Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.x](backport #41952) auditbeat: Add a cached file hasher for auditbeat #41992

Merged
merged 1 commit into from
Dec 11, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Dec 11, 2024

Proposed commit message

This implements a LRU cache on top of the FileHasher from hasher.go, it will be used in the new backend for the system process module on linux.

The cache is indexed by file path and stores the metadata (what we get from stat(2)/statx(2)) along with the hashes of each file.

When we want to hash a file: we stat() the file, then do cache lookup and compare against the stored metadata, if it differs, we rehash, if not we use the cached values.

The cache ignores access time (atime), it's only interested in write modifications, if the machine doesn't support statx(2) it falls back to stat(2) but uses the same Unix.Statx_t.

With this we end up with a stat() + lookup on the hotpath, and a stat() + stat() + insert on the cold path.

The motivation for this is that the new backend ends up fetching "all processes", which in turn causes it to try to hash at every event, the current/old hasher just can't cope with it:

  1. Hashing for each event is simply too expensive, in the 100us-50ms range on the default configuration, which puts us below 1000/s.
  2. It has a scan rate throttling that on the default configuration ends easily at 40ms per event (25/s).

With the cache things improve considerably, we stay below 5us (200k/s) in all cases:

MISSES
"miss (/usr/sbin/sshd) took 2.571359ms"
"miss (/usr/bin/containerd) took 52.099386ms"
"miss (/usr/sbin/gssproxy) took 160us"
"miss (/usr/sbin/atd) took 50.032us"
HITS
"hit (/usr/sbin/sshd) took 2.163us"
"hit (/usr/lib/systemd/systemd) took 3.024us"
"hit (/usr/lib/systemd/systemd) took 859ns"
"hit (/usr/sbin/sshd) took 805ns"

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
    This is an automatic backport of pull request auditbeat: Add a cached file hasher for auditbeat #41952 done by Mergify.

This implements a LRU cache on top of the FileHasher from hasher.go, it will be
used in the new backend for the system process module on linux.

The cache is indexed by file path and stores the metadata (what we get from
stat(2)/statx(2)) along with the hashes of each file.

When we want to hash a file: we stat() the file, then do cache lookup and
compare against the stored metadata, if it differs, we rehash, if not we use the
cached values.

The cache ignores access time (atime), it's only interested in write
modifications, if the machine doesn't support statx(2) it falls back to stat(2)
but uses the same Unix.Statx_t.

With this we end up with a stat() + lookup on the hotpath, and a stat() + stat()
+ insert on the cold path.

The motivation for this is that the new backend ends up fetching "all
processes", which in turn causes it to try to hash at every event, the
current/old hasher just can't cope with it:
 1. Hashing for each event is simply to expensive, in the 100us-50ms range on the
    default configuration, which puts us below 1000/s.
 2. It has a scan rate throttling that on the default configuration ends easily
    at 40ms per event (25/s).

With the cache things improve considerably, we stay below 5us (200k/s) in all
cases:

```
MISSES
"miss (/usr/sbin/sshd) took 2.571359ms"
"miss (/usr/bin/containerd) took 52.099386ms"
"miss (/usr/sbin/gssproxy) took 160us"
"miss (/usr/sbin/atd) took 50.032us"
HITS
"hit (/usr/sbin/sshd) took 2.163us"
"hit (/usr/lib/systemd/systemd) took 3.024us"
"hit (/usr/lib/systemd/systemd) took 859ns"
"hit (/usr/sbin/sshd) took 805ns"
```

(cherry picked from commit 8ec2e31)
@mergify mergify bot requested a review from a team as a code owner December 11, 2024 16:05
@mergify mergify bot added the backport label Dec 11, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 11, 2024
@haesbaert haesbaert added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Dec 11, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 11, 2024
@haesbaert haesbaert merged commit 47b2060 into 8.x Dec 11, 2024
30 checks passed
@haesbaert haesbaert deleted the mergify/bp/8.x/pr-41952 branch December 11, 2024 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants