
[Auditbeat] auditd not receiving event when outside of host network namespace #28063

Open
andrewkroh opened this issue Sep 22, 2021 · 7 comments
Labels
Auditbeat bug docs Team:Security-Linux Platform Linux Platform Team in Security Solution

Comments

@andrewkroh
Member

While running Auditbeat's auditd module in a container, it will not receive events unless I put it into the host's network namespace. I believe this used to work because the docs don't mention anything about the network namespace requirement.

While doing some brief searching I found a newer flag, NETLINK_F_LISTEN_ALL_NSID, and I wonder if it is related. There are also some commits like torvalds/linux@7212462. This needs more research, but the goal would be to see if we can still run Auditbeat in its own namespace and receive audit events. If we can't, then we should update the docs to mention the requirement to run in the host's network namespace.

Version: 7.14.2
OS: Linux akroh-beats-dev 5.11.0-1018-gcp #20~20.04.2-Ubuntu SMP Fri Sep 3 01:01:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Discuss: https://discuss.elastic.co/t/auditbeat-on-docker-fails-to-run-auditd-module/284399
Config:

auditbeat.modules:
- module: auditd
  socket_type: multicast

output.console.enabled: true

logging.level: debug
logging.selectors: [auditd, processors]

seccomp.enabled: false
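A preflight check for the two conditions this report turns on, written here as an added example (it is not Auditbeat's own code): whether the container process shares the host's network namespace, and whether the audit capabilities used in the docker invocations in this thread are actually in the effective set. It assumes the container runs with --pid=host so that /proc/1 is the host's init; without that the namespace comparison says nothing about the host.

```python
"""Preflight check before starting the auditd module in a container.

Added example, not Auditbeat code. Assumes --pid=host so /proc/1/ns/net
is the host's network namespace.
"""
import os
import re

# Capability bit numbers from linux/capability.h.
CAP_AUDIT_CONTROL = 30
CAP_AUDIT_READ = 37
REQUIRED_CAPS = {"audit_control": CAP_AUDIT_CONTROL, "audit_read": CAP_AUDIT_READ}


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff bitmask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def missing_caps(cap_eff: int) -> list:
    """Names of the required audit capabilities absent from the effective set."""
    return [name for name, bit in REQUIRED_CAPS.items() if not cap_eff & (1 << bit)]


def ns_inode(link_target: str) -> int:
    """Extract the inode from a /proc/<pid>/ns/net link target like 'net:[4026531992]'."""
    m = re.fullmatch(r"net:\[(\d+)\]", link_target)
    if not m:
        raise ValueError("unexpected ns link target: %r" % link_target)
    return int(m.group(1))


def preflight(status_path="/proc/self/status", host_ns="/proc/1/ns/net",
              own_ns="/proc/self/ns/net") -> list:
    """Collect human-readable problems; an empty list means the socket should receive events."""
    problems = []
    with open(status_path) as f:
        caps = missing_caps(parse_cap_eff(f.read()))
    if caps:
        problems.append("missing effective capabilities: " + ", ".join(caps))
    # Equal inode numbers mean the same network namespace.
    if ns_inode(os.readlink(host_ns)) != ns_inode(os.readlink(own_ns)):
        problems.append("not in the host network namespace; run with --network=host")
    return problems


if __name__ == "__main__":
    for line in preflight() or ["ok: audit netlink socket is in the host network namespace"]:
        print(line)
```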
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@r00tu53r r00tu53r self-assigned this Mar 31, 2022
@jradikk

jradikk commented Apr 5, 2022

Just faced the same problem while configuring auditbeat in Kubernetes. It'd be great to add a note about it to the auditbeat documentation until it is fixed.

@r00tu53r
Contributor

r00tu53r commented May 9, 2022

@andrewkroh I happened to run auditbeat in a docker container without bind/EPERM errors. I pulled 8.0 (docker pull docker.elastic.co/beats/auditbeat:8.0.0) and ran auditbeat with my config based on what was in the post -

docker run -i -t -v ~/docker_share:/share --security-opt seccomp=unconfined --pid=host --user=root --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ docker.elastic.co/beats/auditbeat:8.0.0 /bin/bash

In the container -

# /usr/share/auditbeat/auditbeat -c ./auditbeat-test.yml -e

Logs -

{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1062},"message":"Go runtime info","service.name":"auditbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":1,"version":"go1.17.6"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1066},"message":"Host info","service.name":"auditbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-05-09T03:40:33Z","containerized":false,"name":"5ad6ded50b44","ip":["127.0.0.1/8","172.17.0.2/16"],"kernel_version":"5.13.0-30-generic","mac":["02:42:ac:11:00:02"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.3 LTS (Focal Fossa)","major":20,"minor":4,"patch":3,"codename":"focal"},"timezone":"UTC","timezone_offset_sec":0},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1095},"message":"Process info","service.name":"auditbeat","system_info":{"process":{"capabilities":{"inheritable":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"permitted":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"effective":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"bounding":["chown","dac_override","fowner","fsetid","kill","setgid","setuid","setpcap","net_bind_service","net_raw","sys_chroot","mknod","audit_write","audit_control","setfcap","audit_read"],"ambient":null},"cwd":"/usr/share/auditbeat","exe":"/usr/share/auditbeat/auditbeat","name":"auditbeat","pid":84071,"ppid":84044,"seccomp":{"mode":"disabled","no_new_privs":false},"start_time":"2022-05-09T08:05:48.200Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.825Z","log.origin":{"file.name":"instance/beat.go","file.line":332},"message":"Setup Beat: auditbeat; Version: 8.0.0","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.826Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: https://c13cda942b7c48199acbf0ee8bd28dc0.australia-southeast1.gcp.elastic-cloud.com:443","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.827Z","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: 5ad6ded50b44","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.828Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":107},"message":"auditd module is running as euid=0 on kernel=5.13.0-30-generic","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-05-09T08:05:51.879Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":999},"message":"The audit rules specified in the configuration cannot be applied when using a multicast socket_type.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.879Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":134},"message":"socket_type=multicast will be used.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.880Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:51.880Z","log.origin":{"file.name":"instance/beat.go","file.line":498},"message":"auditbeat start running.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:55.764Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":279},"message":"Deleted 6 pre-existing audit rules.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:05:55.764Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":298},"message":"Successfully added 9 of 9 audit rules.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-05-09T08:06:21.883Z","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":184},"message":"Non-zero metrics in the last 30s","service.name":"auditbeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"cfs":{"period":{"us":100000}},"id":"/"},"cpuacct":{"id":"/","total":{"ns":197236104}},"memory":{"id":"/","mem":{"limit":{"bytes":9223372036854771712},"usage":{"bytes":42033152}}}},"cpu":{"system":{"ticks":20,"time":{"ms":21}},"total":{"ticks":100,"time":{"ms":108},"value":100},"user":{"ticks":80,"time":{"ms":87}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":9},"info":{"ephemeral_id":"c7752cde-0708-4013-9a40-7240c7d6c8ed","uptime":{"ms":33187},"version":"8.0.0"},"memstats":{"gc_next":11749328,"memory_alloc":6356736,"memory_sys":20095105,"memory_total":16443552,"rss":108953600},"runtime":{"goroutines":21}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":1,"events":{"active":0},"queue":{"max_events":4096}}},"system":{"cpu":{"cores":1},"load":{"1":0,"15":0,"5":0,"norm":{"1":0,"15":0,"5":0}}}},"ecs.version":"1.6.0"}}

@andrewkroh
Member Author

@r00tu53r I wonder if something changed in the kernel. Your tests were on "kernel_version": "5.13.0-30-generic" and mine were on 5.11. Maybe the issue got fixed?

@r00tu53r
Contributor

Thanks @andrewkroh I will confirm my tests on a few older versions.

@botelastic

botelastic bot commented Sep 20, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Sep 20, 2023
@norrietaylor norrietaylor added Team:Security-Linux Platform Linux Platform Team in Security Solution and removed Team:Security-External Integrations labels Jan 31, 2024
@elasticmachine
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the Stalled label Jan 31, 2024