Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #19300 to 7.x: Update to go-libaudit v2.0.0 #19908

Merged
merged 1 commit into from
Jul 16, 2020
Merged

Cherry-pick #19300 to 7.x: Update to go-libaudit v2.0.0 #19908

merged 1 commit into from
Jul 16, 2020

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Jul 14, 2020
edited by zube bot
Loading

Cherry-pick of PR #19300 to 7.x branch. Original message:

What does this PR do?

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes #14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

@andrewkroh andrewkroh requested a review from a team as a code owner July 14, 2020 16:45
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2020
adriansr
adriansr approved these changes Jul 15, 2020
View reviewed changes
CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
@andrewkroh
Update to go-libaudit v2.0.0 (elastic#19300)
9b3ec40 
* Update to go-libaudit v2.0.0

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes elastic#14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

* Only import go-libaudit on linux

(cherry picked from commit 4f3d950)
@andrewkroh
Copy link
Member Author

I've been seeing this unusual error from the Metricbeat tests:

[2020-07-15T08:36:14.406Z] + mage goIntegTest
[2020-07-15T08:37:22.185Z] Generated fields.yml for metricbeat to /var/lib/jenkins/workspace/Beats_beats_PR-19908/src/github.com/elastic/beats/metricbeat/fields.yml
[2020-07-15T08:37:22.185Z] Error: no module auditd
script returned exit code 1

I tracked down some discussion of it to #18592 (comment). In this case the MODULE=auditd but that's only an Auditbeat module. Similarly I saw this with a Filebeat module change that triggered Metricbeat to build and it failed for the same reason (logs). // fyi: @jsoriano @v1v

@v1v
Copy link
Member

v1v commented Jul 16, 2020

@andrewkroh , that particular misbehaviour was theoretically solved with #18777 and backported. I'll run some tests locally and see if i can reproduce the behaviour for this PR

@v1v
Copy link
Member

v1v commented Jul 16, 2020
edited
Loading

I see what's going on:

  • The pattern to search for should not be generic but specific per beat, in other words:

    beats/Jenkinsfile

    Lines 39 to 40 in 4dcbde3

    XPACK_MODULE_PATTERN = '^x-pack\\/[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*'
    OSS_MODULE_PATTERN = '^[a-z0-9]+beat\\/module\\/([^\\/]+)\\/.*'

should use <beatname> rather than [a-z0-9]+beat to avoid injecting the MODULE env variable to the Integration Tests stage that's related to another module.

If I recall we used the generic pattern to be easy to handle all the cases, but it seems it's not 100% accurate.

I've just raised #19986 to explain the reason of the issue and some test scenarios that should be verified when doing the implementation.

@v1v v1v mentioned this pull request Jul 16, 2020
Merged
@andrewkroh
Copy link
Member Author

Thanks @v1v !

@andrewkroh andrewkroh merged commit 4084104 into elastic:7.x Jul 16, 2020
@zube zube bot removed the [zube]: Done label Oct 15, 2020
@v1v v1v mentioned this pull request Jun 8, 2021
Closed
6 tasks
@andrewkroh andrewkroh deleted the backport_19300_7.x branch January 14, 2022 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@andrewkroh @elasticmachine @v1v @adriansr