Skip to content

auditbeat: Update to quark 0.6.0#51767

Merged
haesbaert merged 1 commit into
mainfrom
quark-update
Jul 9, 2026
Merged

auditbeat: Update to quark 0.6.0#51767
haesbaert merged 1 commit into
mainfrom
quark-update

Conversation

@haesbaert

@haesbaert haesbaert commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

Mostly keeping track of API changes, while here add some more members to the
metrics.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Related issues

@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@mergify

mergify Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @haesbaert? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

Comment thread go.mod Outdated
@haesbaert haesbaert force-pushed the quark-update branch 3 times, most recently from e955fc1 to 60f3c5d Compare July 9, 2026 07:24
@haesbaert

Copy link
Copy Markdown
Contributor Author

this is the current ECS for a simple ls:

}
{
  "@timestamp": "2026-07-09T07:24:45.920Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "9.6.0"
  },
  "host": {
    "name": "fc39vm"
  },
  "agent": {
    "ephemeral_id": "22944a8b-8f39-4ce4-9b6d-4a4e12d0f818",
    "id": "89ca6db8-2a5d-4043-9924-a7b6ed98cf00",
    "name": "fc39vm",
    "type": "auditbeat",
    "version": "9.6.0"
  },
  "ecs": {
    "version": "8.0.0"
  },
  "event": {
    "module": "system",
    "dataset": "process",
    "type": [
      "start",
      "change",
      "end"
    ],
    "action": "process_ran",
    "category": [
      "process"
    ],
    "kind": "event"
  },
  "process": {
    "entry_leader": {
      "start": "2026-07-07T07:32:44.720Z",
      "entity_id": "NDAyNjUzMTgzNl9fZDM1ZGIwZTEtMzcwZC00ZDUyLTkxMzMtYmI4YzExNTVlNDQ2X182NjYwMF9fMTc4MzQwOTU2NA==",
      "executable": "",
      "name": "",
      "interactive": true,
      "working_directory": "/home/haesbaert",
      "entry_meta": {
        "type": "sshd"
      },
      "pid": 66600,
      "args": [],
      "user": {
        "id": "1000",
        "name": "haesbaert"
      },
      "group": {
        "id": "1000",
        "name": "haesbaert"
      },
      "same_as_process": false
    },
    "entity_id": "NDAyNjUzMTgzNl9fZDM1ZGIwZTEtMzcwZC00ZDUyLTkxMzMtYmI4YzExNTVlNDQ2X180NTM1OTNfXzE3ODM1ODE4ODQ=",
    "args": [
      "ls",
      "-F"
    ],
    "interactive": true,
    "hash": {
      "sha1": "0c5f47f25f4379690945f6e7eaa92e1999d0755d"
    },
    "user": {
      "id": "1000",
      "name": "haesbaert"
    },
    "group_leader": {
      "start": "2026-07-09T07:24:44.379Z",
      "entity_id": "NDAyNjUzMTgzNl9fZDM1ZGIwZTEtMzcwZC00ZDUyLTkxMzMtYmI4YzExNTVlNDQ2X180NTM1OTNfXzE3ODM1ODE4ODQ=",
      "user": {
        "id": "1000",
        "name": "haesbaert"
      },
      "group": {
        "id": "1000",
        "name": "haesbaert"
      },
      "pid": 453593,
      "executable": "/usr/bin/ls",
      "name": "ls",
      "interactive": true,
      "working_directory": "/home/haesbaert",
      "args": [
        "ls",
        "-F"
      ],
      "same_as_process": true
    },
    "session_leader": {
      "start": "2026-07-07T07:32:44.720Z",
      "entity_id": "NDAyNjUzMTgzNl9fZDM1ZGIwZTEtMzcwZC00ZDUyLTkxMzMtYmI4YzExNTVlNDQ2X182NjYwMF9fMTc4MzQwOTU2NA==",
      "executable": "/usr/bin/mksh",
      "name": "mksh",
      "group": {
        "id": "1000",
        "name": "haesbaert"
      },
      "pid": 66600,
      "interactive": true,
      "working_directory": "/home/haesbaert",
      "user": {
        "id": "1000",
        "name": "haesbaert"
      },
      "args": [
        "-mksh"
      ],
      "same_as_process": false
    },
    "end": "2026-07-09T07:24:44.381Z",
    "name": "ls",
    "vpid": 0,
    "working_directory": "/home/haesbaert",
    "executable": "/usr/bin/ls",
    "start": "2026-07-09T07:24:44.379Z",
    "args_count": 2,
    "parent": {
      "pid": 66600,
      "start": "2026-07-07T07:32:44.720Z",
      "entity_id": "NDAyNjUzMTgzNl9fZDM1ZGIwZTEtMzcwZC00ZDUyLTkxMzMtYmI4YzExNTVlNDQ2X182NjYwMF9fMTc4MzQwOTU2NA==",
      "name": "mksh",
      "interactive": true,
      "args": [
        "-mksh"
      ],
      "executable": "/usr/bin/mksh",
      "working_directory": "/home/haesbaert",
      "user": {
        "id": "1000",
        "name": "haesbaert"
      },
      "group": {
        "id": "1000",
        "name": "haesbaert"
      }
    },
    "tty": {
      "char_device": {
        "major": 136,
        "minor": 2
      }
    },
    "pid": 453593,
    "exit_code": 0,
    "group": {
      "id": "1000",
      "name": "haesbaert"
    }
  },
  "user": {
    "saved": {
      "id": 1000,
      "group": {
        "id": 1000
      }
    },
    "name": "haesbaert",
    "id": 1000,
    "group": {
      "id": 1000,
      "name": "haesbaert"
    },
    "effective": {
      "id": 1000,
      "group": {
        "id": 1000
      }
    }
  },
  "message": "Process ls (PID: 453593) by user haesbaert RAN",
  "service": {
    "type": "system"
  }
}

