From 1209bca121e23d20347224f5d4adf66b9b48f0bf Mon Sep 17 00:00:00 2001 From: Dan Kortschak <90160302+efd6@users.noreply.github.com> Date: Tue, 5 Sep 2023 17:58:50 +0930 Subject: [PATCH] libbeat/processors/add_process_metadata: fix environment collection (#36471) Previously, the go-sysinfo types.Process was not being queried for its environment value if it existed. This is conditionally available depending on platform, so check and add it if it is. --- CHANGELOG.next.asciidoc | 2 +- .../add_process_metadata_test.go | 27 ++++++++++++++++--- .../gosysinfo_provider.go | 9 +++++-- 3 files changed, 32 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f69f030f54e..4465d25f97d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -62,7 +62,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Eliminate cloning of event in deepUpdate {pull}35945[35945]
 - Fix ndjson parser to store JSON fields correctly under `target` {issue}29395[29395]
 - Support build of projects outside of beats directory {pull}36126[36126]
-
+- Fix environment capture by `add_process_metadata` processor. {issue}36469[36469] {pull}36471[36471]
 *Auditbeat*
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
index cd2042d8b89..b31481e8ebc 100644
--- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go
+++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
@@ -21,6 +21,8 @@ import (
 "errors"
 "math"
 "os"
+ "runtime"
+ "strings"
 "testing"
 "time"
 "unsafe"
@@ -819,9 +821,10 @@ func TestUsingCache(t *testing.T) {
 }
 config, err := conf.NewConfigFrom(mapstr.M{
- "match_pids": []string{"system.process.ppid"},
- "include_fields": []string{"container.id"},
- "target": "meta",
+ "match_pids": []string{"system.process.ppid"},
+ "include_fields": []string{"container.id", "process.env"},
+ "target": "meta",
+ "restricted_fields": true,
 })
 if err != nil {
 t.Fatal(err)
@@ -853,6 +856,24 @@ func TestUsingCache(t *testing.T) {
 }
 assert.Equal(t, "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1", containerID)
+ // check environment for GOOSes that support it.
+ switch runtime.GOOS {
+ case "darwin", "linux":
+ env, err := result.Fields.GetValue("meta.process.env")
+ if err != nil {
+ t.Fatal(err)
+ }
+ // The event is for this process, so we can just grab our env to compare.
+ want := make(map[string]string)
+ for _, kv := range os.Environ() {
+ k, v, ok := strings.Cut(kv, "=")
+ if ok {
+ want[k] = v
+ }
+ }
+ assert.Equal(t, want, env)
+ }
+
 ev = beat.Event{
 Fields: mapstr.M{
 "system": mapstr.M{
diff --git a/libbeat/processors/add_process_metadata/gosysinfo_provider.go b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
index e20c5c0b7ff..ecc94233dce 100644
--- a/libbeat/processors/add_process_metadata/gosysinfo_provider.go
+++ b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
@@ -28,8 +28,7 @@ import (
 type gosysinfoProvider struct{}
 func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata, err error) {
- var proc types.Process
- proc, err = sysinfo.Process(pid)
+ proc, err := sysinfo.Process(pid)
 if err != nil {
 return nil, err
 }
@@ -40,6 +39,11 @@ func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata,
 return nil, err
 }
+ var env map[string]string
+ if e, ok := proc.(types.Environment); ok {
+ env, _ = e.Environment()
+ }
+
 username, userid := "", ""
 if userInfo, err := proc.User(); err == nil {
 userid = userInfo.UID
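Review bot: The config in TestUsingCache now sets `"restricted_fields": true` alongside `"process.env"`, so only the opted-in path is exercised. That option appears to be what keeps environment values out of events by default, so now that the provider really collects the environment, a companion case with the option unset that asserts `meta.process.env` is absent would guard against values leaking into output. The test body starts and continues outside this hunk, so such a case may already exist elsewhere in the file.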
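Review bot: When `assert.Equal(t, want, env)` fails it prints both maps, so the test process's entire environment ends up in the test log, and on CI runners that commonly includes tokens and passwords. Comparing per key and reporting only the name, for example `t.Errorf("process.env mismatch for key %q", k)`, keeps the values out of the output. Separately, `os.Environ()` reflects any earlier `os.Setenv` call in the test binary, whereas the provider presumably reads the operating system's view of the process, so the two can diverge; a short comment stating that assumption would help. TestUsingCache starts and ends outside this hunk.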
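Review bot: The error from `e.Environment()` is discarded by `env, _ = e.Environment()` without a comment, so an unreadable environment and an empty one both produce a nil map with no trace. If this is deliberate best-effort behaviour, say so next to the call, e.g. `// Best effort: the environment may be unreadable for processes owned by other users.`. The read also happens on every lookup regardless of whether `process.env` was requested, and environment values commonly hold credentials; if the returned metadata is cached (not visible in this hunk), consider collecting it only when the restricted field is enabled. GetProcessMetadata starts in the previous hunk and continues past this one.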
@@ -51,6 +55,7 @@ func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata,
 r := processMetadata{
 name: info.Name,
 args: info.Args,
+ env: env,
 title: strings.Join(info.Args, " "),
 exe: info.Exe,
 pid: info.PID,