

[Auditbeat] Add system module user dataset ECS categorization fields (e…
…lastic#18035)

* [Auditbeat] Add system module user dataset ECS categorization fields

* add changelog entry

* Add user.group and related.user fields

* Remove group name that may not match across test environments

* Modify test so it doesn't pick up real user events

(cherry picked from commit 000bbc6)
Andrew Stucki committed May 5, 2020
1 parent de2248f commit c86f431
Showing 3 changed files with 65 additions and 5 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -283,6 +283,11 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]
- Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500]
- Add system module process dataset ECS categorization fields. {pull}18032[18032]
- Add system module socket dataset ECS categorization fields. {pull}18036[18036]
- Add ECS categories for system module host dataset. {pull}18031[18031]
- Add system module package dataset ECS categorization fields. {pull}18033[18033]
- Add system module login dataset ECS categorization fields. {pull}18034[18034]
- Add system module user dataset ECS categorization fields. {pull}18035[18035]

*Filebeat*

48 changes: 46 additions & 2 deletions x-pack/auditbeat/module/system/user/user.go
Expand Up @@ -76,6 +76,23 @@ func (action eventAction) String() string {
}
}

func (action eventAction) Type() string {
switch action {
case eventActionExistingUser:
return "info"
case eventActionUserAdded:
return "creation"
case eventActionUserRemoved:
return "deletion"
case eventActionUserChanged:
return "change"
case eventActionPasswordChanged:
return "change"
default:
return "info"
}
}

type passwordType uint8

const (
Expand Down Expand Up @@ -164,6 +181,7 @@ func (user User) toMapStr() common.MapStr {
groupMapStr = append(groupMapStr, common.MapStr{
"name": group.Name,
"gid": group.Gid,
"id": group.Gid,
})
}
evt.Put("group", groupMapStr)
Expand All @@ -172,6 +190,15 @@ func (user User) toMapStr() common.MapStr {
return evt
}

func (user User) PrimaryGroup() *user.Group {
for _, group := range user.Groups {
if group.Gid == user.GID {
return group
}
}
return nil
}

// entityID creates an ID that uniquely identifies this user across machines.
func (u User) entityID(hostID string) string {
h := system.NewEntityHash()
Expand Down Expand Up @@ -430,13 +457,18 @@ func (ms *MetricSet) userEvent(user *User, eventType string, action eventAction)
event := mb.Event{
RootFields: common.MapStr{
"event": common.MapStr{
"kind": eventType,
"action": action.String(),
"kind": eventType,
"category": []string{"iam"},
"type": []string{action.Type()},
"action": action.String(),
},
"user": common.MapStr{
"id": user.UID,
"name": user.Name,
},
"related": common.MapStr{
"user": []string{user.Name},
},
"message": userMessage(user, action),
},
MetricSetFields: user.toMapStr(),
Expand All @@ -446,6 +478,18 @@ func (ms *MetricSet) userEvent(user *User, eventType string, action eventAction)
event.RootFields.Put("user.entity_id", user.entityID(ms.HostID()))
}

primaryGroup := user.PrimaryGroup()
if primaryGroup != nil {
event.RootFields.Put("user.group", common.MapStr{
"id": primaryGroup.Gid,
"name": primaryGroup.Name,
})
} else if user.GID != "" { // fallback to just filling out the GID
event.RootFields.Put("user.group", common.MapStr{
"id": user.GID,
})
}

return event
}

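Review bot: `Type` and `PrimaryGroup` are new exported methods without doc comments, and `PrimaryGroup`'s receiver is named `user`, which shadows inside the body the package that supplies its `*user.Group` result type and differs from the `u` receiver of `entityID` directly below it. I would add `// Type returns the ECS event.type value that corresponds to the action.` above `Type`, `// PrimaryGroup returns the entry in Groups whose Gid equals the user's GID, or nil when there is none.` above `PrimaryGroup`, and rename that receiver to `u` to match `entityID` (toMapStr already uses `user` as well, so the file is mixed either way). In `Type`, `eventActionUserChanged` and `eventActionPasswordChanged` both return "change" and can share a single case, `case eventActionUserChanged, eventActionPasswordChanged:`. The `toMapStr` and `userEvent` bodies start before their hunks.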
17 changes: 14 additions & 3 deletions x-pack/auditbeat/module/system/user/user_test.go
Expand Up @@ -11,6 +11,8 @@ import (
"testing"
"time"

"github.com/stretchr/testify/require"

"github.com/elastic/beats/v7/auditbeat/core"
abtest "github.com/elastic/beats/v7/auditbeat/testing"
mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing"
Expand All @@ -36,7 +38,16 @@ func TestData(t *testing.T) {
}

for _, e := range events {
if name, _ := e.RootFields.GetValue("user.name"); name == "elastic" {
if name, _ := e.RootFields.GetValue("user.name"); name == "__elastic" {
relatedNames, err := e.RootFields.GetValue("related.user")
require.NoError(t, err)
require.Equal(t, []string{"__elastic"}, relatedNames)
groupName, err := e.RootFields.GetValue("user.group.name")
require.NoError(t, err)
require.Equal(t, "__elastic", groupName)
groupID, err := e.RootFields.GetValue("user.group.id")
require.NoError(t, err)
require.Equal(t, "1001", groupID)
fullEvent := mbtest.StandardizeEvent(f, e, core.AddDatasetToEvent)
mbtest.WriteEventToDataJSON(t, fullEvent, "")
return
Expand All @@ -48,13 +59,13 @@ func TestData(t *testing.T) {

func testUser() *User {
return &User{
Name: "elastic",
Name: "__elastic",
UID: "9999",
GID: "1001",
Groups: []*user.Group{
&user.Group{
Gid: "1001",
Name: "elastic",
Name: "__elastic",
},
&user.Group{
Gid: "1002",
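Review bot: The expected values `"__elastic"` and `"1001"` asserted for `related.user`, `user.group.name` and `user.group.id` in TestData are copies of the literals in `testUser()`, so a later change to the fixture has to be mirrored by hand in the assertions. Deriving them from the fixture keeps the two in step: `want := testUser()` before the loop, then `require.Equal(t, []string{want.Name}, relatedNames)` and `require.Equal(t, want.GID, groupID)`. Note also that the loop returns after the first matching event, so none of these assertions run if no event carries `user.name == "__elastic"`; whether the code after the loop fails the test in that case is outside the hunk, as TestData continues past it.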
