fim(ebpf): enrich file events with process data

elastic · Mar 6, 2024 · 36c6ecd · 36c6ecd
1 parent ae312c5
commit 36c6ecd
Show file tree

Hide file tree

Showing 11 changed files with 451 additions and 66 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -147,6 +147,7 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 - Add linux capabilities to processes in the system/process. {pull}37453[37453]
 - Add opt-in eBPF backend for file_integrity module. {pull}37223[37223]
+- Add process data to file events (Linux only, eBPF backend). {pull}38199[38199]
 
 *Filebeat*
 
@@ -285,51 +286,3 @@ Setting environmental variable ELASTIC_NETINFO:false in Elastic Agent pod will d
 
 
 ==== Known Issues
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -18578,6 +18578,76 @@ type: keyword
 
 --
 
+[float]
+=== process
+
+These fields contains process and user information. Available only on Linux when using the eBPF backend.
+
+
+
+*`process.entity_id`*::
++
+--
+Globally unique identifier for a process.
+
+type: keyword
+
+--
+
+*`process.executable`*::
++
+--
+Process command.
+
+type: keyword
+
+--
+
+*`process.pid`*::
++
+--
+PID.
+
+type: integer
+
+--
+
+*`process.user.id`*::
++
+--
+User ID (euid).
+
+type: integer
+
+--
+
+*`process.user.name`*::
++
+--
+User name.
+
+type: keyword
+
+--
+
+*`process.group.id`*::
++
+--
+Group ID (egid).
+
+type: integer
+
+--
+
+*`process.group.name`*::
++
+--
+Group name.
+
+type: keyword
+
+--
+
 [[exported-fields-host-processor]]
 == Host fields
 

diff --git a/auditbeat/module/file_integrity/_meta/fields.yml b/auditbeat/module/file_integrity/_meta/fields.yml
@@ -411,3 +411,38 @@
     - name: xxh64
       type: keyword
       description: XX64 hash of the file.
+
+  - name: process
+    type: group
+    description: >
+      These fields contains process and user information.
+      Available only on Linux when using the eBPF backend.
+
+    fields:
+    - name: entity_id
+      type: keyword
+      description: Globally unique identifier for a process.
+
+    - name: executable
+      type: keyword
+      description: Process command.
+
+    - name: pid
+      type: integer
+      description: PID.
+
+    - name: user.id
+      type: integer
+      description: User ID (euid).
+
+    - name: user.name
+      type: keyword
+      description: User name.
+
+    - name: group.id
+      type: integer
+      description: Group ID (egid).
+
+    - name: group.name
+      type: keyword
+      description: Group name.
diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go
@@ -134,13 +134,42 @@ type Event struct {
 	Action        Action              `json:"action"`                // Action (like created, updated).
 	Hashes        map[HashType]Digest `json:"hash,omitempty"`        // File hashes.
 	ParserResults mapstr.M            `json:"file,omitempty"`        // Results from running file parsers.
+	Process       Process             `json:"process,omitempty"`     // Process data. Available only on Linux when using the eBPF backend.
+	// TODO(matt): ContainerID string `json:"container_id,omitempty"` // Unique container ID. Available only on Linux when using the eBPF backend.
 
 	// Metadata
 	rtt        time.Duration // Time taken to collect the info.
 	errors     []error       // Errors that occurred while collecting the info.
 	hashFailed bool          // Set when hashing the file failed.
 }
 
+// Process contain information about a process.
+// These fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
+type Process struct {
+	// Unique identifier for the process.
+	// The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
+	// Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
+	EntityID string `json:"entity_id,omitempty"`
+	// Process name. Sometimes called program name or similar.
+	Name string `json:"name,omitempty"`
+	// The effective user (euid).
+	User struct {
+		// Unique identifier of the user.
+		ID string `json:"id,omitempty"`
+		// Short name or login of the user.
+		Name string `json:"name,omitempty"`
+	} `json:"user,omitempty"`
+	// The effective group (egid).
+	Group struct {
+		// Unique identifier for the group on the system/platform.
+		ID string `json:"id,omitempty"`
+		// Name of the group.
+		Name string `json:"name,omitempty"`
+	} `json:"group,omitempty"`
+	// Process id.
+	PID uint32 `json:"pid,omitempty"`
+}
+
 // Metadata contains file metadata.
 type Metadata struct {
 	Inode          uint64      `json:"inode"`

diff --git a/auditbeat/module/file_integrity/event_linux.go b/auditbeat/module/file_integrity/event_linux.go
@@ -26,6 +26,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/elastic/beats/v7/libbeat/ebpf/sys"
 	"github.com/elastic/ebpfevents"
 )
 
