
[Auditbeat] Monitoring of files/folders with a space in the path not possible #27196

Closed
secuinfra-admin opened this issue Aug 2, 2021 · 3 comments

Comments

@secuinfra-admin

Hi,
the monitoring of files/folders with a space in the path was not possible using auditbeat (version 7.13).
We also posted our issue on the elastic discuss forum a month ago: https://discuss.elastic.co/t/auditbeat-monitoring-of-files-folders-with-a-space-in-the-path-not-possible/277537

The following rules all resulted in errors:

-w /tmp/folder with space -p r -k test1
-w "/tmp/folder with space" -p r -k test2
-w '/tmp/folder with space' -p r -k test3
-w /tmp/folder\ with\ space -p r -k test4
-w "/tmp/folder\ with\ space" -p r -k test5
-w '/tmp/folder\ with\ space' -p r -k test6

If an auditd key containing whitespace is used, everything after the whitespace is ignored. For example, if the following rule:

-w /tmp/test -p r -k "test matched"

is triggered, the log only contains "test as the auditd key.

Not sure if we missed an obvious way to escape spaces in a path. Even though paths with spaces are rather unusual for Linux, it should be possible.

Note that the Linux audit system (auditd) solves this issue by converting ASCII strings to their hexadecimal representation if they contain special characters (e.g. whitespace).

Any help will be appreciated.

Kind regards
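To make the two mechanisms in the report concrete, here is an added example in Go (the language of go-libaudit); it is not code from Auditbeat, go-libaudit or the issue author. It assumes rule lines are tokenized with POSIX-shell quoting (single quotes literal, double quotes with backslash escapes, bare backslash escaping the next character), which is an assumption about how a rule loader should treat the lines quoted above, not a description of what auditctl or Auditbeat do. It also reproduces the kernel audit convention for "untrusted" string fields such as name= and key=: values made only of printable ASCII without a double quote are emitted quoted, anything else is emitted as uppercase hex with no quotes, which is why a space in a path or key never breaks the record format. The rule line and values in main() are constructed to match the ones in the report.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// tokenizeRule splits one audit rule line into arguments the way a POSIX shell
// would: unquoted whitespace separates arguments, single quotes are literal,
// double quotes allow backslash escapes of only " \ $ `, and an unquoted
// backslash escapes the next character. A plain strings.Fields() call would
// cut "/tmp/folder with space" into three arguments (assumed tokenizer, not
// the project's own parser).
func tokenizeRule(rule string) ([]string, error) {
	var args []string
	var cur strings.Builder
	inArg, escaped := false, false
	var quote rune // 0 when outside quotes, otherwise '\'' or '"'
	for _, r := range rule {
		switch {
		case escaped:
			if quote == '"' && !strings.ContainsRune("\"\\$`", r) {
				cur.WriteRune('\\') // inside "..." the backslash stays literal here
			}
			cur.WriteRune(r)
			escaped = false
		case r == '\\' && quote != '\'':
			escaped, inArg = true, true
		case quote != 0:
			if r == quote {
				quote = 0
			} else {
				cur.WriteRune(r)
			}
		case r == '\'' || r == '"':
			quote, inArg = r, true
		case r == ' ' || r == '\t':
			if inArg {
				args = append(args, cur.String())
				cur.Reset()
				inArg = false
			}
		default:
			cur.WriteRune(r)
			inArg = true
		}
	}
	switch {
	case quote != 0:
		return nil, errors.New("unterminated quote in rule")
	case escaped:
		return nil, errors.New("trailing backslash in rule")
	case inArg:
		args = append(args, cur.String())
	}
	return args, nil
}

// ruleValue returns the argument that follows flag (for example "-w" or "-k").
func ruleValue(args []string, flag string) (string, bool) {
	for i := 0; i+1 < len(args); i++ {
		if args[i] == flag {
			return args[i+1], true
		}
	}
	return "", false
}

// encodeAuditString mirrors the kernel audit convention for "untrusted" string
// fields such as name= and key=: if every byte is printable ASCII (0x21..0x7e)
// and none is a double quote, the value is emitted in double quotes; otherwise
// the whole value is emitted as uppercase hex with no quotes.
func encodeAuditString(s string) string {
	for i := 0; i < len(s); i++ {
		if b := s[i]; b < 0x21 || b > 0x7e || b == '"' {
			return strings.ToUpper(hex.EncodeToString([]byte(s)))
		}
	}
	return `"` + s + `"`
}

// decodeAuditString reverses encodeAuditString for a field known to use that
// convention: a quoted value is unquoted, a bare value that parses as hex is
// decoded, and anything else (for example the literal (null)) is returned
// unchanged. Apply it only to untrusted-string fields; a numeric field such as
// pid= must not be passed through it, since "1234" would decode as two bytes.
func decodeAuditString(v string) string {
	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
		return v[1 : len(v)-1]
	}
	if len(v) > 0 && len(v)%2 == 0 {
		if b, err := hex.DecodeString(v); err == nil {
			return string(b)
		}
	}
	return v
}

func main() {
	// Constructed rule line in the same shape as the ones quoted in the issue.
	args, err := tokenizeRule(`-w "/tmp/folder with space" -p r -k "test matched"`)
	if err != nil {
		panic(err)
	}
	path, _ := ruleValue(args, "-w")
	key, _ := ruleValue(args, "-k")
	fmt.Printf("path=%q key=%q\n", path, key)
	fmt.Println("name="+encodeAuditString(path), "key="+encodeAuditString(key))
	fmt.Println(decodeAuditString(encodeAuditString(path)) == path)
}
```

Running main() shows the quoted path and key surviving as single arguments, then the same values as they would appear in an audit record (name=2F746D702F666F6C6465722077697468207370616365, key=74657374206D617463686564), which a log consumer has to hex-decode before matching on them. A rule loader that splits on whitespace, or a log parser that treats every field value as literal text, silently produces the truncated path and key described in the report.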

botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) Aug 2, 2021
@elasticmachine (Collaborator)

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

botelastic bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) Aug 20, 2021
andrewkroh added the bug label Feb 1, 2022
@andrewkroh (Member)

I created an upstream issue for this: elastic/go-libaudit#114

@andrewkroh (Member)

Fixed in v8.4.0 via 54e9141.
