
Auditbeat: socket reports truncated process name #24667

@adriansr

Description


Auditbeat's system/socket dataset can return truncated process names in two scenarios:

  1. When the table of running processes is bootstrapped during startup, the "comm" field of /proc/<pid>/stat is used as the process name. This value is truncated to 15 chars by the kernel (TASK_COMM_LEN=16).

To align with the rest of the system/socket code, the filename extracted from the executable path should be used.

Example document:

```
{
    "@timestamp": "2021-03-22T08:57:10.558Z",
    "process": {
      "pid": 21830,
      "name": "elastic-endpoin",
      "args": [
        "/opt/Elastic/Endpoint/elastic-endpoint",
        "run"
      ],
      "executable": "/opt/Elastic/Endpoint/elastic-endpoint",
      "created": "2021-03-04T14:05:55.860Z"
    },
   [...]
}
```
  2. When an execve event is received, the length of the executable path and program arguments is limited to 128 characters each. When the path is truncated, the wrong process name will be extracted from it.

As a suggestion, we could detect this truncation and do an alternative enrichment from /proc/<pid>/.
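The following Go program is an added illustration of the two failure modes above and of the suggested fallback; it is not Auditbeat code. It parses the comm field out of a /proc/<pid>/stat line, flags a comm that has reached the 15-character kernel limit, flags an execve path that has reached the 128-byte capture limit described in the issue, and derives process.name from the executable's filename as the rest of system/socket does. The function names, the `execveFieldLimit` constant (taken from the 128-character figure in the issue) and the `enrichFromProc` helper, which resolves the real path from /proc/<pid>/exe on Linux, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// TASK_COMM_LEN is 16 in the kernel, so "comm" holds at most 15 characters.
const taskCommLen = 16

// execveFieldLimit is the 128-byte cap the issue describes for the executable
// path and each argument captured from the execve event (assumed constant).
const execveFieldLimit = 128

// parseComm extracts the comm field from a /proc/<pid>/stat line. It is the
// second field, wrapped in parentheses; the name itself may contain spaces or
// ')' characters, so we anchor on the first '(' and the last ')'.
func parseComm(stat string) (string, error) {
	start := strings.IndexByte(stat, '(')
	end := strings.LastIndexByte(stat, ')')
	if start < 0 || end < 0 || end <= start {
		return "", errors.New("malformed stat line: comm not found")
	}
	return stat[start+1 : end], nil
}

// commMayBeTruncated reports whether comm has reached the kernel limit. A
// 15-character value is not proof of truncation, but any longer name would be
// cut to exactly this length, so it is the only case that needs the fallback.
func commMayBeTruncated(comm string) bool {
	return len(comm) >= taskCommLen-1
}

// pathMayBeTruncated reports whether an execve path or argument hit the
// capture limit, in which case its basename cannot be trusted.
func pathMayBeTruncated(field string) bool {
	return len(field) >= execveFieldLimit
}

// processName picks the name the way the rest of system/socket does: the
// filename of the executable path. comm is only used when no trustworthy
// path is available (empty or truncated).
func processName(comm, executable string) string {
	if executable == "" || pathMayBeTruncated(executable) {
		return comm
	}
	base := filepath.Base(executable)
	if base == "." || base == "/" {
		return comm
	}
	return base
}

// enrichFromProc is the alternative enrichment the issue suggests: when the
// execve path was cut off, resolve the real path from /proc/<pid>/exe.
// Hypothetical helper; it reads the live /proc tree and only works on Linux.
func enrichFromProc(pid int, comm, execvePath string) string {
	if !pathMayBeTruncated(execvePath) {
		return processName(comm, execvePath)
	}
	exe, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
	if err != nil {
		return comm // process already exited; keep the best name we have
	}
	return processName(comm, exe)
}

func main() {
	// Constructed sample: the process from the issue's document, with a stat
	// line shaped like the kernel would render it (field values are made up).
	stat := "21830 (elastic-endpoin) S 1 21830 21830 0 -1 4194560 1234 0 0 0 10 5 0 0 20 0 4 0 123456"
	exe := "/opt/Elastic/Endpoint/elastic-endpoint"

	comm, err := parseComm(stat)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("comm=%q truncated=%v\n", comm, commMayBeTruncated(comm))
	fmt.Printf("process.name=%q\n", processName(comm, exe))

	// A path cut at the capture limit: its basename is unusable, so fall back.
	long := "/opt/" + strings.Repeat("x", execveFieldLimit) + "/elastic-endpoint"
	fmt.Printf("truncated path -> %q\n", processName(comm, long[:execveFieldLimit]))
	fmt.Printf("self via /proc -> %q\n", enrichFromProc(os.Getpid(), "", long[:execveFieldLimit]))
}
```

The prefix-of-the-basename relationship (comm "elastic-endpoin" vs. executable "elastic-endpoint") is exactly what the issue's example document shows, and it is the cheapest signal for deciding when the comm value should not be trusted.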

Labels: bug, help wanted