Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditbeat] system/package failing on Fedora 31+ #19253

Closed
andrewkroh opened this issue Jun 17, 2020 · 1 comment · Fixed by #19275
Closed

[Auditbeat] system/package failing on Fedora 31+ #19253

andrewkroh opened this issue Jun 17, 2020 · 1 comment · Fixed by #19275
Labels
Auditbeat bug

Comments

@andrewkroh
Copy link
Member

andrewkroh commented Jun 17, 2020
edited
Loading

The system/package dataset fails on Fedora 31 and newer because it cannot open librpm.

ERROR [package] package/package.go:246 failed to get packages: error getting RPM packages: unable to open a handle to the library

It uses dlopen, but does not try to load librpm.so.9 which is what Fedora 31 has.

beats/x-pack/auditbeat/module/system/package/rpm_linux.go

Lines 207 to 220 in 5e69e25

func openLibrpm() (*librpm, error) {
var librpmNames = []string{
"librpm.so", // with rpm-devel installed
"librpm.so.8", // Fedora 29
"librpm.so.3", // CentOS 7
"librpm.so.1", // CentOS 6
// Following for completeness, but not explicitly tested
"librpm.so.7",
"librpm.so.6",
"librpm.so.5",
"librpm.so.4",
"librpm.so.2",
}

As a workaround, installing rpm-devel will create symlink to fix the issue /usr/lib64/librpm.so -> librpm.so.9.0.1.

For confirmed bugs, please report:

  • Version: v7.7.0, v7.8.0
  • Operating System: Fedora 31
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 17, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 17, 2020
andrewkroh added a commit to andrewkroh/beats that referenced this issue Jun 18, 2020
@andrewkroh
Add librpm.so.9 to the names dlopen searches
4d7f176 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes elastic#19253
@andrewkroh andrewkroh mentioned this issue Jun 18, 2020
Merged
6 tasks
andrewkroh added a commit that referenced this issue Jun 18, 2020
@andrewkroh
Add librpm.so.9 to the names dlopen searches (#19275)
6fedaef 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes #19253
andrewkroh added a commit to andrewkroh/beats that referenced this issue Jun 18, 2020
@andrewkroh
Add librpm.so.9 to the names dlopen searches (elastic#19275)
27b0ca0 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes elastic#19253

(cherry picked from commit 6fedaef)
@andrewkroh andrewkroh mentioned this issue Jun 18, 2020
Merged
6 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this issue Jun 18, 2020
@andrewkroh
Add librpm.so.9 to the names dlopen searches (elastic#19275)
cec69df 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes elastic#19253

(cherry picked from commit 6fedaef)
This was referenced Jun 18, 2020
Merged
Closed
andrewkroh added a commit that referenced this issue Jun 18, 2020
@andrewkroh
Add librpm.so.9 to the names dlopen searches (#19275) (#19285)
5a066ac 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes #19253

(cherry picked from commit 6fedaef)
andrewkroh added a commit that referenced this issue Jun 18, 2020
@andrewkroh
Add librpm.so.9 to the names dlopen searches (#19275) (#19286)
cc95c44 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes #19253

(cherry picked from commit 6fedaef)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020
@andrewkroh @melchiormoulin
Add librpm.so.9 to the names dlopen searches (elastic#19275)
8e95b9d 
Fedora 31 and 32 use librpm.so.9, but Auditbeat's system/package dataset doesn't try to load
this version of the library.

Fixes elastic#19253
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Auditbeat bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add librpm.so.9 to the names dlopen searches andrewkroh/beats
2 participants
@andrewkroh @elasticmachine