
[Auditbeat] Make librpm discovery more robust #19287

Closed
andrewkroh opened this issue Jun 18, 2020 · 3 comments · Fixed by #21936
Comments

@andrewkroh
Member

Auditbeat's system/package dataset loads librpm dynamically using dlopen. It finds the library using a hardcoded set of library version names:

```go
func openLibrpm() (*librpm, error) {
	var librpmNames = []string{
		"librpm.so",   // with rpm-devel installed
		"librpm.so.9", // Fedora 31/32
		"librpm.so.8", // Fedora 29/30
		"librpm.so.3", // CentOS 7
		"librpm.so.1", // CentOS 6
		// Following for completeness, but not explicitly tested
		"librpm.so.10",
		"librpm.so.7",
		"librpm.so.6",
		"librpm.so.5",
		"librpm.so.4",
		"librpm.so.2",
	}
	// ... (remainder of the function, which dlopens the first name that loads, not shown in the issue)
}
```

We'd like to have something that is less brittle.

Relates: #19275 (comment)
Relates: #19253

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 18, 2020
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 18, 2020
@leehinman leehinman self-assigned this Jun 18, 2020
@leehinman
Contributor

Tried a proof of concept with rpm, getting an error when using exec.Command:

```go
out, err := exec.Command("rpm", "-ql", "rpm-libs").Output()
```

```
Couldn't open [fork/exec /usr/bin/rpm: operation not permitted]
```

@andrewkroh
Member Author

Beats don’t allow execve by default to minimize the impact of vulnerabilities.

leehinman added a commit to leehinman/beats that referenced this issue Oct 16, 2020
- use elf header of rpm binary to find version of librpm
- use librpm.so as fallback, provided by rpm-devel

Closes elastic#19287
leehinman added a commit that referenced this issue Oct 20, 2020
- use elf header of rpm binary to find version of librpm
- use librpm.so as fallback, provided by rpm-devel

Closes #19287
leehinman added a commit to leehinman/beats that referenced this issue Oct 20, 2020
- use elf header of rpm binary to find version of librpm
- use librpm.so as fallback, provided by rpm-devel

Closes elastic#19287

(cherry picked from commit 37dc557)
leehinman added a commit that referenced this issue Oct 21, 2020
- use elf header of rpm binary to find version of librpm
- use librpm.so as fallback, provided by rpm-devel

Closes #19287

(cherry picked from commit 37dc557)
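The commits above describe the chosen approach: instead of spawning `rpm` (which the seccomp policy blocks, as the thread notes) or guessing soname versions, read the ELF header of the `rpm` binary and take the `librpm.so.N` it links against, falling back to `librpm.so` from rpm-devel. The following is an added illustration of that technique, not Beats' own code from #21936. It uses Go's standard `debug/elf` to read the `DT_NEEDED` entries of `/usr/bin/rpm` (path assumed); the function names `pickLibrpm`, `librpmVersion` and `librpmFromBinary` are the example's own.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// librpmSoName matches a versioned librpm soname such as "librpm.so.9".
// Note that "librpmio.so.9" does not match, since the pattern is anchored
// on "librpm.so." exactly.
var librpmSoName = regexp.MustCompile(`^librpm\.so\.(\d+)$`)

// pickLibrpm chooses the librpm soname from a list of DT_NEEDED entries.
// It returns the versioned name (e.g. "librpm.so.9") and true when one is
// present; otherwise it returns "librpm.so" (the unversioned symlink that
// rpm-devel provides) and false, mirroring the fallback in the fix commits.
func pickLibrpm(needed []string) (string, bool) {
	for _, n := range needed {
		if librpmSoName.MatchString(n) {
			return n, true
		}
	}
	return "librpm.so", false
}

// librpmVersion extracts the integer SONAME version from "librpm.so.N".
func librpmVersion(name string) (int, error) {
	m := librpmSoName.FindStringSubmatch(name)
	if m == nil {
		return 0, fmt.Errorf("%q is not a versioned librpm soname", name)
	}
	return strconv.Atoi(m[1])
}

// librpmFromBinary opens an ELF executable (the rpm binary) and reads its
// DT_NEEDED entries. The file is only parsed, never executed, so this works
// under a seccomp policy that denies execve.
func librpmFromBinary(path string) (string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()

	libs, err := f.ImportedLibraries()
	if err != nil {
		return "", err
	}
	name, _ := pickLibrpm(libs)
	return name, nil
}

func main() {
	path := "/usr/bin/rpm" // assumed location of the rpm binary
	name, err := librpmFromBinary(path)
	if err != nil {
		// No rpm binary (or not an ELF we can read): fall back to rpm-devel's symlink.
		fmt.Fprintf(os.Stderr, "cannot inspect %s: %v (falling back to librpm.so)\n", path, err)
		name = "librpm.so"
	}
	fmt.Println("librpm soname to dlopen:", name)
}
```

Because the soname comes from the same binary the distribution ships alongside its `librpm`, the list no longer has to be maintained per Fedora/CentOS release; the unversioned fallback only matters on hosts where `rpm` itself is absent but the development package is installed.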