diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index fa5667f14b45..b48229565b01 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -86,6 +86,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Package dataset: Improve dpkg parsing. {pull}12325[12325]
 - System module: Start system module without host ID. {pull}12373[12373]
 - Host dataset: Fix reboot detection logic. {pull}12591[12591]
+- Add syscalls used by librpm for the system/package dataset to the default Auditbeat seccomp policy. {issue}12578[12578] {pull}12617[12617]
 
 *Filebeat*
 
diff --git a/Vagrantfile b/Vagrantfile
index a851be38692f..183888b1fd0d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -223,6 +223,17 @@ Vagrant.configure(2) do |config|
     end
   end
 
+  config.vm.define "centos7", primary: true do |c|
+    c.vm.box = "bento/centos-7"
+    c.vm.network :forwarded_port, guest: 22, host: 2231, id: "ssh", auto_correct: true
+
+    c.vm.provision "shell", inline: $unixProvision, privileged: false
+    c.vm.provision "shell", inline: linuxGvmProvision, privileged: false
+    c.vm.provision "shell", inline: "yum install -y make gcc python-pip python-virtualenv git"
+
+    c.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+  end
+
 end
 
 # -*- mode: ruby -*-
diff --git a/libbeat/common/seccomp/seccomp.go b/libbeat/common/seccomp/seccomp.go
index ff4d682b6635..5280838c3187 100644
--- a/libbeat/common/seccomp/seccomp.go
+++ b/libbeat/common/seccomp/seccomp.go
@@ -27,6 +27,14 @@ import (
 	"github.com/elastic/go-seccomp-bpf"
 )
 
+// PolicyChangeType specifies the type of change to make to a seccomp policy.
+type PolicyChangeType uint8
+
+const (
+	// AddSyscall changes a policy by adding a syscall.
+	AddSyscall PolicyChangeType = iota
+)
+
 var (
 	defaultPolicy *seccomp.Policy
 	registeredPolicy *seccomp.Policy
@@ -134,3 +142,29 @@ func getPolicy(c *common.Config) (*seccomp.Policy, error) {
 
 	return policy, nil
 }
+
+// ModifyDefaultPolicy modifies the syscalls in the default policy. Any callers
+// of this function must first check the architecture because policies are
+// architecture specific.
+func ModifyDefaultPolicy(changeType PolicyChangeType, syscalls ...string) error {
+	if defaultPolicy == nil {
+		return errors.New("no default policy exists (check the architecture)")
+	}
+
+	switch changeType {
+	case AddSyscall:
+		list := defaultPolicy.Syscalls[0].Names
+		for _, newSyscall := range syscalls {
+			for _, existingSyscall := range list {
+				if newSyscall == existingSyscall {
+					break
+				}
+
+				list = append(list, newSyscall)
+			}
+		}
+		defaultPolicy.Syscalls[0].Names = list
+	}
+
+	return nil
+}
diff --git a/x-pack/auditbeat/seccomp_linux.go b/x-pack/auditbeat/seccomp_linux.go
new file mode 100644
index 000000000000..9bbd28985db9
--- /dev/null
+++ b/x-pack/auditbeat/seccomp_linux.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package main
+
+import (
+	"runtime"
+
+	"github.com/elastic/beats/libbeat/common/seccomp"
+)
+
+func init() {
+	switch runtime.GOARCH {
+	case "amd64", "386":
+		// The system/package dataset uses librpm which has additional syscall
+		// requirements beyond the default policy from libbeat so whitelist
+		// these additional syscalls.
+		if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, "umask", "mremap"); err != nil {
+			panic(err)
+		}
+	}
+}
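Review bot: In the AddSyscall case of ModifyDefaultPolicy the `list = append(list, newSyscall)` sits inside the inner loop over the existing names, so a syscall that is not yet in the policy is appended once for every existing entry compared before the loop ends, a syscall that is already present is still appended for each non-matching entry scanned before the match, and nothing at all is added when the list starts empty. The membership test needs a found flag with the append moved after the inner loop. `defaultPolicy.Syscalls[0]` is also indexed without checking that the policy has a syscall group, and an unrecognised changeType falls out of the switch and returns nil, so a caller cannot tell that no change was applied. The rewrite below covers only the switch; the function's nil-policy check above it is unchanged.
```go
	switch changeType {
	case AddSyscall:
		if len(defaultPolicy.Syscalls) == 0 {
			return errors.New("default policy has no syscall group to modify")
		}
		list := defaultPolicy.Syscalls[0].Names
		for _, newSyscall := range syscalls {
			found := false
			for _, existingSyscall := range list {
				if newSyscall == existingSyscall {
					found = true
					break
				}
			}
			if !found {
				list = append(list, newSyscall)
			}
		}
		defaultPolicy.Syscalls[0].Names = list
	default:
		return errors.New("unsupported policy change type")
	}
	// … unchanged: return nil …
```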
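Review bot: The init function widens the default seccomp policy for every amd64/386 Auditbeat process, whether or not the system/package dataset is enabled, since nothing here consults the configuration; the comment should say so because the default policy's own definition in libbeat gives no hint that umask and mremap are allowed at runtime. Suggested addition to the comment: `// Applied unconditionally at startup: the default policy is widened even when the system/package dataset is not configured.` If the dataset's package can register these syscalls itself, the allowance would at least live next to the code that needs it; that is a layout question outside this hunk. The panic is acceptable at init, as the only error ModifyDefaultPolicy returns is the missing-policy case that the GOARCH switch already rules out.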