filebeat/input/internal/journald/pkg/journaldfield: add support for c…

…apability rendering (elastic#36470)
Scholar-Li · Feb 5, 2024 · e1d7cb8 · e1d7cb8
1 parent 6a71bdd
commit e1d7cb8
Show file tree

Hide file tree

Showing 3 changed files with 385 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -210,6 +210,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add support for a simplified input configuraton when running under Elastic-Agent {pull}36390[36390]
 - Make HTTPJSON response body decoding errors more informative. {pull}36481[36481]
 - Allow fine-grained control of entity analytics API requests for Okta provider. {issue}36440[36440] {pull}36492[36492]
+- Add support for expanding `journald.process.capabilities` into the human-readable effective capabilities in the ECS `process.thread.capabilities.effective` field. {issue}36454[36454] {pull}36470[36470]
 
 *Auditbeat*
 

diff --git a/filebeat/input/journald/pkg/journalfield/conv.go b/filebeat/input/journald/pkg/journalfield/conv.go
@@ -19,6 +19,7 @@ package journalfield
 
 import (
 	"fmt"
+	"math/bits"
 	"regexp"
 	"strconv"
 	"strings"
@@ -116,6 +117,7 @@ func withECSEnrichment(fields mapstr.M) mapstr.M {
 	setGidUidFields("journald.object", fields)
 	setProcessFields("journald", fields)
 	setProcessFields("journald.object", fields)
+	expandCapabilities(fields)
 	return fields
 }
 
@@ -173,6 +175,87 @@ func setProcessFields(prefix string, fields mapstr.M) {
 	}
 }
 
+// expandCapabilites expands the hex string of capabilities bits in the
+// journald.process.capabilities field in-place into an array of conventional
+// capabilities names in process.thread.capabilities.effective. If a
+// capability is unknown it is rendered as the numeric value of the cap.
+// The original capabilities string is not altered. If any error is
+// encountered no modification is made to the fields.
+func expandCapabilities(fields mapstr.M) {
+	cs, err := fields.GetValue("journald.process.capabilities")
+	if err != nil {
+		return
+	}
+	c, ok := cs.(string)
+	if !ok {
+		return
+	}
+	w, err := strconv.ParseUint(c, 16, 64)
+	if err != nil {
+		return
+	}
+	if w == 0 {
+		return
+	}
+	caps := make([]string, 0, bits.OnesCount64(w))
+	for i := 0; w != 0; i++ {
+		if w&1 != 0 {
+			if i < len(capTable) {
+				caps = append(caps, capTable[i])
+			} else {
+				caps = append(caps, strconv.Itoa(i))
+			}
+		}
+		w >>= 1
+	}
+	fields.Put("process.thread.capabilities.effective", caps)
+}
+
+// include/uapi/linux/capability.h
+var capTable = [...]string{
+	0:  "CAP_CHOWN",
+	1:  "CAP_DAC_OVERRIDE",
+	2:  "CAP_DAC_READ_SEARCH",
+	3:  "CAP_FOWNER",
+	4:  "CAP_FSETID",
+	5:  "CAP_KILL",
+	6:  "CAP_SETGID",
+	7:  "CAP_SETUID",
+	8:  "CAP_SETPCAP",
+	9:  "CAP_LINUX_IMMUTABLE",
+	10: "CAP_NET_BIND_SERVICE",
+	11: "CAP_NET_BROADCAST",
+	12: "CAP_NET_ADMIN",
+	13: "CAP_NET_RAW",
+	14: "CAP_IPC_LOCK",
+	15: "CAP_IPC_OWNER",
+	16: "CAP_SYS_MODULE",
+	17: "CAP_SYS_RAWIO",
+	18: "CAP_SYS_CHROOT",
+	19: "CAP_SYS_PTRACE",
+	20: "CAP_SYS_PACCT",
+	21: "CAP_SYS_ADMIN",
+	22: "CAP_SYS_BOOT",
+	23: "CAP_SYS_NICE",
+	24: "CAP_SYS_RESOURCE",
+	25: "CAP_SYS_TIME",
+	26: "CAP_SYS_TTY_CONFIG",
+	27: "CAP_MKNOD",
+	28: "CAP_LEASE",
+	29: "CAP_AUDIT_WRITE",
+	30: "CAP_AUDIT_CONTROL",
+	31: "CAP_SETFCAP",
+	32: "CAP_MAC_OVERRIDE",
+	33: "CAP_MAC_ADMIN",
+	34: "CAP_SYSLOG",
+	35: "CAP_WAKE_ALARM",
+	36: "CAP_BLOCK_SUSPEND",
+	37: "CAP_AUDIT_READ",
+	38: "CAP_PERFMON",
+	39: "CAP_BPF",
+	40: "CAP_CHECKPOINT_RESTORE",
+}
+
 func getStringFromFields(key string, fields mapstr.M) string {
 	value, _ := fields.GetValue(key)
 	str, _ := value.(string)