Changed auditd fields for ECS (#10195)

* Changed auditd fields for ECS

- Rename `process.cwd` to `process.working_directory` in auditd module.
- Change data type of `process.pid` and `process.ppid` to number in JSON output.
- Add user.id (same as UID) and user.name.
- Add group.id (same as GID) and group.name.

Issue #10111

* Change file.uid/file.gid to string in JSON output

The JSON data type was number but ECS says it should be a keyword which is a JSON string.

Fixes #9607

CHANGELOG.next.asciidoc

@@ -22,6 +22,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Auditbeat*
 - Rename `process.exe` to `process.executable` in auditd module to align with ECS. {pull}9949[9949]
+- Rename `process.cwd` to `process.working_directory` in auditd module to align with ECS. {pull}10195[10195]
+- Change data type of `process.pid` and `process.ppid` to number in JSON output
+  of the auditd module. {pull}10195[10195]
+- Change data type of `file.uid` and `file.gid` to string in JSON output of the
+  FIM module. {pull}10195[10195]
 
 *Filebeat*
 
@@ -137,6 +142,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Auditbeat*
 
 - Add system module. {pull}9546[9546]
+- Add `user.id` (UID) and `user.name` for ECS. {pull}10195[10195]
+- Add `group.id` (GID) and `group.name` for ECS. {pull}10195[10195]
 
 *Filebeat*
 

auditbeat/docs/breaking.asciidoc

@@ -7,9 +7,23 @@ In version 7.0 the following fields were renamed.
 [frame="topbot",options="header"]
 |======================
 |Old Field|New Field
+|`process.cwd`            |`process.working_directory`
 |`source.hostname`        |`source.domain`
 |======================
 
+The JSON data types produced by the output have been changed to align with
+the data types used in the Elasticsearch index template.
+
+.Type Changes in 7.0
+[frame="topbot",options="header"]
+|======================
+|Field|Old Type|New Type
+|`file.gid`     |number |string
+|`file.uid`     |number |string
+|`process.pid`  |string |number
+|`process.ppid` |string |number
+|======================
+
 == Breaking changes in 6.2
 
 As a general rule, we strive to keep backwards compatibility between minor

auditbeat/docs/fields.asciidoc

@@ -263,7 +263,9 @@ Process attributes.
 *`process.cwd`*::
 +
 --
-type: keyword
+type: alias
+
+alias to: process.working_directory
 
 The current working directory.
 

auditbeat/module/auditd/_meta/accept.json

@@ -37,14 +37,18 @@
         "module": "auditd",
         "type": "syscall"
     },
+    "group": {
+        "id": "0",
+        "name": "root"
+    },
     "network": {
         "direction": "incoming"
     },
     "process": {
         "executable": "/usr/sbin/sshd",
         "name": "sshd",
-        "pid": "1663",
-        "ppid": "1",
+        "pid": 1663,
+        "ppid": 1,
         "title": "(sshd)"
     },
     "service": {
@@ -64,6 +68,8 @@
         "fsgid": "0",
         "fsuid": "0",
         "gid": "0",
+        "id": "0",
+        "name": "root",
         "name_map": {
             "egid": "root",
             "euid": "root",

auditbeat/module/auditd/_meta/data.json

@@ -37,7 +37,7 @@
     },
     "process": {
         "executable": "/usr/sbin/sshd",
-        "pid": "12635"
+        "pid": 12635
     },
     "service": {
         "type": "auditd"
@@ -47,6 +47,8 @@
     },
     "user": {
         "auid": "unset",
+        "id": "0",
+        "name": "root",
         "name_map": {
             "uid": "root"
         },

auditbeat/module/auditd/_meta/execve.json

@@ -66,17 +66,20 @@
         "path": "/bin/uname",
         "uid": "0"
     },
+    "group": {
+        "id": "1002"
+    },
     "process": {
         "args": [
             "uname",
             "-a"
         ],
-        "cwd": "/home/andrew_kroh",
         "executable": "/bin/uname",
         "name": "uname",
-        "pid": "10043",
-        "ppid": "10027",
-        "title": "uname -a"
+        "pid": 10043,
+        "ppid": 10027,
+        "title": "uname -a",
+        "working_directory": "/home/andrew_kroh"
     },
     "service": {
         "type": "auditd"
@@ -91,6 +94,7 @@
         "fsgid": "1002",
         "fsuid": "1001",
         "gid": "1002",
+        "id": "1001",
         "sgid": "1002",
         "suid": "1001",
         "uid": "1001"

auditbeat/module/auditd/_meta/fields.yml

@@ -93,7 +93,9 @@
     description: Process attributes.
     fields:
     - name: cwd
-      type: keyword
+      type: alias
+      path: process.working_directory
+      migration: true
       description: The current working directory.
 
