add_process_metadata: enrich process info with process owner (#21068) (…

…#21111) Enrich process metadata with process owner info. Creates two new fields, "owner.id" and "owner.name" under "process".
elastic · Jul 19, 2021 · 16e2989 · 16e2989
1 parent 683130a
commit 16e2989
Show file tree

Hide file tree

Showing 26 changed files with 421 additions and 24 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -616,6 +616,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add orchestrator.cluster.name/url fields as k8s metadata {pull}26056[26056]
 - Libbeat: report beat version to monitoring. {pull}26214[26214]
 - Ensure common proxy settings support in HTTP clients: proxy_disabled, proxy_url, proxy_headers and typical environment variables HTTP_PROXY, HTTPS_PROXY, NOPROXY. {pull}25219[25219]
+- `add_process_metadata` processor enrich process information with owner name and id. {issue}21068[21068] {pull}21111[21111]
 
 *Auditbeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -12676,6 +12676,39 @@ alias to: process.executable
 
 --
 
+[float]
+=== owner
+
+Process owner information.
+
+
+*`process.owner.id`*::
++
+--
+Unique identifier of the user.
+
+type: keyword
+
+--
+
+*`process.owner.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`process.owner.name.text`*::
++
+--
+type: text
+
+--
+
 [[exported-fields-system]]
 == System fields
 

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -114836,6 +114836,39 @@ alias to: process.executable
 
 --
 
+[float]
+=== owner
+
+Process owner information.
+
+
+*`process.owner.id`*::
++
+--
+Unique identifier of the user.
+
+type: keyword
+
+--
+
+*`process.owner.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`process.owner.name.text`*::
++
+--
+type: text
+
+--
+
 [[exported-fields-proofpoint]]
 == Proofpoint Email Security fields
 

diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go
diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc
@@ -10258,6 +10258,39 @@ alias to: process.executable
 
 --
 
+[float]
+=== owner
+
+Process owner information.
+
+
+*`process.owner.id`*::
++
+--
+Unique identifier of the user.
+
+type: keyword
+
+--
+
+*`process.owner.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`process.owner.name.text`*::
++
+--
+type: text
+
+--
+
 [[exported-fields-resolve]]
 == Host lookup fields
 

diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go
diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc
@@ -10603,3 +10603,36 @@ alias to: process.executable
 
 --
 
+[float]
+=== owner
+
+Process owner information.
+
+
+*`process.owner.id`*::
++
+--
+Unique identifier of the user.
+
+type: keyword
+
+--
+
+*`process.owner.name`*::
++
+--
+Short name or login of the user.
+
+type: keyword
+
+example: albert
+
+--
+
+*`process.owner.name.text`*::
++
+--
+type: text
+
+--
+
diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go
diff --git a/libbeat/processors/add_process_metadata/_meta/fields.yml b/libbeat/processors/add_process_metadata/_meta/fields.yml
@@ -10,3 +10,22 @@
           type: alias
           path: process.executable
           migration: true
+        - name: owner
+          type: group
+          description: Process owner information.
+          fields:
+            - name: id
+              type: keyword
+              ignore_above: 1024
+              description: Unique identifier of the user.
+            - name: name
+              type: keyword
+              ignore_above: 1024
+              multi_fields:
+              - name: text
+                type: text
+                norms: false
+                default_field: false
+              description: Short name or login of the user.
+              example: albert
+
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata.go b/libbeat/processors/add_process_metadata/add_process_metadata.go
@@ -65,11 +65,11 @@ type addProcessMetadata struct {
 }
 
 type processMetadata struct {
-	name, title, exe string
-	args             []string
-	env              map[string]string
-	startTime        time.Time
-	pid, ppid        int
+	name, title, exe, username, userid string
+	args                               []string
+	env                                map[string]string
+	startTime                          time.Time
+	pid, ppid                          int
 	//
 	fields common.MapStr
 }
@@ -301,16 +301,28 @@ func (p *addProcessMetadata) String() string {
 }
 
 func (p *processMetadata) toMap() common.MapStr {
+	process := common.MapStr{
+		"name":       p.name,
+		"title":      p.title,
+		"executable": p.exe,
+		"args":       p.args,
+		"env":        p.env,
+		"pid":        p.pid,
+		"ppid":       p.ppid,
+		"start_time": p.startTime,
+	}
+	if p.username != "" || p.userid != "" {
+		user := common.MapStr{}
+		if p.username != "" {
+			user["name"] = p.username
+		}
+		if p.userid != "" {
+			user["id"] = p.userid
+		}
+		process["owner"] = user
+	}
+
 	return common.MapStr{
-		"process": common.MapStr{
-			"name":       p.name,
-			"title":      p.title,
-			"executable": p.exe,
-			"args":       p.args,
-			"env":        p.env,
-			"pid":        p.pid,
-			"ppid":       p.ppid,
-			"start_time": p.startTime,
-		},
+		"process": process,
 	}
 }
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
@@ -50,6 +50,8 @@ func TestAddProcessMetadata(t *testing.T) {
 			pid:       1,
 			ppid:      0,
 			startTime: startTime,
+			username:  "root",
+			userid:    "0",
 		},
 		3: {
 			name:  "systemd",
@@ -65,6 +67,8 @@ func TestAddProcessMetadata(t *testing.T) {
 			pid:       1,
 			ppid:      0,
 			startTime: startTime,
+			username:  "user",
+			userid:    "1001",
 		},
 	}
 
@@ -136,6 +140,10 @@ func TestAddProcessMetadata(t *testing.T) {
 					"pid":        1,
 					"ppid":       0,
 					"start_time": startTime,
+					"owner": common.MapStr{
+						"name": "root",
+						"id":   "0",
+					},
 				},
 				"container": common.MapStr{
 					"id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -217,6 +225,10 @@ func TestAddProcessMetadata(t *testing.T) {
 						"pid":        1,
 						"ppid":       0,
 						"start_time": startTime,
+						"owner": common.MapStr{
+							"name": "root",
+							"id":   "0",
+						},
 					},
 					"container": common.MapStr{
 						"id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -251,6 +263,10 @@ func TestAddProcessMetadata(t *testing.T) {
 							"BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
 							"LANG":       "en_US.UTF-8",
 						},
+						"owner": common.MapStr{
+							"name": "root",
+							"id":   "0",
+						},
 					},
 					"container": common.MapStr{
 						"id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -286,6 +302,10 @@ func TestAddProcessMetadata(t *testing.T) {
 							"BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
 							"LANG":       "en_US.UTF-8",
 						},
+						"owner": common.MapStr{
+							"name": "root",
+							"id":   "0",
+						},
 					},
 				},
 			},
@@ -474,6 +494,10 @@ func TestAddProcessMetadata(t *testing.T) {
 					"pid":        1,
 					"ppid":       0,
 					"start_time": startTime,
+					"owner": common.MapStr{
+						"name": "root",
+						"id":   "0",
+					},
 				},
 				"container": common.MapStr{
 					"id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -593,6 +617,10 @@ func TestAddProcessMetadata(t *testing.T) {
 					"pid":        1,
 					"ppid":       0,
 					"start_time": startTime,
+					"owner": common.MapStr{
+						"name": "user",
+						"id":   "1001",
+					},
 				},
 			},
 		},
@@ -646,6 +674,26 @@ func TestAddProcessMetadata(t *testing.T) {
 				},
 			},
 		},
+		{
+			description: "only user",
+			config: common.MapStr{
+				"match_pids":     []string{"ppid"},
+				"target":         "",
+				"include_fields": []string{"process.owner"},
+			},
+			event: common.MapStr{
+				"ppid": "1",
+			},
+			expected: common.MapStr{
+				"ppid": "1",
+				"process": common.MapStr{
+					"owner": common.MapStr{
+						"id":   "0",
+						"name": "root",
+					},
+				},
+			},
+		},
 	} {
 		t.Run(test.description, func(t *testing.T) {
 			config, err := common.NewConfigFrom(test.config)

diff --git a/libbeat/processors/add_process_metadata/config.go b/libbeat/processors/add_process_metadata/config.go
@@ -69,6 +69,10 @@ var defaultFields = common.MapStr{
 		"pid":        nil,
 		"ppid":       nil,
 		"start_time": nil,
+		"owner": common.MapStr{
+			"name": nil,
+			"id":   nil,
+		},
 	},
 	"container": common.MapStr{
 		"id": nil,

diff --git a/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc b/libbeat/processors/add_process_metadata/docs/add_process_metadata.asciidoc
@@ -27,6 +27,10 @@ The fields added to the event look as follows:
   "pid":   1,
   "ppid":  0,
   "start_time": "2018-08-22T08:44:50.684Z",
+  "owner": {
+    "name": "root",
+    "id": "0"
+  }
 },
 "container": {
   "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"

diff --git a/libbeat/processors/add_process_metadata/gosigar_provider.go b/libbeat/processors/add_process_metadata/gosigar_provider.go
@@ -60,6 +60,7 @@ func (p gosigarProvider) GetProcessMetadata(pid int) (result *processMetadata, e
 		env:       procEnv.Vars,
 		pid:       pid,
 		ppid:      procState.Ppid,
+		username:  procState.Username,
 		startTime: time.Unix(int64(procTime.StartTime/1000), int64(procTime.StartTime%1000)*1000000),
 	}
 	r.fields = r.toMap()