From 5a308fe805ab1dc759ec2f23f5aad6ffdc4bfd10 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Tue, 5 May 2020 11:25:37 -0400 Subject: [PATCH] [Auditbeat] Add system module package dataset ECS categorization fields (#18033) * [Auditbeat] Add system module package dataset ECS categorization fields * add changelog entry * Add ECS package fields --- CHANGELOG.next.asciidoc | 1 + .../module/system/package/package.go | 48 ++++++++++++++++--- .../module/system/package/package_homebrew.go | 1 + .../system/package/package_homebrew_test.go | 8 ++++ .../module/system/package/package_test.go | 6 +++ .../module/system/package/rpm_common_test.go | 1 + .../module/system/package/rpm_linux.go | 4 +- 7 files changed, 62 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e1c3e008396..f0d83f8e622 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -230,6 +230,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add system module process dataset ECS categorization fields. {pull}18032[18032] - Add system module socket dataset ECS categorization fields. {pull}18036[18036] - Add ECS categories for system module host dataset. {pull}18031[18031] +- Add system module package dataset ECS categorization fields. {pull}18033[18033] *Filebeat* diff --git a/x-pack/auditbeat/module/system/package/package.go b/x-pack/auditbeat/module/system/package/package.go index 4d051827314..b6b11593520 100644 --- a/x-pack/auditbeat/module/system/package/package.go +++ b/x-pack/auditbeat/module/system/package/package.go @@ -76,6 +76,21 @@ func (action eventAction) String() string { } } +func (action eventAction) Type() string { + switch action { + case eventActionExistingPackage: + return "info" + case eventActionPackageInstalled: + return "installation" + case eventActionPackageRemoved: + return "deletion" + case eventActionPackageUpdated: + return "change" + default: + return "info" + } +} + func init() { mb.Registry.MustAddMetricSet(moduleName, metricsetName, New, mb.DefaultMetricSet(), @@ -107,6 +122,7 @@ type Package struct { Summary string URL string Error error + Type string } // Hash creates a hash for Package. @@ -119,11 +135,15 @@ func (pkg Package) Hash() uint64 { return h.Sum64() } -func (pkg Package) toMapStr() common.MapStr { +func (pkg Package) toMapStr() (common.MapStr, common.MapStr) { mapstr := common.MapStr{ "name": pkg.Name, "version": pkg.Version, } + ecsMapstr := common.MapStr{ + "name": pkg.Name, + "version": pkg.Version, + } if pkg.Release != "" { mapstr.Put("release", pkg.Release) @@ -131,29 +151,39 @@ func (pkg Package) toMapStr() common.MapStr { if pkg.Arch != "" { mapstr.Put("arch", pkg.Arch) + ecsMapstr.Put("architecture", pkg.License) } if pkg.License != "" { mapstr.Put("license", pkg.License) + ecsMapstr.Put("license", pkg.License) } if !pkg.InstallTime.IsZero() { mapstr.Put("installtime", pkg.InstallTime) + ecsMapstr.Put("installed", pkg.InstallTime) } if pkg.Size != 0 { mapstr.Put("size", pkg.Size) + ecsMapstr.Put("size", pkg.Size) } if pkg.Summary != "" { mapstr.Put("summary", pkg.Summary) + ecsMapstr.Put("description", pkg.Summary) } if pkg.URL != "" { mapstr.Put("url", pkg.URL) + ecsMapstr.Put("reference", pkg.URL) } - return mapstr + if pkg.Type != "" { + ecsMapstr.Put("type", pkg.Type) + } + + return mapstr, ecsMapstr } // entityID creates an ID that uniquely identifies this package across machines. @@ -340,15 +370,19 @@ func convertToPackage(cacheValues []interface{}) []*Package { } func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAction) mb.Event { + pkgFields, ecsPkgFields := pkg.toMapStr() event := mb.Event{ RootFields: common.MapStr{ "event": common.MapStr{ - "kind": eventType, - "action": action.String(), + "kind": eventType, + "category": []string{"package"}, + "type": []string{action.Type()}, + "action": action.String(), }, + "package": ecsPkgFields, "message": packageMessage(pkg, action), }, - MetricSetFields: pkg.toMapStr(), + MetricSetFields: pkgFields, } if ms.HostID() != "" { @@ -538,7 +572,9 @@ func (ms *MetricSet) listDebPackages() ([]*Package, error) { value := strings.TrimSpace(words[1]) if pkg == nil { - pkg = &Package{} + pkg = &Package{ + Type: "dpkg", + } } switch strings.ToLower(words[0]) { diff --git a/x-pack/auditbeat/module/system/package/package_homebrew.go b/x-pack/auditbeat/module/system/package/package_homebrew.go index b5b8fa5b36d..063c99187a7 100644 --- a/x-pack/auditbeat/module/system/package/package_homebrew.go +++ b/x-pack/auditbeat/module/system/package/package_homebrew.go @@ -52,6 +52,7 @@ func listBrewPackages() ([]*Package, error) { Name: packageDir.Name(), Version: version.Name(), InstallTime: version.ModTime(), + Type: "brew", } // Read formula diff --git a/x-pack/auditbeat/module/system/package/package_homebrew_test.go b/x-pack/auditbeat/module/system/package/package_homebrew_test.go index 4dae9a22370..97fc149fe01 100644 --- a/x-pack/auditbeat/module/system/package/package_homebrew_test.go +++ b/x-pack/auditbeat/module/system/package/package_homebrew_test.go @@ -51,11 +51,19 @@ func TestHomebrew(t *testing.T) { if assert.Len(t, events, 1) { event := mbtest.StandardizeEvent(f, events[0], core.AddDatasetToEvent) + checkFieldValue(t, event, "event.kind", "state") + checkFieldValue(t, event, "event.category", []string{"package"}) + checkFieldValue(t, event, "event.type", []string{"info"}) checkFieldValue(t, event, "system.audit.package.name", "test-package") checkFieldValue(t, event, "system.audit.package.summary", "Test package") checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/") checkFieldValue(t, event, "system.audit.package.version", "1.0.0") checkFieldValue(t, event, "system.audit.package.entity_id", "Krm421rtYM4wgq1S") + checkFieldValue(t, event, "package.name", "test-package") + checkFieldValue(t, event, "package.description", "Test package") + checkFieldValue(t, event, "package.reference", "https://www.elastic.co/") + checkFieldValue(t, event, "package.version", "1.0.0") + checkFieldValue(t, event, "package.type", "brew") } } } diff --git a/x-pack/auditbeat/module/system/package/package_test.go b/x-pack/auditbeat/module/system/package/package_test.go index d1d8aa5e7f9..c2261015291 100644 --- a/x-pack/auditbeat/module/system/package/package_test.go +++ b/x-pack/auditbeat/module/system/package/package_test.go @@ -75,6 +75,12 @@ func TestDpkg(t *testing.T) { checkFieldValue(t, event, "system.audit.package.summary", "Test Package") checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/") checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04") + checkFieldValue(t, event, "package.name", "test") + checkFieldValue(t, event, "package.size", uint64(269)) + checkFieldValue(t, event, "package.description", "Test Package") + checkFieldValue(t, event, "package.reference", "https://www.elastic.co/") + checkFieldValue(t, event, "package.version", "8.2.0-1ubuntu2~18.04") + checkFieldValue(t, event, "package.type", "dpkg") } } diff --git a/x-pack/auditbeat/module/system/package/rpm_common_test.go b/x-pack/auditbeat/module/system/package/rpm_common_test.go index 2e75d475811..ce384e9165c 100644 --- a/x-pack/auditbeat/module/system/package/rpm_common_test.go +++ b/x-pack/auditbeat/module/system/package/rpm_common_test.go @@ -41,6 +41,7 @@ func rpmPackagesByExec() ([]*Package, error) { // size - 6 URL: words[7], Summary: words[8], + Type: "rpm", } ts, err := strconv.ParseInt(words[5], 10, 64) if err != nil { diff --git a/x-pack/auditbeat/module/system/package/rpm_linux.go b/x-pack/auditbeat/module/system/package/rpm_linux.go index 46e4f34cbc4..76e10fd8164 100644 --- a/x-pack/auditbeat/module/system/package/rpm_linux.go +++ b/x-pack/auditbeat/module/system/package/rpm_linux.go @@ -357,7 +357,9 @@ func packageFromHeader(header C.Header, openedLibrpm *librpm) (*Package, error) } defer C.my_headerFree(openedLibrpm.headerFree, header) - pkg := Package{} + pkg := Package{ + Type: "rpm", + } name := C.my_headerGetString(openedLibrpm.headerGetString, header, RPMTAG_NAME) if name != nil {