16:03

"Funny" thing: I received a notif this morning saying that Elastic Endpoint blocked "macho_garble"

pierrehilbert, Mar 11 '24 16:03

I think we should disable the test on CI until we can get this sorted. Like:

    if _, ci := os.LookupEnv("CI"); ci { t.Skip("See https://github.com/elastic/beats/issues/38211") }

andrewkroh, Mar 15 '24 00:03
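A narrower variant of the skip suggested in the comment above, as an added example that is not code from the thread or from the beats repository: it skips only when the run is on CI and the fixture is actually missing, so the test still runs wherever the file survives and still fails on any other error. `CheckFixture` and the `Decision` type are hypothetical names; the fixture path and issue URL are the ones quoted in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Decision is what a test should do with a fixture before parsing it.
type Decision int

const (
	Run  Decision = iota // fixture is readable: run the test normally
	Skip                 // fixture is gone on a CI worker: skip, citing the issue
	Fail                 // anything else: fail so the problem stays visible
)

// trackingIssue is the URL quoted in the thread.
const trackingIssue = "https://github.com/elastic/beats/issues/38211"

// CheckFixture (hypothetical helper) opens the fixture and classifies the result.
// A missing file on CI is treated as "removed by a security tool", which is the
// explanation proposed in the thread; a missing file elsewhere is a real failure.
func CheckFixture(path string, onCI bool) (Decision, string) {
	f, err := os.Open(path)
	if err == nil {
		f.Close()
		return Run, ""
	}
	if onCI && errors.Is(err, fs.ErrNotExist) {
		return Skip, fmt.Sprintf("fixture %s is missing on CI, see %s",
			filepath.Base(path), trackingIssue)
	}
	return Fail, fmt.Sprintf("fixture %s: %v", path, err)
}

func main() {
	// Same CI detection as the snippet in the comment above.
	_, onCI := os.LookupEnv("CI")
	d, msg := CheckFixture("./testdata/garble_macho_executable", onCI)
	fmt.Println(d, msg)
}
```

In a test, `Skip` maps to `t.Skip(msg)` and `Fail` to `t.Fatal(msg)`.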

I've tried to download the file https://github.com/elastic/beats/blob/9c9ae3568309bb4c715fe1c25834eafd06f0f82a/auditbeat/module/file_integrity/testdata/garble_macho_executable on Windows 11 with Windows Defender; it was immediately quarantined.

intxgo, Mar 15 '24 11:03