x-pack/auditbeat/module/system/process Report Linux capabilities
Implements #36404
ECS: https://www.elastic.co/guide/en/ecs/master/ecs-process.html#field-process-thread-capabilities-effective

Example output:

```
{
  "@timestamp": "2023-12-05T19:34:54.425Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "8.12.0"
  },
  "process": {
    "thread": {
      "capabilities": {
        "effective": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ],
        "permitted": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ]
      }
    },
    "entity_id": "DADEDQU03GoDNhc1",
    "pid": 2841325,
    "start": "2023-12-05T19:32:53.180Z",
    "args": [
      "systemd-userwork: waiting..."
    ],
...
...
```

Implementation is pretty straightforward: go-sysinfo parses
/proc/$PID/status and fills in CapabilityInfo.

Don't merge, this depends on two external PRs:

elastic/go-sysinfo#196
elastic/go-sysinfo#197

Next step is adding the same to add_process_metadata
haesbaert committed Dec 6, 2023
1 parent 62c5e91 commit 75b48db
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions x-pack/auditbeat/module/system/process/process.go
Expand Up @@ -105,6 +105,7 @@ type Process struct {
UserInfo *types.UserInfo
User *user.User
Group *user.Group
CapabilityInfo *types.CapabilityInfo
Hashes map[hasher.HashType]hasher.Digest
Error error
}
Expand Down Expand Up @@ -353,6 +354,17 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
},
}

if process.CapabilityInfo != nil {
if len(process.CapabilityInfo.Effective) > 0 {
event.RootFields.Put("process.thread.capabilities.effective",
process.CapabilityInfo.Effective)
}
if len(process.CapabilityInfo.Permitted) > 0 {
event.RootFields.Put("process.thread.capabilities.permitted",
process.CapabilityInfo.Permitted)
}
}

if process.UserInfo != nil {
putIfNotEmpty(&event.RootFields, "user.id", process.UserInfo.UID)
putIfNotEmpty(&event.RootFields, "user.group.id", process.UserInfo.GID)
Expand Down Expand Up @@ -488,6 +500,13 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
process.UserInfo = &userInfo
}

if capIface, ok := sysinfoProc.(types.Capabilities); ok {
process.CapabilityInfo, err = capIface.Capabilities();
if err != nil && process.Error == nil {
process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
sysinfoProc.PID(), err)
}
}
// Exclude Linux kernel processes, they are not very interesting.
if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
continue
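Review bot: The new line `process.CapabilityInfo, err = capIface.Capabilities();` in getProcesses ends with a stray semicolon that gofmt removes; drop it so the file stays gofmt-clean. The guard `err != nil && process.Error == nil` means a capability read failure is silently discarded whenever an earlier step already set `process.Error`, which looks deliberate but deserves a one-line comment such as `// keep only the first error for this process; a capability read failure is secondary`. In processEvent, `process.thread.capabilities.effective` and `.permitted` are omitted both when the set is empty and when CapabilityInfo is nil (non-Linux or unparsable status), so a consumer writing detections cannot tell "no capabilities" from "unknown"; if that is intended, a short comment above the `if process.CapabilityInfo != nil` block stating that empty sets are not reported would make the contract explicit. Both processEvent and getProcesses start and end outside their hunks.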
