
[Auditbeat][add_session_metadata processor] Fix more potential enrichment failures

Open mjwolf opened this issue 10 months ago • 2 comments

Proposed commit message

Fix two more cases that could cause unenriched processes in the add_session_metadata processor.

It was possible for auditd events to arrive before the ebpf event added processes to the process DB. Now the enrichment will wait for the process to be inserted into the DB, if it is not already there, before enrichment is run on it. Also, stop attempting to enrich failed syscall events and modifying the DB based on them.

Changes:

  • With the ebpf backend, when an event is processed, wait for a process to be added to the DB before enriching, if it is not already in the DB when the event is received.
  • Do not enrich failed syscall auditd events. Since failed syscalls do not actually cause a process to be created, they should not be enriched or inserted into the process
  • Remove scrapeAncestors from the DB. The intention of this was to fill in missed processes, but now processes should not be missed with ebpf, and it is ineffective with procfs, as the process will most likely already have ended. This was causing DB inconsistencies when run on failed syscall events, and I haven't seen any cases where it's helpful now.

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] ~~I have made corresponding changes to the documentation~~
  • [ ] ~~I have made corresponding change to the default configuration files~~
  • [ ] ~~I have added tests that prove my fix is effective or that my feature works~~
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

  1. Set up Auditbeat with the session view processors, connected to ES/Kibana.
  2. Run some commands in a session. Compile commands, such as building Beats, caused many unenriched processes before this fix, so that is a good thing to try.
  3. In Kibana, on the host page, apply this filter: `not process.entry_leader.entity_id : * and process.pid: * and not auditd.result: "fail"`
  4. There shouldn't be any events shown.

Related issues

  • Closes #38955

mjwolf avatar Apr 26 '24 20:04 mjwolf
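The two behaviours the PR description asks for, a bounded wait for a process entry that the ebpf backend has not inserted yet and a refusal to enrich (or touch the DB for) failed syscall events, as an added example in Go. This is illustration code written for this page, not the add_session_metadata processor's own code: ProcessDB, ProcessEntry, Event, WaitFor, Enrich and the "fail" result string are assumptions, chosen so that the skip condition matches the `auditd.result: "fail"` clause used in the test steps above.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ProcessEntry is what a successful enrichment copies onto an event (constructed
// stand-in: the real processor keeps far more per process).
type ProcessEntry struct {
	PID           uint32
	EntryLeaderID string
}

// Event is a minimal stand-in for an auditd event flowing through the processor.
type Event struct {
	PID           uint32
	Result        string // mirrors auditd.result: "success" or "fail"
	EntryLeaderID string // set by Enrich on success
}

// ProcessDB is a hypothetical in-memory process DB whose lookups can block until a
// PID is inserted, so enrichment tolerates an auditd event arriving before the ebpf
// exec event that creates the entry.
type ProcessDB struct {
	mu      sync.Mutex
	entries map[uint32]ProcessEntry
	waiters map[uint32][]chan ProcessEntry
}

func NewProcessDB() *ProcessDB {
	return &ProcessDB{entries: map[uint32]ProcessEntry{}, waiters: map[uint32][]chan ProcessEntry{}}
}

// Insert records a process (what the ebpf backend does on exec) and wakes every
// enrichment waiting on that PID. Waiter channels are buffered, so sends never block.
func (db *ProcessDB) Insert(p ProcessEntry) {
	db.mu.Lock()
	db.entries[p.PID] = p
	ws := db.waiters[p.PID]
	delete(db.waiters, p.PID)
	db.mu.Unlock()
	for _, w := range ws {
		w <- p
	}
}

// WaitFor returns the entry for pid, blocking at most timeout for it to be inserted.
// The wait is bounded so a PID that never appears (process gone before the backend
// saw it) cannot stall the pipeline.
func (db *ProcessDB) WaitFor(pid uint32, timeout time.Duration) (ProcessEntry, bool) {
	db.mu.Lock()
	if e, ok := db.entries[pid]; ok {
		db.mu.Unlock()
		return e, true
	}
	ch := make(chan ProcessEntry, 1)
	db.waiters[pid] = append(db.waiters[pid], ch)
	db.mu.Unlock()

	select {
	case e := <-ch:
		return e, true
	case <-time.After(timeout):
		db.mu.Lock()
		defer db.mu.Unlock()
		if e, ok := db.entries[pid]; ok { // Insert raced the timeout; use it
			return e, true
		}
		// Drop the timed-out waiter so it does not leak.
		ws := db.waiters[pid]
		for i := range ws {
			if ws[i] == ch {
				db.waiters[pid] = append(ws[:i], ws[i+1:]...)
				break
			}
		}
		return ProcessEntry{}, false
	}
}

var (
	ErrFailedSyscall = errors.New("failed syscall: event not enriched")
	ErrNotInDB       = errors.New("process not in DB after waiting")
)

// Enrich fills in session fields on ev from the process DB. A failed syscall created
// no process, so such events are returned untouched and never cause a DB read or write.
func Enrich(db *ProcessDB, ev *Event, wait time.Duration) error {
	if ev.Result == "fail" {
		return ErrFailedSyscall
	}
	e, ok := db.WaitFor(ev.PID, wait)
	if !ok {
		return ErrNotInDB
	}
	ev.EntryLeaderID = e.EntryLeaderID
	return nil
}

func main() {
	db := NewProcessDB()
	// Constructed out-of-order scenario: the auditd event for PID 4242 is processed
	// before the exec event that inserts 4242 into the DB.
	ev := Event{PID: 4242, Result: "success"}
	done := make(chan error, 1)
	go func() { done <- Enrich(db, &ev, time.Second) }()
	time.Sleep(20 * time.Millisecond)
	db.Insert(ProcessEntry{PID: 4242, EntryLeaderID: "entry-leader-4242"})
	fmt.Println(<-done, ev.EntryLeaderID)
}
```

The wait is deliberately bounded: an enrichment that blocked forever on a PID the backend never reports would hold the event pipeline hostage, so a missing entry after the timeout is reported as an error and the event goes through unenriched, which is exactly what the Kibana filter in the test steps is meant to surface.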

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

elasticmachine avatar Apr 26 '24 20:04 elasticmachine

:green_heart: Build Succeeded


Build stats

  • Duration: 57 min 50 sec

:grey_exclamation: Flaky test report

No test was executed to be analysed.


elasticmachine avatar Apr 26 '24 21:04 elasticmachine

LGTM with 1 nit. Also, my brain had a hard time digesting UpdateDB for the ebpf provider.

I'll look into reworking UpdateDB in the future; I want to keep this PR to bug fixes only.

mjwolf avatar May 01 '24 17:05 mjwolf