
[Auditbeat] system.process - report Linux capabilities #36404

Closed
andrewkroh opened this issue Aug 23, 2023 · 3 comments
andrewkroh commented Aug 23, 2023

Describe the enhancement:

Auditbeat system.process reports information about running processes. ECS 8.10 added new process fields that hold the associated Linux capabilities. The system.process module should report the capabilities.

go-sysinfo, which this code already uses, supports fetching this data (source), but the returned strings are not in the exact format expected by ECS.

Describe a specific use case for the enhancement or feature:

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Aug 23, 2023
@andrewkroh andrewkroh added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Aug 23, 2023
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Aug 23, 2023
@norrietaylor

elastic/go-sysinfo#196

haesbaert added a commit that referenced this issue Dec 6, 2023
Implements #36404
ECS: https://www.elastic.co/guide/en/ecs/master/ecs-process.html#field-process-thread-capabilities-effective

Example output:

```
{
  "@timestamp": "2023-12-05T19:34:54.425Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "8.12.0"
  },
  "process": {
    "thread": {
      "capabilities": {
        "effective": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ],
        "permitted": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ]
      }
    },
    "entity_id": "DADEDQU03GoDNhc1",
    "pid": 2841325,
    "start": "2023-12-05T19:32:53.180Z",
    "args": [
      "systemd-userwork: waiting..."
    ],
...
...
```

Implementation is pretty straightforward, go-sysinfo will parse
/proc/$PID/status and fill in CapabilityInfo.

Don't merge, this depends on two external PRs:

elastic/go-sysinfo#196
elastic/go-sysinfo#197

Next step is adding the same to add_process_metadata
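As an added illustration of the /proc/$PID/status parsing the commit describes (example code written here, not go-sysinfo's or Beats' implementation): the CapEff and CapPrm hex masks are decoded into the upper-case CAP_* names that ECS process.thread.capabilities.effective and .permitted expect, and a bit newer than the name table is kept as a CAP_<bit> placeholder instead of disappearing. The name table follows the kernel's capability.h ordering; the status text used for testing is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Capability names by bit number (kernel capability.h order), in the CAP_* spelling ECS expects.
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL", "CAP_SETGID",
	"CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
	"CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE", "CAP_SYS_PACCT",
	"CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
	"CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
}

// CapNames converts a capability bitmask into ECS names, lowest bit first; unknown bits become "CAP_<bit>".
func CapNames(mask uint64) []string {
	names := []string{}
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		name := fmt.Sprintf("CAP_%d", bit) // kernel newer than this table: keep the bit visible
		if bit < len(capNames) {
			name = capNames[bit]
		}
		names = append(names, name)
	}
	return names
}

// ParseStatusCaps maps the CapEff/CapPrm lines of /proc/PID/status text onto ECS "effective"/"permitted".
func ParseStatusCaps(status string) (map[string][]string, error) {
	fields := map[string]string{"CapEff": "effective", "CapPrm": "permitted"}
	out := map[string][]string{}
	for _, line := range strings.Split(status, "\n") {
		key, val, _ := strings.Cut(line, ":") // "CapEff:\t0000000001000004"
		if ecsName, ok := fields[key]; ok {
			mask, err := strconv.ParseUint(strings.TrimSpace(val), 16, 64)
			if err != nil {
				return nil, fmt.Errorf("bad %s mask %q: %w", key, val, err)
			}
			out[ecsName] = CapNames(mask)
		}
	}
	return out, nil
}
```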
botelastic bot commented Dec 5, 2024

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Dec 5, 2024
@andrewkroh (author)

Appears to have been closed by #37453 and released with v8.13.0.
