diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 39f80047af3c..809ba6207cee 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -166,6 +166,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 - Add `ignore_errors` option to audit module. {issue}15768[15768] {pull}36851[36851]
 - Fix copy arguments for strict aligned architectures. {pull}36976[36976]
+- Add process capabilities to the process module. {issue}36404[36404] {pull}37303[37303]
 *Filebeat*
diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
index d2dfae065980..5e7420124c3f 100644
--- a/x-pack/auditbeat/module/system/process/process.go
+++ b/x-pack/auditbeat/module/system/process/process.go
@@ -105,6 +105,7 @@ type Process struct {
 UserInfo *types.UserInfo
 User *user.User
 Group *user.Group
+ CapabilityInfo *types.CapabilityInfo
 Hashes map[hasher.HashType]hasher.Digest
 Error error
 }
@@ -353,6 +354,17 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
 },
 }
+ if process.CapabilityInfo != nil {
+ if len(process.CapabilityInfo.Effective) > 0 {
+ event.RootFields.Put("process.thread.capabilities.effective",
+ process.CapabilityInfo.Effective)
+ }
+ if len(process.CapabilityInfo.Permitted) > 0 {
+ event.RootFields.Put("process.thread.capabilities.permitted",
+ process.CapabilityInfo.Permitted)
+ }
+ }
+
 if process.UserInfo != nil {
 putIfNotEmpty(&event.RootFields, "user.id", process.UserInfo.UID)
 putIfNotEmpty(&event.RootFields, "user.group.id", process.UserInfo.GID)
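Review bot: Both `event.RootFields.Put(...)` calls in the processEvent hunk discard the returned value; if RootFields is a mapstr.M, Put returns an error (for example when an intermediate key already holds a non-map value), so a failed write silently drops the capability sets that detection content keying on `process.thread.capabilities.*` would rely on. The user fields a few lines down go through `putIfNotEmpty`, which presumably takes a string and so cannot be reused for the slices here, but the error should still be checked: `if _, err := event.RootFields.Put("process.thread.capabilities.effective", process.CapabilityInfo.Effective); err != nil { /* surface err */ }`, and likewise for Permitted. A short comment above the block would also help readers: `// Only effective and permitted sets are exported; they map to the ECS process.thread.capabilities.* fields.` Ensure the dataset's fields.yml declares these two fields (the change is not visible in this diff). The body of processEvent begins and ends outside the hunk.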
@@ -488,6 +500,13 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 process.UserInfo = &userInfo
 }
+ if capIface, ok := sysinfoProc.(types.Capabilities); ok {
+ process.CapabilityInfo, err = capIface.Capabilities();
+ if err != nil && process.Error == nil {
+ process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
+ sysinfoProc.PID(), err)
+ }
+ }
 // Exclude Linux kernel processes, they are not very interesting.
 if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
 continue
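Review bot: `process.CapabilityInfo, err = capIface.Capabilities();` assigns into the function-scoped `err` and carries a trailing semicolon that gofmt would strip, so the file is likely not gofmt-clean. Because getProcesses continues beyond this hunk, any later `if err != nil` check on that variable would now see a stale capability-read failure from this process (which is also deliberately tolerated here and only recorded in `process.Error`); a tightly scoped pair avoids that: `capInfo, capErr := capIface.Capabilities()`, `process.CapabilityInfo = capInfo`, `if capErr != nil && process.Error == nil {` with `capErr` wrapped in the fmt.Errorf. A blank line before the `// Exclude Linux kernel processes` comment would keep the new block visually separate from the existing filter, matching the spacing used after the UserInfo block above.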