Brewing in Beats: Seccomp filters
Welcome to Brewing in Beats! With these weekly series, we're keeping you up to date with what's new in Beats, including the latest commits and releases.
Did you know that Beats 6.2 is already available? Try it and let us know what you think. If you are curious to see the Beats in action, check out the Getting Started with Beats webinar.
Seccomp filters
Added a default seccomp (Secure Computing) filter for all Beats on Linux that prohibits execve, execveat, fork, and vfork system calls for the Beat process. This hardens the security of the Beats so that even if an attacker manages to execute remote code in Beats, they will have a harder time spawning new processes.
The seccomp filter policy is configurable as well, so you can block more system calls depending on your Beat and configuration. You can create your own whitelist or blacklist policy with specific actions.
This is how the default configuration for seccomp looks like:
seccomp:
default_action: allow
syscalls:
- action: errno
names:
- execve
- execveat
- fork
- vfork
This new feature will be available in the 6.4 release.
netinfo for add_host_metadata processor
With the add_host_metadata processor it is possible to add metadata about the host machine to each event. Thanks to the contribution from @hypp it is now possible to set netinfo.enabled: true to also add the MAC and IP addresses to of the host to each event: #6878
All Beats changes
Repository: elastic/beats
Packetbeat
Changes in master:
- Fix out of bounds access in packetbeat's HTTP parser #6997
Filebeat
Changes in master:
- Inherit Kibana credentials from the ES output #6993
- Registry file fsync improvements #6988
- Support MySQL 5.7.19 by mysql/slowlog #6969
- Fix: protect the registry critical zone when stop/close are called. #6959
Changes in 6.3:
- Commit registry writes to stable storage to avoid corrupt registry files #6877
- Inherit Kibana credentials from the ES output #6993
Heartbeat
Changes in 6.3:
- Fix heartbeat races on event updates #6950
Changes in 6.2:
- Fix heartbeat races on event updates #6950
Auditbeat
Changes in master:
- Update github.com/elastic/go-libaudit #7012
- Tentative fix to auditbeat test panic under macOS #6990
Processors
Changes in master:
- Add IP-addresses and MAC-addresses to event #6878
Testing
Changes in 6.3:
- Update 6.3 to 46941e7c build for testing #7013
Changes in master:
- Increase compose timeout to 300s #7017
- Increase retries for k8s healthchecks #7007
- Winlogbeat: Replace hardcoded delays in checkpoint tests #7005
- Prevent warning in Auditbeat's system tests #6998
- Remove test for comparing short / long config #6975
- Remove `-` char from docker-compose project name #6966
- Update URL to -oss artifacts #6965
- Change to snapshot testing for Elastic Stack #6944
- Harden file integrity flaky test #6907
- Start simplify system tests #6906
Changes in 6.2:
- Cherry-pick #6833 to 6.2: Remove version from docker-compose project name #6919
Documentation
Changes in 6.3:
- Backport to 6.3: Fixed omission of github.com in git clone path (#6851) #7002
- Backport to 6.3: community beats updates #7000
- Fix double node_stats entry Elasticsearch module docs #6973
Changes in master:
- Remove mention of Windows XP from docs #7014
- Replace references to X-Pack with attributes or remove them #6985
- [DOCS] Fixes certutil command name #6980
- Fixed omission of github.com in git clone path #6851
Changes in 6.2:
- Backport to 6.2: #6557 #7001
- Backport to 6.2: community beats updates #6999
- Modify title to indicate that ingest node is used for more than logs #6650,
- Indicate that Beats monitoring requires ES 6.2 or later #6651,
- Change title for SEO #6652,
- Fix descriptions of include_line and exclude_line #6654,
- Remove old reviewer notes #6655,
- Docs: use a simple clone in the New Beat guide #6786,
- Document role required to load dashboards #6849,
- Fixed omission of github.com in git clone path #6851)
- Fix double node_stats entry Elasticsearch module docs #6972
Repository: elastic/go-libaudit
Changes in master: