From 6b65bb86cc148064dc20eee2cc022e536d85821a Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:53:26 +0200 Subject: [PATCH] [auditbeat] Use shared process cache in `add_session_metadata` processor (#40934) (#41250) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future. (cherry picked from commit 9992eb5e81a4df7c7301d20fbd84145219364516) Co-authored-by: Michael Wolf --- NOTICE.txt | 113 +--- dev-tools/notice/overrides.json | 1 + go.mod | 6 +- go.sum | 24 +- .../sessionmd/add_session_metadata.go | 70 ++- .../sessionmd/add_session_metadata_test.go | 2 +- .../docs/add_session_metadata.asciidoc | 35 +- .../processors/sessionmd/processdb/db.go | 13 +- .../sessionmd/processdb/entry_leader_test.go | 2 +- .../processors/sessionmd/procfs/procfs.go | 8 +- .../provider/ebpf_provider/ebpf_provider.go | 231 -------- .../kerneltracingprovider_linux.go | 528 ++++++++++++++++++ .../kerneltracingprovider_other.go | 31 + .../procfsprovider.go} | 40 +- .../procfsprovider_test.go} | 2 +- .../processors/sessionmd/provider/provider.go | 2 + .../processors/sessionmd/types/events.go | 4 +- .../processors/sessionmd/types/process.go | 3 + 18 files changed, 695 insertions(+), 420 deletions(-) delete mode 100644 x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go create mode 100644 x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go create mode 100644 x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_other.go rename x-pack/auditbeat/processors/sessionmd/provider/{procfs_provider/procfs_provider.go => procfsprovider/procfsprovider.go} (78%) rename x-pack/auditbeat/processors/sessionmd/provider/{procfs_provider/procfs_provider_test.go => procfsprovider/procfsprovider_test.go} (99%) diff --git a/NOTICE.txt b/NOTICE.txt index 2617e49fd95f..617560593d82 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -14745,6 +14745,18 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +-------------------------------------------------------------------------------- +Dependency : github.com/elastic/go-quark +Version: v0.1.2 +Licence type (autodetected): Apache-2.0 +-------------------------------------------------------------------------------- + +Contents of probable licence file $GOMODCACHE/github.com/elastic/go-quark@v0.1.2/LICENSE.txt: + +Source code in this repository is licensed under the Apache License Version 2.0, +an Apache compatible license. + + -------------------------------------------------------------------------------- Dependency : github.com/elastic/go-seccomp-bpf Version: v1.4.0 @@ -23990,11 +24002,11 @@ Contents of probable licence file $GOMODCACHE/go.elastic.co/ecszap@v1.0.2/LICENS -------------------------------------------------------------------------------- Dependency : go.elastic.co/go-licence-detector -Version: v0.6.1 +Version: v0.7.0 Licence type (autodetected): Apache-2.0 -------------------------------------------------------------------------------- -Contents of probable licence file $GOMODCACHE/go.elastic.co/go-licence-detector@v0.6.1/LICENSE: +Contents of probable licence file $GOMODCACHE/go.elastic.co/go-licence-detector@v0.7.0/LICENSE: Apache License @@ -40765,37 +40777,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/gobuffalo/here -Version: v0.6.7 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/gobuffalo/here@v0.6.7/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2019 Mark Bates - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/goccy/go-json Version: v0.10.2 @@ -47523,41 +47504,6 @@ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/karrick/godirwalk -Version: v1.17.0 -Licence type (autodetected): BSD-2-Clause --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/karrick/godirwalk@v1.17.0/LICENSE: - -BSD 2-Clause License - -Copyright (c) 2017, Karrick McDermott -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - -* Redistributions of source code must retain the above copyright notice, this - list of conditions and the following disclaimer. - -* Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - - -------------------------------------------------------------------------------- Dependency : github.com/kballard/go-shellquote Version: v0.0.0-20180428030007-95032a82bc51 @@ -48315,37 +48261,6 @@ The above copyright notice and this permission notice shall be included in all c THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/markbates/pkger -Version: v0.17.1 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/markbates/pkger@v0.17.1/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2019 Mark Bates - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/martini-contrib/render Version: v0.0.0-20150707142108-ec18f8345a11 diff --git a/dev-tools/notice/overrides.json b/dev-tools/notice/overrides.json index bb82c97ebe40..a50cac02e0fb 100644 --- a/dev-tools/notice/overrides.json +++ b/dev-tools/notice/overrides.json @@ -19,3 +19,4 @@ {"name": "github.com/JohnCGriffin/overflow", "licenceType": "MIT"} {"name": "github.com/elastic/ebpfevents", "licenceType": "Apache-2.0"} {"name": "go.opentelemetry.io/collector/config/configopaque", "licenceType": "Apache-2.0"} +{"name": "github.com/elastic/go-quark", "licenceType": "Apache-2.0"} diff --git a/go.mod b/go.mod index 1386b60ac2ce..b2596d7f08d1 100644 --- a/go.mod +++ b/go.mod @@ -130,7 +130,7 @@ require ( github.com/ugorji/go/codec v1.1.8 github.com/vmware/govmomi v0.39.0 go.elastic.co/ecszap v1.0.2 - go.elastic.co/go-licence-detector v0.6.1 + go.elastic.co/go-licence-detector v0.7.0 go.etcd.io/bbolt v1.3.10 go.uber.org/multierr v1.11.0 go.uber.org/zap v1.27.0 @@ -192,6 +192,7 @@ require ( github.com/elastic/elastic-agent-libs v0.12.1 github.com/elastic/elastic-agent-system-metrics v0.11.1 github.com/elastic/go-elasticsearch/v8 v8.14.0 + github.com/elastic/go-quark v0.1.2 github.com/elastic/go-sfdc v0.0.0-20241010131323-8e176480d727 github.com/elastic/mito v1.15.0 github.com/elastic/tk-btf v0.1.0 @@ -296,7 +297,6 @@ require ( github.com/go-openapi/jsonreference v0.20.4 // indirect github.com/go-openapi/swag v0.22.9 // indirect github.com/go-resty/resty/v2 v2.13.1 // indirect - github.com/gobuffalo/here v0.6.7 // indirect github.com/goccy/go-json v0.10.2 // indirect github.com/godror/knownpb v0.1.0 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect @@ -328,7 +328,6 @@ require ( github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/karrick/godirwalk v1.17.0 // indirect github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect github.com/klauspost/asmfmt v1.3.2 // indirect github.com/klauspost/compress v1.17.9 // indirect @@ -337,7 +336,6 @@ require ( github.com/kylelemons/godebug v1.1.0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/markbates/pkger v0.17.1 // indirect github.com/mattn/go-ieproxy v0.0.1 // indirect github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-runewidth v0.0.9 // indirect diff --git a/go.sum b/go.sum index 1576082bba41..856d68370d04 100644 --- a/go.sum +++ b/go.sum @@ -363,6 +363,8 @@ github.com/elastic/go-lumber v0.1.2-0.20220819171948-335fde24ea0f h1:TsPpU5EAwlt github.com/elastic/go-lumber v0.1.2-0.20220819171948-335fde24ea0f/go.mod h1:HHaWnZamYKWsR9/eZNHqRHob8iQDKnchHmmskT/SKko= github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595 h1:q8n4QjcLa4q39Q3fqHRknTBXBtegjriHFrB42YKgXGI= github.com/elastic/go-perf v0.0.0-20191212140718-9c656876f595/go.mod h1:s09U1b4P1ZxnKx2OsqY7KlHdCesqZWIhyq0Gs/QC/Us= +github.com/elastic/go-quark v0.1.2 h1:Hnov9q8D9ofS976SODWWYAZ23IpgPILxTUCiccmhw0c= +github.com/elastic/go-quark v0.1.2/go.mod h1:/ngqgumD/Z5vnFZ4XPN2kCbxnEfG5/Uc+bRvOBabVVA= github.com/elastic/go-seccomp-bpf v1.4.0 h1:6y3lYrEHrLH9QzUgOiK8WDqmPaMnnB785WxibCNIOH4= github.com/elastic/go-seccomp-bpf v1.4.0/go.mod h1:wIMxjTbKpWGQk4CV9WltlG6haB4brjSH/dvAohBPM1I= github.com/elastic/go-sfdc v0.0.0-20241010131323-8e176480d727 h1:yuiN60oaQUz2PtNpNhDI2H6zrCdfiiptmNdwV5WUaKA= @@ -461,9 +463,6 @@ github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= -github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM= -github.com/gobuffalo/here v0.6.7 h1:hpfhh+kt2y9JLDfhYUxxCRxQol540jsVfKUZzjlbp8o= -github.com/gobuffalo/here v0.6.7/go.mod h1:vuCfanjqckTuRlqAitJz6QC4ABNnS27wLb816UhsPcc= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be