From 6bd70908fec6b338d9e0a5a41cf4c58a116416ab Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Thu, 24 Sep 2020 13:47:28 +0200
Subject: [PATCH] Stop running auditbeat container as root by default (#21202)

Stop running Auditbeat container as root by default. After this change, when user root is required it will need to be explicitly set on runtime. This is already done in Kubernetes manifests and some other examples in the documentation, so change is probably not so breaking.

Also `USER root` is usually not enough to be fully privileged, so some customization was always expected when running Auditbeat on docker.
---
 CHANGELOG.next.asciidoc | 1 +
 auditbeat/docs/running-on-docker.asciidoc | 2 +-
 auditbeat/magefile.go | 2 +-
 auditbeat/scripts/mage/package.go | 1 -
 x-pack/auditbeat/magefile.go | 2 +-
 5 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 145d7ae09e5..01517e07245 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
 - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
 - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
+- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]
 
 *Filebeat*
 
diff --git a/auditbeat/docs/running-on-docker.asciidoc b/auditbeat/docs/running-on-docker.asciidoc
index 74007cdeb35..dee50fa254a 100644
--- a/auditbeat/docs/running-on-docker.asciidoc
+++ b/auditbeat/docs/running-on-docker.asciidoc
@@ -10,5 +10,5 @@ It is also essential to run {beatname_uc} in the host PID namespace.
 ["source","sh",subs="attributes"]
 ----
-docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
+docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage}
 ----
diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go
index 73110b17354..bc99856a890 100644
--- a/auditbeat/magefile.go
+++ b/auditbeat/magefile.go
@@ -92,7 +92,7 @@ func Package() {
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // Update is an alias for running fields, dashboards, config, includes.
diff --git a/auditbeat/scripts/mage/package.go b/auditbeat/scripts/mage/package.go
index fbda2077f4f..09591705121 100644
--- a/auditbeat/scripts/mage/package.go
+++ b/auditbeat/scripts/mage/package.go
@@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) {
 		args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
 		sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget
 	case devtools.Docker:
-		args.Spec.ExtraVar("user", "root")
 	default:
 		panic(errors.Errorf("unhandled package type: %v", pkgType))
 	}
diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go
index 989f8e6d7b6..7484e6465b7 100644
--- a/x-pack/auditbeat/magefile.go
+++ b/x-pack/auditbeat/magefile.go
@@ -84,7 +84,7 @@ func Package() {
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // Update is an alias for running fields, dashboards, config.
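Review bot: The TestPackages doc comment in auditbeat/magefile.go still says the test checks "file modes, owners, groups" but no longer records under which user the container checks run now that devtools.WithRootUserContainer() is dropped; the same applies to the identical hunk in x-pack/auditbeat/magefile.go. Since the whole point of this commit is that the image is no longer run as root by default, it is worth one line stating that expectation so the option is not silently re-added later, e.g. `// The container image is verified with its default (non-root) user; root is a runtime opt-in.` If the package test's ownership assertions were written assuming a root container user, they may need revisiting, but that cannot be confirmed from this hunk.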
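Review bot: Removing the ExtraVar call leaves `case devtools.Docker:` in CustomizePackaging with an empty body, which reads like an accidental omission rather than the intentional "no customization" it now is, especially next to a `default:` that panics. A short comment on the case would make the intent explicit and tie it to the new runtime contract shown in the docs hunk (`--user=root`): `case devtools.Docker:` followed by `// intentionally no customization: the image keeps its default non-root user; auditing needs --user=root at runtime`. The switch and CustomizePackaging continue outside this hunk.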