From 6c0b740e2f85c2ae13493a06432d90dbe3fabe19 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Mon, 15 Jan 2024 16:45:03 +0100
Subject: [PATCH 1/8] libbeat/processors/add_process_metada: add capabilities to process metadata
Extends process metadata with effective and permitted capabilities.
---
 .../add_process_metadata.go | 7 +++
 .../add_process_metadata_test.go | 45 +++++++++++++++++++
 .../processors/add_process_metadata/config.go | 6 +++
 .../gosysinfo_provider.go | 6 +++
 4 files changed, 64 insertions(+)
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata.go b/libbeat/processors/add_process_metadata/add_process_metadata.go
index 60a533a8e77..054d6d133e6 100644
--- a/libbeat/processors/add_process_metadata/add_process_metadata.go
+++ b/libbeat/processors/add_process_metadata/add_process_metadata.go
@@ -73,6 +73,7 @@ type processMetadata struct {
 env map[string]string
 startTime time.Time
 pid, ppid int
+ capEffective, capPermitted []string
 //
 fields mapstr.M
 }
@@ -332,6 +333,12 @@ func (p *processMetadata) toMap() mapstr.M {
 }
 process["owner"] = user
 }
+ if len(p.capEffective) > 0 {
+ process.Put("thread.capabilities.effective", p.capEffective)
+ }
+ if len(p.capPermitted) > 0 {
+ process.Put("thread.capabilities.permitted", p.capPermitted)
+ }
 return mapstr.M{
 "process": process,
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
index 9dd1a7eb4dd..80e3ea49999 100644
--- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go
+++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
@@ -30,6 +30,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/elastic/beats/v7/libbeat/beat"
+ "github.com/elastic/beats/v7/libbeat/common/capabilities"
 conf "github.com/elastic/elastic-agent-libs/config"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
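Review bot: In toMap the `len(p.capEffective) > 0` and `len(p.capPermitted) > 0` guards make a genuinely empty capability set indistinguishable from one that could not be read: a process whose sets are empty (the normal unprivileged case, assuming the capabilities package returns an empty slice for a zero mask — to be confirmed) emits no `process.thread.capabilities.*` field, exactly like a process whose lookup failed. For anyone auditing privilege from these events that is the distinction that matters, so either emit an empty array when the lookup succeeded or state in a comment above the guards that absence means "empty or unknown". The two `process.Put` calls also discard Put's error return; `if _, err := process.Put(...); err != nil` with handling, or a justified nolint marker if an errcheck-style linter is in use, would keep that explicit. toMap starts and ends outside the hunk.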
@@ -40,6 +41,10 @@ import (
 func TestAddProcessMetadata(t *testing.T) {
 logp.TestingSetup(logp.WithSelectors(processorName))
+ capMock, err := capabilities.FromUint64(0xabacabb)
+ if err != nil {
+ t.Fatal(err)
+ }
 startTime := time.Now()
 testProcs := testProvider{
 1: {
@@ -58,6 +63,8 @@ func TestAddProcessMetadata(t *testing.T) {
 startTime: startTime,
 username: "root",
 userid: "0",
+ capEffective: capMock,
+ capPermitted: capMock,
 },
 3: {
 name: "systemd",
@@ -75,6 +82,8 @@ func TestAddProcessMetadata(t *testing.T) {
 startTime: startTime,
 username: "user",
 userid: "1001",
+ capEffective: capMock,
+ capPermitted: capMock,
 },
 }
@@ -162,6 +171,12 @@ func TestAddProcessMetadata(t *testing.T) {
 "name": "root",
 "id": "0",
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": capMock,
+ "permitted": capMock,
+ },
+ },
 },
 "container": mapstr.M{
 "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -247,6 +262,12 @@ func TestAddProcessMetadata(t *testing.T) {
 "name": "root",
 "id": "0",
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": capMock,
+ "permitted": capMock,
+ },
+ },
 },
 "container": mapstr.M{
 "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -287,6 +308,12 @@ func TestAddProcessMetadata(t *testing.T) {
 "name": "root",
 "id": "0",
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": capMock,
+ "permitted": capMock,
+ },
+ },
 },
 "container": mapstr.M{
 "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -328,6 +355,12 @@ func TestAddProcessMetadata(t *testing.T) {
 "name": "root",
 "id": "0",
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": capMock,
+ "permitted": capMock,
+ },
+ },
 },
 },
 },
@@ -520,6 +553,12 @@ func TestAddProcessMetadata(t *testing.T) {
 "name": "root",
 "id": "0",
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": capMock,
+ "permitted": capMock,
+ },
+ },
 },
 "container": mapstr.M{
 "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1",
@@ -645,6 +684,12 @@ func TestAddProcessMetadata(t *testing.T) {
 "name": "user",
 "id": "1001",
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": capMock,
+ "permitted": capMock,
+ },
+ },
 },
 },
 },
diff --git a/libbeat/processors/add_process_metadata/config.go b/libbeat/processors/add_process_metadata/config.go
index f16ba6771a8..1f2e9920da1 100644
--- a/libbeat/processors/add_process_metadata/config.go
+++ b/libbeat/processors/add_process_metadata/config.go
@@ -85,6 +85,12 @@ var defaultFields = mapstr.M{
 "name": nil,
 "id": nil,
 },
+ "thread": mapstr.M{
+ "capabilities": mapstr.M{
+ "effective": nil,
+ "permitted": nil,
+ },
+ },
 },
 "container": mapstr.M{
 "id": nil,
diff --git a/libbeat/processors/add_process_metadata/gosysinfo_provider.go b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
index ecc94233dce..80f809ccad7 100644
--- a/libbeat/processors/add_process_metadata/gosysinfo_provider.go
+++ b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
@@ -21,6 +21,7 @@ import (
 "os/user"
 "strings"
+ "github.com/elastic/beats/v7/libbeat/common/capabilities"
 "github.com/elastic/go-sysinfo"
 "github.com/elastic/go-sysinfo/types"
 )
@@ -52,6 +53,9 @@ func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata,
 }
 }
+ capPermitted, _ := capabilities.FromPid(capabilities.Permitted, pid)
+ capEffective, _ := capabilities.FromPid(capabilities.Effective, pid)
 r := processMetadata{
 name: info.Name,
 args: info.Args,
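Review bot: Every fixture in TestAddProcessMetadata now carries the same non-empty capMock for both sets, so these hunks pin only the happy path; nothing checks that a process whose provider returns nil for capEffective and capPermitted (a non-Linux host, or a failed read) yields an event without a `process.thread.capabilities` subtree, which is precisely the branch toMap's length guards introduce. One fixture with `capEffective: nil, capPermitted: nil` and an expected map lacking the `thread` key would cover it. The test function begins and ends outside these hunks.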
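Review bot: defaultFields now enables `process.thread.capabilities.effective` and `process.thread.capabilities.permitted` for every enriched event by default, yet no documentation file appears in the diffstat of any of the eight patches, so the processor's user-facing field list goes stale. The add_process_metadata docs should list both fields, describe them as arrays (presumably of capability names, given the `[]string` type) taken from the target process, and state that they are Linux-only and omitted when unavailable; adding two array fields to the default output is also worth flagging for anyone maintaining index templates. The defaultFields literal continues beyond the hunk.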
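Review bot: Both `capabilities.FromPid` calls discard their error, so every failure mode collapses into "no capabilities reported"; PATCH 5/8 later adds a comment naming the non-Linux ErrUnsupported case, but on Linux the read (presumably of the target's /proc status entry) can also fail because the process exited between the go-sysinfo lookup and this call, or because the beat lacks access to that pid's /proc entry, and those are the cases an operator debugging missing fields would want logged. Keep the best-effort semantics but separate the unsupported sentinel from other errors, roughly `if err != nil && !errors.Is(err, <unsupported sentinel>) { /* debug log with pid */ }`; the sentinel's exported name and whether gosysinfoProvider has a logger are not visible here. Reading the entry once for both sets would also halve the window for the exit race. GetProcessMetadata starts before and ends after the hunk, and the same lines reappear unchanged in PATCH 3/8 and PATCH 5/8.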
@@ -60,6 +64,8 @@ func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata,
 exe: info.Exe,
 pid: info.PID,
 ppid: info.PPID,
+ capEffective: capEffective,
+ capPermitted: capPermitted,
 startTime: info.StartTime,
 username: username,
 userid: userid,
From 58ec06f35a8692d09d31cae931b12cfafc7154c9 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Mon, 11 Mar 2024 13:26:16 +0100
Subject: [PATCH 2/8] Add Changelog while here zap the extra newline
---
 CHANGELOG.next.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index faa7f439ce9..bd2bebc9552 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -203,8 +203,8 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 *Libbeat*
 - Add watcher that can be used to monitor Linux kernel events. {pull}37833[37833]
-
 - Added support for ETW reader. {pull}36914[36914]
+- Add support for linux capabilities in add_process_metadata. {pull}38252[38252]
 *Heartbeat*
 - Added status to monitor run log report.
From a6ca13fcaa13868630b733965185ea9915d19c2b Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Mon, 11 Mar 2024 13:34:46 +0100
Subject: [PATCH 3/8] please the linter
---
 .../add_process_metadata_test.go | 20 +++++++++----------
 .../gosysinfo_provider.go | 20 +++++++++----------
 2 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
index 80e3ea49999..8adef5b82b3 100644
--- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go
+++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
@@ -58,11 +58,11 @@ func TestAddProcessMetadata(t *testing.T) {
 "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
 "LANG": "en_US.UTF-8",
 },
- pid: 1,
- ppid: 0,
- startTime: startTime,
- username: "root",
- userid: "0",
+ pid: 1,
+ ppid: 0,
+ startTime: startTime,
+ username: "root",
+ userid: "0",
 capEffective: capMock,
 capPermitted: capMock,
 },
@@ -77,11 +77,11 @@ func TestAddProcessMetadata(t *testing.T) {
 "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64",
 "LANG": "en_US.UTF-8",
 },
- pid: 1,
- ppid: 0,
- startTime: startTime,
- username: "user",
- userid: "1001",
+ pid: 1,
+ ppid: 0,
+ startTime: startTime,
+ username: "user",
+ userid: "1001",
 capEffective: capMock,
 capPermitted: capMock,
 },
diff --git a/libbeat/processors/add_process_metadata/gosysinfo_provider.go b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
index 80f809ccad7..34ee12bcb5f 100644
--- a/libbeat/processors/add_process_metadata/gosysinfo_provider.go
+++ b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
@@ -57,18 +57,18 @@ func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata,
 capEffective, _ := capabilities.FromPid(capabilities.Effective, pid)
 r := processMetadata{
- name: info.Name,
- args: info.Args,
- env: env,
- title: strings.Join(info.Args, " "),
- exe: info.Exe,
- pid: info.PID,
- ppid: info.PPID,
+ name: info.Name,
+ args: info.Args,
+ env: env,
+ title: strings.Join(info.Args, " "),
+ exe: info.Exe,
+ pid: info.PID,
+ ppid: info.PPID,
 capEffective: capEffective,
 capPermitted: capPermitted,
- startTime: info.StartTime,
- username: username,
- userid: userid,
+ startTime: info.StartTime,
+ username: username,
+ userid: userid,
 }
 r.fields = r.toMap()
 return &r, nil
From 4eb35fdecbfbdeecf9d2b7e8b6edd8ff0bc6bddc Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Tue, 19 Mar 2024 07:10:51 +0100
Subject: [PATCH 4/8] Update libbeat/processors/add_process_metadata/add_process_metadata_test.go
Co-authored-by: Tiago Queiroz
---
 .../add_process_metadata/add_process_metadata_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libbeat/processors/add_process_metadata/add_process_metadata_test.go b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
index 8adef5b82b3..81816f1a87a 100644
--- a/libbeat/processors/add_process_metadata/add_process_metadata_test.go
+++ b/libbeat/processors/add_process_metadata/add_process_metadata_test.go
@@ -43,7 +43,7 @@ func TestAddProcessMetadata(t *testing.T) {
 capMock, err := capabilities.FromUint64(0xabacabb)
 if err != nil {
- t.Fatal(err)
+ t.Fatalf("could not instantiate capabilities: %s", err)
 }
 startTime := time.Now()
 testProcs := testProvider{
From a748678233070213ea343f16f09a943796017067 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Fri, 22 Mar 2024 19:02:27 +0100
Subject: [PATCH 5/8] Comment on why we ignore errors on capabilities.
---
 libbeat/processors/add_process_metadata/gosysinfo_provider.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libbeat/processors/add_process_metadata/gosysinfo_provider.go b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
index 34ee12bcb5f..70d6e2a2c33 100644
--- a/libbeat/processors/add_process_metadata/gosysinfo_provider.go
+++ b/libbeat/processors/add_process_metadata/gosysinfo_provider.go
@@ -53,6 +53,9 @@ func (p gosysinfoProvider) GetProcessMetadata(pid int) (result *processMetadata,
 }
 }
+ // Capabilities are linux only and other systems will fail
+ // with ErrUnsupported. In the event of any errors, we simply
+ // don't report the capabilities.
 capPermitted, _ := capabilities.FromPid(capabilities.Permitted, pid)
 capEffective, _ := capabilities.FromPid(capabilities.Effective, pid)
From 43f0737f634e39bcf38196e724bcf73a316f8de8 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Mon, 25 Mar 2024 18:59:03 +0100
Subject: [PATCH 6/8] kick ci
From 379c46bc5a95e500399fdab592b8735d53bfd93a Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Wed, 3 Apr 2024 11:13:24 +0200
Subject: [PATCH 7/8] fixup roundtripper.go that failed fmt check
---
 x-pack/filebeat/input/internal/httplog/roundtripper.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/x-pack/filebeat/input/internal/httplog/roundtripper.go b/x-pack/filebeat/input/internal/httplog/roundtripper.go
index e8d5f8765ca..642245603f8 100644
--- a/x-pack/filebeat/input/internal/httplog/roundtripper.go
+++ b/x-pack/filebeat/input/internal/httplog/roundtripper.go
@@ -17,10 +17,11 @@ import (
 "strconv"
 "time"
- "github.com/elastic/elastic-agent-libs/logp"
 "go.uber.org/atomic"
 "go.uber.org/zap"
 "go.uber.org/zap/zapcore"
+
+ "github.com/elastic/elastic-agent-libs/logp"
 )
 var _ http.RoundTripper = (*LoggingRoundTripper)(nil)
From 7f9ac9f9fa9d6c63b83bf100085c6133bffd77d8 Mon Sep 17 00:00:00 2001
From: Christiano Haesbaert
Date: Wed, 3 Apr 2024 13:17:29 +0200
Subject: [PATCH 8/8] kick ci