Auditbeat fails to retrieve System Module packages dataset when the Installed-Size of a package contains units

[ismael-hasan]

Auditbeat info

• Version: 7.4
• Operating System: Ubuntu 16.04, Ubuntu 18.04

Issue
It seems Auditbeat gets packages data from /var/lib/dpkg/status. In particular, it seems it expects to find in Installed-size a number - see code - but some packages report the installed size in that file with units like 356K, so parsing the packages contents throws an error: "failed to get packages: error getting DEB packages: error converting 356K to int: strconv.ParseUint: parsing "356K": invalid syntax"

I could find only an old version of the definition of that field from the debian policy, so I do not know if it is current, which effectively indicates: The disk space is given as the integer value of the estimated installed size in bytes, divided by 1024 and rounded up..

However, the previous does not seem to be enforced, since sometimes packages report that value with units. See the following Github issue on the same topic: #16661

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[adriansr]

Any idea about which package is causing this?

[ismael-hasan]

I can reproduce it by faking the size of package:

• Grab a .deb (for instance, Filebeat)
• Decompress it to a folder tmp - dpkg-deb -R filebeat-7.6.1-amd64.deb tmp
• edit tmp/DEBIAN/control and change the installed-size line to have a value like 65K
• Build the package - dpkg-deb --build tmp
• Install the tmp.deb package: sudo dpkg -i tmp.deb

Now, on starting auditbeat, it will fail with the aforementioned error

[adriansr]

I've created a PR to fix this: #17188

It's likely too late for 7.6.2, but will be backported to 7.7.0.

[jamiehynds]

Closing via #17188