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

TL;DR

x-pack/auditbeat: Run check/update failed because the PR head is not goimports-clean: make check rewrites one line in x-pack/auditbeat/module/system/process/quark_provider_linux_test.go, then the generated-file check fails on that dirty worktree. Apply the formatter output and commit the one-line change.

Remediation

  • In x-pack/auditbeat/module/system/process/quark_provider_linux_test.go:261, remove the extra spacing before //nolint:gosec so the line matches goimports output.
  • Validate with PATH="$(go env GOPATH)/bin:$PATH" make -C x-pack/auditbeat check update && make check-no-changes or rerun the Buildkite job after committing the formatter diff.
Investigation details

Root Cause

This is a generated/formatting drift, not a quark runtime test failure. The check target runs the formatter before checking for a clean git index; dev-tools/mage/check.go:56-68 then fails if any file differs from HEAD. In this build, the only reported modified file was x-pack/auditbeat/module/system/process/quark_provider_linux_test.go.

The stale PR-head line is:

"process.pid":                           uint32(os.Getpid()),   (nolint/redacted):gosec

goimports rewrites it to:

"process.pid":                           uint32(os.Getpid()), (nolint/redacted):gosec

Evidence

Error: some files are not up-to-date. Run 'make update' then review and commit the changes. Modified: [x-pack/auditbeat/module/system/process/quark_provider_linux_test.go]
make: *** [../../dev-tools/make/mage.mk:21: check] Error 1

Local reproduction on PR head produced the same formatter diff:

diff --git a/x-pack/auditbeat/module/system/process/quark_provider_linux_test.go b/x-pack/auditbeat/module/system/process/quark_provider_linux_test.go
@@ -258,7 +258,7 @@ func makeSelfEvent(t *testing.T, qp quark.Process, be backend) mb.Event {
 			"process.name":                          qp.Comm,
 			"process.args":                          qp.Cmdline,
 			"process.args_count":                    len(qp.Cmdline),
-			"process.pid":                           uint32(os.Getpid()),   (nolint/redacted):gosec
+			"process.pid":                           uint32(os.Getpid()), (nolint/redacted):gosec
 			"process.executable":                    exe,
 			"process.parent.pid":                    uint32(os.Getppid()), (nolint/redacted):gosec
 			"process.start":                         time.Unix(0, int64(qp.Proc.TimeBoot)),

Verification

  • Reproduced the dirty-file diff in a temporary PR-head worktree by running the scoped x-pack/auditbeat check until the formatter stage. The local run later hit an unrelated temporary-environment Python dependency issue, so the meaningful validation here is the captured formatter diff and Buildkite's matching modified-file report.

