x-pack/auditbeat/module/system/process Report Linux capabilities

Implements #36404 ECS: https://www.elastic.co/guide/en/ecs/master/ecs-process.html#field-process-thread-capabilities-effective Example output: ``` { "@timestamp": "2023-12-05T19:34:54.425Z", "@metadata": { "beat": "auditbeat", "type": "_doc", "version": "8.12.0" }, "process": { "thread": { "capabilities": { "effective": [ "CAP_DAC_READ_SEARCH", "CAP_SYS_RESOURCE" ], "permitted": [ "CAP_DAC_READ_SEARCH", "CAP_SYS_RESOURCE" ] } }, "entity_id": "DADEDQU03GoDNhc1", "pid": 2841325, "start": "2023-12-05T19:32:53.180Z", "args": [ "systemd-userwork: waiting..." ], ... ... ``` Implementation is pretty straightforward, go-sysinfo will parse /proc/$PID/status and fill in CapabilityInfo. Don't merge, this depends on two external PRs: elastic/go-sysinfo#196 elastic/go-sysinfo#197 Next step is adding the same to add_process_metadata
elastic · Dec 6, 2023 · 93b380e · 93b380e
1 parent 16b713b
commit 93b380e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -166,6 +166,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 - Add `ignore_errors` option to audit module. {issue}15768[15768] {pull}36851[36851]
 - Fix copy arguments for strict aligned architectures. {pull}36976[36976]
+- Add process capabilities to the process module. {issue}36404[36404] {pull}37303[37303]
 
 *Filebeat*
 

diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
@@ -101,12 +101,13 @@ type MetricSet struct {
 
 // Process represents information about a process.
 type Process struct {
-	Info     types.ProcessInfo
-	UserInfo *types.UserInfo
-	User     *user.User
-	Group    *user.Group
-	Hashes   map[hasher.HashType]hasher.Digest
-	Error    error
+	Info           types.ProcessInfo
+	UserInfo       *types.UserInfo
+	User           *user.User
+	Group          *user.Group
+	CapabilityInfo *types.CapabilityInfo
+	Hashes         map[hasher.HashType]hasher.Digest
+	Error          error
 }
 
 // Hash creates a hash for Process.
@@ -353,6 +354,17 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
 		},
 	}
 
+	if process.CapabilityInfo != nil {
+		if len(process.CapabilityInfo.Effective) > 0 {
+			event.RootFields.Put("process.thread.capabilities.effective",
+				process.CapabilityInfo.Effective)
+		}
+		if len(process.CapabilityInfo.Permitted) > 0 {
+			event.RootFields.Put("process.thread.capabilities.permitted",
+				process.CapabilityInfo.Permitted)
+		}
+	}
+
 	if process.UserInfo != nil {
 		putIfNotEmpty(&event.RootFields, "user.id", process.UserInfo.UID)
 		putIfNotEmpty(&event.RootFields, "user.group.id", process.UserInfo.GID)
@@ -488,6 +500,13 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 			process.UserInfo = &userInfo
 		}
 
+		if capIface, ok := sysinfoProc.(types.Capabilities); ok {
+			process.CapabilityInfo, err = capIface.Capabilities()
+			if err != nil && process.Error == nil {
+				process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
+					sysinfoProc.PID(), err)
+			}
+		}
 		// Exclude Linux kernel processes, they are not very interesting.
 		if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
 			continue