   - name: source

auditbeat/module/auditd/audit_linux.go

@@ -486,6 +486,7 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 
 	// Add root level fields.
 	addUser(auditEvent.User, out.RootFields)
+	addGroup(auditEvent.User, out.RootFields)
 	addProcess(auditEvent.Process, out.RootFields)
 	addFile(auditEvent.File, out.RootFields)
 	addAddress(auditEvent.Source, "source", out.RootFields)
@@ -546,6 +547,25 @@ func addUser(u aucoalesce.User, m common.MapStr) {
 			user["name_map"] = u.Names
 		}
 	}
+	if uid, found := u.IDs["uid"]; found {
+		user["id"] = uid
+	}
+	if uidName, found := u.Names["uid"]; found {
+		user["name"] = uidName
+	}
+}
+
+func addGroup(u aucoalesce.User, m common.MapStr) {
+	group := make(common.MapStr, 2)
+	if gid, found := u.IDs["gid"]; found {
+		group["id"] = gid
+	}
+	if gidName, found := u.Names["gid"]; found {
+		group["name"] = gidName
+	}
+	if len(group) > 0 {
+		m.Put("group", group)
+	}
 }
 
 func addProcess(p aucoalesce.Process, m common.MapStr) {
@@ -556,10 +576,14 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
 	process := common.MapStr{}
 	m.Put("process", process)
 	if p.PID != "" {
-		process["pid"] = p.PID
+		if pid, err := strconv.Atoi(p.PID); err == nil {
+			process["pid"] = pid
+		}
 	}
 	if p.PPID != "" {
-		process["ppid"] = p.PPID
+		if ppid, err := strconv.Atoi(p.PPID); err == nil {
+			process["ppid"] = ppid
+		}
 	}
 	if p.Title != "" {
 		process["title"] = p.Title
@@ -571,7 +595,7 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
 		process["executable"] = p.Exe
 	}
 	if p.CWD != "" {
-		process["cwd"] = p.CWD
+		process["working_directory"] = p.CWD
 	}
 	if len(p.Args) > 0 {
 		process["args"] = p.Args

auditbeat/module/auditd/audit_linux_test.go

@@ -222,7 +222,7 @@ func assertHasBinCatExecve(t *testing.T, events []mb.Event) {
 	t.Helper()
 
 	for _, e := range events {
-		v, err := e.RootFields.GetValue("process.exe")
+		v, err := e.RootFields.GetValue("process.executable")
 		if err == nil {
 			if exe, ok := v.(string); ok && exe == "/bin/cat" {
 				return

auditbeat/module/file_integrity/_meta/data.json

@@ -9,22 +9,26 @@
             "created",
             "updated"
         ],
+        "dataset": "file",
         "module": "file_integrity"
     },
     "file": {
-        "ctime": "2018-01-05T03:28:26Z",
-        "gid": 20,
+        "ctime": "2019-01-19T15:21:37.939882147Z",
+        "gid": "20",
         "group": "staff",
-        "inode": "20164115",
+        "inode": "8028777",
         "mode": "0600",
-        "mtime": "2018-01-05T03:28:26Z",
+        "mtime": "2019-01-19T15:21:37.939882147Z",
         "owner": "akroh",
-        "path": "/private/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file864778064/file.data",
+        "path": "/private/var/folders/kx/7y5ztvx100z148jvds11c6rh0000gn/T/audit-file418060202/file.data",
         "size": 11,
         "type": "file",
-        "uid": 501
+        "uid": "501"
     },
     "hash": {
         "sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed"
+    },
+    "service": {
+        "type": "file_integrity"
     }
 }

auditbeat/module/file_integrity/event.go

@@ -249,8 +249,8 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
 				file["uid"] = info.SID
 			}
 		} else {
-			file["uid"] = info.UID
-			file["gid"] = info.GID
+			file["uid"] = strconv.Itoa(int(info.UID))
+			file["gid"] = strconv.Itoa(int(info.GID))
 			file["mode"] = fmt.Sprintf("%#04o", uint32(info.Mode))
 		}
 

dev-tools/ecs-migration.yml

@@ -799,6 +799,10 @@
   to: process.executable
   alias: true
 
+- from: process.cwd
+  to: process.working_directory
+  alias: true
+
 
 # Metricbeat