fim: implement ebpf backend
mmat11 committed Jan 30, 2024
1 parent 5a9613e commit 0c697ec
Showing 36 changed files with 1,347 additions and 241 deletions.
File renamed without changes.
43 changes: 1 addition & 42 deletions CHANGELOG.next.asciidoc
Expand Up @@ -132,6 +132,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d

*Auditbeat*

- Add opt-in eBPF backend for file_integrity module. {pull}37223[37223]

*Filebeat*

Expand Down Expand Up @@ -254,45 +255,3 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d


==== Known Issues










































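Review bot: the 42-line deletion under `==== Known Issues` (hunk `-254,45 +255,3`) has no visible connection to the eBPF backend. If those entries were meant to be cleared as part of a release cut, that belongs in its own commit; if it is a rebase artifact, restore them before merging.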
98 changes: 94 additions & 4 deletions NOTICE.txt
Expand Up @@ -12255,6 +12255,32 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


--------------------------------------------------------------------------------
Dependency : github.com/elastic/ebpfevents
Version: v0.3.2
Licence type (autodetected): Apache-2.0
--------------------------------------------------------------------------------

Contents of probable licence file $GOMODCACHE/github.com/elastic/ebpfevents@v0.3.2/LICENSE.txt:

The https://github.com/elastic/ebpfevents repository contains source code under
various licenses:

- Source code in the 'headers/bpf' directory, is dual-licensed under the GNU Lesser General
Public License version 2.1 (LICENSES/LGPL-2.1-only.txt) OR BSD-2-Clause license
(LICENSES/BSD-2-Clause.txt)

- Source code in the 'ebpf' submodule is licensed with multiple licenses. Read more at
https://github.com/elastic/ebpf/blob/main/LICENSE.txt.

- The binary files 'bpf_bpfel_x86.o' and 'bpf_bpfel_amd64.o' are compiled
from dual-licensed GPL-2.0-only OR BSD-2-Clause licensed code, and are distributed with
the GPL-2.0-only License (LICENSES/GPL-2.0-only.txt).

- Source code not listed in the previous points is licensed under the Apache License,
version 2 (LICENSES/Apache-2.0.txt).


--------------------------------------------------------------------------------
Dependency : github.com/elastic/elastic-agent-autodiscover
Version: v0.6.7
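Review bot: the new github.com/elastic/ebpfevents entry states that the bundled `bpf_bpfel_x86.o` and `bpf_bpfel_amd64.o` objects are distributed under GPL-2.0-only, while the module as a whole is autodetected as Apache-2.0. If those objects are embedded in the Auditbeat binary, the licensing review for this commit should cover the GPL-2.0-only component explicitly rather than relying on the autodetected label.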
Expand Down Expand Up @@ -36167,6 +36193,39 @@ OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


--------------------------------------------------------------------------------
Dependency : github.com/cilium/ebpf
Version: v0.12.3
Licence type (autodetected): MIT
--------------------------------------------------------------------------------

Contents of probable licence file $GOMODCACHE/github.com/cilium/ebpf@v0.12.3/LICENSE:

MIT License

Copyright (c) 2017 Nathan Sweet
Copyright (c) 2018, 2019 Cloudflare
Copyright (c) 2019 Authors of Cilium

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


--------------------------------------------------------------------------------
Dependency : github.com/codegangsta/inject
Version: v0.0.0-20150114235600-33e0aa1cb7c0
Expand Down Expand Up @@ -38172,11 +38231,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
Dependency : github.com/frankban/quicktest
Version: v1.14.3
Version: v1.14.5
Licence type (autodetected): MIT
--------------------------------------------------------------------------------

Contents of probable licence file $GOMODCACHE/github.com/frankban/quicktest@v1.14.3/LICENSE:
Contents of probable licence file $GOMODCACHE/github.com/frankban/quicktest@v1.14.5/LICENSE:

MIT License

Expand All @@ -38201,6 +38260,37 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


--------------------------------------------------------------------------------
Dependency : github.com/go-faker/faker/v4
Version: v4.2.0
Licence type (autodetected): MIT
--------------------------------------------------------------------------------

Contents of probable licence file $GOMODCACHE/github.com/go-faker/faker/v4@v4.2.0/LICENSE:

MIT License

Copyright (c) 2017 Iman Tumorang

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


--------------------------------------------------------------------------------
Dependency : github.com/go-logfmt/logfmt
Version: v0.5.1
Expand Down Expand Up @@ -45643,11 +45733,11 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

--------------------------------------------------------------------------------
Dependency : github.com/kr/pretty
Version: v0.3.0
Version: v0.3.1
Licence type (autodetected): MIT
--------------------------------------------------------------------------------

Contents of probable licence file $GOMODCACHE/github.com/kr/pretty@v0.3.0/License:
Contents of probable licence file $GOMODCACHE/github.com/kr/pretty@v0.3.1/License:

Copyright 2012 Keith Rarick

1 change: 0 additions & 1 deletion auditbeat/.gitignore
Expand Up @@ -6,4 +6,3 @@ module/*/_meta/config.yml
/auditbeat
/auditbeat.test
/docs/html_docs

4 changes: 4 additions & 0 deletions auditbeat/auditbeat.reference.yml
Expand Up @@ -92,6 +92,10 @@ auditbeat.modules:
# Auditbeat will ignore files unless they match a pattern.
#include_files:
#- '/\.ssh($|/)'
# Select the backend which will be used to source events.
# Valid values: ebpf, fsnotify.
# Default: fsnotify.
force_backend: fsnotify

# Scan over the configured file paths at startup and send events for new or
# modified files since the last time Auditbeat was running.
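Review bot: `force_backend: fsnotify` is added as a live (uncommented) setting, while the neighbouring options in this reference file, such as `#include_files:`, are commented-out examples. Since `fsnotify` is already the documented default, this should be `#force_backend: fsnotify` so the reference config does not start pinning a backend and stays consistent with the other options.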
1 change: 1 addition & 0 deletions auditbeat/docker-compose.yml
Expand Up @@ -14,6 +14,7 @@ services:
- KIBANA_PORT=5601
volumes:
- ${PWD}/..:/go/src/github.com/elastic/beats/
- /sys/kernel/tracing/:/sys/kernel/tracing/
command: make
privileged: true
pid: host
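Review bot: the new `/sys/kernel/tracing/` bind mount assumes the host exposes tracefs at that path; on hosts where tracefs is only reachable under `/sys/kernel/debug/tracing`, the mount source is empty or missing and the tracepoint-based tests will fail rather than skip. Consider also mounting the debugfs path, or having the eBPF tests skip when tracefs is not mounted inside the container.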
8 changes: 7 additions & 1 deletion auditbeat/docs/modules/file_integrity.asciidoc
Expand Up @@ -28,8 +28,11 @@ to only send events for new or modified files.

The operating system features that power this feature are as follows.

* Linux - `inotify` is used, and therefore the kernel must have inotify support.
* Linux - As of now, two kernel backends are supported: `ebpf` and `fsnotify`.
By default, `fsnotify` is used, and therefore the kernel must have inotify support.
Inotify was initially merged into the 2.6.13 Linux kernel.
The eBPF backend uses modern eBPF features and supports 5.10.16+ kernels.
The preferred backend can be selected by specifying the `force_backend` config option.
* macOS (Darwin) - Uses the `FSEvents` API, present since macOS 10.5. This API
coalesces multiple changes to a file into a single event. {beatname_uc} translates
this coalesced changes into a meaningful sequence of actions. However,
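Review bot: the new Linux bullet says the eBPF backend "supports 5.10.16+ kernels" but does not say what happens when `force_backend: ebpf` is set on an older kernel, nor what privileges the backend needs. The seccomp allowlist in this commit adds `bpf`, `perf_event_open` and the `prlimit64`/`setrlimit` calls used to raise `RLIMIT_MEMLOCK`, so the doc should state that the eBPF backend must run with the privileges required to load BPF programs and attach tracepoints. Minor: "this coalesced changes" in the macOS bullet should read "these coalesced changes".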
Expand Down Expand Up @@ -144,6 +147,9 @@ of this directories are watched. If `recursive` is set to `true`, the
`file_integrity` module will watch for changes on this directories and all
their subdirectories.

*`force_backend`*:: (*Linux only*) Select the backend which will be used to
source events. Valid values: `ebpf`, `fsnotify`. Default: `fsnotify`.

include::{docdir}/auditbeat-options.asciidoc[]


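Review bot: the `force_backend` option text restates the reference.yml comment but leaves the failure mode undefined: say whether an unsupported value, or `ebpf` on a kernel below 5.10.16, is a startup error or silently falls back to `fsnotify`, since an operator who expects eBPF coverage needs to know which of the two they are getting.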
44 changes: 44 additions & 0 deletions auditbeat/internal/ebpf/seccomp_linux.go
@@ -0,0 +1,44 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

//go:build linux

package ebpf

import (
"runtime"

"github.com/elastic/beats/v7/libbeat/common/seccomp"
)

func init() {
switch runtime.GOARCH {
case "amd64", "arm64":
syscalls := []string{
"bpf",
"eventfd2", // needed by ringbuf
"perf_event_open", // needed by tracepoints
"openat", // needed to create map
"newfstatat", // needed for BTF
"prlimit64", // needed to increase MEMLOCK
"setrlimit", // needed to increase MEMLOCK
}
if err := seccomp.ModifyDefaultPolicy(seccomp.AddSyscall, syscalls...); err != nil {
panic(err)
}
}
}
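Review bot: `init()` only extends the seccomp policy on amd64 and arm64, so on any other architecture the allowlist is silently not applied and an eBPF-backed run would be blocked by the default policy at the first `bpf()` call; either document that the backend is amd64/arm64-only or make the backend refuse to start elsewhere. Also, panicking from `init()` on a `ModifyDefaultPolicy` error aborts Auditbeat for every module, including ones that never use eBPF; returning the error from the backend's constructor would keep `fsnotify` users unaffected.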
27 changes: 27 additions & 0 deletions auditbeat/internal/ebpf/types.go
@@ -0,0 +1,27 @@
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package ebpf

import "github.com/elastic/ebpfevents"

type EventMask uint64

type Watcher interface {
Subscribe(string, EventMask) <-chan ebpfevents.Record
Unsubscribe(string)
}
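Review bot: the exported `Watcher` interface has no doc comments and unnamed parameters, so the contract is unclear: what the `string` key in `Subscribe`/`Unsubscribe` identifies, whether `Subscribe` with an already-used key replaces the earlier subscription or fails, and whether `Unsubscribe` closes the returned channel so readers can terminate. Naming the parameters (e.g. `Subscribe(name string, mask EventMask)`) and adding a comment on each method would settle this; a comment on which `ebpfevents` event types the `EventMask` bits correspond to would also help.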

0 comments on commit 0c697ec