Beats: Auditbeat fails to retrieve System Module packages dataset when the Installed-Size of a package contains units

Created on 23 Mar 2020 · 4 Comments · Source: elastic/beats

Auditbeat info

  • Version: 7.4
  • Operating System: Ubuntu 16.04, Ubuntu 18.04

Issue
It seems Auditbeat gets packages data from /var/lib/dpkg/status. In particular, it seems it expects to find in Installed-size a number - see code - but some packages report the installed size in that file with units like 356K, so parsing the packages contents throws an error: "failed to get packages: error getting DEB packages: error converting 356K to int: strconv.ParseUint: parsing "356K": invalid syntax"

I could find only an old version of the definition of that field from the Debian policy, so I do not know if it is current, which effectively indicates: "The disk space is given as the integer value of the estimated installed size in bytes, divided by 1024 and rounded up."

However, the previous does not seem to be enforced, since sometimes packages report that value with units. See the following GitHub issue on the same topic: https://github.com/elastic/beats/issues/16661

Auditbeat SIEM Inbox bug module

All 4 comments

Pinging @elastic/siem (Team:SIEM)

Any idea about which package is causing this?

I can reproduce it by faking the size of package:

  • Grab a .deb (for instance, Filebeat)
  • Decompress it to a folder tmp - dpkg-deb -R filebeat-7.6.1-amd64.deb tmp
  • Edit tmp/DEBIAN/control and change the installed-size line to have a value like 65K
  • Build the package - dpkg-deb --build tmp
  • Install the tmp.deb package: sudo dpkg -i tmp.deb

Now, on starting Auditbeat, it will fail with the aforementioned error.

I've created a PR to fix this: https://github.com/elastic/beats/pull/17188

It's likely too late for 7.6.2, but will be backported to 7.7.0.
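
One way to read Installed-Size so that a value like 356K no longer aborts the whole packages dataset, as an added example (it is not Auditbeat's code and not the change made in the linked PR). The function names, the treatment of K/M/G as multiples of the KiB count, and the sample status text are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample in the layout of /var/lib/dpkg/status (not real data).
const sampleStatus = "Package: alpha\nInstalled-Size: 120\n\nPackage: beta\n" +
	"Installed-Size: 356K\n\nPackage: gamma\nInstalled-Size: lots\n"

// Assumption: a unit suffix scales the KiB count that the policy text describes.
var unitKiB = map[string]uint64{"": 1, "k": 1, "m": 1 << 10, "g": 1 << 20}

// parseInstalledSize returns the size in KiB, accepting values such as "356K".
func parseInstalledSize(v string) (uint64, error) {
	v = strings.TrimSpace(v)
	num := strings.TrimRightFunc(v, func(r rune) bool { return r < '0' || r > '9' })
	n, err := strconv.ParseUint(num, 10, 64)
	mult, ok := unitKiB[strings.ToLower(strings.TrimSpace(v[len(num):]))]
	if err != nil || !ok {
		return 0, fmt.Errorf("unrecognised Installed-Size %q", v)
	}
	return n * mult, nil
}

// parseStatus keeps every package; a bad size becomes a warning, not a failure.
func parseStatus(status string) (sizes map[string]uint64, warns []string) {
	sizes = map[string]uint64{}
	name := ""
	for _, line := range strings.Split(status, "\n") {
		k, v, _ := strings.Cut(line, ":")
		switch strings.ToLower(k) {
		case "package":
			name = strings.TrimSpace(v)
			sizes[name] = 0
		case "installed-size":
			n, err := parseInstalledSize(v)
			if err != nil {
				warns = append(warns, name+": "+err.Error())
			}
			sizes[name] = n
		}
	}
	return sizes, warns
}

func main() { fmt.Println(parseStatus(sampleStatus)) }
```

For a monitoring agent, the point of returning warnings per package is that one malformed control field in a third-party package does not hide the rest of the installed-package inventory.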
