[Auditbeat][add_session_metadata processor] Fix more potential enrichment failures #39243
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
With the ebpf backend for the add_session_metadata processor, wait for processes to be inserted into the processdb, if they are not already in it at the time that the process event is enriched.
mjwolf
added
bugfix
Team:Security-Deployment and Devices
|
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices) |
botelastic
bot
added
needs_team
mjwolf
changed the title
💚 Build Succeeded
Expand to view the summary
Build stats
❕ Flaky test reportNo test was executed to be analysed. 🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go
Outdated
Show resolved
Hide resolved
pkoutsovasilis
approved these changes
May 1, 2024
…ts into session-view-fix-missing-proc
I'll look into reworking UpdateDB in the future, I want to keep this PR to bugfixes only |
mergify bot
pushed a commit
that referenced
this pull request
May 1, 2024
…ment failures (#39243) Fix two more cases that could cause unenriched processes in the add_session_metadata processor. It was possible for auditd events to arrive before the ebpf event added processes to the process DB, now the enrichment will wait for the process to be inserted into the DB, if it's not already before enrichment is run on it. Also stop attempting to enrich failed syscall events, and modifying the DB based on these. Changes: With the ebpf backend, when an event is processed wait for a process to be added to the DB before enriching, if it's not already in the DB before the event is received. Do not enrich failed syscall auditd events. Since failed syscalls don't actually cause a process to be created, they should not be enriched, or inserted to the process Remove scrapeAncestors from DB. The intention of this was to fill in missed processes, but now processes should not be missed with epbf, and ineffective with procfs, as the process will most likely already be ended. This was causing DB inconsistancies when run on failed syscall events, and I haven't ever seen any cases where it's helpful now. (cherry picked from commit ffcd181)
6 tasks
mjwolf
added a commit
that referenced
this pull request
May 1, 2024
…ment failures (#39243) (#39354) Fix two more cases that could cause unenriched processes in the add_session_metadata processor. It was possible for auditd events to arrive before the ebpf event added processes to the process DB, now the enrichment will wait for the process to be inserted into the DB, if it's not already before enrichment is run on it. Also stop attempting to enrich failed syscall events, and modifying the DB based on these. Changes: With the ebpf backend, when an event is processed wait for a process to be added to the DB before enriching, if it's not already in the DB before the event is received. Do not enrich failed syscall auditd events. Since failed syscalls don't actually cause a process to be created, they should not be enriched, or inserted to the process Remove scrapeAncestors from DB. The intention of this was to fill in missed processes, but now processes should not be missed with epbf, and ineffective with procfs, as the process will most likely already be ended. This was causing DB inconsistancies when run on failed syscall events, and I haven't ever seen any cases where it's helpful now. (cherry picked from commit ffcd181) Co-authored-by: Michael Wolf <michael.wolf@elastic.co>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Fix two more cases that could cause unenriched processes in the add_session_metadata processor.
It was possible for auditd events to arrive before the ebpf event added processes to the process DB, now the enrichment will wait for the process to be inserted into the DB, if it's not already before enrichment is run on it. Also stop attempting to enrich failed syscall events, and modifying the DB based on these.
Changes:
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesI have added tests that prove my fix is effective or that my feature worksCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
not process.entry_leader.entity_id : * and process.pid: * and not auditd.result: "fail"Related issues