x-pack/auditbeat/module/system/process Report Linux capabilities

[haesbaert]

DISREGARD THIS
Implements #36404
ECS: https://www.elastic.co/guide/en/ecs/master/ecs-process.html#field-process-thread-capabilities-effective

Example output:

{
  "@timestamp": "2023-12-05T19:34:54.425Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "8.12.0"
  },
  "process": {
    "thread": {
      "capabilities": {
        "effective": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ],
        "permitted": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ]
      }
    },
    "entity_id": "DADEDQU03GoDNhc1",
    "pid": 2841325,
    "start": "2023-12-05T19:32:53.180Z",
    "args": [
      "systemd-userwork: waiting..."
    ],
...
...

Implementation is pretty straightforward, go-sysinfo will parse /proc/$PID/status and fill in CapabilityInfo.

Don't merge, this depends on two external PRs:

elastic/go-sysinfo#196
elastic/go-sysinfo#197

Next step is adding the same to add_process_metadata

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

$ cat auditbeat.yml

auditbeat.modules:

- module: system
  datasets:
    - process
#    - socket
  period: 1m # The frequency at which the datasets check for changes


  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 5m

output.console:
  pretty: true

eru:beats: cat /d/tmp/auditbeat_socket.yml
auditbeat.modules:

- module: system
  datasets:
    - process
#    - socket
  period: 1m # The frequency at which the datasets check for changes


  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 5m

output.console:
  pretty: true

$ mage build && sudo auditbeat -c /tmp/auditbeat.yml | grep -C100 CAP_

{
  "@timestamp": "2023-12-05T19:34:54.425Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "8.12.0"
  },
  "process": {
    "thread": {
      "capabilities": {
        "effective": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ],
        "permitted": [
          "CAP_DAC_READ_SEARCH",
          "CAP_SYS_RESOURCE"
        ]
      }
    },
    "entity_id": "DADEDQU03GoDNhc1",
    "pid": 2841325,
    "start": "2023-12-05T19:32:53.180Z",
    "args": [
      "systemd-userwork: waiting..."
    ],
....

Related issues

• Closes [Auditbeat] system.process - report Linux capabilities #36404

[botelastic]

This pull request doesn't have a Team:<team> label.

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @haesbaert? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

❕ Build Aborted

Either there was a build timeout or someone aborted the build.

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 25 min 31 sec

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 31 min 2 sec

Pipeline error

This error is likely related to the pipeline itself. Click here
and then you will see the error (either incorrect syntax or an invalid configuration).

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 33 min 37 sec

Pipeline error

This error is likely related to the pipeline itself. Click here
and then you will see the error (either incorrect syntax or an invalid configuration).

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[haesbaert]

I'm going another route