From 3b038179542f6b7218a261790662a2ea4d81530a Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor <jaime.soriano@elastic.co>
Date: Thu, 24 Sep 2020 13:47:28 +0200
Subject: [PATCH] Stop running auditbeat container as root by default (#21202)

Stop running Auditbeat container as root by default. After this change,
when user root is required it will need to be explicitly set on runtime.
This is already done in Kubernetes manifests and some other examples
in the documentation, so the change is probably not very disruptive.
Also `USER root` is usually not enough to be fully privileged, so some
customization was always expected when running Auditbeat on docker.

(cherry picked from commit 6bd70908fec6b338d9e0a5a41cf4c58a116416ab)
---
 CHANGELOG.next.asciidoc                   | 1 +
 auditbeat/docs/running-on-docker.asciidoc | 2 +-
 auditbeat/magefile.go                     | 2 +-
 auditbeat/scripts/mage/package.go         | 1 -
 x-pack/auditbeat/magefile.go              | 2 +-
 5 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 01d4eef1f12d..32191faac331 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -34,6 +34,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Auditbeat*
 
 - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695]
+- Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202]
 
 *Filebeat*
 
diff --git a/auditbeat/docs/running-on-docker.asciidoc b/auditbeat/docs/running-on-docker.asciidoc
index 74007cdeb357..dee50fa254a3 100644
--- a/auditbeat/docs/running-on-docker.asciidoc
+++ b/auditbeat/docs/running-on-docker.asciidoc
@@ -10,5 +10,5 @@ It is also essential to run {beatname_uc} in the host PID namespace.
 
 ["source","sh",subs="attributes"]
 ----
-docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host {dockerimage}
+docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host {dockerimage}
 ----
diff --git a/auditbeat/magefile.go b/auditbeat/magefile.go
index 73110b173546..bc99856a890a 100644
--- a/auditbeat/magefile.go
+++ b/auditbeat/magefile.go
@@ -92,7 +92,7 @@ func Package() {
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // Update is an alias for running fields, dashboards, config, includes.
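Review bot: Dropping `devtools.WithRootUserContainer()` means the package tests now exercise the image under whatever default user the Docker spec assigns, but nothing in this hunk asserts that the default is actually non-root, so a later change that reintroduces `USER root` in the spec would pass TestPackages silently. If the devtools package-test harness exposes (or can be given) a check on the image's configured user, it would be worth asserting it is not root here, since that is the property this commit is trying to establish. Until then, a one-line comment in the function body would at least record the intent, e.g. `// Run with the image's default (non-root) user; root is expected to be set explicitly at runtime.` The same change is made to x-pack/auditbeat/magefile.go and the same observation applies there.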
diff --git a/auditbeat/scripts/mage/package.go b/auditbeat/scripts/mage/package.go
index fbda2077f4f7..095917051214 100644
--- a/auditbeat/scripts/mage/package.go
+++ b/auditbeat/scripts/mage/package.go
@@ -95,7 +95,6 @@ func CustomizePackaging(pkgFlavor PackagingFlavor) {
 				args.Spec.ReplaceFile("/etc/{{.BeatName}}/{{.BeatName}}.reference.yml", referenceConfig)
 				sampleRulesTarget = "/etc/{{.BeatName}}/" + defaultSampleRulesTarget
 			case devtools.Docker:
-				args.Spec.ExtraVar("user", "root")
 			default:
 				panic(errors.Errorf("unhandled package type: %v", pkgType))
 			}
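Review bot: Removing the only statement under `case devtools.Docker:` leaves an empty case, which is legal Go (an empty case does not fall through) but reads like an accidental deletion to the next maintainer, especially since the sibling cases all set packaging state. A short comment in the case body would make the intent explicit and tie it to this change, e.g. `// Docker: keep the spec's default user; the image no longer runs as root by default.` What the Docker spec falls back to for `user` once the `ExtraVar` override is gone is not visible here and presumably comes from the shared packaging spec, so the comment should not name a specific user. The enclosing CustomizePackaging function starts and ends outside this hunk.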
diff --git a/x-pack/auditbeat/magefile.go b/x-pack/auditbeat/magefile.go
index 989f8e6d7b6d..7484e6465b76 100644
--- a/x-pack/auditbeat/magefile.go
+++ b/x-pack/auditbeat/magefile.go
@@ -84,7 +84,7 @@ func Package() {
 
 // TestPackages tests the generated packages (i.e. file modes, owners, groups).
 func TestPackages() error {
-	return devtools.TestPackages(devtools.WithRootUserContainer())
+	return devtools.TestPackages()
 }
 
 // Update is an alias for running fields, dashboards, config.
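Review bot: As in the OSS magefile, the package tests now run under the image's default user but do not assert that this default is non-root, so a regression to `USER root` in the Docker spec would go unnoticed by TestPackages. A comment such as `// Run with the image's default (non-root) user; root must be requested explicitly at runtime.` would record the intent, and an explicit user assertion in the package-test harness, if one is available, would enforce it.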