[Packetbeat] - Sniffer failed to start (linux/386 binary on x86_64) with seccomp #7839

Closed
andrewkroh opened this issue Aug 2, 2018 · 0 comments

andrewkroh commented Aug 2, 2018

Packetbeat 32-bit on Debian 9 (x86_64) fails to start the sniffer when running with seccomp enabled.

```
2018-06-07T14:33:10.103Z ERROR instance/beat.go:714 Exiting: Sniffer main loop failed: Error starting sniffer: can't get FD flags when changing filter: Operation not permitted
```

Auditbeat was also reporting the seccomp violation.

```
{
  "@timestamp": "2018-06-07T14:57:06.350Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "event": {
    "category": "dac-decision",
    "type": "seccomp",
    "action": "violated-seccomp-policy",
    "module": "auditd"
  },
  "user": {
    "gid": "0",
    "auid": "unset",
    "name_map": {
      "gid": "root",
      "uid": "root"
    },
    "uid": "0"
  },
  "process": {
    "pid": "30690",
    "name": "packetbeat",
    "exe": "/beats/packetbeat/build/distributions/packetbeat-7.0.0-alpha1-SNAPSHOT-linux-x86/packetbeat"
  },
  "auditd": {
    "data": {
      "code": "0x50000",
      "sig": "0",
      "syscall": "221",
      "compat": "1",
      "ip": "0xf775ab49",
      "arch": "40000003"
    },
    "summary": {
      "actor": {
        "primary": "unset",
        "secondary": "root"
      },
      "object": {
        "primary": "221",
        "type": "process"
      },
      "how": "/beats/packetbeat/build/distributions/packetbeat-7.0.0-alpha1-SNAPSHOT-linux-x86/packetbeat"
    },
    "sequence": 7,
    "result": "unknown",
    "session": "unset"
  },
  "beat": {
    "name": "a271a8ba1505",
    "hostname": "a271a8ba1505",
    "version": "7.0.0-alpha1"
  },
  "host": {
    "name": "a271a8ba1505"
  }
}
```

For confirmed bugs, please report:

  • Version: Packetbeat 6.4 and master for linux/386
  • Operating System: Debian 9 on x86_64
  • Steps to Reproduce: Start Packetbeat with seccomp enabled (default).

andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 2, 2018
Fixes elastic#7839

I received an error while running the 32-bit Packetbeat binary on a 64-bit Debian 9 OS.

```
2018-06-07T14:33:10.103Z    ERROR    instance/beat.go:714    Exiting: Sniffer main loop failed: Error starting sniffer: can't get FD flags when changing filter: Operation not permitted
```

When the error occurred this is what Auditbeat reported. 0x40000003 is i386 and 221 is fcntl64.

```
{
  "event": {
    "category": "dac-decision",
    "type": "seccomp",
    "action": "violated-seccomp-policy",
    "module": "auditd"
  },
  "process": {
    "pid": "30690",
    "name": "packetbeat",
    "exe": "/beats/packetbeat/build/distributions/packetbeat-7.0.0-alpha1-SNAPSHOT-linux-x86/packetbeat"
  },
  "auditd": {
    "data": {
      "code": "0x50000",
      "sig": "0",
      "syscall": "221",
      "compat": "1",
      "ip": "0xf775ab49",
      "arch": "40000003"
    }
  }
}
```
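
Added example, not part of the original issue or of the Beats code: a small Go decoder for the `auditd.data` fields of a seccomp violation event, showing why the syscall number has to be read together with `arch`. The names `Decode` and `sampleEvent` are hypothetical, the sample is constructed from the event above, and the syscall tables are deliberately limited to the entries needed here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Constructed sample: the auditd.data fields of the event quoted above.
const sampleEvent = `{"event":{"type":"seccomp"},"process":{"name":"packetbeat"},
"auditd":{"data":{"code":"0x50000","syscall":"221","compat":"1","arch":"40000003"}}}`

// AUDIT_ARCH_* (linux/audit.h) and SECCOMP_RET_* (linux/seccomp.h) values.
var archNames = map[uint32]string{0x40000003: "i386", 0xC000003E: "x86_64"}
var actions = map[uint32]string{0x00030000: "trap", 0x00050000: "errno", 0x80000000: "kill_process"}

// Tiny illustrative tables (assumption: only these entries are needed here).
// The same number names a different syscall on each ABI.
var syscallNames = map[string]map[int]string{
	"i386":   {55: "fcntl", 221: "fcntl64"},
	"x86_64": {72: "fcntl", 221: "fadvise64"},
}

// Decode names the ABI, syscall and seccomp action recorded in one event.
func Decode(raw []byte) (arch, name, action string, err error) {
	// encoding/json matches object keys to field names case-insensitively.
	var ev struct{ Auditd struct{ Data struct{ Arch, Syscall, Code string } } }
	e0 := json.Unmarshal(raw, &ev)
	d := ev.Auditd.Data
	a, e1 := strconv.ParseUint(d.Arch, 16, 32) // hex without a 0x prefix
	n, e2 := strconv.Atoi(d.Syscall)           // decimal
	c, e3 := strconv.ParseUint(d.Code, 0, 32)  // base 0 accepts "0x50000"
	for _, e := range []error{e0, e1, e2, e3} {
		if e != nil {
			return "", "", "", e
		}
	}
	arch, action = archNames[uint32(a)], actions[uint32(c)]
	if name = syscallNames[arch][n]; arch == "" || name == "" || action == "" {
		err = fmt.Errorf("arch=%#x syscall=%d code=%#x not in tables", a, n, c)
	}
	return
}

func main() {
	fmt.Println(Decode([]byte(sampleEvent)))
}
```

Read against the x86_64 table, the same number 221 would name `fadvise64`, so triage of a seccomp violation has to key the lookup on `arch` before deciding which syscall the policy denied.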
@andrewkroh andrewkroh changed the title Packetbeat - Sniffer failed to start (linux/386 binary on x86_64) with seccomp [Packetbeat] - Sniffer failed to start (linux/386 binary on x86_64) with seccomp Aug 2, 2018
ruflin pushed a commit that referenced this issue Aug 8, 2018
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 8, 2018
…c#7840)


(cherry picked from commit c4e7b13)
andrewkroh added a commit to andrewkroh/beats that referenced this issue Aug 8, 2018
…c#7840)


(cherry picked from commit c4e7b13)
adriansr pushed a commit that referenced this issue Aug 9, 2018

(cherry picked from commit c4e7b13)
jsoriano pushed a commit that referenced this issue Aug 17, 2018
…#7918)


(cherry picked from commit c4e7b13)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…c#7840)


(cherry picked from commit f397916)