

Changed auditd fields for ECS
- Rename `process.cwd` to `process.working_directory` in auditd module.
- Change data type of `process.pid` and `process.ppid` to number in JSON output.
- Add user.id (same as UID) and user.name.
- Add group.id (same as GID) and group.name.

Issue #10111
andrewkroh committed Jan 19, 2019
1 parent 4a837b7 commit 7f3c1dd
Showing 11 changed files with 74 additions and 14 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -22,6 +22,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Auditbeat*
- Rename `process.exe` to `process.executable` in auditd module to align with ECS. {pull}9949[9949]
- Rename `process.cwd` to `process.working_directory` in auditd module to align with ECS. {pull}10195[10195]
- Change data type of `process.pid` and `process.ppid` to number in JSON output. {pull}10195[10195]

*Filebeat*

Expand Down Expand Up @@ -133,6 +135,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Auditbeat*

- Add system module. {pull}9546[9546]
- Add `user.id` (UID) and `user.name` for ECS. {pull}10195[10195]
- Add `group.id` (GID) and `group.name` for ECS. {pull}10195[10195]

*Filebeat*

12 changes: 12 additions & 0 deletions auditbeat/docs/breaking.asciidoc
Expand Up @@ -7,9 +7,21 @@ In version 7.0 the following fields were renamed.
[frame="topbot",options="header"]
|======================
|Old Field|New Field
|`process.cwd` |`process.working_directory`
|`source.hostname` |`source.domain`
|======================

The JSON data types produced by the output have been changed to align with
the data types used in the Elasticsearch index template.

.Type Changes in 7.0
[frame="topbot",options="header"]
|======================
|Field|Old Type|New Type
|`process.pid` |string |number
|`process.ppid` |string |number
|======================

== Breaking changes in 6.2

As a general rule, we strive to keep backwards compatibility between minor
4 changes: 3 additions & 1 deletion auditbeat/docs/fields.asciidoc
Expand Up @@ -263,7 +263,9 @@ Process attributes.
*`process.cwd`*::
+
--
type: keyword
type: alias
alias to: process.working_directory
The current working directory.
10 changes: 8 additions & 2 deletions auditbeat/module/auditd/_meta/accept.json
Expand Up @@ -37,14 +37,18 @@
"module": "auditd",
"type": "syscall"
},
"group": {
"id": "0",
"name": "root"
},
"network": {
"direction": "incoming"
},
"process": {
"executable": "/usr/sbin/sshd",
"name": "sshd",
"pid": "1663",
"ppid": "1",
"pid": 1663,
"ppid": 1,
"title": "(sshd)"
},
"service": {
Expand All @@ -64,6 +68,8 @@
"fsgid": "0",
"fsuid": "0",
"gid": "0",
"id": "0",
"name": "root",
"name_map": {
"egid": "root",
"euid": "root",
4 changes: 3 additions & 1 deletion auditbeat/module/auditd/_meta/data.json
Expand Up @@ -37,7 +37,7 @@
},
"process": {
"executable": "/usr/sbin/sshd",
"pid": "12635"
"pid": 12635
},
"service": {
"type": "auditd"
Expand All @@ -47,6 +47,8 @@
},
"user": {
"auid": "unset",
"id": "0",
"name": "root",
"name_map": {
"uid": "root"
},
12 changes: 8 additions & 4 deletions auditbeat/module/auditd/_meta/execve.json
Expand Up @@ -66,17 +66,20 @@
"path": "/bin/uname",
"uid": "0"
},
"group": {
"id": "1002"
},
"process": {
"args": [
"uname",
"-a"
],
"cwd": "/home/andrew_kroh",
"executable": "/bin/uname",
"name": "uname",
"pid": "10043",
"ppid": "10027",
"title": "uname -a"
"pid": 10043,
"ppid": 10027,
"title": "uname -a",
"working_directory": "/home/andrew_kroh"
},
"service": {
"type": "auditd"
Expand All @@ -91,6 +94,7 @@
"fsgid": "1002",
"fsuid": "1001",
"gid": "1002",
"id": "1001",
"sgid": "1002",
"suid": "1001",
"uid": "1001"
4 changes: 3 additions & 1 deletion auditbeat/module/auditd/_meta/fields.yml
Expand Up @@ -93,7 +93,9 @@
description: Process attributes.
fields:
- name: cwd
type: keyword
type: alias
path: process.working_directory
migration: true
description: The current working directory.

- name: source
30 changes: 27 additions & 3 deletions auditbeat/module/auditd/audit_linux.go
Expand Up @@ -486,6 +486,7 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event

// Add root level fields.
addUser(auditEvent.User, out.RootFields)
addGroup(auditEvent.User, out.RootFields)
addProcess(auditEvent.Process, out.RootFields)
addFile(auditEvent.File, out.RootFields)
addAddress(auditEvent.Source, "source", out.RootFields)
Expand Down Expand Up @@ -546,6 +547,25 @@ func addUser(u aucoalesce.User, m common.MapStr) {
user["name_map"] = u.Names
}
}
if uid, found := u.IDs["uid"]; found {
user["id"] = uid
}
if uidName, found := u.Names["uid"]; found {
user["name"] = uidName
}
}

func addGroup(u aucoalesce.User, m common.MapStr) {
group := make(common.MapStr, 2)
if gid, found := u.IDs["gid"]; found {
group["id"] = gid
}
if gidName, found := u.Names["gid"]; found {
group["name"] = gidName
}
if len(group) > 0 {
m.Put("group", group)
}
}

func addProcess(p aucoalesce.Process, m common.MapStr) {
Expand All @@ -556,10 +576,14 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
process := common.MapStr{}
m.Put("process", process)
if p.PID != "" {
process["pid"] = p.PID
if pid, err := strconv.Atoi(p.PID); err == nil {
process["pid"] = pid
}
}
if p.PPID != "" {
process["ppid"] = p.PPID
if ppid, err := strconv.Atoi(p.PPID); err == nil {
process["ppid"] = ppid
}
}
if p.Title != "" {
process["title"] = p.Title
Expand All @@ -571,7 +595,7 @@ func addProcess(p aucoalesce.Process, m common.MapStr) {
process["executable"] = p.Exe
}
if p.CWD != "" {
process["cwd"] = p.CWD
process["working_directory"] = p.CWD
}
if len(p.Args) > 0 {
process["args"] = p.Args
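Review bot: In the addProcess hunk (`@@ -556,10 +576,14 @@`) a `strconv.Atoi` failure on `p.PID` or `p.PPID` is silently swallowed, so an unparsable value makes `process.pid`/`process.ppid` disappear from the event with no trace, which is easy to miss in a detection pipeline that keys on those fields and differs from the previous behaviour of always emitting the raw string. At minimum the intent should be stated, e.g. `// pid/ppid are emitted as numbers for ECS; values that do not parse are dropped rather than sent as strings, so they never reach the index as a conflicting type`, and a debug log of the dropped value would help when a record does not parse (the file's logger is not visible in this hunk). The two branches repeat the same parse-and-put pattern; a small helper such as `func putInt(m common.MapStr, key, value string)` would keep that policy in one place and avoid the two blocks drifting apart. The enclosing addProcess function starts before this hunk.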
2 changes: 1 addition & 1 deletion auditbeat/module/auditd/audit_linux_test.go
Expand Up @@ -222,7 +222,7 @@ func assertHasBinCatExecve(t *testing.T, events []mb.Event) {
t.Helper()

for _, e := range events {
v, err := e.RootFields.GetValue("process.exe")
v, err := e.RootFields.GetValue("process.executable")
if err == nil {
if exe, ok := v.(string); ok && exe == "/bin/cat" {
return
2 changes: 1 addition & 1 deletion auditbeat/module/auditd/fields.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 4 additions & 0 deletions dev-tools/ecs-migration.yml
Expand Up @@ -799,6 +799,10 @@
to: process.executable
alias: true

- from: process.cwd
to: process.working_directory
alias: true


# Metricbeat

