Closed
Description
Packetbeat 32-bit on Debian 9 (x86_64) fails to start the sniffer when running with seccomp enabled.
```
2018-06-07T14:33:10.103Z ERROR instance/beat.go:714 Exiting: Sniffer main loop failed: Error starting sniffer: can't get FD flags when changing filter: Operation not permitted
```
Auditbeat was also reporting the seccomp violation.
```json
{
  "@timestamp": "2018-06-07T14:57:06.350Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "doc",
    "version": "7.0.0-alpha1"
  },
  "event": {
    "category": "dac-decision",
    "type": "seccomp",
    "action": "violated-seccomp-policy",
    "module": "auditd"
  },
  "user": {
    "gid": "0",
    "auid": "unset",
    "name_map": {
      "gid": "root",
      "uid": "root"
    },
    "uid": "0"
  },
  "process": {
    "pid": "30690",
    "name": "packetbeat",
    "exe": "/beats/packetbeat/build/distributions/packetbeat-7.0.0-alpha1-SNAPSHOT-linux-x86/packetbeat"
  },
  "auditd": {
    "data": {
      "code": "0x50000",
      "sig": "0",
      "syscall": "221",
      "compat": "1",
      "ip": "0xf775ab49",
      "arch": "40000003"
    },
    "summary": {
      "actor": {
        "primary": "unset",
        "secondary": "root"
      },
      "object": {
        "primary": "221",
        "type": "process"
      },
      "how": "/beats/packetbeat/build/distributions/packetbeat-7.0.0-alpha1-SNAPSHOT-linux-x86/packetbeat"
    },
    "sequence": 7,
    "result": "unknown",
    "session": "unset"
  },
  "beat": {
    "name": "a271a8ba1505",
    "hostname": "a271a8ba1505",
    "version": "7.0.0-alpha1"
  },
  "host": {
    "name": "a271a8ba1505"
  }
}
```
- arch=0x40000003 = i386
- syscall=221 = fcntl64
For confirmed bugs, please report:
- Version: Packetbeat 6.4 and master for linux/386
- Operating System: Debian 9 on x86_64
- Steps to Reproduce: Start Packetbeat with seccomp enabled (default).
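The arch and syscall lookup noted above can be done mechanically when triaging seccomp audit events. The following is an added example, not code from the report or from the Beats project: it decodes the `auditd.data` fields of the event shown above using constants from the Linux UAPI headers. The function name `decode_seccomp_event` is hypothetical, and the syscall tables are deliberately limited to the fcntl family.

```python
import json

# Constants from the Linux UAPI headers (linux/audit.h, linux/seccomp.h).
AUDIT_ARCH_64BIT = 0x80000000             # set in "arch" for 64-bit ABIs
ELF_MACHINES = {3: "i386", 62: "x86_64"}  # EM_386, EM_X86_64 (low 16 bits)
SECCOMP_ACTIONS = {
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00000000: "SECCOMP_RET_KILL_THREAD",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}
# Partial tables (assumption: only the fcntl family is needed here).
# The same operation has a different number on each architecture, so a
# seccomp allow-list written for x86_64 does not cover a 32-bit build.
SYSCALLS = {
    "i386": {55: "fcntl", 221: "fcntl64"},
    "x86_64": {72: "fcntl"},
}

def decode_seccomp_event(event):
    """Resolve the raw auditd.data fields of a seccomp event to names."""
    data = event["auditd"]["data"]
    arch = int(data["arch"], 16)      # hex, logged with or without "0x"
    nr = int(data["syscall"])         # decimal
    code = int(data["code"], 16)      # seccomp filter return value
    machine = ELF_MACHINES.get(arch & 0xFFFF, "unknown")
    return {
        "process": event["process"]["name"],
        "arch": machine,
        "bits": 64 if arch & AUDIT_ARCH_64BIT else 32,
        # compat=1: syscall entered through the kernel's 32-bit compat path
        "compat": data.get("compat") == "1",
        "syscall": SYSCALLS.get(machine, {}).get(nr, f"unknown({nr})"),
        "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code)),
    }

# Constructed sample: the event from the report, trimmed to the fields used.
SAMPLE = json.loads("""
{"process": {"name": "packetbeat"},
 "auditd": {"data": {"code": "0x50000", "syscall": "221",
                     "compat": "1", "arch": "40000003"}}}
""")

if __name__ == "__main__":
    print(decode_seccomp_event(SAMPLE))
```

For the reported event this resolves to `fcntl64` on `i386` with action `SECCOMP_RET_ERRNO`, which matches the "Operation not permitted" error from the sniffer.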