[Auditbeat] Determine event.action based on diff against state

[andrewkroh]

What does this PR do?

Rather than using an event.action that is derived from the OS flags provided in the
file notification event the FIM module will determine the event.action based on the
diff between the stored state for the path and the new state.

Why is it important?

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #22170 updated

• • Start Time: 2021-02-01T14:30:18.496+0000

• Duration: 30 min 5 sec

• Commit: 0542651

Test stats 🧪

Test	Results
Failed	0
Passed	978
Skipped	222
Total	1200

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	978
Skipped	222
Total	1200

[andrewkroh]

The initial attempt with

	if event.Action != InitialScan {
		event.Action = action
	}

doesn't work because you lose actions for renames and deletes (they just appear as attribute_modified.

So perhaps we should only use the diff'ed action for updates.

[andrewkroh]

Relates: #17347

[adriansr]

The problem here was:

• Some applications will open files for writing in exclusive mode (non FILE_READ_SHARED).
• ReadOpen above wants read access, so it fails with permission denied.

As GetSecurityInfo doesn't need read access to the file, but only the metadata (READ_CONTROL), I tried opening the file with just that flag. This also fails because the underlying CreateFile will internally add more permissions to the request (SYNCHRONIZE|FILE_READ_ATTRIBUTES) which causes it to still fail for files open with exclusivity.

Finally I came across this SO thread: https://stackoverflow.com/questions/58393139/createfilew-for-read-control-fails-with-access-is-denied-despite-being-owner-o that points to using GetNamedSecurityInfo, which internally does an NtOpenFile call with the minimum required permissions.

[adriansr]

jenkins, test this

[adriansr]

jenkins, test this

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

With the current changes I am seeing attributes_modified when only mtime changed. 👍 @adriansr

One thing I noticed is that I get a sequence of created->deleted->created for new files. Is that explained by some OS behavior? I saw it with both a text editor saving a file and a firefox download on Windows.

auditbeat-fim-create-delete-create.json.txt

[adriansr]

@andrewkroh I've tested under Windows server 2016 and didn't get the created->deleted->created sequence.

This is saving a file with notepad:

Also got similar result with notepad++, but lost the screen capture.

Download a file with iexplore:

Download a file with Firefox:

My understanding is that Windows server 2016 and Windows 10 should behave similarly? Maybe differences in the underlying filesystem?

[andrewkroh]

Your test results look good. I was testing on GCP. The machine is still running if you wanted to look at it.

[adriansr]

Seems like a different behavior under Windows server 2019:

This sequence is indeed what we're getting from fsnotify:

2020-12-30T10:48:45.254Z INFO instance/beat.go:454 auditbeat start running.
2020-12-30T10:48:45.254Z INFO [monitoring] log/log.go:118 Starting metrics logging every 30s
2020-12-30T10:48:51.583Z INFO [file_integrity] file_integrity/eventreader_fsnotify.go:97 Started fsnotify watcher {"file_path": ["C:\Users\adrian_serrano\Documents"], "recursive": true}
2020-12-30T10:49:05.625Z DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:138 Received fsnotify event {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "event_flags": "CREATE"}
2020-12-30T10:49:05.628Z DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:138 Received fsnotify event {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "event_flags": "REMOVE"}
2020-12-30T10:49:05.631Z DEBUG [file_integrity] file_integrity/metricset.go:281 File changed since it was last seen {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "took": 0, "event": {"action": "created", "old": null, "new": {"timestamp":"2020-12-30T10:49:05.6280538Z","path":"C:\Users\adrian_serrano\Documents\doc.txt","info":null,"source":"fsnotify","action":"created"}}}
2020-12-30T10:49:05.734Z DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:138 Received fsnotify event {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "event_flags": "CREATE"}
2020-12-30T10:49:05.740Z DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:138 Received fsnotify event {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "event_flags": "WRITE"}
2020-12-30T10:49:05.740Z DEBUG [file_integrity] file_integrity/metricset.go:281 File changed since it was last seen {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "took": 0, "event": {"action": "deleted", "old": null, "new": {"timestamp":"2020-12-30T10:49:05.6319632Z","path":"C:\Users\adrian_serrano\Documents\doc.txt","info":null,"source":"fsnotify","action":"deleted"}}}
2020-12-30T10:49:05.745Z DEBUG [file_integrity] file_integrity/metricset.go:281 File changed since it was last seen {"file_path": "C:\Users\adrian_serrano\Documents\doc.txt", "took": 3906500, "event": {"action": "created", "old": null, "new": {"timestamp":"2020-12-30T10:49:05.7354821Z","path":"C:\Users\adrian_serrano\Documents\doc.txt","info":{"inode":3096224743861787,"uid":0,"gid":0,"sid":"S-1-5-21-3277996792-4287217755-2489893845-1001","owner":"AKROH-WINDOWS\adrian_serrano","group":"","size":12,"mtime":"2020-12-30T10:49:05.7101082Z","ctime":"2020-12-30T10:49:05.6251136Z","type":"file","mode":438,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"created","hash":{"sha1":"2ef7bde608ce5404e97d5f042f95f89f1c232871"}}}}

Looking at it via Process Monitor shows that when saving a file for the first time (Save...), it is first created and deleted, then created and written to:

When saved using the Save option (no file-selection dialog) it results in just an update event:

I believe the first create-delete sequence is the file-selection dialog verifying that the target file can be created before the dialog is closed.

---

For the Firefox issue however, I couldn't reproduce the created->deleted->created, but I got something that I believe is wrong:

It's missing a final event for the target file (moved/created/updated?). I'm looking into it.

[adriansr]

jenkins test this please

[andrewkroh]

I tested out the a build of this on Windows 2019 (same one in GCP). The results LGTM🥇

Thank you @adriansr!

Saving a file with no changes:

Downloading a file with FF:

[adriansr]

Will add a changelog entry