Follow-up

  • This is not a duplicate of the previous Buildkite Detective comment on this PR; that earlier report covered the TestQuarkMetricSetEbpf /bin/true vs /usr/bin/true assertion failure, while this build fails before tests because the formatter changes the committed file.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@github-actions

This comment has been minimized.

@github-actions

This comment has been minimized.

@haesbaert haesbaert force-pushed the quark-update branch 2 times, most recently from a6cf99b to 23170fd Compare July 9, 2026 09:50
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

TL;DR

golangci-lint now fails only on Ubuntu with two findings in x-pack/auditbeat/module/system/process/quark_provider_linux.go: one unchecked uint64 -> int64 conversion for process.Proc.TimeBoot, and one //nolint:gosec directive missing an explanation. Guard or justify those conversions, then rerun the lint workflow.

Remediation

  • In x-pack/auditbeat/module/system/process/quark_provider_linux.go, handle process.Proc.TimeBoot before time.Unix(0, int64(process.Proc.TimeBoot)) so the uint64 -> int64 conversion cannot overflow; for example, check it against math.MaxInt64 and surface an event/log error if it is out of range before converting.
  • Add an explanation to the existing qm.selfMntNsIno = uint32(ino64) (nolint/redacted):gosec directive, or replace the suppression with an explicit range check before assigning to uint32.
  • Validate with the workflow lint shape after committing the fix: golangci-lint run --new-from-patch=<PR patch> --timeout=90m --whole-files, or rerun the golangci-lint GitHub Actions workflow.
Investigation details

Root Cause

The PR has already fixed the earlier broader lint failures, but the current golangci-lint run still reports two new issues from the Linux quark provider. The remaining failures are both conversion-related: gosec flags the unchecked uint64 timestamp narrowing at quark_provider_linux.go:203, and nolintlint rejects the unexplained gosec suppression at quark_provider_linux.go:70.

Evidence

2026-07-09T09:58:59.9581167Z ##[error]x-pack/auditbeat/module/system/process/quark_provider_linux.go:203:33: G115: integer overflow conversion uint64 -> int64 (gosec)
2026-07-09T09:58:59.9590485Z 	startTime := time.Unix(0, int64(process.Proc.TimeBoot))
2026-07-09T09:58:59.9593974Z ##[error]x-pack/auditbeat/module/system/process/quark_provider_linux.go:70:34: directive `//nolint:gosec` should provide explanation such as `//nolint:gosec // this is why` (nolintlint)
2026-07-09T09:58:59.9596158Z 	qm.selfMntNsIno = uint32(ino64) (nolint/redacted):gosec
2026-07-09T09:58:59.9597328Z 2 issues:

The latest prior PR Actions Detective comments covered earlier check-default / NOTICE.txt and broader 19/10-issue lint states. This report is not a duplicate because the current run has a narrower remaining failure set in quark_provider_linux.go.

Validation

  • Not run locally; this is a read-only diagnostic workflow, and the failing CI log contains the exact linter diagnostics and source locations.

Follow-up

  • After fixing these two lint findings, rerun the golangci-lint workflow to confirm Ubuntu matches the already-passing macOS and Windows jobs.

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@biscout42 biscout42 added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Jul 9, 2026
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 9, 2026
@haesbaert haesbaert force-pushed the quark-update branch 2 times, most recently from 287d47b to dee8fee Compare July 9, 2026 11:48
@haesbaert haesbaert marked this pull request as ready for review July 9, 2026 13:05
@haesbaert haesbaert requested review from a team as code owners July 9, 2026 13:05
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

Comment thread x-pack/auditbeat/module/system/process/quark_provider_linux.go Outdated
Mostly keeping track of API changes, while here add some more members to the
metrics.
@mergify

mergify Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@haesbaert haesbaert merged commit 25a0b37 into main Jul 9, 2026
209 of 213 checks passed
@haesbaert haesbaert deleted the quark-update branch July 9, 2026 20:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement Team:Security-Linux Platform Linux Platform Team in Security Solution

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants