From edf2ea54924e0890d0ccb601f32b03d518d7d227 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Wed, 7 Oct 2020 10:46:47 -0400 Subject: [PATCH] Remove dot from file.extension value in Auditbeat FIM The ECS file.extension field should not include the dot. For example the value should be "png" and not ".png". Relates elastic/ecs#1016 --- CHANGELOG.next.asciidoc | 1 + auditbeat/module/file_integrity/event.go | 2 +- auditbeat/module/file_integrity/event_test.go | 11 +++++++++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6b4a999e0ec1..a0c25f3f62b0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -32,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685] - Change network.direction values to ECS recommended values (inbound, outbound). {issue}12445[12445] {pull}20695[20695] - Docker container needs to be explicitly run as user root for auditing. {pull}21202[21202] +- File integrity dataset no longer includes the leading dot in `file.extension` values (e.g. it will report "png" instead of ".png") to comply with ECS. {pull}21644[21644] *Filebeat* diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go index 41e4d5a3795b..1ee28b7ce350 100644 --- a/auditbeat/module/file_integrity/event.go +++ b/auditbeat/module/file_integrity/event.go @@ -257,7 +257,7 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event { if e.Info.Type == FileType { if extension := filepath.Ext(e.Path); extension != "" { - file["extension"] = extension + file["extension"] = strings.TrimLeft(extension, ".") } if mimeType := getMimeType(e.Path); mimeType != "" { file["mime_type"] = mimeType diff --git a/auditbeat/module/file_integrity/event_test.go b/auditbeat/module/file_integrity/event_test.go index 79d1309903df..efaafd02041e 100644 --- a/auditbeat/module/file_integrity/event_test.go +++ b/auditbeat/module/file_integrity/event_test.go @@ -28,6 +28,7 @@ import ( "time" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "github.com/elastic/beats/v7/libbeat/common" ) @@ -295,7 +296,11 @@ func TestBuildEvent(t *testing.T) { assertHasKey(t, fields, "event.type") assertHasKey(t, fields, "file.path") - assertHasKey(t, fields, "file.extension") + if assertHasKey(t, fields, "file.extension") { + ext, err := fields.GetValue("file.extension") + require.NoError(t, err) + assert.Equal(t, ext, "txt") + } assertHasKey(t, fields, "file.target_path") assertHasKey(t, fields, "file.inode") assertHasKey(t, fields, "file.uid") @@ -427,10 +432,12 @@ func mustDecodeHex(v string) []byte { return data } -func assertHasKey(t testing.TB, m common.MapStr, key string) { +func assertHasKey(t testing.TB, m common.MapStr, key string) bool { t.Helper() found, err := m.HasKey(key) if err != nil || !found { t.Errorf("key %v not found: %v", key, err) + return false } + return true }