Stop running auditbeat container as root by default (elastic#21202)
Stop running Auditbeat container as root by default. After this change,
when user root is required it will need to be explicitly set at runtime.
This is already done in Kubernetes manifests and some other examples
in the documentation, so the change is probably not so breaking.
Also `USER root` is usually not enough to be fully privileged, so some
customization was always expected when running Auditbeat on Docker.
jsoriano committed Sep 24, 2020
1 parent 0c8f82b commit 6bd7090
Showing 5 changed files with 4 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
- Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
- Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]

*Filebeat*

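Review bot: the new CHANGELOG entry says root is now required for auditing but not how to opt back in; since this removes a default that existing container users rely on, suggest naming the flag the docs hunk uses, e.g. "Docker container needs to be explicitly run as user root (`--user=root`) for auditing.", so operators reading only the changelog know what to change.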
2 changes: 1 addition & 1 deletion auditbeat/docs/running-on-docker.asciidoc
@@ -10,5 +10,5 @@ It is also essential to run {beatname_uc} in the host PID namespace.

["source","sh",subs="attributes"]
----
docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage}
----
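Review bot: the prose above the snippet ("It is also essential to run {beatname_uc} in the host PID namespace.") still describes only the PID namespace and capabilities, while the command now also adds `--user=root`; the text should state that the image no longer runs as root by default and that the auditd module needs it, otherwise readers copying an older command will get a silently non-root container. Separately, this hunk also splits `--cap-add=AUDIT_CONTROL,AUDIT_READ` into two `--cap-add` flags, which is a fix to the documented command that is unrelated to the user change and is not mentioned in the commit message; worth calling out so it is not lost in review.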
2 changes: 1 addition & 1 deletion auditbeat/magefile.go
@@ -92,7 +92,7 @@ func Package() {

// TestPackages tests the generated packages (i.e. file modes, owners, groups).
func TestPackages() error {
return devtools.TestPackages(devtools.WithRootUserContainer())
return devtools.TestPackages()
}

// Update is an alias for running fields, dashboards, config, includes.
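Review bot: dropping `devtools.WithRootUserContainer()` stops the package test from expecting a root user, but nothing visible here asserts the new non-root default; if `devtools.TestPackages()` does not check the image's configured user on its own, add an assertion that the Auditbeat image does not run as root, so a stray `user` override reintroducing root would fail the build rather than pass unnoticed.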
1 change: 0 additions & 1 deletion auditbeat/scripts/mage/package.go
@@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) {
args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget
case devtools.Docker:
args.Spec.ExtraVar("user", "root")
default:
panic(errors.Errorf("unhandled package type: %v", pkgType))
}
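Review bot: removing `args.Spec.ExtraVar("user", "root")` leaves `case devtools.Docker:` with an empty body, which reads like a forgotten branch and invites someone to "fix" it by re-adding the root override; add a one-line comment in the case (e.g. `// Docker images use the default non-root user; root must be requested at runtime.`) so the intent of the empty branch is explicit.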
2 changes: 1 addition & 1 deletion x-pack/auditbeat/magefile.go
@@ -84,7 +84,7 @@ func Package() {

// TestPackages tests the generated packages (i.e. file modes, owners, groups).
func TestPackages() error {
return devtools.TestPackages(devtools.WithRootUserContainer())
return devtools.TestPackages()
}

// Update is an alias for running fields, dashboards, config.
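Review bot: this is the same edit as in `auditbeat/magefile.go`, and both magefiles carry an identical `TestPackages` body that must be kept in sync by hand; the same missing non-root assertion applies here, and consider moving the shared `TestPackages` call into the common `auditbeat/scripts/mage` package so the OSS and x-pack builds cannot drift.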