From cfaadecaf2499970ed49fff9027d7d50b67e04e7 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Tue, 17 May 2022 12:10:56 +0200 Subject: [PATCH] Add config option to deploy custom elastic-agents as test services (#786) * Add config option to deploy custom elastic-agents as test services * Tidy go.mod * Simplify runner changes * Clean go.mod * Move logic to custom_agent deployer * Use DockerComposeDeployedService code * Connect to network before healthcheck * Add test, docs, and initialize the same as a composer deployer * Change Makefile * Format test package * Add test to CI * Bump stack versions * Ignore errors in test pipeline * Use apache as custom-agent test and revert stack version changes * Fail if docker-compose.yml is not found * Change custom agent deployer to use a base agent config * Replace apache custom agent example with auditd_manager * Wrap compose service deployer * Format * Overwrite setup and teardown to avoid changing compose deployer * Use service variant to avoid overriding teardown entirely * Update docs * Revert Makefile unrelated change * Use installed resources instead of a temp file * add version to custom-agent.yml * quote version field --- .ci/Jenkinsfile | 1 + Makefile | 5 +- docs/howto/system_testing.md | 53 + internal/configuration/locations/locations.go | 19 +- .../_static/docker-custom-agent-base.yml | 15 + internal/install/install.go | 16 + internal/install/static.go | 3 + .../system/servicedeployer/custom_agent.go | 151 ++ .../runners/system/servicedeployer/factory.go | 7 + .../auditd_manager/_dev/build/build.yml | 3 + .../auditd_manager/changelog.yml | 6 + .../auditd/_dev/deploy/agent/custom-agent.yml | 8 + .../_dev/test/system/test-default-config.yml | 5 + .../auditd/agent/stream/auditd.yml.hbs | 34 + .../elasticsearch/ingest_pipeline/default.yml | 327 ++++ .../data_stream/auditd/fields/base-fields.yml | 21 + .../data_stream/auditd/fields/ecs.yml | 76 + .../data_stream/auditd/fields/fields.yml | 2 + .../data_stream/auditd/manifest.yml | 128 ++ .../auditd_manager/docs/README.md | 1 + 
.../auditd_manager/img/linux.svg | 1532 +++++++++++++++++ .../auditd_manager/img/sample-screenshot.png | Bin 0 -> 18849 bytes .../auditd_manager/manifest.yml | 32 + 23 files changed, 2441 insertions(+), 4 deletions(-) create mode 100644 internal/install/_static/docker-custom-agent-base.yml create mode 100644 internal/testrunner/runners/system/servicedeployer/custom_agent.go create mode 100644 test/packages/with-custom-agent/auditd_manager/_dev/build/build.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/changelog.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/base-fields.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/ecs.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/fields.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/data_stream/auditd/manifest.yml create mode 100644 test/packages/with-custom-agent/auditd_manager/docs/README.md create mode 100644 test/packages/with-custom-agent/auditd_manager/img/linux.svg create mode 100644 test/packages/with-custom-agent/auditd_manager/img/sample-screenshot.png create mode 100644 test/packages/with-custom-agent/auditd_manager/manifest.yml diff --git a/.ci/Jenkinsfile b/.ci/Jenkinsfile index 9ee12dad1..4ce959627 100644 --- a/.ci/Jenkinsfile +++ b/.ci/Jenkinsfile 
@@ -103,6 +103,7 @@ pipeline { 'stack-command-8x': generateTestCommandStage(command: 'test-stack-command-8x', artifacts: ['build/elastic-stack-dump/stack/*/logs/*.log', 'build/elastic-stack-dump/stack/*/logs/fleet-server-internal/*']), 'check-packages-with-kind': generateTestCommandStage(command: 'test-check-packages-with-kind', artifacts: ['build/test-results/*.xml', 'build/kubectl-dump.txt', 'build/elastic-stack-dump/check-*/logs/*.log', 'build/elastic-stack-dump/check-*/logs/fleet-server-internal/*'], junitArtifacts: true, publishCoverage: true), 'check-packages-other': generateTestCommandStage(command: 'test-check-packages-other', artifacts: ['build/test-results/*.xml', 'build/elastic-stack-dump/check-*/logs/*.log', 'build/elastic-stack-dump/check-*/logs/fleet-server-internal/*'], junitArtifacts: true, publishCoverage: true), + 'check-packages-with-custom-agent': generateTestCommandStage(command: 'test-check-packages-with-custom-agent', artifacts: ['build/test-results/*.xml', 'build/elastic-stack-dump/check-*/logs/*.log', 'build/elastic-stack-dump/check-*/logs/fleet-server-internal/*'], junitArtifacts: true, publishCoverage: true), 'build-zip': generateTestCommandStage(command: 'test-build-zip', artifacts: ['build/elastic-stack-dump/build-zip/logs/*.log', 'build/integrations/*.sig']), 'profiles-command': generateTestCommandStage(command: 'test-profiles-command') ] diff --git a/Makefile b/Makefile index 9f5aed7fb..ad3fa0ace 100644 --- a/Makefile +++ b/Makefile @@ -65,7 +65,7 @@ test-stack-command-8x: test-stack-command: test-stack-command-default test-stack-command-7x test-stack-command-800 test-stack-command-8x -test-check-packages: test-check-packages-with-kind test-check-packages-other test-check-packages-parallel +test-check-packages: test-check-packages-with-kind test-check-packages-other test-check-packages-parallel test-check-packages-with-custom-agent test-check-packages-with-kind: PACKAGE_TEST_TYPE=with-kind ./scripts/test-check-packages.sh 
@@ -76,6 +76,9 @@ test-check-packages-other: test-check-packages-parallel: PACKAGE_TEST_TYPE=parallel ./scripts/test-check-packages.sh +test-check-packages-with-custom-agent: + PACKAGE_TEST_TYPE=with-custom-agent ./scripts/test-check-packages.sh + test-build-zip: ./scripts/test-build-zip.sh diff --git a/docs/howto/system_testing.md b/docs/howto/system_testing.md index 2b974a813..366d0a2e2 100644 --- a/docs/howto/system_testing.md +++ b/docs/howto/system_testing.md @@ -64,6 +64,7 @@ or the data stream's level: `` - a name of the supported service deployer: * `docker` - Docker Compose +* `agent` - Custom `elastic-agent` with Docker Compose * `k8s` - Kubernetes * `tf` - Terraform @@ -106,6 +107,58 @@ volumes: mysqldata: ``` +### Agent service deployer + +When using the Agent service deployer, the `elastic-agent` provided by the stack +will not be used. An agent will be deployed as a Docker compose service named `docker-custom-agent` +which base configuration is provided [here](../../internal/install/_static/docker-custom-agent-base.yml). +This configuration will be merged with the one provided in the `custom-agent.yml` file. +This is useful if you need different capabilities than the provided by the +`elastic-agent` used by the `elastic-package stack` command. + +`custom-agent.yml` +``` +version: '2.3' +services: + docker-custom-agent: + pid: host + cap_add: + - AUDIT_CONTROL + - AUDIT_READ + user: root +``` + +This will result in an agent configuration such as: + +``` +version: '2.3' +services: + docker-custom-agent: + hostname: docker-custom-agent + image: "docker.elastic.co/beats/elastic-agent-complete:8.2.0" + pid: host + cap_add: + - AUDIT_CONTROL + - AUDIT_READ + user: root + healthcheck: + test: "elastic-agent status" + retries: 180 + interval: 1s + environment: + FLEET_ENROLL: "1" + FLEET_INSECURE: "1" + FLEET_URL: "http://fleet-server:8220" +``` + +And in the test config: + +``` +data_stream: + vars: + # ... +``` + ### Terraform service deployer 
diff --git a/internal/configuration/locations/locations.go b/internal/configuration/locations/locations.go index 68849ad4b..934733578 100644 --- a/internal/configuration/locations/locations.go +++ b/internal/configuration/locations/locations.go @@ -27,12 +27,15 @@ const ( fieldsCachedDir = "cache/fields" terraformDeployerYmlFile = "terraform-deployer.yml" + + dockerCustomAgentDeployerYmlFile = "docker-custom-agent-base.yml" ) var ( - serviceLogsDir = filepath.Join(temporaryDir, "service_logs") - kubernetesDeployerDir = filepath.Join(deployerDir, "kubernetes") - terraformDeployerDir = filepath.Join(deployerDir, "terraform") + serviceLogsDir = filepath.Join(temporaryDir, "service_logs") + kubernetesDeployerDir = filepath.Join(deployerDir, "kubernetes") + terraformDeployerDir = filepath.Join(deployerDir, "terraform") + dockerCustomAgentDeployerDir = filepath.Join(deployerDir, "docker_custom_agent") ) //LocationManager maintains an instance of a config path location @@ -96,6 +99,16 @@ func (loc LocationManager) TerraformDeployerYml() string { return filepath.Join(loc.stackPath, terraformDeployerDir, terraformDeployerYmlFile) } +// DockerCustomAgentDeployerDir returns the DockerCustomAgent Directory +func (loc LocationManager) DockerCustomAgentDeployerDir() string { + return filepath.Join(loc.stackPath, dockerCustomAgentDeployerDir) +} + +// DockerCustomAgentDeployerYml returns the DockerCustomAgent deployer yml file +func (loc LocationManager) DockerCustomAgentDeployerYml() string { + return filepath.Join(loc.stackPath, dockerCustomAgentDeployerDir, dockerCustomAgentDeployerYmlFile) +} + // ServiceLogDir returns the log directory func (loc LocationManager) ServiceLogDir() string { return filepath.Join(loc.stackPath, serviceLogsDir) diff --git a/internal/install/_static/docker-custom-agent-base.yml b/internal/install/_static/docker-custom-agent-base.yml new file mode 100644 index 000000000..ade70a2a0 --- /dev/null 
+++ b/internal/install/_static/docker-custom-agent-base.yml
@@ -0,0 +1,15 @@
+version: "2.3"
+services:
+  docker-custom-agent:
+    image: "${ELASTIC_AGENT_IMAGE_REF}"
+    healthcheck:
+      test: "elastic-agent status"
+      retries: 180
+      interval: 1s
+    hostname: docker-custom-agent
+    environment:
+      - FLEET_ENROLL=1
+      - FLEET_INSECURE=1
+      - FLEET_URL=http://fleet-server:8220
+    volumes:
+      - ${SERVICE_LOGS_DIR}:/tmp/service_logs/
diff --git a/internal/install/install.go b/internal/install/install.go
index 4078ee9d6..23eddf83e 100644
--- a/internal/install/install.go
+++ b/internal/install/install.go
@@ -67,6 +67,11 @@ func EnsureInstalled() error {
 		return errors.Wrap(err, "writing Terraform deployer resources failed")
 	}
 
+	err = writeDockerCustomAgentResources(elasticPackagePath)
+	if err != nil {
+		return errors.Wrap(err, "writing Terraform deployer resources failed")
+	}
+
 	if err := createServiceLogsDir(elasticPackagePath); err != nil {
 		return errors.Wrap(err, "creating service logs directory failed")
 	}
@@ -218,6 +223,17 @@ func writeTerraformDeployerResources(elasticPackagePath *locations.LocationManag
 	return nil
 }
 
+func writeDockerCustomAgentResources(elasticPackagePath *locations.LocationManager) error {
+	dir := elasticPackagePath.DockerCustomAgentDeployerDir()
+	if err := os.MkdirAll(dir, 0755); err != nil {
+		return errors.Wrapf(err, "creating directory failed (path: %s)", dir)
+	}
+	if err := writeStaticResource(nil, elasticPackagePath.DockerCustomAgentDeployerYml(), dockerCustomAgentBaseYml); err != nil {
+		return errors.Wrap(err, "writing static resource failed")
+	}
+	return nil
+}
+
 func writeConfigFile(elasticPackagePath *locations.LocationManager) error {
 	var err error
 	err = writeStaticResource(err, filepath.Join(elasticPackagePath.RootDir(), applicationConfigurationYmlFile), applicationConfigurationYml)
diff --git a/internal/install/static.go b/internal/install/static.go
index 9dbe93dba..fb6b6d40c 100644
--- a/internal/install/static.go
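Review bot: docker-custom-agent-base.yml has no comment explaining its contract, although it is merged verbatim with a package-supplied custom-agent.yml and depends on two substitution variables that nothing in the file defines. A header such as `# Base compose definition for the "agent" service deployer; merged with the package's custom-agent.yml. ELASTIC_AGENT_IMAGE_REF and SERVICE_LOGS_DIR are injected by the deployer.` would tell a reader where those values come from (presumably the env built in CustomAgentDeployer.SetUp from StackImageRefs().AsEnv() and serviceLogsDirEnv; worth confirming the variable names match). The `FLEET_INSECURE=1` and plain-http `FLEET_URL` pair also deserves a one-line comment saying it targets the local test stack's fleet-server, so the file is not mistaken for a template for a real agent deployment.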
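Review bot: The error wrapping the new writeDockerCustomAgentResources call in EnsureInstalled still reads "writing Terraform deployer resources failed", so a failure here is reported against the wrong deployer; change it to `return errors.Wrap(err, "writing Docker custom agent deployer resources failed")`. The same hunk could use the `if err := writeDockerCustomAgentResources(elasticPackagePath); err != nil {` form that the createServiceLogsDir call directly below it uses, instead of reusing the outer err. In the second hunk, writeDockerCustomAgentResources passes nil as writeStaticResource's first argument while writeConfigFile threads err through it; if that parameter is an error accumulator the nil is fine, but a short comment on the call would spare the next reader the lookup. EnsureInstalled's body continues outside the hunk.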
+++ b/internal/install/static.go
@@ -29,3 +29,6 @@ var geoIpCountryMmdb string
 
 //go:embed _static/service_tokens
 var serviceTokens string
+
+//go:embed _static/docker-custom-agent-base.yml
+var dockerCustomAgentBaseYml string
diff --git a/internal/testrunner/runners/system/servicedeployer/custom_agent.go b/internal/testrunner/runners/system/servicedeployer/custom_agent.go
new file mode 100644
index 000000000..1f38a7330
--- /dev/null
+++ b/internal/testrunner/runners/system/servicedeployer/custom_agent.go
@@ -0,0 +1,151 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package servicedeployer
+
+import (
+	_ "embed"
+	"fmt"
+
+	"github.com/pkg/errors"
+
+	"github.com/elastic/elastic-package/internal/compose"
+	"github.com/elastic/elastic-package/internal/configuration/locations"
+	"github.com/elastic/elastic-package/internal/docker"
+	"github.com/elastic/elastic-package/internal/files"
+	"github.com/elastic/elastic-package/internal/install"
+	"github.com/elastic/elastic-package/internal/kibana"
+	"github.com/elastic/elastic-package/internal/logger"
+	"github.com/elastic/elastic-package/internal/stack"
+)
+
+const dockerCustomAgentName = "docker-custom-agent"
+
+// CustomAgentDeployer knows how to deploy a custom elastic-agent defined via
+// a Docker Compose file.
+type CustomAgentDeployer struct {
+	cfg string
+}
+
+// NewCustomAgentDeployer returns a new instance of a deployedCustomAgent.
+func NewCustomAgentDeployer(cfgPath string) (*CustomAgentDeployer, error) {
+	return &CustomAgentDeployer{
+		cfg: cfgPath,
+	}, nil
+}
+
+// SetUp sets up the service and returns any relevant information.
+func (d *CustomAgentDeployer) SetUp(inCtxt ServiceContext) (DeployedService, error) {
+	logger.Debug("setting up service using Docker Compose service deployer")
+
+	appConfig, err := install.Configuration()
+	if err != nil {
+		return nil, errors.Wrap(err, "can't read application configuration")
+	}
+
+	kibanaClient, err := kibana.NewClient()
+	if err != nil {
+		return nil, errors.Wrap(err, "can't create Kibana client")
+	}
+
+	stackVersion, err := kibanaClient.Version()
+	if err != nil {
+		return nil, errors.Wrap(err, "can't read Kibana injected metadata")
+	}
+
+	env := append(
+		appConfig.StackImageRefs(stackVersion).AsEnv(),
+		fmt.Sprintf("%s=%s", serviceLogsDirEnv, inCtxt.Logs.Folder.Local),
+	)
+
+	ymlPaths, err := d.loadComposeDefinitions()
+	if err != nil {
+		return nil, err
+	}
+
+	service := dockerComposeDeployedService{
+		ymlPaths: ymlPaths,
+		project:  "elastic-package-service",
+		sv: ServiceVariant{
+			Name: dockerCustomAgentName,
+			Env:  env,
+		},
+	}
+
+	outCtxt := inCtxt
+
+	p, err := compose.NewProject(service.project, service.ymlPaths...)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not create Docker Compose project for service")
+	}
+
+	// Verify the Elastic stack network
+	err = stack.EnsureStackNetworkUp()
+	if err != nil {
+		return nil, errors.Wrap(err, "Elastic stack network is not ready")
+	}
+
+	// Clean service logs
+	err = files.RemoveContent(outCtxt.Logs.Folder.Local)
+	if err != nil {
+		return nil, errors.Wrap(err, "removing service logs failed")
+	}
+
+	inCtxt.Name = dockerCustomAgentName
+	serviceName := inCtxt.Name
+	opts := compose.CommandOptions{
+		Env:       env,
+		ExtraArgs: []string{"--build", "-d"},
+	}
+	err = p.Up(opts)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not boot up service using Docker Compose")
+	}
+
+	// Connect service network with stack network (for the purpose of metrics collection)
+	err = docker.ConnectToNetwork(p.ContainerName(serviceName), stack.Network())
+	if err != nil {
+		return nil, errors.Wrapf(err, "can't attach service container to the stack network")
+	}
+
+	err = p.WaitForHealthy(opts)
+	if err != nil {
+		processServiceContainerLogs(p, compose.CommandOptions{
+			Env: opts.Env,
+		}, outCtxt.Name)
+		return nil, errors.Wrap(err, "service is unhealthy")
+	}
+
+	// Build service container name
+	outCtxt.Hostname = p.ContainerName(serviceName)
+
+	logger.Debugf("adding service container %s internal ports to context", p.ContainerName(serviceName))
+	serviceComposeConfig, err := p.Config(compose.CommandOptions{Env: env})
+	if err != nil {
+		return nil, errors.Wrap(err, "could not get Docker Compose configuration for service")
+	}
+
+	s := serviceComposeConfig.Services[serviceName]
+	outCtxt.Ports = make([]int, len(s.Ports))
+	for idx, port := range s.Ports {
+		outCtxt.Ports[idx] = port.InternalPort
+	}
+
+	// Shortcut to first port for convenience
+	if len(outCtxt.Ports) > 0 {
+		outCtxt.Port = outCtxt.Ports[0]
+	}
+
+	outCtxt.Agent.Host.NamePrefix = inCtxt.Name
+	service.ctxt = outCtxt
+	return &service, nil
+}
+
+func (d *CustomAgentDeployer) loadComposeDefinitions() ([]string, error) {
+	locationManager, err := locations.NewLocationManager()
+	if err != nil {
+		return nil, errors.Wrap(err, "can't locate Docker Compose file for Custom Agent deployer")
+	}
+	return []string{locationManager.DockerCustomAgentDeployerYml(), d.cfg}, nil
+}
diff --git a/internal/testrunner/runners/system/servicedeployer/factory.go b/internal/testrunner/runners/system/servicedeployer/factory.go
index 44effe78e..bbd4ae02d 100644
--- a/internal/testrunner/runners/system/servicedeployer/factory.go
+++ b/internal/testrunner/runners/system/servicedeployer/factory.go
@@ -51,6 +51,13 @@ func Factory(options FactoryOptions) (ServiceDeployer, error) {
 			}
 			return NewDockerComposeServiceDeployer([]string{dockerComposeYMLPath}, sv)
 		}
+	case "agent":
+		customAgentCfgYMLPath := filepath.Join(serviceDeployerPath, "custom-agent.yml")
+		if _, err := os.Stat(customAgentCfgYMLPath); err != nil {
+			return nil, errors.Wrap(err, "can't find expected file custom-agent.yml")
+		}
+		return NewCustomAgentDeployer(customAgentCfgYMLPath)
+
 	case "tf":
 		if _, err := os.Stat(serviceDeployerPath); err == nil {
 			return NewTerraformServiceDeployer(serviceDeployerPath)
diff --git a/test/packages/with-custom-agent/auditd_manager/_dev/build/build.yml b/test/packages/with-custom-agent/auditd_manager/_dev/build/build.yml
new file mode 100644
index 000000000..d61527283
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: git@8.2
diff --git a/test/packages/with-custom-agent/auditd_manager/changelog.yml b/test/packages/with-custom-agent/auditd_manager/changelog.yml
new file mode 100644
index 000000000..fbfe014a8
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/changelog.yml
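Review bot: In SetUp, inCtxt.Name is reassigned to dockerCustomAgentName only after `outCtxt := inCtxt` has copied the struct, so outCtxt.Name keeps the caller's value while the compose service, the container name and Agent.Host.NamePrefix all use "docker-custom-agent", and processServiceContainerLogs is then handed outCtxt.Name, which may not name the container whose logs it should collect. If Name is meant to carry the deployed service name, add `outCtxt.Name = dockerCustomAgentName` next to the inCtxt assignment; otherwise pass serviceName to processServiceContainerLogs. There are also copy-paste leftovers: the debug line says "setting up service using Docker Compose service deployer", the NewCustomAgentDeployer comment refers to a nonexistent deployedCustomAgent, the `_ "embed"` import has no go:embed directive in this file, and the `errors.Wrapf` on the ConnectToNetwork failure formats nothing and should be `errors.Wrap` like its neighbours. NewCustomAgentDeployer can never return a non-nil error, so the error forwarding in the factory.go hunk is dead code unless the constructor is expected to validate cfgPath. Finally, loadComposeDefinitions appends the package's custom-agent.yml unmodified after the base file, so a package can set any compose option on the agent container (the fixture in this commit uses pid: host, cap_add and user: root); the CustomAgentDeployer doc comment should state that custom-agent.yml is trusted input from the package under test.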
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "999.999.999"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1
diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml
new file mode 100644
index 000000000..531c24ced
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/deploy/agent/custom-agent.yml
@@ -0,0 +1,8 @@
+version: "2.3"
+services:
+  docker-custom-agent:
+    pid: host
+    cap_add:
+      - AUDIT_CONTROL
+      - AUDIT_READ
+    user: root
diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml
new file mode 100644
index 000000000..50f51ca6e
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/_dev/test/system/test-default-config.yml
@@ -0,0 +1,5 @@
+data_stream:
+  vars:
+    audit_rules:
+      - "-a always,exit -F arch=b64 -S execve,execveat -k exec"
+    preserve_original_event: true
diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
new file mode 100644
index 000000000..626b5973e
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/agent/stream/auditd.yml.hbs
@@ -0,0 +1,34 @@
+# EQL expression evaluated by Elastic Agent to limit input to Linux.
+condition: ${host.platform} == 'linux'
+
+type: audit/auditd
+include_raw_message: true
+{{#if multicast}}
+socket_type: multicast
+{{else}}
+socket_type: unicast
+{{/if}}
+resolve_ids: {{resolve_ids}}
+failure_mode: {{failure_mode}}
+audit_rules: |
+{{#each audit_rules as |rule i|}}
+  {{rule}}
+{{/each}}
+backlog_limit: {{backlog_limit}}
+rate_limit: {{rate_limit}}
+include_warnings: {{include_warnings}}
+backpressure_strategy: {{backpressure_strategy}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000..761b0df32
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,327 @@ +--- +description: Pipeline for parsing Linux auditd logs +processors: + - set: + field: ecs.version + value: '8.2.0' + - rename: + field: event.original + target_field: auditd.messages + ignore_missing: true + - join: + field: auditd.messages + separator: "\n" + target_field: event.original + if: ctx?.auditd?.messages != null && ctx.auditd.messages instanceof List + - rename: + field: error.message + target_field: auditd.warnings + ignore_missing: true + - join: + field: auditd.warnings + separator: "\n" + target_field: error.message + if: ctx?.auditd?.warnings != null && ctx.auditd.warnings instanceof List + - rename: + field: source.path + target_field: source.address + ignore_missing: true + ignore_failure: true + - rename: + field: destination.path + target_field: destination.address + ignore_missing: true + ignore_failure: true + - rename: + field: user.audit + target_field: auditd.user.audit + ignore_missing: true + ignore_failure: true + - rename: + field: file.selinux + target_field: auditd.file.selinux + ignore_missing: true + ignore_failure: true + - rename: + field: user.selinux + target_field: auditd.user.selinux + ignore_missing: true + ignore_failure: true + - rename: + field: user.saved + target_field: auditd.user.saved + ignore_missing: true + ignore_failure: true + - rename: + field: user.filesystem + target_field: auditd.user.filesystem + ignore_missing: true + ignore_failure: true + - rename: + field: user.new_auid + target_field: auditd.user.new_auid + ignore_missing: true + ignore_failure: true + - rename: + field: user.new-auid + target_field: auditd.user.new_auid + ignore_missing: true + ignore_failure: true + - rename: + field: user.old_auid + target_field: auditd.user.old_auid + ignore_missing: true + ignore_failure: true + - rename: + field: user.old-auid + target_field: auditd.user.old_auid + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-ses + target_field: auditd.data.new_ses + 
ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-ses + target_field: auditd.data.old_ses + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-enabled + target_field: auditd.data.new_enabled + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-enabled + target_field: auditd.data.old_enabled + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.vm-ctx + target_field: auditd.data.vm_ctx + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-rng + target_field: auditd.data.new_rng + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-net + target_field: auditd.data.new_net + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-seuser + target_field: auditd.data.new_seuser + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-net + target_field: auditd.data.old_net + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.nlnk-pid + target_field: auditd.data.nlnk_pid + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.ipx-net + target_field: auditd.data.ipx_net + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-vpcu + target_field: auditd.data.old_vpcu + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-fs + target_field: auditd.data.new_fs + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.vm-pid + target_field: auditd.data.vm_pid + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-auid + target_field: auditd.data.old_auid + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-disk + target_field: auditd.data.new_disk + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.nlnk-grp + target_field: auditd.data.nlnk_grp + 
ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-mem + target_field: auditd.data.new_mem + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-chardev + target_field: auditd.data.new_chardev + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-rng + target_field: auditd.data.old_rng + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-level + target_field: auditd.data.new_level + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-mem + target_field: auditd.data.old_mem + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.default-context + target_field: auditd.data.default_context + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-log_passwd + target_field: auditd.data.new_log_passwd + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.selected-context + target_field: auditd.data.selected_context + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-range + target_field: auditd.data.old_range + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-range + target_field: auditd.data.new_range + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-disk + target_field: auditd.data.old_disk + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.nlnk-fam + target_field: auditd.data.nlnk_fam + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-fs + target_field: auditd.data.old_fs + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-ses + target_field: auditd.data.old_ses + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-vcpu + target_field: auditd.data.new_vcpu + ignore_missing: true + ignore_failure: true + - rename: + field: 
auditd.data.old-level + target_field: auditd.data.old_level + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-role + target_field: auditd.data.old_role + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.new-role + target_field: auditd.data.new_role + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-log_passwd + target_field: auditd.data.old_log_passwd + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-seuser + target_field: auditd.data.old_seuser + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.img-ctx + target_field: auditd.data.img_ctx + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.old-chardev + target_field: auditd.data.old_chardev + ignore_missing: true + ignore_failure: true + - set: + field: event.outcome + value: failure + if: ctx?.event?.outcome == "fail" + - rename: + field: auditd.sequence + target_field: event.sequence + ignore_missing: true + ignore_failure: true + - rename: + field: auditd.data.id + target_field: event.id + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - remove: + field: auditd.messages + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true + ignore_missing: true + - script: + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. 
+ source: | + void handleMap(Map map) { + for (def x : map.values()) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + void handleList(List list) { + for (def x : list) { + if (x instanceof Map) { + handleMap(x); + } else if (x instanceof List) { + handleList(x); + } + } + list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)); + } + handleMap(ctx); +on_failure: + - set: + field: error.message + value: "{{ _ingest.on_failure_message }}" diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/base-fields.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/base-fields.yml new file mode 100644 index 000000000..aff492ff4 --- /dev/null +++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/base-fields.yml @@ -0,0 +1,21 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module + value: auditd +- name: event.dataset + type: constant_keyword + description: Event dataset + value: auditd_manager.auditd +- name: '@timestamp' + external: ecs +- name: tags + external: ecs diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/ecs.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/ecs.yml new file mode 100644 index 000000000..d2aeb018d --- /dev/null +++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/ecs.yml 
@@ -0,0 +1,76 @@
+- name: ecs.version
+ external: ecs
+- name: event.outcome
+ external: ecs
+- name: process.pid
+ external: ecs
+- name: process.executable
+ external: ecs
+- name: process.name
+ external: ecs
+- name: process.parent.pid
+ external: ecs
+- name: process.title
+ external: ecs
+- name: process.working_directory
+ external: ecs
+- name: process.args
+ external: ecs
+- name: related.user
+ external: ecs
+- name: service.type
+ external: ecs
+- name: event.id
+ external: ecs
+- name: file.device
+ external: ecs
+- name: file.gid
+ external: ecs
+- name: file.group
+ external: ecs
+- name: file.inode
+ external: ecs
+- name: file.mode
+ external: ecs
+- name: file.owner
+ external: ecs
+- name: file.path
+ external: ecs
+- name: file.uid
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: source.address
+ external: ecs
+- name: destination.address
+ external: ecs
+- name: network.direction
+ external: ecs
+- name: group.id
+ external: ecs
+- name: group.name
+ external: ecs
+- name: user.group.id
+ external: ecs
+- name: user.group.name
+ external: ecs
+- name: user.id
+ external: ecs
+- name: user.name
+ external: ecs
+- name: user.effective.id
+ external: ecs
+- name: user.effective.name
+ external: ecs
+- name: user.target.id
+ external: ecs
+- name: user.target.name
+ external: ecs
+- name: user.effective.group.id
+ external: ecs
+- name: user.effective.group.name
+ external: ecs
+- name: user.target.group.id
+ external: ecs
+- name: user.target.group.name
+ external: ecs
diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/fields.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/fields.yml
new file mode 100644
index 000000000..e27a9a233
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/fields/fields.yml
@@ -0,0 +1,2 @@
+- name: auditd
+ type: flattened
diff --git a/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/manifest.yml b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/manifest.yml
new file mode 100644
index 000000000..626fed5ba
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/data_stream/auditd/manifest.yml
@@ -0,0 +1,128 @@
+title: "Auditd Manager"
+type: logs
+streams:
+ - input: audit/auditd
+ title: Auditd events
+ template_path: auditd.yml.hbs
+ description: Collect auditd events
+ vars:
+ - name: multicast
+ type: bool
+ title: Multicast socket type
+ show_user: true
+ multi: false
+ default: false
+ description: "This setting controls if the socket type used to receive events is multicast.\nThis setting should be disabled when `elastic-agent` is the primary userspace\ndaemon for receiving audit events and managing the rules. Only a single process\ncan receive audit events if this is disabled, so any other daemons should be \nstopped (e.g. stop `auditd`).\n\nThis setting can be enabled with kernel versions 3.16 and newer. By setting it\n`elastic-agent` will receive an audit event broadcast that is not exclusive\nto a single process. This is ideal for situations where `auditd` is running and\nmanaging the rules.\n\nIf it is set to `true`, but the kernel version is less than 3.16 it will be\nautomatically disabled.\\n\"\n"
+ - name: resolve_ids
+ type: bool
+ title: Resolve IDs
+ show_user: true
+ multi: false
+ default: true
+ description: Enables the resolution of UIDs and GIDs to their associated names.
+ - name: failure_mode
+ type: text
+ title: Failure mode
+ required: true
+ multi: false
+ show_user: false
+ default: silent
+ description: |
+ This determines the kernel's behavior on critical
+ failures such as errors sending events to `elastic-agent`, the backlog limit was
+ exceeded, the kernel ran out of memory, or the rate limit was exceeded. The
+ options are `silent`, `log`, or `panic`. `silent` makes the kernel
+ ignore the errors, `log` makes the kernel write the audit messages using
+ `printk` so they show up in system's syslog, and `panic` causes the kernel to
+ panic to prevent use of the machine.
+ - name: audit_rules
+ type: text
+ title: Audit rules
+ required: true
+ multi: true
+ show_user: true
+ description: "List of the audit rules that should be\ninstalled to the kernel. There should be one rule per line. Comments can be\nembedded in the string using `#` as a prefix. The format for rules is the same\nused by the Linux `auditctl` utility. `elastic-agent` supports adding file watches\n(`-w`) and syscall rules (`-a` or `-A`). For more information, \nsee the integration detail page.\n"
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ default: false
+ multi: false
+ - name: backlog_limit
+ type: text
+ title: Backlog limit
+ required: true
+ show_user: false
+ default: 8192
+ description: This controls the maximum number of audit messages that will be buffered by the kernel.
+ multi: false
+ - name: rate_limit
+ type: text
+ title: Rate limit
+ required: true
+ show_user: false
+ default: 0
+ multi: false
+ description: |
+ This sets a rate limit on the number of messages/sec
+ delivered by the kernel. The default is `0`, which disables rate limiting.
+ Changing this value to anything other than zero can cause messages to be lost.
+ The preferred approach to reduce the messaging rate is be more selective in the
+ audit ruleset.
+ - name: include_warnings
+ required: true
+ show_user: false
+ multi: false
+ title: Include warnings
+ description: |
+ Causes to include as warnings any issues that were encountered while parsing the raw
+ messages. The messages are written to the `error.message` field.
+ When this setting is enabled the raw messages will be included
+ in the event regardless of the `Preserve original event` config setting. This
+ setting is primarily used for debugging purposes.
+ type: bool
+ default: false
+ - name: backpressure_strategy
+ type: text
+ title: Backpressure strategy
+ required: true
+ show_user: false
+ multi: false
+ default: auto
+ description: |
+ Specifies the strategy that used to
+ prevent backpressure from propagating to the kernel and impacting audited
+ processes.
+
+ The possible values are:
+
+ * `auto`: uses the `kernel` strategy, if supported, or
+ falls back to the `userspace` strategy.
+ * `kernel`: sets the `backlog_wait_time` in the kernel's
+ audit framework to 0. This causes events to be discarded in the kernel if
+ the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+ newer.
+ * `userspace`: drops events when there is backpressure
+ from the publishing pipeline. If no `Rate limit` is set, sets a rate
+ limit of `5000``. Users should test their setup and adjust the `Rate limit`
+ option accordingly.
+ * `both`: uses the `kernel` and `userspace` strategies at the same
+ time.
+ * `none`: No backpressure mitigation measures are enabled.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - auditd_manager-auditd
+ - name: processors
+ type: yaml
+ title: Processors
+ required: false
+ show_user: false
+ multi: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/test/packages/with-custom-agent/auditd_manager/docs/README.md b/test/packages/with-custom-agent/auditd_manager/docs/README.md
new file mode 100644
index 000000000..4381ae615
--- /dev/null
+++ b/test/packages/with-custom-agent/auditd_manager/docs/README.md
@@ -0,0 +1 @@
+# TEST PACKAGE
\ No newline at end of file
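Review bot: The `multicast` description string at the top of this hunk is mis-escaped — it ends in `automatically disabled.\\n\"\n"`, so the help text rendered in Kibana carries a literal `\n"` after the final sentence; the tail should read `automatically disabled.\n"`. Two smaller wording defects further down: the `backpressure_strategy` description has a stray extra backtick in `sets a rate limit of `5000``.` and opens with `Specifies the strategy that used to`, which should be `Specifies the strategy used to`. Separately, the `include_warnings` text promises that the raw messages stay in the event regardless of `Preserve original event`, yet this patch's ingest pipeline removes `event.original` and `auditd.messages` whenever the `preserve_original_event` tag is absent; if the warnings path stores the raw lines in either of those fields the promise does not survive ingestion, which matters because raw audit records can carry command lines, paths and user names that operators may not expect to retain. Worth confirming where the warnings path writes the raw lines and adjusting either the pipeline conditions or this description so they agree.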
diff --git a/test/packages/with-custom-agent/auditd_manager/img/linux.svg b/test/packages/with-custom-agent/auditd_manager/img/linux.svg new file mode 100644 index 000000000..c0a92e0c0 --- /dev/null +++ b/test/packages/with-custom-agent/auditd_manager/img/linux.svg @@ -0,0 +1,1532 @@ + + + + Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + image/svg+xml + + Tux + 20 June 2012 + + + Garrett LeSage + + + + + + Larry Ewing, the creator of the original Tux graphic + + + + + tux + Linux + penguin + logo + + + + + Larry Ewing, Garrett LeSage + + + https://github.com/garrett/Tux + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/test/packages/with-custom-agent/auditd_manager/img/sample-screenshot.png b/test/packages/with-custom-agent/auditd_manager/img/sample-screenshot.png new file mode 100644 index 0000000000000000000000000000000000000000..d7a56a3ecc078c38636698cefba33f86291dd178 GIT binary patch literal 18849 zcmeEu^S~#!E#4Tq;}?6chqwB{?k=6jc5D4>l%v(rleJ2Y%tW zDj9g7px}|*e;{M?LDwiK3@FNS(lDRTd-MJYIyUJCN948~OJk1M(DrJyI#iV;P4k~& zFZo35IfQt0RwlUN`48^6(1dv_wm(y1xhEdMld=Y?!%u=fPT_*{3( zwBwz3#qR}_)t>C*jp5@U)Ti~B)Y;qq*TRxZJ7ZRN_^A3TDAEM*@7Ve%(Ro7=1%1B< zVj6GBUTxXev>_^SFA zgKZ=g4aTS}9>Ofj7cSB0WO?gQ)x=+!hs_)b$6#>ScFZ>XAoIX)%Bc|BDC~JFBk0f0 z0NY}6gb)&!qx^FWC(!ji+Kl$V$2|ocA=vN0TM0Y`U?tX+T)c*C zA!IL(T2Vm%MCLa85^if@J@Kkprx8QN5!6eCR@4Oa5S?4-4|ou?90mFCM8D!;n(5xz zO}-*t!TntN>|a$s(kGQg1P-U?hqvGF2_fGvd&~yZ_l3Qf&j~XWa=;>N3#-~#zjzcc z*m18L`A-K2o!d@J>a8SRbm4P&-q1(H>|JgIymDbnJF&@008`=X!P?4DGgZb>voUl^ zNJKgPR4S={)3vuk_{n@=M8q;;aJL>q+VLdTnO=}`&x;1DKjJA3*f*idS{jP5?+;!W zn-^7021Z4zv`Aq`hmX1aid997RNh3fa-@PG(W7TzKa1W&5^y3|lPeETP7j9qXpo4)7%(W0_2 z^Nmq;t@rb1eP3?%kOkH`P%!zTC7ZHjSfNN3*Sb#=3#jB*KpNGNfnRZ{N(6DrW(;B2Bwom<%m?VQP%K+ zsFeF1-(DY}oP@)w^Kw~gPg03q?N;)Ec6^|nikA34T~RynX*z}H>R~qgT$`Zbhn8wzZs$j2fsGN&rOK-mIBBvzD@a8FgbLpL!h5N^u&0wG} zq!#md3MHITv?3@$37J?lc_5*LWJTTjel;IiU-Yq;(g9I^D&KN_NKVS0O~GvB~FzPM6}=4d%fG4Nw4pZshcyLqK@`b8?RhD38haIyr@+8+0r5TC1*C7^WleJ zZN3_ngTD#RQvNL*;qD2H@cBWJbCC#d!}=oKfod5SE9a?!?j%DVt1z@inN}Iy$r+96 zM@P?AC+(`cM;z6J94BYGJ;+P-N#yj$?`G26ydS&OVH?~JY(N4l()Fh+x+DoJ@r<+i zhm^ck@QP`=fLApr62@KyOef~}zuG;(VbDQmw|Wb+oSHSw=%w9R)=et0cY*~ytX)#M zEXlK^p;zM@vTnXn+C1vwP)~TJv|TvDE2($;;EzC5_5IL#H;u z)#CO8)TSzbt8)wHB8$I8KcIojx&GoE)3QNu{CQ+_xBmQ&`mL5-u=BX(hs^hMY^ zae!!*Q;Tr$@(0~GoBJAohGw*d{l8~!aXop87aaSUb2jm)Tk>#$1*cdo5Sl+?oD!l4Og~yX+soottl4 zp4OartUuAN(dD~yLJ}`A1*!D4-|L^hM;`_DM^1KYs-VF(}h(BjRO``b+xV~%O=-)?p z7ciJH7Fnl?V&=ay_AB{oQoa2iR;6$^tiE|-eRCFy|3F@%j#6gUxkZX@?K`F$u#;T< z4IZORpUthmB?U`;zrOkp?P(Rvd5TFRWrBJmVg;KEZvJ+;Q}FRY%QZ?c^&$oPXW+C5 zdN#c>v%U?QuE+hMQdzxS1Q(BT90;29qu#^A?a^)Ui;{TJ;%`nLgm2ew$J4NvREjCJ 
z$`C7&?tH$CrVG@M3J1-KJw_*9BKeL*JX{ zN+Vg_TXb9^jJO$ZGkXO6BBFDjt~w5`w2TB*z$&1W5Il3IiDs=ZMDt|9iRtKET*wF6 z0Z+|N87p-5Fh)^(*l>OVr5^aY5LW(@PuM>Qo@&)yj6XRkPm1>eTF#Y_c*aRF^ZY5A z9FAU7lKEHG@i{wJMPg;n6z2|69d-)q9@<7t()d-zPy&X zdXG7{Uw{k23)CzzQAXw#iqj<1u~W@K_Ljc#?ukh;fRKHeJ2l~Z+52b2n^bGiDF2oX zm25FLx|4AP8>rAi@koY03lrtS#X?zK591c?2iZ_jjc>0y>q9>fU<08o6zG%z9WK+S zDwZMW4~28wu#ye#V*@#5t^S@NiAA`3{SF$xINmc_WW^u-C9M=H>RQ1>WM=|R!660{ z6E6%DwX`eu<3pkmz7Z=FCRd$(vhDkc3yMnSr)5C*aho)DZ<12$`$TXj<8Z70)|rK7 zXFD8QzksfWZU`qL2K8X{C~TcF{KVW`3Y{IMb&)T9%1V`tv(HY1 z+LXkLyM|3mtLD{x-#hOw-U?sr-iLeHFA|=-sGZ4#hX)atL!a91(tWJc+og&5W}VfZ zpgE7`{5D`~?yGR++y7~xA&eU0N*ZezDjF$> zUeK&1aTFQRg*?v^Z2e7u<`lk$czR6}b6Cl-qA9%A`#A6q0*zyTu)X`3rhjR86NK3= zLdw{+-F}+b2gxd-qF7>Rla}dFkj|L#c|pg5Ni+MRA|BZH(@ME*o<1ijKcoXb%PVfJ ztp_uf=G%kvU((pHcw90Xut=}atA!giM-5By)f40nKp zv7Wdb{;^<}VRvruH~rYr~wEuYY2ov-5Q|p@u3Da9+z7PeIpBAwi?RxnxN3Kt+N9L(LUS%wxY` z>e&1VV;{CYw8DNRlvBH)>!I49SU4R!t3I4=y;mCevPZh!-}~G+F>6hcL_Rli4r zC4(WN)`j$>^S=~GMGR=^)A6wrqi(-x{xK37&Vx!OS6t=KQ2JVZo#GrSODtTe=TVh%*qfF%91nqsMNLNL^Gp|_ zz%I*HUkMQGqb!1eh{{bp|0GSCDbkG_D_d)8<(0r<6-%Qi7qDa7xZjcdZ$?Rth9L!f z$erCcs3<~mtupywbaT8NWZF#v?iZkvqSz3@p`RiXs7P!GUa~-U9hEG(NgI#3BzO-# z!9JWf(;r!*A=@g$f}>wi|6Q@9z8AmYf~x8G%sp>C5cfuJY;hs1o3Ozu^{pH0AFbs%yU)Xy5>Cf?qXiHn*-PAfKDRiy`U0sFSKFsgEZ6_ z9#ma!<#Izr^}_z*>PRSt564u6We*XmZUx^jv*dK; z4zyFZ*ZFSE!00<6!|+#33&R)@RA8V9YRjp$HS9?CGq*xDSDRbX#i;}mateEF{fqTI zt?X}Efkq_Ap*_ETgaikOBbQ|;47}hwX44K`(DUI@C)QiG&6UJ1UmRn*Q@6%e`+x(gpQp74O{;yli8YLCV}qD z4gIyZd_(8ED~WWaeXOb0^r=9=AiDT}by~+$KVF~M{ywbQl zng-h?a_E;yX?DCr4|_h7JMc7>xgWf7Ek-VmH^hCYunVp3{(d{---&%-GZ=rK#V5Jo zJvP8b!2AA5?9)G8gwzB6ze3TU<5*Pqms^Q-?C9-CN~4hb-`U0D@kAkTWn23``cao^ z8IWAp8h7`%ZA+eI?w$sJktq5m>e&0@mQn>2BdpKAxbj1$m$8Z;`!iFvl9($Lb9Ff? 
zT^6cTZ~HgIeR6R*;G(rzpgsJP41Fx9Df;G6{;k6T(i}&8hX(jHSC@~#X@70h#)g(( z*9vUC+a*b%oAdf1$}Z3NR;|c5nY4^Z51pfqk(tmJbB;Q#ka#tf5eae;-kq$I{xO3<(TI$0lSe-JQzJ*es;il=Kn_?&?E zfLbs{qErPqm)-*ZfwbA*D-shgb|1;X;cH*yA|q8gS=HiosF=-kbdk6--SR+`F^H_` z0*i`J==@XSe=HT;_``G}ulE=H@*3GU*?gVd@h*`eT^GKjI;C@8+h~;(u3bA#b&bN{ zYw>dJ$(;RfHDLlndS`CWOE=g0jOocCc&;w(dOzrLf4-DK*MD@P_;u&CbfMw=#Q-B` zDq8hGwKN-O7(hQA_bP3f5XrZH+@*FGw~ppmDgNWcf|Lf*Pc%e5dw1DcJ1BWm!z7z3 zr^toEU*P(>G#;_1X}Rz(5lbDtCui%hY^d3lm)kw0vyk zX~K4$AG#7cG`6s2%9g9zsaQ9o?;3yzW4Pt!;NlS zzI#G7tiq&@eV&}qDtY(e$1JwscAfle%Al{3>Nr%``n?`Jac^CdOXUbFgI3;m{RkA~ zokl+lxuw9=%W&MmzA+G%ZdFMMP&N2^6BWjG2Lt|xKx)lMCR@b0n+xgw<)&Dwi?}>- z+$_e|@M;uW@3z6)q&L7bYitZ%huzGqH_qHOr&G5o!?(8TJv_MN1ka|&c6_!Q>#PgHSFoPWiLg|k_{ zQd#Zy&BPkU(0OE5S35!B5qb6%T3Wd#J(zBl8dw6I#xIDDF-LBPi-jXv1E?!gE|1OIdTejK)+U3ooC^otSIRsWZf-`&K}6}s!407Y58zH zK(oYx*7sN1O|Z_1YIJS_H$E@DH(hB4QKNCGQT3PTvwYoe2&8WKi5`5tU-r4!>_V3XUT}N)>8V;+z-!@-IGCKiD>E9RC(K`NMx=;Qp zf$2g^t?)zpU0L!BZi(oE#)^Z_biT*Svh>r#%1=O+Wo37G`Q)4@k#Pe?^mgBIugC)8 zyEICH=`{A~^x#X&%tr-$j|(nXrIrGQYNY+C3M+LO;yUU4-|v>a5#P)XYp>_|C0f0n{_p0mvwWmghfd%!Cm}$qBDxOqA3htLs~ghSA1>6^dVgd~ zVHHBBy6;Pp=El;dkTE=ttp~BoOJ$L@EB3Z37T1kTNG3tm4PY5O-7hP5DA$-k=vV&6 z?RiAm;W~*o)R7!x9>u$&@|&D4xMmJ*y+^-6t!F0u8G~78t&Bs#W>w_NbW>W9M3tXWXRf zI86FWVx%iXXh6MJ>dg#?lNu{K@S#nzMIG4PXQd%!Bvc*H0c7F_Y=adptJr*cHevMQ z%?Xu~q8CFw>^L*S_83kVhq=)hf0%_Lq}SE*g(Da_A{kXVZfAd*YCwp~bG32wi&SNM z#QZ7}Ug5-=+s^uqAh_|}gzya<(&E?XAZ%0ybd9nraj?|z1YfPr*{N?Q{ji}YG`T#| z=uwJZHIMlsmevnenT#-)t$L*=2wh|1EYXW?_36TR?L!sUItJVxaC0$Gb|gq4{|4gA z(v0ODFj!T)jc5>65ys)* z7$aBHfbKdz@QJq1b`NT`344*g()$>5*Ey`TPB7WI;|_8o8t9-_4ikFub|I{66>ge> zHA+6onzFKY*eaiA!77SD*^&LyumAR6gSvxY6Q?;!AvI{rZ##!G$%ZfIgce4F`aF;e z?jVh%+B-vj69ei~bh_zA9w}S4B4rzRKQ1~u$gwVu_x5PlRKDXX2(_2Mm7fs%6{SS7Qh1gWT8xaxc=f8`mW38ukIZxwU;lmHABwFSg50*o zrj%f%j~IKR?N5Dxwrq|sTa?!pd{b3sFM&~{4~_^YH4$bI^Fq2W4-y`))^|7fS?i0) zJ&Z9wY!8%l7@gAr`2{fqA;L;ptQR*X2|xUtrT47KK%XN+dydN$*M?65LuXTRabgERR{n>;E;(&vS0_@COY!p<%5LsRqGpER%~YjkSK 
zwBo9-2|-ZFiU3TT&S+@}3gDT35t0IXTzX@yHA(v>Y8;-mZNySQ&fE7RJ1^tzJfvdApX& z*!+tE)Y{oR%jk8A)3EiI3i*(TOwP!;B3hAOj?KQ6^h-q~1V^166uYS~mH*2Hh*0}r z`R3u1#^LG9IW|^QT^|61H(T1Jz?n;(Z>52lU0BO>Q6*zgpP*gTFk2Uw)!3zt>3F~_ ztil4!R*-j}wjh%&(kSB%}X=u4RbFRp@^l+$SmM@nW9B;yGbf@nasjFMEE{m9Oe

}qal5$moSACwfNXLXG5|3R0AtBcN` z?%yS)&>O>sqxU64U~C3&Q^>z-Zt}WuX4Wh3dKj9EO zfSbV!c3e;EOeKHQmWEw#NM4;*tw-2o@x&kKT?rsmy-F|$jw-F>WgA7?C@{O1qPg*J zf92|RTBMh&ptHADFc{T+cB?+mOj>h2HKgwkxq6w&XBxPc?>=JKvU2K9aU93@vp-R% z{5T=P$9U}AYZ5QU{3%7}YZ+ACWXw#-U zWyxU(OP#Q9-2AeGmCwcp`zWghf2hvsOjWjDQbU?U`v0&a--f1`v0Bd8HLiLmo)PKz5!A1|XVO+89 zm3h2~6yI~cpWor!_yt-?Lt>z`c0a7cJAW)#d8N8nNIf0H<+v;s4{0guDD(?T7Z<~$ zd`$vpZ_QQgFaMT0_d5&+(jwGU?M1FqUu6wjA-9z?mRM}(CmSdK;2e$Na}F-8jbhgN z9)@AIQeghf{xCC^{9P%VdYW1PP#}2BJwWt z0Hd8%st1NK5%h+)UB^mVwh{e#8TIm$xxgGo6I5;e{~VUeeMGRpM_Z%=eH5$X1}?Z5 z`|*_Vp~K&ziz45-Ih9y>EOr(Buy0&n$dbQ4$5eSr=Ti z#~7^n8dmem;$0D4+6eV7&G2D~d@ z+R#u8+nw_N%7_U_1e53P?~&10^m|ZUXrZhVp04lQLsGos%0fRDhS=@>8TOAAxK;Cy z9GZw_1pfSxD5~xoR!INI?tU0wrKDd6^Tv{jL>`Xb49kBaNPlhMaIfh_nq_)zB7NcX z05XeQKz`@BDUx7*i!V~%dc8XQ#ngBw0A2tSr(npSCrNy5Z7>48v&Zz?0{%FRElh_h zN2|?#EhJL5HQMIu6m1=ypTR?tVymHK)xQvS9ir7FzMp?CjlND39PK`od#GytVhZWp zQ1@>MTE1*Ip>hnXSWa?XbMH#708@j12yPbm`JfcqIgmJepn$5YgkJn_%5I)mr`Q(k z-a0yFR3A`houhvf&|wNpIsV{2p%MqhR@`@R(l6`}iufEgI*UxWq~26?WTpZCV{JtG zYL?&#I98fyf_;2S0?_V{=Aa4t^x%vy$pF$_Lh7W2f*~5uPvGYh;vZhMv|u+Z?2t0~ zcYPXdxbg6OS*LUjR_=jLDt)ab6;?g1IuySLG@UE;jLpt-wjLX&RlY>fnd@f&?0NyT zht5vhP^};k6`U76$%&I)iWPNxG6KPjdh`S6>g9GN@;KObQsLG zKyjfrPR0PU1B0a0=)3@9eCDl?mB9rFdlTMtTAeZv2}F*|@JWleq2+H1bt>>x!^wTk z+I)cgsZwzCMwoRpW_*!3IySTQu!`HWugAXe(Ai(a9Rsu;*0#o6torxwNMxPzEAjt` z>70Vw;HCQ?AnP`RKQ;2R8h%;LI#tx^(MO*lMWJe4_?)Q571P`kTmN#(ez21V!<6+S z@Uap+y%#8&cGgdf+E@y$dUx3g#)=#5k31Vqv0p!%L`*=-PiQAiSg-d9lKRZQDuJ-| zA96zwwomG+4}X$vR*IU=NC!vL<`rUTbf_uRJC4FS;k&HtV<=<)p(qymH)=MDV^aqK z#%sid7K|~!H`J!7hRr~Z!emxgWq6#GpQs%c#BM+scvNGz|Gi4G`;8Z~dP8)+51iB8 zw)0fazNz5(iK$LJeC_4e^8&@wT(DZ~~>SStz3P(>V8CLNlZqgv=2K-|Lu~si@XFwMN>QE^k zVS2U_A?Q$?M`NkU}^!M8m%O&T=kW>dG}1s2I~hxp9Y=a=1XX-(fB5) zej3`e5Et~R^r%?CZK0)UZsF_+tSOGIBMdrtMf#oJjGF9U`*P8t>i*TWed$Z2WNUZ* z_1Qw4Yr+Q0@bD?hD0P-^v}?FpPBg~zz5~g@J#J76C695|P>1l;OS8%~hZh5&-9Ji# 
z50%&56ZK4FC9}{jHL0!=qo9Yd(GGHCEX2|-F(f}q6@NMT4P3rQd{Q!=bz-8N(Z^!N;;ZzAWRf@C?X>mG=_NgyQX_?Jv$m(9$W>P;+e}O|&w&DjbsJPdWp0A2$yLr*!BY73Z z5d*BCaTI)w=sTlofc>n}@v_tSXIK?8(g`G_06u>SD*fOZJ~visq3lBVS2+cf-r$UQ zZ(8A0g&5M$IV7w5nqL(m$VS0X?=yy-e6>S>Ca3wZNT)b{GF39_gJdONflqc-j$b~o z2l@@h{$KVfC)V?#We*)@xYC;L^<@cHo>8axRMbSzw|eYTl|8pkabsQJ(3`z{>5H}c z`psz_Y6t)hvzL^=}P#++XUl6v`-j)SuXd6BynjNZ!&c2hnyE&4*K$nXn31Zk)cm+lx;> zya{T?{MRtSu?^3Y9bS&O$*mW^vRUpv!J3Tz12?3&Y62b_oiZ$24O(75Z)JWb+Rj)ACbK`f<&tSwtT$|Sy z$41kRPiM-jnPY9PKrLyI`pHm6LusMsrO*HpmE){Kp1^u2t%6nW^;GB|!4k!Ik8oav zjM?DBKh9G@W0gEwiU-M}0B)}olvoM71RccgiZBCs)L?q_GX&JDhegx4k2&cNatr5w zU)1#2USb8&`etO5Vk z?0}K+*2*@a5yt*X{qg0@8jEz~jcylVj>-042p1PBnabI#xUiCRD!ouw3?u-wwsqwF z8(@m8-Lk7q@v154g6yvx_tRDa>}oqpVda)wfI9(;ZVGt1v^{<|X?vC_(i@IJC+2I_lusrT=$h zF1lPc*Neb`;Xgrdf`p$w)~MzQW0M3_FYRKu{2$VU82J^B=X1#^<&P$_`=S$Ey04WU zTxG;hrFNLhWC*p+sH3x=JVcBJ9*7>eO20)n671SxQhZQlHMRP8FyO}yai~OTsbms0 zQ3b$C1Cn!>jMHDq{VX1ab^~_Q!z+f75+_AuwiN0*wA_#M#0|rU{+NlB%>Y+TNT0Gj z`3^LKMSJjz2(?lwg~ixDl_5%rzzZ}o_6Fj9e)T7gpH4=BgT1zmwJpC@g(f%&0`}8B z%7Y&qlP3aFmI#nmT`|R3+Lwzp+PLXt|5g%vlY_$fvse7zjus0D0fA##r+i4G4K-2Y zC#H95NGoYfWP#ZF_v$^Li{PZpm}fc&)aL?5doPcb835Cr6`T+EzzcEvLtmXcbAb<^ zw!_Zgk6Az7YA@*vb)(G{_W-B|zrf76z^`X%jOgqIIaqi~5nUup3vugzzg&rA^w(zR z+qCzvIV~nGR=47pDOcNTzuBw#5a=<=DMvGa)g zPw$^pmq9Fg&b#BZrPSoml(149rZS!fioV*Dy$z440U3MXDJmI?RZqLy0}IKSxN)o( z8+8wIZs#q(|KTg6y;Z(=96>xfpUsr@SP}I^v zN^R;ZVrDaWmNrM5-<X@k6JyjvA3;jHhma|Y|7!Vk& zgf(UK_6~cC;!|b!YTjke=nBiUqQdb#I9TY}!s5P)H+^c;9cW(QO8O%n5J^8Xfktd*qrn)+?-gP`m%B&q zi^}7jKm`yMW8ITFOMN#!QIB6$SWx*75tnCMaNg*_J*WuwBh~AT>0($nS8%&zmFQDp z$dL65niDtTV%!Kg1`6epWoQGNG`$`doy;Zjaa`keyL0F6iJMae6FIgnhAfzU%m@V+ zm5rQihLwS~b6{-bVR1ZSzBI7(Yj+V6T-8V*7I`ptWArGdy~8pnV>fALpi~NQLZ7;^ zpaj35=md<~-(tNmF69UX3?ua}A7UIn)q5i1iPYEGlhYSbkfeX`5epkxtzk3Qbu| zlgA`7ts%IvF4HJ}-98akyRnjCo{u-`A4&b+r?s|o`4wdYAHs-yh91p$7C_|+EdYH5 z10`!*=n+W9g>V&dfU1H!J}ASZi&-?`2IlDOAHnu306rD`y>jT)4^@S(X4XhN2{g9i zj-ym98+RT|d0ejIFJCM5>S{mT-8uGmRRqkJ3sMO_AQDrv77Q 
zv$t>zaVpVF6eBguE%9M2u?E-Oleft8z5+~W`G}KXD(Yc;7m4{Op>Le(k`g1UK7(1# zt6g}$n=Tdn{T4pu>v!c;xRCd_WI$Ali13x=U_0T!Ga-U~9W88q-lU+RLn2`N8Ouho z^0@SvC>$DguHWx)?^*ms-{PVq%dn(U3vrLj9zITDqQZ`H>Wsp@Gf%}SG=m)Vh}F$ztQAbwVGdDgd!28j&yX9wLW&s! zNR~6`nYg;ULAq8zi<;gUchAV5ib67Y##l2 zy+%gaD(|~G4@||{A;TYDSoS>q2o{t23t-^!NDSDEm8j3ao7Ei>KYLEpb$jz}7ciAM zD}trDN+AVVT_lXW<++~>8>Cj8fzJo@R;>%nGq)6+w?(#mNc#1J4W+!hA}?g$0Xqo? zn67qJmss)e%k(xO*&K@z6+}nHA(lCkb6n-|{pSztys$8HiOWTVR)tCO*Q9~if%3n7`uxGzE+OCu zwcVV|tgQdq60952$>85-GHk$lwM(uI+CU1?i{sVnKd0+UNq#eSSKjUKfDDgLnBG1y z^v?f#MRFkph~TgkoKBvM`L_~we8__xpLcjh`GwV|87q`vazJq?SX=mXhdvK>VqUf~ z4sYoTIpt5S)KrE-?>&=cRoBumD7;b5pq!Y07)#I$`)<@U+mo*dE*P~773p*u^6waO z2#thJahX_ySlYMpjx%h<)i43ao~Is`^Ya zMNZkuChEA7+ZJe6$>-C*dzTYf3#1SY82yFG?S&Q)5rTbKS-XLjckTLEc7>^sFcntQ zBeNXCSg&q1N3Bi^4zlQ%mcEBQ%2ab$?(;t-$HYd2%cnX$uuwU#I_6D3($m zR(>gHzM9ODf;r8b0l5LuEIQVZiQ0-|3Y_xzJkZc*CD=bPJ+&J+>>se%D4uTq?Ny{l z0Z5~og*Wa1O&anlcRWu_%o)(x?IZ0CfUNk_R-ik>GyvdFmpu1wHZaKTDGhL zqxsji)n<+)VKbV0_BRq9E;Kb`f=&vn(BK0Ba-gL?ZN;^^b3YFg6R=!q#zM;tcX0dM zdy5PPx@6pJPXHzH7$dGjM|6@6777nXPWV;CIQdNf(*Znv)sMy&Xcq> zhCq+6h6&v8<0}vd2(sKqU3j>fr7&#Xy%qZHcMU3m{wld^Nstkz8GagB?Y=SI&H z&{&BSA-|(i35$9(l6LpFyLm$0M0fK`Dz!~ezL?yEInsXAFR!bHe;ZL>Gd(#Hv?<$%`^b)oi?x%(jkylCPb=juPlF znMo&o961=NZ_$gd{xp1ZY2dNDOS!=XVj!M^A z+$z`EK4v=m{Bs{&I4W)({`&<5*^BV#z{IBAI_d+9Qx;~ zby?2zEjzUUeZWBDo5cz>%;z||z)<+6UtC)y60yD5J5`oo_zSM;l21@CY<0_|)NME5 zs)kHCMBa5YzB#N=W2aR?y9((~WuYwwf+HAc2mvU>NYlxOTvGf^Ye3za?*f-qUs^`a zT3>RPh9*Jf%3*bf|kqtnD_Buxv!<9N>BbuD#uYv-q^ z%RDnd7a3O4M9Y~TNISS@9K}JDkdg@>x8E6@n8jF=6qiDV+}{!V)(o?ykcr0sxBGEx zo!X;pc=r{H^vw6ztV5VZXBa4~(ujB$rZQ|AaGN@J7#q%2nU9gJ)g6dcj}zYB1& z@iFE0vMQVxa|v7tDHS$gwX$Ihc#M^DXRC>J@Zk?dC(3uB_s~*W&m-01DFMQGWjj5x z5po1@1gPl!v1Yra@qPG{D;$bYLM3qOwpl~7f~l)#n< zP+6`!NYe3EE~4RFR#_e=7YctPRBt6$He@`%e5m}f$M%yzC2S0<1}hRPjO>HJY~ z*dx(nbMbjv*;o&k{qzBdF|lS;UNVKziV=gbLq}UOCwr8GT5E9oRYQ}+>DhbQ1R=lj zgcNJN8|D)$Mx3#c+t@lhqcDUnHGVt0&EyQ{b5)=52B(VTzw=pQ^ba3`JB@BU^lS`_ 
zJEiLzgU#Acd_!}FMxCWC**FP^i#P}bYzNs78)#uSejEtYLbG>JJ7Igtho2oKQ;XW~ z4eMGO+t!_;G^V6c&R`5Tg+Pz2ToN(aybq4Q0ssie_{`t*DO%V7FaZ`{MBobFc9|pV z70o5ayHGJo9$$&Pgbs)pWNzduAcbh?~U?_P)(ve0S*3H%eNF&a5XR=!J#4c z;t992n7ZJr{*%`^dU1d-ALE8!3i#v;3r4r%j+JFCe=%3Vj=8{aXe zs)jrcUBZ=;LudcTUXj2ub>K5!{HHFHJ}Trx(PYugbQ8yK7&sqX;(;|UWjk3tGs3zuceeX)i4i_jA8Qz2Bc%DxN8 zXw!$+9jBtEHd1y90bYG4f8DcJM)Ab!M39tH5zz94*MAvnhA377@buNupSOUU3j8~> zd6&hk^ENRCp9T?_QUHk<=(&9Q^MJ^pi;nKOYNR@?L=RCSmKMJ5UQJQ`X!i~(gD*P! zs`RobzJG3Ra_Pg+WZUXUmMU$ilpwfcEti6)mw(~MZ0q!^sza>#jv!-+7B6F3QuMWg zVO!rXwD+lF1BBTito?ml-CV3vxuek~TKuOX^N6sol$v*{_%nAuD7i81eXm^Lz(Z~I z2Xj_Dts#G0&C;PV_Wkq*1QvB7+Post4={v;gk7b9u%#DC_bh(iJm$rqog^{JEx6NE zrs5^2SEL$|98#2WV#iG@L6cq|)SuTMSfGocPl65wUd^|5Lbpnb(;t>-Qu2jvANLgv zdte0vED-3C@^BdyHWLL(7{G$WA02z@JG!T-U^Q7HZ(7Bs&vchkh(p&}KvnS{MG^i6 z4r){gJp9p7WyWOEiKA2Cm6EXIn&&gk|Fc6^78OpPrX4ExCFE=SD$xcH;C2eB^{XTI zaxz_Cef*Yj==w_i_BTGXP;8C&f? z*QEM>={jFM8)lWAR870pG4XEWsl%%K|82S5b=9hVz7p_6i-d(Iyvq76&a#PV zR;VbQV|n?mg}&(ehClg%tK%IjgtnTR-u)lxH06XxXqH0soAZbB_Rm)XX=6Nge1uoG7 z9vQM_S~2h53n|W`y{{R9+=08rv~MohI_v4-BU^7fZ0-A}#b5{AOSTJm+(J;9yw%pD zX6u62GJ&@HKX5zQwq~j8T!Hrv-Mk^QSB5cu09L03{ToDO7jikM0WAcsjW>D}^jqCF zT0DEZ@K^KO_MD*%M!+V)lGVU6?LpX)eQVXEmq}R`NIJv;kBitJ!nW?0OxTVlu2ADf zE{A!*0g3%nwVcBD+AgT5bGx@WOnQk{zRpiZ4HhP`3BF%N|HdqPbbiV5)7x)kzC3ID zZ;27>0^mrMgWc7evsbQY`l`l})wr+e;=8U_!2&B77;1qL!N8y)eTJ2lf#CvhR~!Qa mc;sM|90DP5A*JW%f2r=u1xt!e4gwD_V(@hJb6Mw<&;$SznOm^{ literal 0 HcmV?d00001 diff --git a/test/packages/with-custom-agent/auditd_manager/manifest.yml b/test/packages/with-custom-agent/auditd_manager/manifest.yml new file mode 100644 index 000000000..33aeaf2b4 --- /dev/null +++ b/test/packages/with-custom-agent/auditd_manager/manifest.yml 
@@ -0,0 +1,32 @@
+format_version: 1.0.0
+name: auditd_manager
+title: "Auditd Manager"
+version: 999.999.999
+license: basic
+description: "The Auditd Manager Integration receives audit events from the Linux Audit Framework that is a part of the Linux kernel."
+type: integration
+categories:
+ - os_system
+ - security
+conditions:
+ kibana.version: "^8.2.0"
+screenshots:
+ - src: /img/sample-screenshot.png
+ title: Sample screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/linux.svg
+ title: linux
+ size: 299x354
+ type: image/svg+xml
+policy_templates:
+ - name: auditd
+ title: Auditd
+ description: Collect auditd events
+ inputs:
+ - type: audit/auditd
+ title: Collect auditd events
+ description: Collecting auditd events
+owner:
+ github: elastic/security-external-integrations