
[Auditbeat] Cherry-pick #10508 to 6.x: System module: Detect package updates #10562

Merged: 1 commit merged into elastic:6.x from backport_10508_6.x on Feb 5, 2019

Conversation

@cwurm (Contributor) commented Feb 5, 2019

Cherry-pick of PR #10508 to 6.x branch. Original message:

Detects package updates by checking if any of the "new" package objects have the same package name as one of the "old" package objects. The event will have event.action: package_updated.

Also fixes two issues:

  1. Removes InstallTime from change detection. It is not set for dpkg, and for Homebrew it is currently the modification time of the package's directory. A touch will cause it to be reported as changed. I'm actually wondering if we should not set it for Homebrew at all. For change detection, we now rely on name, version, release (only set for RPM), and size - all of which (hopefully) only change when the package has indeed changed.
  2. For dpkg, reports packages as removed that have only been removed (apt-get remove) but not purged (apt-get purge). Removed packages stay around in /var/lib/dpkg/status, but with a deinstall status.

As an urgent follow-up, we should add tests with sample files for at least:

  • /var/lib/dpkg/status in various stages (no package, installed package, new version, deinstalled package). I wanted to add it here, but we'll need a way to pass the test files to the metricset, and at the moment there is no config value for it (but there probably should be). I didn't want to do that bigger change here.
  • /usr/local/Cellar/{pkg.Name}/INSTALL_RECEIPT.json (read since [Auditbeat] Read formula path from INSTALL_RECEIPT.json for Homebrew packages #10507), and a Ruby formula file.

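The detection described in the post above, as an added Go example that is not Auditbeat's own code: the `Package` type, its fields and the dpkg status strings used in it are assumptions for illustration. It keys change detection on name, version, release and size (ignoring `InstallTime`), treats dpkg entries still listed with a `deinstall` want-flag as not installed, and classifies a name present in both snapshots with a different key as `package_updated`.

```go
package main

import (
	"fmt"
	"strings"
)
// Package is a constructed record of one installed package (hypothetical type, not Auditbeat's own).
type Package struct {
	Name, Version, Release, DpkgStatus string // DpkgStatus is dpkg only
	Size                               uint64
	InstallTime                        int64 // not part of change detection
}
// key is the change-detection identity (name, version, release, size); InstallTime
// is excluded: dpkg never sets it and Homebrew's is just a directory mtime.
func (p Package) key() string {
	return fmt.Sprintf("%s|%s|%s|%d", p.Name, p.Version, p.Release, p.Size)
}
// byName indexes installed packages by name. A dpkg entry whose want-flag
// is "deinstall" (apt-get remove without apt-get purge) is still listed in
// /var/lib/dpkg/status but is treated as not installed.
func byName(pkgs []Package) map[string]Package {
	m := map[string]Package{}
	for _, p := range pkgs {
		if !strings.HasPrefix(p.DpkgStatus, "deinstall") {
			m[p.Name] = p
		}
	}
	return m
}
// diffPackages returns event.action values keyed by package name; a name present
// in both sets whose key differs is an update rather than an install plus a removal.
func diffPackages(oldPkgs, newPkgs []Package) map[string]string {
	oldSet, newSet := byName(oldPkgs), byName(newPkgs)
	actions := map[string]string{}
	for name, np := range newSet {
		if op, ok := oldSet[name]; !ok {
			actions[name] = "package_installed"
		} else if op.key() != np.key() {
			actions[name] = "package_updated"
		}
	}
	for name := range oldSet {
		if _, ok := newSet[name]; !ok {
			actions[name] = "package_removed"
		}
	}
	return actions
}
func main() { fmt.Println(len(diffPackages(nil, nil)), "changes between two empty snapshots") }
```
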
@cwurm changed the title from "Cherry-pick #10508 to 6.x: [Auditbeat] System module: Detect package updates" to "[Auditbeat] Cherry-pick #10508 to 6.x: System module: Detect package updates" on Feb 5, 2019
Detects package updates by checking if any of the "new" package objects have the same package name as one of the "old" package objects. The event will have `event.action: package_updated`.

Also removes `InstallTime` from change detection. And for dpkg, reports packages as removed that have only been removed (`apt-get remove`) but not purged (`apt-get purge`).

(cherry picked from commit 394d93d)
@cwurm force-pushed the backport_10508_6.x branch from eece0ac to aff9296 on February 5, 2019 11:54
@cwurm cwurm added the Auditbeat label Feb 5, 2019
@elasticmachine (Collaborator) commented:

Pinging @elastic/secops

@cwurm cwurm added the SecOps label Feb 5, 2019
@cwurm cwurm requested a review from a team February 5, 2019 11:54
@webmat (Contributor) left a review comment:

LGTM

@cwurm cwurm merged commit f5f0dc9 into elastic:6.x Feb 5, 2019
@cwurm cwurm deleted the backport_10508_6.x branch February 5, 2019 14:21