Auditbeat alerts seccomp policy violation in default system with no outside access #12578
Comments
|
cc @andrewkroh since you were involved on the discuss thread and you know our seccomp implementation. |
|
It's the system/package metricset which utilizes librpm on RedHat systems. It's making two system calls that are not allowed -- |
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Jun 19, 2019
While running on CentOS 7 with the system/package dataset Auditbeat was violating its seccomp policy. This adds the syscalls that it was using to the default seccomp policy for Auditbeat. Fixes elastic#12578
|
PR to edit the policy for Auditbeat only: #12617 |
andrewkroh
added a commit
that referenced
this issue
Jun 20, 2019
While running on CentOS 7 with the system/package dataset Auditbeat was violating its seccomp policy. This adds the syscalls that it was using to the default seccomp policy for Auditbeat. Fixes #12578
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please post all questions and issues on https://discuss.elastic.co/c/beats
before opening a Github Issue. Your questions will reach a wider audience there,
and if we confirm that there is a bug, then you can open a new issue.
For security vulnerabilities please only send reports to security@elastic.co.
See https://www.elastic.co/community/security for more information.
Please include configurations and logs if available.
For confirmed bugs, please report:
rules did not seem to stop the alerts happening
The text was updated successfully, but these errors were encountered: