[Filebeat] Do not run `o365audit` input and `o365` module in FIPS builds
Proposed commit message
This PR ensures that the Filebeat o365audit input will not start in FIPS-capable distributions of Filebeat, as the input indirectly depends on code that is not FIPS-compliant. Specifically, the o365audit input depends on the github.com/Azure/azure-sdk-for-go/sdk/azidentity package. This package, in turn, depends on the golang.org/x/crypto/pkcs12 package, which is not FIPS-compliant. Further, the SDK doesn't plan to offer a way to disable the use of this package at compile time (see https://github.com/Azure/azure-sdk-for-go/issues/24336).
In addition to the o365audit input, the o365 module will also not start in FIPS-capable distributions of Filebeat, as this module uses the o365audit input.
Attempting to run a FIPS-capable distribution of Filebeat with either the o365audit input or the o365 module configured will result in Filebeat not starting up and an error in the Filebeat logs like so:
```
{"log.level":"error","@timestamp":"2025-06-24T15:41:43.799-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [o365audit] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
```
The o365audit input declares itself as not being FIPS-capable by implementing the FIPSAwareInput interface and making its IsFIPSCapable() method return false (see also: https://github.com/elastic/beats/pull/44920).
Checklist
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation
- [ ] ~I have made corresponding change to the default configuration files~
- [ ] ~I have added tests that prove my fix is effective or that my feature works~
- [ ] ~I have added an entry in `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.~
Disruptive User Impact
FIPS-capable artifacts of Filebeat will not start the o365 module or the o365audit input.
```
$ mage clean && FIPS=true mage build
$ cat <<EOF > filebeat-test-input.yml
filebeat.inputs:
- type: o365audit
  id: id-nofips
  enabled: true
  application_id: foo
  tenant_id: bar
  client_secret: qux
output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-input.yml -e
```

```
$ cat <<EOF > filebeat-test-module.yml
filebeat.modules:
- module: o365
  audit:
    enabled: true
    var.application_id: "<MyApplicationID>"
    var.tenants:
      - id: "<MyTenantID>"
        name: "mytenant.onmicrosoft.com"
    var.client_secret: "<YourClientSecretHere>"
output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-module.yml -e
```
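The opt-out mechanism named in the commit message, as an added Go sketch that is not the Beats code: `Input`, `checkFIPS`, `startAll` and the `sample` input are hypothetical, and treating inputs that do not implement `FIPSAwareInput` as capable is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Input is a hypothetical minimal input type, not the Beats interface.
type Input interface{ Name() string }

// FIPSAwareInput: optional interface from the PR text; this shape is assumed.
type FIPSAwareInput interface{ IsFIPSCapable() bool }

type o365audit struct{}
func (o365audit) Name() string        { return "o365audit" }
func (o365audit) IsFIPSCapable() bool { return false } // explicit opt-out

type sampleInput struct{} // hypothetical input that makes no FIPS declaration
func (sampleInput) Name() string { return "sample" }

var ErrNotFIPSCapable = errors.New("input is not FIPS capable")

// checkFIPS rejects an input only in a FIPS build and only when it opts out.
// Inputs that lack the interface are treated as capable (assumption).
func checkFIPS(fipsBuild bool, in Input) error {
	aware, ok := in.(FIPSAwareInput)
	if fipsBuild && ok && !aware.IsFIPSCapable() {
		return fmt.Errorf("running a FIPS-capable distribution but input [%s] is not FIPS capable: %w", in.Name(), ErrNotFIPSCapable)
	}
	return nil
}

// startAll fails closed: one rejected input aborts startup and nothing is reported as started.
func startAll(fipsBuild bool, inputs []Input) ([]string, error) {
	names := make([]string, 0, len(inputs))
	for _, in := range inputs {
		if err := checkFIPS(fipsBuild, in); err != nil {
			return nil, fmt.Errorf("starting input failed: %w", err)
		}
		names = append(names, in.Name())
	}
	return names, nil
}

func main() {
	inputs := []Input{sampleInput{}, o365audit{}}
	fmt.Println(startAll(true, inputs))  // FIPS build: error, nothing started
	fmt.Println(startAll(false, inputs)) // non-FIPS build: both inputs start
}
```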
This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @ycombinator? 🙏. For such, you'll need to label your PR with:
- The upcoming major version of the Elastic Stack
- The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)
To fixup this pull request, you need to add the backport labels for the needed branches, such as:
- `backport-8./d` is the label to automatically backport to the `8./d` branch. `/d` is the digit
- `backport-active-all` is the label that automatically backports to all active branches.
- `backport-active-8` is the label that automatically backports to all active minor branches for the 8 major.
- `backport-active-9` is the label that automatically backports to all active minor branches for the 9 major.
This looks like two PRs, one enabling and one that is what's described on the tin. Could we separate them?
Created https://github.com/elastic/beats/pull/44920 to enable the module exclusion. Will rework this PR here to only be about what's on the tin once the enabling PR is merged.
Also, please include the import path that leads to the concerning import.
Update the PR description. Let me know if that looks good to you.
> Let me know if that looks good to you.
Thanks. Crystal clear now.
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
@ycombinator Can you update the title and propose commit message to explain how this works?
> @ycombinator Can you update the title and propose commit message to explain how this works?
Done. Let me know if you want me to include the implementation notes, i.e. use of the FIPSAwareInput interface, in the commit message too. I left that out as I figured we wanted the message to be more user-facing but happy to add it in if you think it'll be valuable.
I'd like the implementation details there.
> I'd like the implementation details there.
Added.
I was testing the changes in this PR again this morning and I'm seeing some flaky behavior. Sometimes Filebeat stops with the "Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [o365audit] is not FIPS capable" error message as expected but sometimes it just hangs and never exits. Investigating...
> I was testing the changes in this PR again this morning and I'm seeing some flaky behavior. Sometimes Filebeat stops with the "Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [o365audit] is not FIPS capable" error message as expected but sometimes it just hangs and never exits. Investigating...
Found a corner-case bug in Filebeat unrelated to this PR: https://github.com/elastic/beats/issues/45034
As such, this PR here is still good to go.
@Mergifyio backport 9.1
backport 9.1
✅ Backports have been created
- Backport to branch `9.1` not needed, change already in branch `9.1`