Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Session view processor procfs #38799

Merged
merged 66 commits into from
Apr 15, 2024
Merged

Session view processor procfs #38799

merged 66 commits into from
Apr 15, 2024

Conversation

mjwolf
Copy link
Contributor

@mjwolf mjwolf commented Apr 10, 2024
edited
Loading

Proposed commit message

Add a procfs backend to the auditbeat add_session_metadata processor. For systems that don't support ebpf, this procfs backend can be used instead to enrich auditbeat events with the data needed for session view.

However the backend is expected to be less reliable than the ebpf backend; if processes exit before their info is read from procfs, the info will not be available, and some processes will be not be enriched (particularly very short-lived processes).

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

In the auditbeat config file, add below lines to enable the add_session_metadata processor, with forced procfs backend.

- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  processors:
    - add_session_metadata:
        backend: "procfs"

When running and sending data to a supported Kibana version, the session viewer should show events from auditbeat, powered by procfs.

Related issues

Use cases

Screenshots

Logs

mjwolf and others added 30 commits January 10, 2024 10:53
@mjwolf
Add a add_session_metadata auditbeat processor
88d0a0e 
This processor will enrich process events with additional infomation needed to
enable session view in Kibana.

This processor can be run on Linux systems, and will use eBPF to enrich auditd events
for process exec and exit events. The additional fields that will be added are information
on process parent, session leader and process group leader.
@mjwolf
Add unit tests for add_session_metadata
d5a01bf
@mjwolf
Calculate process entry leader
7cec455 
Calculate and append entry leader information to enriched processes.
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
7de480d 
…r_ebpf
@mjwolf
Add entry leader tests
782504c
@mjwolf
Update CHANGELOG
6b7037b
@mjwolf
Merge branch 'main' into session_view_processor_ebpf
0f610cb
@mjwolf @efd6
Apply suggestions from code review
c688f5a 
Co-authored-by: Dan Kortschak <[email protected]>
@mjwolf
Rework directory structure
f35b4c7
@mjwolf
Remove DB interface
bf38e89 
Remove the DB interface, as there will only be one implementation for it
@mjwolf
Pass DB by reference in tests
910aba2
@mjwolf
Rework entry leader tests
0cbb970
@mjwolf
Reformat processor
06b7064
@mjwolf
Only build tests on Linux
be57ad8
@mjwolf
Add linux build directive to all files in processor
9ad7811
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
f6aad7e 
…r_ebpf
@mjwolf
Add Procfs provider for add_session_view processor
3f0bdae 
Add a procfs provider to the add_session_view processor, which can be used to gather
session metadata on systems where the ebpf implementation is not supported.
@mjwolf
Changes for PR feedback
3598b3c 
* Changed to use time.Duration in timeutils for process start NS
* Used go-cmp library to compare ECS docs in tests
@mjwolf
Merge branch 'elastic:main' into session_view_processor_ebpf
743e8da
@mjwolf
Add empty file to add_session_metadata package
17fdf1c
@mjwolf
Fix linter warnings
1ab4752 
Fix linter warnings and upgrade go-libaudit to v2.5.0
@mjwolf
Merge branch 'main' into session_view_processor_ebpf
23e097c
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
882f8a4 
…r_ebpf
@mjwolf
Use single channel from epbevents
145f627 
ebpfevents library has been updated to use a single channel. Updated to use
latest ebpfevents library and the single channel.
@mjwolf
Use watcher for ebpf events
e9aea4d 
Use watcher, which provides singleton access for ebpfevents
@mjwolf
remove seccomp init
c001219
@mjwolf @mmat11
Update x-pack/auditbeat/internal/ebpf/watcher_linux.go
a5986dd 
Co-authored-by: Mattia Meleleo <[email protected]>
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
5658c76 
…r_ebpf
@mjwolf
Add seccomp policy modification
d5da140
@mjwolf
Merge branch 'session_view_processor_ebpf' of github.com:mjwolf/beats…
ca81839 
… into session_view_processor_ebpf
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
9a52b90 
…r_ebpf
@mjwolf
Remove possibilities of panics
36c8998 
Remove possibe panics in program initialization, and handle unexpected events
more gracefully.
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
5f5f777 
…r_ebpf
@mjwolf
Merge remote-tracking branch 'origin/session_view_processor_ebpf' int…
b43e9bc 
…o session_view_processor_procfs
@mjwolf
Update procfs provider to work with other processor changes
afe10b2
@mjwolf
Retry scraping process if ancestry incomplete
82572d2 
If any process ancestry is incomplete, retry scraping the info from proc.

As procfs scraping can miss events, or not be updated when process re-parenting
happens, if any inconsistancy in the DB is found, rescrape to update the data.
@mjwolf
Merge remote-tracking branch 'origin/main' into session_view_processo…
f2a538f 
…r_procfs
@mjwolf mjwolf added enhancement backport-skip Skip notification from the automated backport with mergify labels Apr 10, 2024
@mjwolf mjwolf requested a review from a team as a code owner April 10, 2024 05:38
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 10, 2024
@mergify mergify bot assigned mjwolf Apr 10, 2024
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 10, 2024
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2024-04-15T17:27:56.038+0000

  • Duration: 47 min 11 sec

Test stats 🧪

Test Results
Failed 0
Passed 467
Skipped 60
Total 527

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@andrewkroh andrewkroh added Team:Security-Linux Platform Linux Platform Team in Security Solution Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution labels Apr 12, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 12, 2024
@andrewkroh andrewkroh added Auditbeat needs_team Indicates that the issue/PR needs a Team:* label labels Apr 12, 2024
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 12, 2024
@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 15, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b session_view_processor_procfs upstream/session_view_processor_procfs
git merge upstream/main
git push upstream session_view_processor_procfs

@mjwolf mjwolf merged commit 1898d37 into elastic:main Apr 15, 2024
39 checks passed
@mjwolf mjwolf deleted the session_view_processor_procfs branch April 15, 2024 18:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@mjwolf mjwolf

Labels
Auditbeat backport-skip Skip notification from the automated backport with mergify enhancement Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mjwolf @elasticmachine @andrewkroh