Description
The Beat process on Linux can drop the ability to perform specific syscalls (like execve, fork, clone) using a seccomp-bpf filter. This is a one-way operation: the process gives up those privileges and cannot restore them. This limits the damage that could be done if a vulnerability were ever found.
There is a kernel version requirement, but we can test whether the feature is available and use it when possible.
I wrote a POC that uses google/kafel, a C library that generates the BPF syscall filter from a policy string. We could statically link with the library (we already use cgo in our Beats since 6.0).
When there is a policy violation, the kernel kills the offending thread rather than the whole process, and an audit event is generated when it does so.
FYI you can use /proc/[pid]/status to see if the process has a seccomp filter applied. Look for the Seccomp: line and a value > 0.
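The check described above, as an added Go example (not code from Beats or from the issue author): it parses the Seccomp: line of a status file and maps the value to the kernel's meaning (0 disabled, 1 strict, 2 filter). A kernel built without CONFIG_SECCOMP omits the line altogether, which the parser reports as an error instead of silently treating as "no filter". The function and constant names are my own, and the embedded status excerpt is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// SeccompMode is the value the kernel reports on the "Seccomp:" line of
// /proc/[pid]/status: 0 = disabled, 1 = strict, 2 = filter (seccomp-bpf).
type SeccompMode int

const (
	SeccompDisabled SeccompMode = 0
	SeccompStrict   SeccompMode = 1
	SeccompFilter   SeccompMode = 2
)

func (m SeccompMode) String() string {
	switch m {
	case SeccompDisabled:
		return "disabled"
	case SeccompStrict:
		return "strict"
	case SeccompFilter:
		return "filter"
	}
	return "unknown"
}

// ParseSeccompStatus extracts the seccomp mode from the text of a
// /proc/[pid]/status file. Kernels built without CONFIG_SECCOMP omit the
// line entirely, so a missing line is an error rather than "disabled".
func ParseSeccompStatus(status string) (SeccompMode, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "Seccomp:") {
			continue
		}
		v, err := strconv.Atoi(strings.TrimSpace(strings.TrimPrefix(line, "Seccomp:")))
		if err != nil {
			return 0, fmt.Errorf("malformed line %q: %v", line, err)
		}
		if v < 0 || v > 2 {
			return 0, fmt.Errorf("unknown seccomp mode %d", v)
		}
		return SeccompMode(v), nil
	}
	return 0, fmt.Errorf("no Seccomp: line found (kernel built without CONFIG_SECCOMP?)")
}

// HasSeccompFilter is the "value > 0" check from the issue: true when the
// process is confined by strict mode or by a BPF filter.
func HasSeccompFilter(status string) (bool, error) {
	m, err := ParseSeccompStatus(status)
	if err != nil {
		return false, err
	}
	return m > SeccompDisabled, nil
}

// readProcStatus loads /proc/<pid>/status for a live process; "self" is the
// calling process.
func readProcStatus(pid string) (string, error) {
	b, err := os.ReadFile("/proc/" + pid + "/status")
	return string(b), err
}

// Constructed excerpt of a status file for a Beat running under a filter
// (not captured from a real system).
const sampleStatus = "Name:\tfilebeat\nState:\tS (sleeping)\nPid:\t4242\nSeccomp:\t2\n"

func main() {
	pid := "self"
	if len(os.Args) > 1 {
		pid = os.Args[1]
	}
	status, err := readProcStatus(pid)
	if err != nil {
		fmt.Println("falling back to constructed sample:", err)
		status = sampleStatus
	}
	mode, err := ParseSeccompStatus(status)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("pid %s seccomp mode: %d (%s)\n", pid, mode, mode)
}
```

Run it with a pid as the first argument (or no argument to inspect itself); on a non-Linux host, where /proc is absent, it falls back to the constructed sample so the parsing path can still be exercised.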
We can audit the syscalls used by a Beat by using strace -c [beat cmd], then develop a policy based on that data.
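The audit-then-policy step, as an added Go example (not code from Beats, from the issue author's POC, or from kafel): it parses the summary table that strace -c prints, removes the syscalls the Beat is meant to lose (execve, fork, clone) from the observed set, and renders the remainder in the POLICY / ALLOW / USE ... DEFAULT KILL form shown in the kafel README. Function names and the strace output embedded below are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of the summary table printed by `strace -c` for a
// short-lived process (not real Beat output).
const sampleStraceSummary = `% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 40.00    0.000400          20        20           read
 25.00    0.000250          10        25         3 write
 15.00    0.000150          15        10           epoll_wait
 10.00    0.000100          25         4           openat
  5.00    0.000050          50         1           clone
  5.00    0.000050          50         1         1 execve
------ ----------- ----------- --------- --------- ----------------
100.00    0.001000                    61         4 total
`

var syscallName = regexp.MustCompile(`^[a-z_][a-z0-9_]*$`)

// SyscallsFromStraceSummary returns the sorted, de-duplicated syscall names
// from an `strace -c` summary. Data rows start with a percentage; the header,
// the dashed separators and the trailing "total" row are skipped.
func SyscallsFromStraceSummary(summary string) ([]string, error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(summary))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue
		}
		if _, err := strconv.ParseFloat(fields[0], 64); err != nil {
			continue // header or separator line
		}
		name := fields[len(fields)-1]
		if name == "total" {
			continue
		}
		if !syscallName.MatchString(name) {
			return nil, fmt.Errorf("unexpected syscall name %q", name)
		}
		seen[name] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names, nil
}

// AllowList removes the syscalls the Beat should give up from the observed
// set; with DEFAULT KILL anything not listed is denied, so removal is enough.
func AllowList(observed []string, drop ...string) []string {
	dropped := map[string]bool{}
	for _, d := range drop {
		dropped[d] = true
	}
	var out []string
	for _, s := range observed {
		if !dropped[s] {
			out = append(out, s)
		}
	}
	return out
}

// KafelPolicy renders the allow list in the POLICY/ALLOW/USE/DEFAULT KILL
// shape from the kafel README, a few names per line, no trailing comma.
func KafelPolicy(name string, allowed []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "POLICY %s {\n    ALLOW {\n", name)
	for i := 0; i < len(allowed); i += 6 {
		end := i + 6
		if end > len(allowed) {
			end = len(allowed)
		}
		sep := ","
		if end == len(allowed) {
			sep = ""
		}
		fmt.Fprintf(&b, "        %s%s\n", strings.Join(allowed[i:end], ", "), sep)
	}
	fmt.Fprintf(&b, "    }\n}\nUSE %s DEFAULT KILL\n", name)
	return b.String()
}

func main() {
	observed, err := SyscallsFromStraceSummary(sampleStraceSummary)
	if err != nil {
		panic(err)
	}
	fmt.Print(KafelPolicy("beat", AllowList(observed, "execve", "fork", "vfork", "clone")))
}
```

Two caveats before such a policy goes anywhere near a real Beat: strace -c only lists what the traced run exercised (use strace -f so threads and children are followed, and cover every code path, including error handling), and a few names differ between what strace prints and what kafel's syscall table expects (the kafel README's own example lists newfstat where strace reports fstat), so the generated list needs a review pass against kafel's table for the target architecture.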