From 06b8556feeb5f9e19347c8b795b053a1459fd1df Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 27 Apr 2020 23:29:46 -0400 Subject: [PATCH 1/3] [Auditbeat] Add system module package dataset ECS categorization fields --- .../module/system/package/package.go | 21 +++++++++++++++++-- .../system/package/package_homebrew_test.go | 3 +++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/x-pack/auditbeat/module/system/package/package.go b/x-pack/auditbeat/module/system/package/package.go index 4d051827314..d80174f2478 100644 --- a/x-pack/auditbeat/module/system/package/package.go +++ b/x-pack/auditbeat/module/system/package/package.go @@ -76,6 +76,21 @@ func (action eventAction) String() string { } } +func (action eventAction) Type() string { + switch action { + case eventActionExistingPackage: + return "info" + case eventActionPackageInstalled: + return "installation" + case eventActionPackageRemoved: + return "deletion" + case eventActionPackageUpdated: + return "change" + default: + return "info" + } +} + func init() { mb.Registry.MustAddMetricSet(moduleName, metricsetName, New, mb.DefaultMetricSet(), @@ -343,8 +358,10 @@ func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAc event := mb.Event{ RootFields: common.MapStr{ "event": common.MapStr{ - "kind": eventType, - "action": action.String(), + "kind": eventType, + "category": []string{"package"}, + "type": []string{action.Type()}, + "action": action.String(), }, "message": packageMessage(pkg, action), }, diff --git a/x-pack/auditbeat/module/system/package/package_homebrew_test.go b/x-pack/auditbeat/module/system/package/package_homebrew_test.go index 4dae9a22370..007ae741f53 100644 --- a/x-pack/auditbeat/module/system/package/package_homebrew_test.go +++ b/x-pack/auditbeat/module/system/package/package_homebrew_test.go @@ -51,6 +51,9 @@ func TestHomebrew(t *testing.T) { if assert.Len(t, events, 1) { event := mbtest.StandardizeEvent(f, events[0], core.AddDatasetToEvent) + checkFieldValue(t, event, "event.kind", "state") + checkFieldValue(t, event, "event.category", []string{"package"}) + checkFieldValue(t, event, "event.type", []string{"info"}) checkFieldValue(t, event, "system.audit.package.name", "test-package") checkFieldValue(t, event, "system.audit.package.summary", "Test package") checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/") From 5c54f0c2850bcfc37a967691a7b260e25e95e8da Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 27 Apr 2020 23:32:41 -0400 Subject: [PATCH 2/3] add changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b1f70eea949..bb0c27c68ef 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -210,6 +210,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Log to stderr when running using reference kubernetes manifests. {pull}17443[174443] - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500] - Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500] +- Add system module package dataset ECS categorization fields. {pull}18033[18033] *Filebeat* From 490071ab655a199acfb7945216ed6518ad4ca338 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 5 May 2020 00:29:55 -0400 Subject: [PATCH 3/3] Add ECS package fields --- .../module/system/package/package.go | 27 ++++++++++++++++--- .../module/system/package/package_homebrew.go | 1 + .../system/package/package_homebrew_test.go | 5 ++++ .../module/system/package/package_test.go | 6 +++++ .../module/system/package/rpm_common_test.go | 1 + .../module/system/package/rpm_linux.go | 4 ++- 6 files changed, 39 insertions(+), 5 deletions(-) diff --git a/x-pack/auditbeat/module/system/package/package.go b/x-pack/auditbeat/module/system/package/package.go index d80174f2478..b6b11593520 100644 --- a/x-pack/auditbeat/module/system/package/package.go +++ b/x-pack/auditbeat/module/system/package/package.go @@ -122,6 +122,7 @@ type Package struct { Summary string URL string Error error + Type string } // Hash creates a hash for Package. @@ -134,11 +135,15 @@ func (pkg Package) Hash() uint64 { return h.Sum64() } -func (pkg Package) toMapStr() common.MapStr { +func (pkg Package) toMapStr() (common.MapStr, common.MapStr) { mapstr := common.MapStr{ "name": pkg.Name, "version": pkg.Version, } + ecsMapstr := common.MapStr{ + "name": pkg.Name, + "version": pkg.Version, + } if pkg.Release != "" { mapstr.Put("release", pkg.Release) @@ -146,29 +151,39 @@ func (pkg Package) toMapStr() common.MapStr { if pkg.Arch != "" { mapstr.Put("arch", pkg.Arch) + ecsMapstr.Put("architecture", pkg.License) } if pkg.License != "" { mapstr.Put("license", pkg.License) + ecsMapstr.Put("license", pkg.License) } if !pkg.InstallTime.IsZero() { mapstr.Put("installtime", pkg.InstallTime) + ecsMapstr.Put("installed", pkg.InstallTime) } if