x-pack/auditbeat/module/system/socket: defend against exec with zero …

…arguments execve can have a zero-length argv so fall back to using /proc/comm, or path base.
elastic · Feb 28, 2022 · aa7298f · aa7298f
1 parent e9e86a8
commit aa7298f
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -47,6 +47,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...main[Check the HEAD dif
 *Auditbeat*
 
 - auditd: Add error.message to events when processing fails. {pull}30009[30009]
+- Fix handling of execve call events which have no argument. {issue}30585[30585] {pull}30586[30586]
 
 *Filebeat*
 

diff --git a/x-pack/auditbeat/module/system/socket/events.go b/x-pack/auditbeat/module/system/socket/events.go
@@ -888,6 +888,8 @@ func (e *execveCall) getProcess() *process {
 	if idx := bytes.IndexByte(e.Path[:], 0); idx >= 0 {
 		// Fast path if we already have the path.
 		p.path = string(e.Path[:idx])
+		// Keep the basename in case we can't get the process name.
+		p.name = filepath.Base(p.path)
 	} else {
 		// Attempt to get the path from the /prox/<pid>/exe symlink.
 		var err error
@@ -896,9 +898,13 @@ func (e *execveCall) getProcess() *process {
 			if pe, ok := err.(*os.PathError); ok && strings.Contains(pe.Path, "(deleted)") {
 				// Keep the deleted path from the PathError.
 				p.path = pe.Path
+				// Keep the basename in case we can't get the process name.
+				p.name = filepath.Base(strings.TrimSuffix(p.path, " (deleted)"))
 			} else {
 				// Fallback to the truncated path.
 				p.path = string(e.Path[:]) + " ..."
+				// Don't trim the ellipsis to indicate this may be incorrect.
+				p.name = filepath.Base(p.path)
 			}
 		}
 	}
@@ -943,8 +949,24 @@ func (e *execveCall) getProcess() *process {
 		}
 	}
 
-	// Get name from first argument.
-	p.name = filepath.Base(p.args[0])
+	// Carefully get the process name; we may have zero arguments.
+	if len(p.args) != 0 {
+		// Get name from first argument.
+		p.name = filepath.Base(p.args[0])
+	} else {
+		// Attempt to get name from /proc/<pid>/comm — only available since 2.6.33.
+		comm, err := os.ReadFile(fmt.Sprintf("/proc/%d/comm", e.Meta.PID))
+		if err == nil {
+			p.name = strings.TrimRight(string(comm), "\x00")
+			if len(p.name) == 16 {
+				// The name may have been truncated if it is TASK_COMM_LEN long.
+				p.name += "..."
+			}
+		} else if p.name == "" {
+			// This should never happen.
+			p.name = "(unknown)"
+		}
+	}
 
 	if e.creds != nil {
 		p.hasCreds = true