[Auditbeat] Field cleanup for 8.0 (#28378)

* Remove `hash.*` from Auditbeat file_integrity for 8.0 Relates #19039 * Remove non-ECS event.type from Auditbeat auditd module Removes the authentication_success and authentication_failure event.type values for user logins. Relates #19039
elastic · Oct 15, 2021 · cc7239a · cc7239a
1 parent a2fde72
commit cc7239a
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 40 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -30,7 +30,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 - File integrity dataset (macOS): Replace unnecessary `file.origin.raw` (type keyword) with `file.origin.text` (type `text`). {issue}12423[12423] {pull}15630[15630]
 - Change event.kind=error to event.kind=event to comply with ECS. {issue}18870[18870] {pull}20685[20685]
-
+- File integrity dataset: Remove non-ECS `hash.*` fields. Hashes are under `file.hash.*`. {issue}19039[19039] {pull}28378[28378]
+- Auditd dataset: Removes the authentication_success and authentication_failure event.type values for user logins. {issue}19039[19039] {pull}28378[28378]
 
 *Filebeat*
 

diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go
@@ -657,35 +657,12 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 }
 
 func normalizeEventFields(event *aucoalesce.Event, m common.MapStr) {
-	// we need to merge types for backwards compatibility
-	types := event.ECS.Event.Type
-
-	// Remove this block in 8.x
-	{
-		getFieldAsStr := func(key string) (s string, found bool) {
-			iface, err := m.GetValue(key)
-			if err != nil {
-				return
-			}
-			s, found = iface.(string)
-			return
-		}
-		oldCategory, ok1 := getFieldAsStr("event.category")
-		oldAction, ok2 := getFieldAsStr("event.action")
-		oldOutcome, ok3 := getFieldAsStr("event.outcome")
-		if ok1 && ok2 && ok3 {
-			if oldCategory == "user-login" && oldAction == "logged-in" { // USER_LOGIN
-				types = append(types, fmt.Sprintf("authentication_%s", oldOutcome))
-			}
-		}
-	}
-
 	m.Put("event.kind", "event")
 	if len(event.ECS.Event.Category) > 0 {
 		m.Put("event.category", event.ECS.Event.Category)
 	}
-	if len(types) > 0 {
-		m.Put("event.type", types)
+	if len(event.ECS.Event.Type) > 0 {
+		m.Put("event.type", event.ECS.Event.Type)
 	}
 	if event.ECS.Event.Outcome != "" {
 		m.Put("event.outcome", event.ECS.Event.Outcome)

diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go
@@ -141,15 +141,15 @@ func TestLoginType(t *testing.T) {
 	for idx, expected := range []common.MapStr{
 		{
 			"event.category":      []string{"authentication"},
-			"event.type":          []string{"start", "authentication_failure"},
+			"event.type":          []string{"start"},
 			"event.outcome":       "failure",
 			"user.effective.name": "(invalid user)",
 			"user.id":             nil,
 			"session":             nil,
 		},
 		{
 			"event.category":      []string{"authentication"},
-			"event.type":          []string{"start", "authentication_success"},
+			"event.type":          []string{"start"},
 			"event.outcome":       "success",
 			"user.effective.name": "adrian",
 			"user.audit.id":       nil,

diff --git a/auditbeat/module/auditd/testdata/userlogin.log-expected.json b/auditbeat/module/auditd/testdata/userlogin.log-expected.json
@@ -34,8 +34,7 @@
       ],
       "outcome": "failure",
       "type": [
-        "start",
-        "authentication_failure"
+        "start"
       ]
     },
     "network": {
@@ -98,8 +97,7 @@
       ],
       "outcome": "success",
       "type": [
-        "start",
-        "authentication_success"
+        "start"
       ]
     },
     "network": {
@@ -254,4 +252,4 @@
       "name": "alice"
     }
   }
-]
+]
diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go
@@ -312,8 +312,6 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
 			hashes[string(hashType)] = digest
 		}
 		file["hash"] = hashes
-		// Remove this for 8.x
-		out.MetricSetFields.Put("hash", hashes)
 	}
 
 	out.MetricSetFields.Put("event.kind", "event")

diff --git a/auditbeat/module/file_integrity/event_test.go b/auditbeat/module/file_integrity/event_test.go
@@ -411,9 +411,6 @@ func TestBuildEvent(t *testing.T) {
 
 		assertHasKey(t, fields, "file.hash.sha1")
 		assertHasKey(t, fields, "file.hash.sha256")
-		// Remove in 8.x
-		assertHasKey(t, fields, "hash.sha1")
-		assertHasKey(t, fields, "hash.sha256")
 	})
 	if runtime.GOOS == "windows" {
 		t.Run("drive letter", func(t *testing.T) {

diff --git a/auditbeat/tests/system/test_file_integrity.py b/auditbeat/tests/system/test_file_integrity.py
@@ -12,8 +12,8 @@ def escape_path(path):
 def has_file(objs, path, sha1hash):
     found = False
     for obj in objs:
-        if 'file.path' in obj and 'hash.sha1' in obj \
-                and obj['file.path'].lower() == path.lower() and obj['hash.sha1'] == sha1hash:
+        if 'file.path' in obj and 'file.hash.sha1' in obj \
+                and obj['file.path'].lower() == path.lower() and obj['file.hash.sha1'] == sha1hash:
             found = True
             break
     assert found, "File '{0}' with sha1sum '{1}' not found".format(path, sha1hash)