[Filebeat] Do not run o365audit input and o365 module in FIPS builds

[ycombinator]

Proposed commit message

This PR ensures that the Filebeat o365audit input will not start in FIPS-capable distributions of Filebeat, as the input indirectly depends on code that is not FIPS-compliant. Specifically, the o365audit input depends on the github.com/Azure/azure-sdk-for-go/sdk/azidentity package. This package, in turn, depends on the golang.org/x/crypto/pkcs12 package, which is not FIPS-compliant. Further, the SDK doesn't plan to offer a way to disable the use of this package at compile time (see Azure/azure-sdk-for-go#24336).

In addition to the o365audit input, the o365 module will also not start in FIPS-capable distributions of Filebeat, as this module uses the o365audit input.

Attempting to run a FIPS-capable distribution of Filebeat with either the o365audit input or the o365 module configured will result in Filebeat not starting up and an error in the Filebeat logs like so:

{"log.level":"info","@timestamp":"2025-06-25T14:21:46.596-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":542},"message":"filebeat stopped.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-06-25T14:21:46.596-0700","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1355},"message":"Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable","service.name":"filebeat","ecs.version":"1.6.0"}
Exiting: Failed to start crawler: starting input failed: error while initializing input: running a FIPS-capable distribution but input [o365audit] is not FIPS capable

The o365audit input declares itself as not being FIPS-capable by setting the ExcludeFromFIPS field on the v2.Plugin struct to true (see also: #45036).

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

FIPS-capable artifacts of Filebeat will not start the o365 module or the o365audit input.

$ mage clean && FIPS=true mage build

$ cat <<EOF > filebeat-test-input.yml
filebeat.inputs:
- type: o365audit
  id: id-nofips
  enabled: true
  application_id: foo
  tenant_id: bar
  client_secret: qux

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-input.yml -e

$ cat <<EOF > filebeat-test-module.yml
filebeat.modules:
- module: o365
  audit:
    enabled: true
    var.application_id: "<MyApplicationID>"
    var.tenants:
     - id: "<MyTenantID>"
       name: "mytenant.onmicrosoft.com"
    var.client_secret: "<YourClientSecretHere>"

output.console:
  enabled: true
EOF
$ ./filebeat -c ./filebeat-test-module.yml -e

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @ycombinator? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[efd6]

This looks like two PRs, one enabling and one that is what's described on the tin. Could we separate them? Also, please include the import path that leads to the concerning import.

[ycombinator]

This looks like two PRs, one enabling and one that is what's described on the tin. Could we separate them?

Created #44920 to enable the module exclusion. Will rework this PR here to only be about what's on the tin once the enabling PR is merged.

[ycombinator]

Also, please include the import path that leads to the concerning import.

Update the PR description. Let me know if that looks good to you.

[efd6]

Let me know if that looks good to you.

Thanks. Crystal clear now.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[efd6]

@ycombinator Can you update the title and propose commit message to explain how this works?

[ycombinator]

@ycombinator Can you update the title and propose commit message to explain how this works?

Done. Let me know if you want me to include the implementation notes, i.e. use of the FIPSAwareInput interface, in the commit message too. I left that out as I figured we wanted the message to be more user-facing but happy to add it in if you think it'll be valuable.

[efd6]

I'd like the implementation details there.

[ycombinator]

I'd like the implementation details there.

Added.

[efd6]

Thanks.

(please make sure to appropriately wrap the commit message)

[ycombinator]

I was testing the changes in this PR again this morning and I'm seeing some flaky behavior. Sometimes Filebeat stops with the "Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [o365audit] is not FIPS capable" error message as expected but sometimes it just hangs and never exits. Investigating...

[ycombinator]

I was testing the changes in this PR again this morning and I'm seeing some flaky behavior. Sometimes Filebeat stops with the "Exiting: Failed to start crawler: starting input failed: running a FIPS-capable distribution but input [o365audit] is not FIPS capable" error message as expected but sometimes it just hangs and never exits. Investigating...

Found a corner-case bug in Filebeat unrelated to this PR: #45034

As such, this PR here is still good to go.

[ycombinator]

@Mergifyio backport 9.1

[mergify]

backport 9.1

✅ Backports have been created

Details

• Backport to branch 9.1 not needed, change already in branch 9.1