h1:zXHeEEJ231bTf/IXqvCfeaqjLpXsq42ybLoT4ROSR6Y= github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be/go.mod h1:/oj50ZdPq/cUjA02lMZhijk5kR31SEydKyqah1OgBuo= github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= @@ -542,7 +541,6 @@ github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= github.com/google/licenseclassifier v0.0.0-20221004142553-c1ed8fcf4bab h1:okY7fFoWybMbxiHkaqStN4mxSrPfYmTZl5Zh32Z5FjY= github.com/google/licenseclassifier v0.0.0-20221004142553-c1ed8fcf4bab/go.mod h1:jkYIPv59uiw+1MxTWlqQEKebsUDV1DCXQtBBn5lVzf4= github.com/google/licenseclassifier/v2 v2.0.0-alpha.1/go.mod h1:YAgBGGTeNDMU+WfIgaFvjZe4rudym4f6nIn8ZH5X+VM= @@ -655,9 +653,6 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= -github.com/karrick/godirwalk v1.17.0 h1:b4kY7nqDdioR/6qnbHQyDvmA17u5G1cZ6J+CZXwSWoI= -github.com/karrick/godirwalk v1.17.0/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= @@ -691,9 +686,6 @@ github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg= github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI= -github.com/markbates/pkger v0.17.1 h1:/MKEtWqtc0mZvu9OinB9UzVN9iYCwLWuyUv4Bw+PCno= -github.com/markbates/pkger v0.17.1/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11 h1:YFh+sjyJTMQSYjKwM4dFKhJPJC/wfo98tPUc17HdoYw= github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11/go.mod h1:Ah2dBMoxZEqk118as2T4u4fjfXarE0pPnMJaArZQZsI= github.com/mattn/go-colorable v0.1.8/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= @@ -831,7 +823,6 @@ github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e h1:hUGyBE/4CXRPTh github.com/samuel/go-parser v0.0.0-20130731160455-ca8abbf65d0e/go.mod h1:Sb6li54lXV0yYEjI4wX8cucdQ9gqUJV3+Ngg3l9g30I= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54 h1:jbchLJWyhKcmOjkbC4zDvT/n5EEd7g6hnnF760rEyRA= github.com/samuel/go-thrift v0.0.0-20140522043831-2187045faa54/go.mod h1:Vrkh1pnjV9Bl8c3P9zH0/D4NlOHWP5d4/hF4YTULaec= -github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= @@ -931,8 +922,8 @@ go.elastic.co/ecszap v1.0.2 h1:iW5OGx8IiokiUzx/shD4AJCPFMC9uUtr7ycaiEIU++I= go.elastic.co/ecszap v1.0.2/go.mod h1:dJkSlK3BTiwG/qXhCwe50Mz/jwu854vSip8sIeQhNZg= go.elastic.co/fastjson v1.1.0 h1:3MrGBWWVIxe/xvsbpghtkFoPciPhOCmjsR/HfwEeQR4= go.elastic.co/fastjson v1.1.0/go.mod h1:boNGISWMjQsUPy/t6yqt2/1Wx4YNPSe+mZjlyw9vKKI= -go.elastic.co/go-licence-detector v0.6.1 h1:T2PFHYdow+9mAjj6K5ehn5anTxtsURfom2P4S6PgMzg= -go.elastic.co/go-licence-detector v0.6.1/go.mod h1:qQ1clBRS2f0Ee5ie+y2LLYnyhSNJNm0Ha6d7SoYVtM4= +go.elastic.co/go-licence-detector v0.7.0 h1:qC31sfyfNcNx/zMYcLABU0ac3MbGHZgksCAb5lMDUMg= +go.elastic.co/go-licence-detector v0.7.0/go.mod h1:f5ty8pjynzQD8BcS+s0qtlOGKc35/HKQxCVi8SHhV5k= go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0= go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= @@ -1026,8 +1017,6 @@ golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1058,7 +1047,6 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= -golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= @@ -1078,8 +1066,6 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180810173357-98c5dad5d1a0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -1178,7 +1164,6 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE= golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1257,7 +1242,6 @@ gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go index 4fa86c25d029..28ef4697b79a 100644 --- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go +++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go @@ -13,12 +13,14 @@ import ( "strconv" "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/libbeat/processors" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/processdb" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider/procfs_provider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider/procfsprovider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" cfg "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/logp" "github.com/elastic/elastic-agent-libs/mapstr" @@ -35,13 +37,17 @@ func InitializeModule() { } type addSessionMetadata