x-pack/auditbeat/module/system/process Report Linux capabilities

haesbaert · haesbaert · commit cb4cbb7c63a0 · 2023-12-06T11:30:16.000+01:00
Implements #36404 ECS: https://www.elastic.co/guide/en/ecs/master/ecs-process.html#field-process-thread-capabilities-effective Example output: ``` { "@timestamp": "2023-12-05T19:34:54.425Z", "@metadata": { "beat": "auditbeat", "type": "_doc", "version": "8.12.0" }, "process": { "thread": { "capabilities": { "effective": [ "CAP_DAC_READ_SEARCH", "CAP_SYS_RESOURCE" ], "permitted": [ "CAP_DAC_READ_SEARCH", "CAP_SYS_RESOURCE" ] } }, "entity_id": "DADEDQU03GoDNhc1", "pid": 2841325, "start": "2023-12-05T19:32:53.180Z", "args": [ "systemd-userwork: waiting..." ], ... ... ``` Don't merge, this depends on two external PRs: elastic/go-sysinfo#196 elastic/go-sysinfo#197 Next step is adding the same to add_process_metadata
diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
@@ -105,6 +105,7 @@ type Process struct {
 	UserInfo *types.UserInfo
 	User     *user.User
 	Group    *user.Group
+	CapabilityInfo *types.CapabilityInfo
 	Hashes   map[hasher.HashType]hasher.Digest
 	Error    error
 }
@@ -353,6 +354,17 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
 		},
 	}
 
+	if process.CapabilityInfo != nil {
+		if len(process.CapabilityInfo.Effective) > 0 {
+			event.RootFields.Put("process.thread.capabilities.effective",
+				process.CapabilityInfo.Effective)
+		}
+		if len(process.CapabilityInfo.Permitted) > 0 {
+			event.RootFields.Put("process.thread.capabilities.permitted",
+				process.CapabilityInfo.Permitted)
+		}
+	}
+
 	if process.UserInfo != nil {
 		putIfNotEmpty(&event.RootFields, "user.id", process.UserInfo.UID)
 		putIfNotEmpty(&event.RootFields, "user.group.id", process.UserInfo.GID)
@@ -488,6 +500,13 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 			process.UserInfo = &userInfo
 		}
 
+		if capIface, ok := sysinfoProc.(types.Capabilities); ok {
+			process.CapabilityInfo, err = capIface.Capabilities();
+			if err != nil && process.Error == nil {
+				process.Error = fmt.Errorf("failed to load capabilities for PID %d: %w",
+					sysinfoProc.PID(), err)
+			}
+		}
 		// Exclude Linux kernel processes, they are not very interesting.
 		if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
 			continue
