[Filebeat] Do not run `azure-eventhub` input and `azure` module in FIPS builds

Open ycombinator opened this issue 6 months ago • 4 comments

Proposed commit message

This PR ensures that the Filebeat azure-eventhub input will not start in FIPS-capable distributions of Filebeat, as the input indirectly depends on code that is not FIPS-compliant. Specifically, the azure-eventhub input depends on the github.com/Azure/azure-sdk-for-go/sdk/azidentity package. This package, in turn, depends on the golang.org/x/crypto/pkcs12 package, which is not FIPS-compliant. Further, the SDK doesn't plan to offer a way to disable the use of this package at compile time (see https://github.com/Azure/azure-sdk-for-go/issues/24336).

In addition to the azure-eventhub input, the azure module will also not start in FIPS-capable distributions of Filebeat, as this module uses the azure-eventhub input.

Attempting to run a FIPS-capable distribution of Filebeat with either the azure-eventhub input or the azure module configured will result in Filebeat not starting up and an error in the Filebeat logs like so:

{"log.level":"error","@timestamp":"2025-06-24T15:55:19.333-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [azure-eventhub] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [azure-eventhub] is not FIPS capable

The azure-eventhub input declares itself as not being FIPS-capable by implementing the FIPSAwareInput interface and making its IsFIPSCapable() method return false (see also: https://github.com/elastic/beats/pull/44920).

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [ ] ~I have made corresponding changes to the default configuration files~
  • [ ] ~I have added tests that prove my fix is effective or that my feature works~
  • [ ] ~I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.~

Disruptive User Impact

FIPS-capable artifacts of Filebeat will not start the azure module or the o365audit input.

$ mage clean && FIPS=true mage build
$ cat <<EOF > filebeat-test-input.yml
filebeat.inputs:
- type: azure-eventhub
  id: id-nofips
  enabled: true
  eventhub: foo
  connection_string: bar
  storage_account: baz
  storage_account_key: qux

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-input.yml -e
$ cat <<EOF > filebeat-test-module.yml
filebeat.modules:
- module: azure
  activitylogs:
    enabled: true
    var.connection_string: foo
    var.storage_account: bar
    var.storage_account_key: baz

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-module.yml -e

ycombinator avatar Jun 18 '25 17:06 ycombinator
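
A minimal sketch of the opt-out pattern named in the PR description above, added here as an example and not taken from the Beats code base. The `Input` type, `plainInput`, `checkInputs` and the `fipsBuild` flag are hypothetical, and treating inputs that do not implement `FIPSAwareInput` as FIPS capable is an assumption.

```go
package main

import "fmt"

// Input is a hypothetical stand-in for a Filebeat input.
type Input interface{ Name() string }

// FIPSAwareInput uses the interface and method names from the PR description.
type FIPSAwareInput interface{ IsFIPSCapable() bool }

// azureEventHub opts out of FIPS builds by returning false.
type azureEventHub struct{}

func (azureEventHub) Name() string        { return "azure-eventhub" }
func (azureEventHub) IsFIPSCapable() bool { return false }

// plainInput (hypothetical) does not implement FIPSAwareInput at all.
type plainInput struct{}

func (plainInput) Name() string { return "plain" }

// checkInputs refuses to start when a FIPS build is configured with an input
// that declares itself not FIPS capable. Assumption: inputs that do not
// implement FIPSAwareInput are treated as capable.
func checkInputs(fipsBuild bool, inputs []Input) error {
	if !fipsBuild {
		return nil
	}
	for _, in := range inputs {
		if aware, ok := in.(FIPSAwareInput); ok && !aware.IsFIPSCapable() {
			return fmt.Errorf("running a FIPS-capable distribution but input [%s] is not FIPS capable", in.Name())
		}
	}
	return nil
}

func main() {
	configured := []Input{plainInput{}, azureEventHub{}}
	fmt.Println("standard build:", checkInputs(false, configured))
	fmt.Println("FIPS build:    ", checkInputs(true, configured))
}
```

Failing closed at startup, rather than skipping the input, keeps a FIPS deployment from silently running with a partial configuration.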

:robot: GitHub comments

Expand to view the GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

github-actions[bot] avatar Jun 18 '25 17:06 github-actions[bot]

This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @ycombinator? 🙏. For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

mergify[bot] avatar Jun 18 '25 17:06 mergify[bot]

Pinging @elastic/obs-ds-hosted-services (Team:obs-ds-hosted-services)

elasticmachine avatar Jun 20 '25 07:06 elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

elasticmachine avatar Jun 20 '25 07:06 elasticmachine

@Mergifyio backport 9.1

ycombinator avatar Jun 28 '25 00:06 ycombinator

backport 9.1

✅ Backports have been created

  • Backport to branch 9.1 not needed, change already in branch 9.1

mergify[bot] avatar Jun 28 '25 00:06 mergify[bot]