[Auditbeat] fim(kprobes): enrich file events by coupling add_process_metadata processor #38776
Conversation
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
Pinging @elastic/elastic-agent (Team:Elastic-Agent)
…silis/fim-kprobes-process-metadata
That's a pretty clean approach you took to add processors to MetricSets. I think we just need a few more details in the interface godocs as mentioned in my comment.
I tend to view Beats as being the building block to getting data ingested how you want it. So I am not in favor of turning extra fields on by default. For example, I would rather see events starting as empty documents and the inputs contributing the raw data. Anything else is opt-in by the user through processors whether that be agent metadata, host metadata, process metadata, etc (but I'm probably not the typical user).
Today's situation is that we have a lot of things that are on by default (or not even possible to disable like `host.name` or `agent.*` or even docker metadata when run under Elastic Agent), so if you want to opt out your only solution is to delete the fields with a processor (which is wasteful).
But I understand the desire to have everything just work out of the box. It's hard to serve the two personas that want it to just work and want to be a composable ingest tool. So allow me to mention an alternative.
- Document within Auditbeat's FIM guide how to add the enrichment processor yourself. This gives the user full control over which fields they wish to add, e.g.

  ```yaml
  processors:
    - if.and:
        - equals.event.module: file_integrity
        - not.has_fields: [process.name]
        - has_fields: [process.pid]
      then:
        add_process_metadata:
          match_pids:
            - process.pid
  ```
- Add the processor to the Fleet FIM integration configuration. For a Fleet integration, the batteries should be included.
```text
…silis/fim-kprobes-process-metadata

# Conflicts:
#	libbeat/processors/add_process_metadata/add_process_metadata.go
#	libbeat/processors/add_process_metadata/config.go
#	libbeat/processors/add_process_metadata/gosysinfo_provider.go
#	metricbeat/mb/module/configuration.go
```
LGTM
```text
…metadata processor (#38776)

* feat(processors/process_metadata): support reporting group id and name
* feat(processors/process_metadata): support reporting process entity_id
* feat(fim/kprobes): allow MetricSets to expose beat processors after initialisation
* doc: update CHANGELOG.next.asciidoc
* fix(linter): SA1015 prevent leaking the ticker
* fix(linter): SA1019 mark metricbeat/mb deprecation warnings that are not removed yet
* fix(linter): check for return err
* fix(linter): prealloc slices
* fix(linter): remove unused field
* fix(linter): G601 prevent implicit memory aliasing in for loop
* doc: update CHANGELOG.next.asciidoc
* fix: update filebeat fields.asciidoc (unrelated to this work)
* doc: remove irrelevant changes from CHANGELOG.next.asciidoc
* feat(processor/metadata): introduce new type based allocation func
* feat(fim/kprobe): instantiate new processor alongside a new kprobes event reader
* fix(fim): remove redundant whitespace
* doc(metricbeat): enrich documentation about Processors attached to a Metricbeat
* fix(fim): gofumpt eventreader_kprobes.go
* fix(add_process_metadata): gofmt add_process_metadata.go gosysinfo_provider.go
* fix(lint): goimports eventreader_kprobes.go
* fix(winlogbeat): generate include list [unrelated to this PR]

(cherry picked from commit ca4adce)

# Conflicts:
#	libbeat/processors/add_process_metadata/add_process_metadata.go
#	libbeat/processors/add_process_metadata/config.go
#	libbeat/processors/add_process_metadata/gosysinfo_provider.go
#	metricbeat/mb/module/configuration.go
```
Proposed commit message
This PR adds reporting of `process.group.id`, `process.group.name` and `process.entity_id` in the `add_process_metadata` processor. It also changes the factory of MetricSets to allow the latter to specify Processors after successful instantiation; this is required as FIM has 3 different available backends, namely `fsnotify`, `kprobes` and `ebpf`, and only the `kprobes` one requires the `add_process_metadata` processor. Utilising the former, the `kprobes` backend always adds a properly configured `add_process_metadata` processor. As a result, enriching kprobes file events with process-related data exhibits the same robustness level as the current `add_process_metadata` processor. However, the current design is aligned with @nick-alayil and `sec-linux-platform`, which plan to increase the robustness of the `add_process_metadata` processor in a separate effort.

Checklist

- I have made corresponding change to the default configuration files
- I have added tests that prove my fix is effective or that my feature works
- `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.

Author's Checklist
How to test this PR locally
Related issues
Screenshots
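The factory change described in the proposed commit message, as an added illustration that is not code from the beats repository: a metricset may implement an optional interface (hypothetical name `ProcessorsMetricSet`) which the factory checks only after instantiation, so the `kprobes` backend gets an `add_process_metadata`-style processor appended while `fsnotify` gets none. The PID table and event fields are constructed for the example.

```go
package main

import "fmt"

// Event is a flat event document; Processor mirrors a Beats processor.
type Event map[string]any
type Processor interface{ Run(Event) Event }

// MetricSet is any instantiated metricset; ProcessorsMetricSet is the optional
// (hypothetical) interface one implements to expose processors after creation.
type MetricSet any
type ProcessorsMetricSet interface{ Processors() []Processor }

// AddProcessMetadata stands in for add_process_metadata with match_pids set to
// process.pid: it enriches only events carrying a pid and no process.name.
type AddProcessMetadata struct{ Table map[int]map[string]any } // constructed PID table
func (p AddProcessMetadata) Run(e Event) Event {
	pid, ok := e["process.pid"].(int)
	if _, named := e["process.name"]; !ok || named {
		return e
	}
	for k, v := range p.Table[pid] {
		e[k] = v
	}
	return e
}

// KprobesMS is the FIM backend that needs enrichment; FsnotifyMS does not.
type KprobesMS struct{ Enrich Processor }
type FsnotifyMS struct{}
func (m KprobesMS) Processors() []Processor { return []Processor{m.Enrich} }

// BuildPipeline is the factory step: user-configured processors first, then
// whatever the instantiated metricset exposes through the optional interface.
func BuildPipeline(ms MetricSet, configured []Processor) []Processor {
	out := append([]Processor{}, configured...)
	if pm, ok := ms.(ProcessorsMetricSet); ok {
		out = append(out, pm.Processors()...)
	}
	return out
}

func main() {
	table := map[int]map[string]any{42: {"process.name": "bash", "process.group.id": "1000"}}
	ev := Event{"event.module": "file_integrity", "process.pid": 42}
	for _, p := range BuildPipeline(KprobesMS{Enrich: AddProcessMetadata{Table: table}}, nil) {
		ev = p.Run(ev)
	}
	fmt.Println(ev, len(BuildPipeline(FsnotifyMS{}, nil))) // fsnotify exposes no processor
}
```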