x-pack/auditbeat/module/system/process Include Linux capabilities

haesbaert · haesbaert · commit 5aba12e66a94 · 2023-12-05T20:43:18.000+01:00
Include capabilities as described in: https://www.elastic.co/guide/en/ecs/master/ecs-process.html#field-process-thread-capabilities-effective Don't merge, this depends on two external PRs: elastic/go-sysinfo#196 elastic/go-sysinfo#197
diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
@@ -105,6 +105,7 @@ type Process struct {
 	UserInfo *types.UserInfo
 	User     *user.User
 	Group    *user.Group
+	CapabilityInfo *types.CapabilityInfo
 	Hashes   map[hasher.HashType]hasher.Digest
 	Error    error
 }
@@ -353,6 +354,17 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
 		},
 	}
 
+	if process.CapabilityInfo != nil {
+		if len(process.CapabilityInfo.Effective) > 0 {
+			event.RootFields.Put("process.thread.capabilities.effective",
+				process.CapabilityInfo.Effective)
+		}
+		if len(process.CapabilityInfo.Permitted) > 0 {
+			event.RootFields.Put("process.thread.capabilities.permitted",
+				process.CapabilityInfo.Permitted)
+		}
+	}
+
 	if process.UserInfo != nil {
 		putIfNotEmpty(&event.RootFields, "user.id", process.UserInfo.UID)
 		putIfNotEmpty(&event.RootFields, "user.group.id", process.UserInfo.GID)
@@ -488,6 +500,13 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 			process.UserInfo = &userInfo
 		}
 
+		if capIface, ok := sysinfoProc.(types.Capabilities); ok {
+			process.CapabilityInfo, err = capIface.Capabilities();
+			if err != nil && process.Error == nil {
+				process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
+					sysinfoProc.PID(), err)
+			}
+		}
 		// Exclude Linux kernel processes, they are not very interesting.
 		if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
 			continue