struct { + ctx context.Context + cancel context.CancelFunc config config logger *logp.Logger db *processdb.DB provider provider.Provider + backend string } func New(cfg *cfg.C) (beat.Processor, error) { + cfgwarn.Beta("add_session_metadata processor is a beta feature.") c := defaultConfig() if err := cfg.Unpack(&c); err != nil { return nil, fmt.Errorf("fail to unpack the %v configuration: %w", processorName, err) @@ -49,49 +55,59 @@ func New(cfg *cfg.C) (beat.Processor, error) { logger := logp.NewLogger(logName) - ctx := context.Background() + ctx, cancel := context.WithCancel(context.Background()) reader := procfs.NewProcfsReader(*logger) db, err := processdb.NewDB(reader, *logger) if err != nil { + cancel() return nil, fmt.Errorf("failed to create DB: %w", err) } - backfilledPIDs := db.ScrapeProcfs() - logger.Infof("backfilled %d processes", len(backfilledPIDs)) + if c.Backend != "kernel_tracing" { + backfilledPIDs := db.ScrapeProcfs() + logger.Infof("backfilled %d processes", len(backfilledPIDs)) + } var p provider.Provider switch c.Backend { case "auto": - p, err = ebpf_provider.NewProvider(ctx, logger, db) + p, err = kerneltracingprovider.NewProvider(ctx, logger) if err != nil { - // Most likely cause of error is not supporting ebpf on system, try procfs - p, err = procfs_provider.NewProvider(ctx, logger, db, reader, c.PIDField) + // Most likely cause of error is not supporting ebpf or kprobes on system, try procfs + p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField) if err != nil { + cancel() return nil, fmt.Errorf("failed to create provider: %w", err) } logger.Info("backend=auto using procfs") } else { - logger.Info("backend=auto using ebpf") + logger.Info("backend=auto using kernel_tracing") } - case "ebpf": - p, err = ebpf_provider.NewProvider(ctx, logger, db) + case "procfs": + p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField) if err != nil { - return nil, fmt.Errorf("failed to create ebpf provider: %w", err) + cancel() + return nil, fmt.Errorf("failed to create procfs provider: %w", err) } - case "procfs": - p, err = procfs_provider.NewProvider(ctx, logger, db, reader, c.PIDField) + case "kernel_tracing": + p, err = kerneltracingprovider.NewProvider(ctx, logger) if err != nil { - return nil, fmt.Errorf("failed to create ebpf provider: %w", err) + cancel() + return nil, fmt.Errorf("failed to create kernel_tracing provider: %w", err) } default: + cancel() return nil, fmt.Errorf("unknown backend configuration") } return &addSessionMetadata{ + ctx: ctx, + cancel: cancel, config: c, logger: logger, db: db, provider: p, + backend: c.Backend, }, nil } @@ -127,6 +143,7 @@ func (p *addSessionMetadata) Run(ev *beat.Event) (*beat.Event, error) { func (p *addSessionMetadata) Close() error { p.db.Close() + p.cancel() return nil } @@ -145,13 +162,24 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) { return nil, fmt.Errorf("cannot parse pid field '%s': %w", p.config.PIDField, err) } - fullProcess, err := p.db.GetProcess(pid) - if err != nil { - e := fmt.Errorf("pid %v not found in db: %w", pid, err) - p.logger.Errorf("%v", e) - return nil, e + var fullProcess types.Process + if p.backend == "kernel_tracing" { + // kernel_tracing doesn't enrich with the processor DB; process info is taken directly from quark cache + proc, err := p.provider.GetProcess(pid) + if err != nil { + e := fmt.Errorf("pid %v not found in db: %w", pid, err) + p.logger.Warnw("PID not found in provider", "pid", pid, "error", err) + return nil, e + } + fullProcess = *proc + } else { + fullProcess, err = p.db.GetProcess(pid) + if err != nil { + e := fmt.Errorf("pid %v not found in db: %w", pid, err) + p.logger.Warnw("PID not found in provider", "pid", pid, "error", err) + return nil, e + } } - processMap := fullProcess.ToMap() if b, err := ev.Fields.HasKey("process"); !b || err != nil { diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go index 95892482f80e..a993737611bd 100644 --- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go +++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go @@ -361,7 +361,7 @@ func TestEnrich(t *testing.T) { require.Nil(t, err, "%s: enrich error: %w", tt.testName, err) require.NotNil(t, actual, "%s: returned nil event", tt.testName) - //Validate output + // Validate output if diff := cmp.Diff(tt.expected.Fields, actual.Fields, ignoreMissingFrom(tt.expected.Fields)); diff != "" { t.Errorf("field mismatch:\n%s", diff) } diff --git a/x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc b/x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc index d29c5d0ac80b..aaddde322c14 100644 --- a/x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc +++ b/x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc @@ -8,7 +8,7 @@ beta::[] The `add_session_metadata` processor enriches process events with additional information that users can see using the {security-guide}/session-view.html[Session View] tool in the -{elastic-sec} platform. +{elastic-sec} platform. NOTE: The current release of `add_session_metadata` processor for {auditbeat} is limited to virtual machines (VMs) and bare metal environments. @@ -27,9 +27,9 @@ auditbeat.modules: [[add-session-metadata-explained]] ==== How the `add_session_metadata` processor works -Using the available Linux kernel technology, the processor collects comprehensive information on all running system processes, compiling this data into a process database. -When processing an event (such as those generated by the {auditbeat} `auditd` module), the processor queries this database to retrieve information about related processes, including the parent process, session leader, process group leader, and entry leader. -It then enriches the original event with this metadata, providing a more complete picture of process relationships and system activities. +Using the available Linux kernel technology, the processor collects comprehensive information on all running system processes, compiling this data into a process database. +When processing an event (such as those generated by the {auditbeat} `auditd` module), the processor queries this database to retrieve information about related processes, including the parent process, session leader, process group leader, and entry leader. +It then enriches the original event with this metadata, providing a more complete picture of process relationships and system activities. This enhanced data enables the powerful {security-guide}/session-view.html[Session View] tool in the {elastic-sec} platform, offering users deeper insights for analysis and investigation. @@ -40,17 +40,18 @@ This enhanced data enables the powerful {security-guide}/session-view.html[Sessi The `add_session_metadata` processor operates using various backend options. * `auto` is the recommended setting. - It attempts to use `ebpf` first, falling back to `procfs` if necessary, ensuring compatibility even on systems without `ebpf` support. -* `ebpf` collects process information with eBPF. - This backend requires a system with Linux kernel 5.10.16 or above, kernel support for eBPF enabled, and auditbeat running as superuser. -* `procfs` collects process information with the proc filesystem. - This is compatible with older systems that may not support ebpf. - To gather complete process info, auditbeat requires permissions to read all process data in procfs; for example, run as a superuser or have the `SYS_PTRACE` capability. + It attempts to use `kernel_tracing` first, falling back to `procfs` if necessary, ensuring compatibility even on systems without `kernel_tracing` support. +* `kernel_tracing` collects process information with eBPF or kprobes. + This backend will prefer to use eBPF, if eBPF is not supported kprobes will be used. eBPF requires a system with Linux kernel 5.10.16 or above, kernel support for eBPF enabled, and auditbeat running as superuser. + Kprobe support required Linux kernel 3.10.0 or above, and auditbeat running as a superuser. +* `procfs` collects process information with the proc filesystem. + This is compatible with older systems that may not support ebpf. + To gather complete process info, auditbeat requires permissions to read all process data in procfs; for example, run