[Auditbeat] Cherry-pick #9963 to 6.x: Add user information to process…

…es (#10395) Adds real, effective, and saved UID and GID information to the process dataset. (cherry picked from commit fa40a54, then adjusted)
elastic · Jan 31, 2019 · 7f27b94 · 7f27b94
1 parent 8b235a9
commit 7f27b94
Show file tree

Hide file tree

Showing 9 changed files with 367 additions and 78 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -141,6 +141,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 *Auditbeat*
 
 - Add system module. {pull}9546[9546]
+- System module `process` dataset: Add user information to processes. {pull}9963[9963]
 
 *Filebeat*
 

diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml
@@ -99,6 +99,22 @@
         description: >
           Short name or login of the user.
 
+      - name: group
+        title: Group
+        description: >
+          The group fields are meant to represent groups that are relevant to the
+          event.
+        type: group
+        fields:
+          - name: id
+            type: keyword
+            description: >
+              Unique identifier for the group on the system/platform.
+          - name: name
+            type: keyword
+            description: >
+              Name of the group.
+
   - name: file
     type: group
     description: File attributes.
@@ -204,3 +220,38 @@
         type: keyword
         example: s0
         description: The object's SELinux level.
+
+  - name: user
+    type: group
+    description: User information.
+    fields:
+
+    - name: effective
+      type: group
+      description: Effective user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Effective user ID.
+      - name: group
+        type: group
+        description: Effective group information.
+        fields:
+        - name: id
+          type: keyword
+          description: Effective group ID.
+
+    - name: saved
+      type: group
+      description: Saved user information.
+      fields:
+      - name: id
+        type: keyword
+        description: Saved user ID.
+      - name: group
+        type: group
+        description: Saved group information.
+        fields:
+        - name: id
+          type: keyword
+          description: Saved group ID.
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -3019,6 +3019,33 @@ example: albert
 Short name or login of the user.
 
 
+--
+
+[float]
+== group fields
+
+The group fields are meant to represent groups that are relevant to the event.
+
+
+
+*`user.group.id`*::
++
+--
+type: keyword
+
+Unique identifier for the group on the system/platform.
+
+
+--
+
+*`user.group.name`*::
++
+--
+type: keyword
+
+Name of the group.
+
+
 --
 
 [float]
@@ -3243,6 +3270,72 @@ The object's SELinux level.
 
 --
 
+[float]
+== user fields
+
+User information.
+
+
+[float]
+== effective fields
+
+Effective user information.
+
+
+*`user.effective.id`*::
++
+--
+type: keyword
+
+Effective user ID.
+
+--
+
+[float]
+== group fields
+
+Effective group information.
+
+
+*`user.effective.group.id`*::
++
+--
+type: keyword
+
+Effective group ID.
+
+--
+
+[float]
+== saved fields
+
+Saved user information.
+
+
+*`user.saved.id`*::
++
+--
+type: keyword
+
+Saved user ID.
+
+--
+
+[float]
+== group fields
+
+Saved group information.
+
+
+*`user.saved.group.id`*::
++
+--
+type: keyword
+
+Saved group ID.
+
+--
+
 [[exported-fields-docker-processor]]
 == Docker fields
 

diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go
diff --git a/x-pack/auditbeat/module/system/process/_meta/data.json b/x-pack/auditbeat/module/system/process/_meta/data.json
@@ -5,25 +5,44 @@
         "name": "host.example.com"
     },
     "event": {
-        "action": "existing_process",
+        "action": "process_started",
         "dataset": "process",
-        "id": "5795d53b-f7c2-463c-9c04-f316ae876d51",
-        "module": "system",
-        "kind": "state"
+        "kind": "event",
+        "module": "system"
     },
-    "message": "Process zsh (PID: 2363) is RUNNING",
+    "message": "Process zsh (PID: 12936) by user elastic STARTED",
     "process": {
         "args": [
-            "/usr/bin/zsh"
+            "zsh"
         ],
         "executable": "/bin/zsh",
         "name": "zsh",
-        "pid": 2363,
-        "ppid": 2362,
-        "start": "2018-12-10T16:36:25.21Z",
-        "working_directory": "/home/elastic"
+        "pid": 12936,
+        "ppid": 3858,
+        "start": "2019-01-21T15:01:54.782288Z",
+        "working_directory": "/Users/elastic"
     },
     "service": {
         "type": "system"
+    },
+    "user": {
+        "effective": {
+            "group": {
+                "id": "1000"
+            },
+            "id": "1000"
+        },
+        "group": {
+            "id": "1000",
+            "name": "elastic"
+        },
+        "id": "1000",
+        "name": "elastic",
+        "saved": {
+            "group": {
+                "id": "1000"
+            },
+            "id": "1000"
+        }
     }
 }