[Auditbeat] System module - Backlog #9344

@cwurm

Description

Backlog for the Auditbeat system module.

General

  • Unify top-level process object across process, socket, and login metricsets
  • Should Cache be thread-safe (can Fetch() ever be called concurrently)?
  • Add more unit tests, tighten system tests (check every document, check for presence of top-level error object, maybe wait longer for more documents)
  • Make data collection more resilient everywhere (do not fail on every error, collect errors in Error field for every object, log and send to ES)

1. Login

2. Package

  • Tests with sample files (/var/lib/dpkg/status and /usr/local/Cellar)

3. Process

  • Implement using the Linux Audit Framework (system calls exec/execve) by default instead of reading /proc (requires modifying go-libaudit to allow multiple clients/subscribers)

4. Socket

  • Evaluate and possibly implement using the Linux Audit Framework (system calls connect/bind) by default instead of using netlink (requires modifying go-libaudit to allow multiple clients/subscribers)
  • Enrichment by RPC service ([Metricbeat][Auditbeat] RPC enrichment for sockets #8837)

5. User

  • Tests with sample /etc/passwd, /etc/shadow, and /etc/group files
