10 May 2018

Brewing in Beats: Seccomp filters

By Monica Sarbu

Welcome to Brewing in Beats! With these weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.

Did you know that Beats 6.2 is already available? Try it and let us know what you think. If you are curious to see the Beats in action, check out the Getting Started with Beats webinar.

Seccomp filters

Added a default seccomp (Secure Computing) filter for all Beats on Linux that prohibits the execve, execveat, fork, and vfork system calls for the Beat process. This hardens the Beats so that even if an attacker manages to execute remote code inside a Beat, they will have a harder time spawning new processes.

The seccomp filter policy is configurable as well, so you can block more system calls depending on your Beat and configuration. You can create your own whitelist or blacklist policy with specific actions.

This is what the default seccomp configuration looks like:

seccomp:
  default_action: allow
  syscalls:
  - action: errno
    names:
    - execve
    - execveat
    - fork
    - vfork

This new feature will be available in the 6.4 release.
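To show what a policy like the one above turns into once it reaches the kernel, here is an added example (not Beats code, and not the library Beats uses) that compiles a Beats-style policy dict into a classic BPF seccomp program and interprets it for individual syscalls. It assumes x86_64 syscall numbers, only the `allow` and `errno` actions shown in the post, and adds an architecture check that kills the process on a mismatched ABI, which the post's policy does not spell out; loading the program with prctl(2)/seccomp(2) is left out.

```python
import errno

# Classic BPF opcodes and seccomp verdicts (linux/bpf_common.h, linux/seccomp.h).
LD_W_ABS = 0x20                 # BPF_LD | BPF_W | BPF_ABS
JEQ_K = 0x15                    # BPF_JMP | BPF_JEQ | BPF_K
RET_K = 0x06                    # BPF_RET | BPF_K
RET_ALLOW = 0x7FFF0000
RET_ERRNO = 0x00050000          # low 16 bits carry the errno handed back to the caller
RET_KILL_PROCESS = 0x80000000
AUDIT_ARCH_X86_64 = 0xC000003E
# Assumption: x86_64 syscall numbers; other architectures need their own table.
X86_64_NR = {"execve": 59, "execveat": 322, "fork": 57, "vfork": 58}
ACTIONS = {"allow": RET_ALLOW, "errno": RET_ERRNO | errno.EPERM}

# The default policy from the post, as a YAML loader would hand it to the Beat.
DEFAULT_POLICY = {
    "default_action": "allow",
    "syscalls": [{"action": "errno", "names": ["execve", "execveat", "fork", "vfork"]}],
}

def build_filter(policy, nr_table=X86_64_NR, arch=AUDIT_ARCH_X86_64):
    """Compile a Beats-style policy into (code, jt, jf, k) sock_filter tuples."""
    prog = [
        (LD_W_ABS, 0, 0, 4),             # A = seccomp_data.arch
        (JEQ_K, 1, 0, arch),             # native ABI: skip the kill below
        (RET_K, 0, 0, RET_KILL_PROCESS), # foreign ABI (e.g. 32-bit) is never trusted
        (LD_W_ABS, 0, 0, 0),             # A = seccomp_data.nr
    ]
    for rule in policy["syscalls"]:
        for name in rule["names"]:
            prog.append((JEQ_K, 0, 1, nr_table[name]))   # match: next insn; miss: skip it
            prog.append((RET_K, 0, 0, ACTIONS[rule["action"]]))
    prog.append((RET_K, 0, 0, ACTIONS[policy["default_action"]]))
    return prog

def evaluate(prog, nr, arch=AUDIT_ARCH_X86_64):
    """Interpret the filter for one syscall the way the kernel would; returns the verdict."""
    seccomp_data = {0: nr, 4: arch}      # byte offsets of nr and arch in struct seccomp_data
    pc, acc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        if code == LD_W_ABS:
            acc = seccomp_data[k]
            pc += 1
        elif code == JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == RET_K:
            return k
```

With the default policy, execve(2) from the native ABI evaluates to an errno verdict (the Beat sees EPERM rather than a new process), any other syscall falls through to allow, and a call from a foreign ABI is killed before its number is even examined.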

netinfo for add_host_metadata processor

With the add_host_metadata processor it is possible to add metadata about the host machine to each event. Thanks to the contribution from @hypp it is now possible to set netinfo.enabled: true to also add the MAC and IP addresses of the host to each event: #6878

All Beats changes

Repository: elastic/beats

Packetbeat

Changes in master:

  • Fix out of bounds access in packetbeat's HTTP parser #6997

Filebeat

Changes in master:

  • Inherit Kibana credentials from the ES output #6993
  • Registry file fsync improvements #6988
  • Support MySQL 5.7.19 by mysql/slowlog #6969
  • Fix: protect the registry critical zone when stop/close are called. #6959

Changes in 6.3:

  • Commit registry writes to stable storage to avoid corrupt registry files #6877
  • Inherit Kibana credentials from the ES output #6993

Heartbeat

Changes in 6.3:

  • Fix heartbeat races on event updates #6950

Changes in 6.2:

  • Fix heartbeat races on event updates #6950

Auditbeat

Changes in master:

Processors

Changes in master:

  • Add IP-addresses and MAC-addresses to event #6878

Testing

Changes in 6.3:

  • Update 6.3 to 46941e7c build for testing #7013

Changes in master:

  • Increase compose timeout to 300s #7017
  • Increase retries for k8s healthchecks #7007
  • Winlogbeat: Replace hardcoded delays in checkpoint tests #7005
  • Prevent warning in Auditbeat's system tests #6998
  • Remove test for comparing short / long config #6975
  • Remove `-` char from docker-compose project name #6966
  • Update URL to -oss artifacts #6965
  • Change to snapshot testing for Elastic Stack #6944
  • Harden file integrity flaky test #6907
  • Start simplify system tests #6906

Changes in 6.2:

  • Cherry-pick #6833 to 6.2: Remove version from docker-compose project name #6919

Documentation

Changes in 6.3:

  • Backport to 6.3: Fixed omission of github.com in git clone path (#6851) #7002
  • Backport to 6.3: community beats updates #7000
  • Fix double node_stats entry Elasticsearch module docs #6973

Changes in master:

  • Remove mention of Windows XP from docs #7014
  • Replace references to X-Pack with attributes or remove them #6985
  • [DOCS] Fixes certutil command name #6980
  • Fixed omission of github.com in git clone path #6851

Changes in 6.2:

  • Backport to 6.2: #6557 #7001
  • Backport to 6.2: community beats updates #6999
  • Modify title to indicate that ingest node is used for more than logs #6650
  • Indicate that Beats monitoring requires ES 6.2 or later #6651
  • Change title for SEO #6652
  • Fix descriptions of include_line and exclude_line #6654
  • Remove old reviewer notes #6655
  • Docs: use a simple clone in the New Beat guide #6786
  • Document role required to load dashboards #6849
  • Fixed omission of github.com in git clone path #6851
  • Fix double node_stats entry Elasticsearch module docs #6972

Repository: elastic/go-libaudit

Changes in master:

  • Better errors when kernel does not support auditing #33
  • Update syscall and audit message type tables for Linux 4.16 #30