@@ -41,7 +42,9 @@ func NewEventFromEbpfEvent(
 		path, target string
 		action       Action
 		metadata     Metadata
+		process      Process
 		err          error
+		errors       = make([]error, 0)
 	)
 	switch ee.Type {
 	case ebpfevents.EventTypeFileCreate:
@@ -54,7 +57,16 @@ func NewEventFromEbpfEvent(
 			return event, false
 		}
 		target = fileCreateEvent.SymlinkTargetPath
+
 		metadata, err = metadataFromFileCreate(fileCreateEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		process, err = processFromFileCreate(fileCreateEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
 	case ebpfevents.EventTypeFileRename:
 		action = Moved
 
@@ -65,7 +77,16 @@ func NewEventFromEbpfEvent(
 			return event, false
 		}
 		target = fileRenameEvent.SymlinkTargetPath
+
 		metadata, err = metadataFromFileRename(fileRenameEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		process, err = processFromFileRename(fileRenameEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
 	case ebpfevents.EventTypeFileDelete:
 		action = Deleted
 
@@ -76,6 +97,11 @@ func NewEventFromEbpfEvent(
 			return event, false
 		}
 		target = fileDeleteEvent.SymlinkTargetPath
+
+		process, err = processFromFileDelete(fileDeleteEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
 	case ebpfevents.EventTypeFileModify:
 		fileModifyEvent := ee.Body.(*ebpfevents.FileModify)
 
@@ -92,7 +118,16 @@ func NewEventFromEbpfEvent(
 			return event, false
 		}
 		target = fileModifyEvent.SymlinkTargetPath
+
 		metadata, err = metadataFromFileModify(fileModifyEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		process, err = processFromFileModify(fileModifyEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
 	}
 
 	event := Event{
@@ -102,10 +137,8 @@ func NewEventFromEbpfEvent(
 		Info:       &metadata,
 		Source:     SourceEBPF,
 		Action:     action,
-		errors:     make([]error, 0),
-	}
-	if err != nil {
-		event.errors = append(event.errors, err)
+		Process:    process,
+		errors:     errors,
 	}
 
 	if event.Action == Deleted {
@@ -115,7 +148,6 @@ func NewEventFromEbpfEvent(
 		case FileType:
 			fillHashes(&event, path, maxFileSize, hashTypes, fileParsers)
 		case SymlinkType:
-			var err error
 			event.TargetPath, err = filepath.EvalSymlinks(event.Path)
 			if err != nil {
 				event.errors = append(event.errors, err)
@@ -147,6 +179,59 @@ func metadataFromFileModify(evt *ebpfevents.FileModify) (Metadata, error) {
 	return md, err
 }
 
+func newProcess(pid uint32, start uint64, comm string, euid, egid uint32) (Process, error) {
+	var (
+		p   Process
+		err error
+	)
+
+	t, err := sys.TimeFromNsSinceBoot(start)
+	if err != nil {
+		return p, err
+	}
+
+	p.EntityID, err = sys.EntityID(pid, t)
+	if err != nil {
+		return p, err
+	}
+	p.Name = comm
+	p.PID = pid
+
+	p.User.ID = strconv.FormatUint(uint64(euid), 10)
+	u, err := user.LookupId(p.User.ID)
+	if err == nil {
+		p.User.Name = u.Name
+	} else {
+		p.User.Name = "n/a"
+	}
+
+	p.Group.ID = strconv.FormatUint(uint64(egid), 10)
+	g, err := user.LookupId(p.Group.ID)
+	if err == nil {
+		p.Group.Name = g.Name
+	} else {
+		p.Group.Name = "n/a"
+	}
+
+	return p, err
+}
+
+func processFromFileCreate(evt *ebpfevents.FileCreate) (Process, error) {
+	return newProcess(evt.Pids.Tgid, evt.Pids.StartTimeNs, evt.Comm, evt.Creds.Euid, evt.Creds.Egid)
+}
+
+func processFromFileRename(evt *ebpfevents.FileRename) (Process, error) {
+	return newProcess(evt.Pids.Tgid, evt.Pids.StartTimeNs, evt.Comm, evt.Creds.Euid, evt.Creds.Egid)
+}
+
+func processFromFileModify(evt *ebpfevents.FileModify) (Process, error) {
+	return newProcess(evt.Pids.Tgid, evt.Pids.StartTimeNs, evt.Comm, evt.Creds.Euid, evt.Creds.Egid)
+}
+
+func processFromFileDelete(evt *ebpfevents.FileDelete) (Process, error) {
+	return newProcess(evt.Pids.Tgid, evt.Pids.StartTimeNs, evt.Comm, evt.Creds.Euid, evt.Creds.Egid)
+}
+
 func fillFileInfo(md *Metadata, finfo ebpfevents.FileInfo) error {
 	md.Inode = finfo.Inode
 	md.UID = finfo.Uid

diff --git a/auditbeat/module/file_integrity/fields.go b/auditbeat/module/file_integrity/fields.go