pkg.Size != 0 { mapstr.Put("size", pkg.Size) + ecsMapstr.Put("size", pkg.Size) } if pkg.Summary != "" { mapstr.Put("summary", pkg.Summary) + ecsMapstr.Put("description", pkg.Summary) } if pkg.URL != "" { mapstr.Put("url", pkg.URL) + ecsMapstr.Put("reference", pkg.URL) } - return mapstr + if pkg.Type != "" { + ecsMapstr.Put("type", pkg.Type) + } + + return mapstr, ecsMapstr } // entityID creates an ID that uniquely identifies this package across machines. @@ -355,6 +370,7 @@ func convertToPackage(cacheValues []interface{}) []*Package { } func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAction) mb.Event { + pkgFields, ecsPkgFields := pkg.toMapStr() event := mb.Event{ RootFields: common.MapStr{ "event": common.MapStr{ @@ -363,9 +379,10 @@ func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAc "type": []string{action.Type()}, "action": action.String(), }, + "package": ecsPkgFields, "message": packageMessage(pkg, action), }, - MetricSetFields: pkg.toMapStr(), + MetricSetFields: pkgFields, } if ms.HostID() != "" { @@ -555,7 +572,9 @@ func (ms *MetricSet) listDebPackages() ([]*Package, error) { value := strings.TrimSpace(words[1]) if pkg == nil { - pkg = &Package{} + pkg = &Package{ + Type: "dpkg", + } } switch strings.ToLower(words[0]) { diff --git a/x-pack/auditbeat/module/system/package/package_homebrew.go b/x-pack/auditbeat/module/system/package/package_homebrew.go index b5b8fa5b36d..063c99187a7 100644 --- a/x-pack/auditbeat/module/system/package/package_homebrew.go +++ b/x-pack/auditbeat/module/system/package/package_homebrew.go @@ -52,6 +52,7 @@ func listBrewPackages() ([]*Package, error) { Name: packageDir.Name(), Version: version.Name(), InstallTime: version.ModTime(), + Type: "brew", } // Read formula diff --git a/x-pack/auditbeat/module/system/package/package_homebrew_test.go b/x-pack/auditbeat/module/system/package/package_homebrew_test.go index 007ae741f53..97fc149fe01 100644 --- a/x-pack/auditbeat/module/system/package/package_homebrew_test.go +++ b/x-pack/auditbeat/module/system/package/package_homebrew_test.go @@ -59,6 +59,11 @@ func TestHomebrew(t *testing.T) { checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/") checkFieldValue(t, event, "system.audit.package.version", "1.0.0") checkFieldValue(t, event, "system.audit.package.entity_id", "Krm421rtYM4wgq1S") + checkFieldValue(t, event, "package.name", "test-package") + checkFieldValue(t, event, "package.description", "Test package") + checkFieldValue(t, event, "package.reference", "https://www.elastic.co/") + checkFieldValue(t, event, "package.version", "1.0.0") + checkFieldValue(t, event, "package.type", "brew") } } } diff --git a/x-pack/auditbeat/module/system/package/package_test.go b/x-pack/auditbeat/module/system/package/package_test.go index d1d8aa5e7f9..c2261015291 100644 --- a/x-pack/auditbeat/module/system/package/package_test.go +++ b/x-pack/auditbeat/module/system/package/package_test.go @@ -75,6 +75,12 @@ func TestDpkg(t *testing.T) { checkFieldValue(t, event, "system.audit.package.summary", "Test Package") checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/") checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04") + checkFieldValue(t, event, "package.name", "test") + checkFieldValue(t, event, "package.size", uint64(269)) + checkFieldValue(t, event, "package.description", "Test Package") + checkFieldValue(t, event, "package.reference", "https://www.elastic.co/") + checkFieldValue(t, event, "package.version", "8.2.0-1ubuntu2~18.04") + checkFieldValue(t, event, "package.type", "dpkg") } } diff --git a/x-pack/auditbeat/module/system/package/rpm_common_test.go b/x-pack/auditbeat/module/system/package/rpm_common_test.go index 2e75d475811..ce384e9165c 100644 --- a/x-pack/auditbeat/module/system/package/rpm_common_test.go +++ b/x-pack/auditbeat/module/system/package/rpm_common_test.go @@ -41,6 +41,7 @@ func rpmPackagesByExec() ([]*Package, error) { // size - 6 URL: words[7], Summary: words[8], + Type: "rpm", } ts, err := strconv.ParseInt(words[5], 10, 64) if err != nil { diff --git a/x-pack/auditbeat/module/system/package/rpm_linux.go b/x-pack/auditbeat/module/system/package/rpm_linux.go index 46e4f34cbc4..76e10fd8164 100644 --- a/x-pack/auditbeat/module/system/package/rpm_linux.go +++ b/x-pack/auditbeat/module/system/package/rpm_linux.go @@ -357,7 +357,9 @@ func packageFromHeader(header C.Header, openedLibrpm *librpm) (*Package, error) } defer C.my_headerFree(openedLibrpm.headerFree, header) - pkg := Package{} + pkg := Package{ + Type: "rpm", + } name := C.my_headerGetString(openedLibrpm.headerGetString, header, RPMTAG_NAME) if name != nil {