From eb5f27de65a2fc8c25ccfbcf065fee9cca0599db Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Fri, 15 Oct 2021 08:04:26 -0400
Subject: [PATCH] [Auditbeat] Field cleanup for 8.0 (#28378)
* Remove `hash.*` from Auditbeat file_integrity for 8.0
Relates #19039
* Remove non-ECS event.type from Auditbeat auditd module
Removes the authentication_success and authentication_failure event.type values for user logins.
Relates #19039
---
 CHANGELOG.next.asciidoc | 3 ++-
 auditbeat/module/auditd/audit_linux.go | 27 ++-----------------
 auditbeat/module/auditd/audit_linux_test.go | 4 +--
 .../testdata/userlogin.log-expected.json | 8 +++---
 auditbeat/module/file_integrity/event.go | 2 --
 auditbeat/module/file_integrity/event_test.go | 3 ---
 auditbeat/tests/system/test_file_integrity.py | 4 +--
 7 files changed, 11 insertions(+), 40 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 54ce9770bed5..1b3ef4c4e765 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -30,7 +30,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
 - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
-
+- File integrity dataset: Remove non-ECS `hash.*` fields. Hashes are under `file.hash.*`. {issue}19039[19039] {pull}28378[28378]
+- Auditd dataset: Removes the authentication_success and authentication_failure event.type values for user logins. {issue}19039[19039] {pull}28378[28378]
 *Filebeat*
diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go
index 7324e423986d..2a45492d9fce 100644
--- a/auditbeat/module/auditd/audit_linux.go
+++ b/auditbeat/module/auditd/audit_linux.go
@@ -657,35 +657,12 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 }
 func normalizeEventFields(event *aucoalesce.Event, m common.MapStr) {
- // we need to merge types for backwards compatibility
- types := event.ECS.Event.Type
-
- // Remove this block in 8.x
- {
- getFieldAsStr := func(key string) (s string, found bool) {
- iface, err := m.GetValue(key)
- if err != nil {
- return
- }
- s, found = iface.(string)
- return
- }
- oldCategory, ok1 := getFieldAsStr("event.category")
- oldAction, ok2 := getFieldAsStr("event.action")
- oldOutcome, ok3 := getFieldAsStr("event.outcome")
- if ok1 && ok2 && ok3 {
- if oldCategory == "user-login" && oldAction == "logged-in" { // USER_LOGIN
- types = append(types, fmt.Sprintf("authentication_%s", oldOutcome))
- }
- }
- }
-
 m.Put("event.kind", "event")
 if len(event.ECS.Event.Category) > 0 {
 m.Put("event.category", event.ECS.Event.Category)
 }
- if len(types) > 0 {
- m.Put("event.type", types)
+ if len(event.ECS.Event.Type) > 0 {
+ m.Put("event.type", event.ECS.Event.Type)
 }
 if event.ECS.Event.Outcome != "" {
 m.Put("event.outcome", event.ECS.Event.Outcome)
diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go
index 17d8a25acb3b..38a3491fbf93 100644
--- a/auditbeat/module/auditd/audit_linux_test.go
+++ b/auditbeat/module/auditd/audit_linux_test.go
@@ -141,7 +141,7 @@ func TestLoginType(t *testing.T) {
 for idx, expected := range []common.MapStr{
 {
 "event.category": []string{"authentication"},
- "event.type": []string{"start", "authentication_failure"},
+ "event.type": []string{"start"},
 "event.outcome": "failure",
 "user.effective.name": "(invalid user)",
 "user.id": nil,
@@ -149,7 +149,7 @@ func TestLoginType(t *testing.T) {
 },
 {
 "event.category": []string{"authentication"},
- "event.type": []string{"start", "authentication_success"},
+ "event.type": []string{"start"},
 "event.outcome": "success",
 "user.effective.name": "adrian",
 "user.audit.id": nil,
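Review bot: The two added lines that publish `event.ECS.Event.Type` directly are where consumers lose the `authentication_success`/`authentication_failure` values, yet normalizeEventFields carries no doc comment saying that the login outcome is now expressed only through `event.outcome`, which the last lines of the hunk still emit; detection content keyed on the old values has to move to `event.category: authentication` combined with `event.outcome`. I would add above the signature: `// normalizeEventFields copies the ECS event.* fields of the coalesced event into m. Authentication success or failure is reported only via event.outcome; event.type carries ECS values only.` With the `fmt.Sprintf` call removed, `fmt` may also have become an unused import in audit_linux.go, which would break the build if nothing else in the file uses it; the import block is outside this hunk and should be checked. normalizeEventFields continues past the end of the hunk.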
diff --git a/auditbeat/module/auditd/testdata/userlogin.log-expected.json b/auditbeat/module/auditd/testdata/userlogin.log-expected.json
index 43de97179d46..9befa9c95369 100644
--- a/auditbeat/module/auditd/testdata/userlogin.log-expected.json
+++ b/auditbeat/module/auditd/testdata/userlogin.log-expected.json
@@ -34,8 +34,7 @@
 ],
 "outcome": "failure",
 "type": [
- "start",
- "authentication_failure"
+ "start"
 ]
 },
 "network": {
@@ -98,8 +97,7 @@
 ],
 "outcome": "success",
 "type": [
- "start",
- "authentication_success"
+ "start"
 ]
 },
 "network": {
@@ -254,4 +252,4 @@
 "name": "alice"
 }
 }
-]
\ No newline at end of file
+]
diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go
index f3d67d74ffc9..1bfc807dfa6d 100644
--- a/auditbeat/module/file_integrity/event.go
+++ b/auditbeat/module/file_integrity/event.go
@@ -312,8 +312,6 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
 hashes[string(hashType)] = digest
 }
 file["hash"] = hashes
- // Remove this for 8.x
- out.MetricSetFields.Put("hash", hashes)
 }
 out.MetricSetFields.Put("event.kind", "event")
diff --git a/auditbeat/module/file_integrity/event_test.go b/auditbeat/module/file_integrity/event_test.go
index dd57c590a41b..de14b3e2d13b 100644
--- a/auditbeat/module/file_integrity/event_test.go
+++ b/auditbeat/module/file_integrity/event_test.go
@@ -411,9 +411,6 @@ func TestBuildEvent(t *testing.T) {
 assertHasKey(t, fields, "file.hash.sha1")
 assertHasKey(t, fields, "file.hash.sha256")
- // Remove in 8.x
- assertHasKey(t, fields, "hash.sha1")
- assertHasKey(t, fields, "hash.sha256")
 })
 if runtime.GOOS == "windows" {
 t.Run("drive letter", func(t *testing.T) {
diff --git a/auditbeat/tests/system/test_file_integrity.py b/auditbeat/tests/system/test_file_integrity.py
index 8b47f9b22e91..4b12314be623 100644
--- a/auditbeat/tests/system/test_file_integrity.py
+++ b/auditbeat/tests/system/test_file_integrity.py
@@ -12,8 +12,8 @@ def escape_path(path):
 def has_file(objs, path, sha1hash):
 found = False
 for obj in objs:
- if 'file.path' in obj and 'hash.sha1' in obj \
- and obj['file.path'].lower() == path.lower() and obj['hash.sha1'] == sha1hash:
+ if 'file.path' in obj and 'file.hash.sha1' in obj \
+ and obj['file.path'].lower() == path.lower() and obj['file.hash.sha1'] == sha1hash:
 found = True
 break
 assert found, "File '{0}' with sha1sum '{1}' not found".format(path, sha1hash)
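Review bot: The rewritten condition in has_file only checks that `file.hash.sha1` is present and matches, so a regression that reintroduces the removed top-level `hash.sha1` key would pass this system test unnoticed. I would add a guard in the matching branch, before the `found = True` line, such as `assert 'hash.sha1' not in obj, "legacy hash.sha1 field still emitted"`, so the field removal made by this commit stays covered end to end. As a style point, the backslash continuation on the `if` could be replaced by wrapping the condition in parentheses, which is the usual PEP 8 form. The hunk covers the whole of has_file.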