as a superuser or have the `SYS_PTRACE` capability. [[add-session-metadata-containers]] ===== Containers -If you are running {auditbeat} in a container, the container must run in the host's PID namespace. -With the `auto` or `ebpf` backend, these host directories must also be mounted to the same path within the container: `/sys/kernel/debug`, `/sys/fs/bpf`. +If you are running {auditbeat} in a container, the container must run in the host's PID namespace. +With the `auto` or `kernel_tracing` backend, these host directories must also be mounted to the same path within the container: `/sys/kernel/debug`, `/sys/fs/bpf`. [[add-session-metadata-enable]] ==== Enable and configure Session View in {auditbeat} @@ -58,10 +59,10 @@ With the `auto` or `ebpf` backend, these host directories must also be mounted t To configure and enable {security-guide}/session-view.html[Session View] functionality, you'll: * Add the `add_sessions_metadata` processor to your `auditbeat.yml` file. -* Configure audit rules in your `auditbeat.yml` file. +* Configure audit rules in your `auditbeat.yml` file. * Restart {auditbeat}. -We'll walk you through these steps in more detail. +We'll walk you through these steps in more detail. . Edit your `auditbeat.yml` file and add this info to the modules configuration section: + @@ -89,11 +90,11 @@ auditbeat.modules: -a always,exit -F arch=b64 -S setsid ------------------------------------- + -. Save your configuration changes. +. Save your configuration changes. + -. Restart {auditbeat}: +. Restart {auditbeat}: + [source,sh] ------------------------------------- sudo systemctl restart auditbeat -------------------------------------- \ No newline at end of file +------------------------------------- diff --git a/x-pack/auditbeat/processors/sessionmd/processdb/db.go b/x-pack/auditbeat/processors/sessionmd/processdb/db.go index 28c848ddfdbc..e18c247a8590 100644 --- a/x-pack/auditbeat/processors/sessionmd/processdb/db.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/db.go @@ -254,6 +254,13 @@ func (db *DB) InsertFork(fork types.ProcessForkEvent) { } } +func (db *DB) InsertProcess(process Process) { + db.mutex.Lock() + defer db.mutex.Unlock() + + db.insertProcess(process) +} + func (db *DB) insertProcess(process Process) { pid := process.PIDs.Tgid db.processes[pid] = process @@ -458,8 +465,8 @@ func fullProcessFromDBProcess(p Process) types.Process { } ret.Thread.Capabilities.Permitted, _ = capabilities.FromUint64(p.Creds.CapPermitted) ret.Thread.Capabilities.Effective, _ = capabilities.FromUint64(p.Creds.CapEffective) - ret.TTY.CharDevice.Major = p.CTTY.Major - ret.TTY.CharDevice.Minor = p.CTTY.Minor + ret.TTY.CharDevice.Major = uint16(p.CTTY.Major) + ret.TTY.CharDevice.Minor = uint16(p.CTTY.Minor) ret.ExitCode = p.ExitCode return ret @@ -736,7 +743,7 @@ func isFilteredExecutable(executable string) bool { return stringStartsWithEntryInList(executable, filteredExecutables[:]) } -func getTTYType(major uint16, minor uint16) TTYType { +func getTTYType(major uint32, minor uint32) TTYType { if major >= ptsMinMajor && major <= ptsMaxMajor { return Pts } diff --git a/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go b/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go index 74140f47f6cd..fa0bc6e17993 100644 --- a/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go @@ -1491,7 +1491,7 @@ func TestPIDReuseNewSession(t *testing.T) { ExitCode: 0, }) - //2nd session + // 2nd session x1 := bashPID x2 := sshd0PID sshd0PID = command0PID diff --git a/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go b/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go index fc843373389d..b76dfdfdb485 100644 --- a/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go +++ b/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go @@ -18,12 +18,12 @@ import ( "github.com/elastic/elastic-agent-libs/logp" ) -func MajorTTY(ttyNr uint32) uint16 { - return uint16((ttyNr >> 8) & 0xff) +func MajorTTY(ttyNr uint32) uint32 { + return (ttyNr >> 8) & 0xff } -func MinorTTY(ttyNr uint32) uint16 { - return uint16(((ttyNr & 0xfff00000) >> 20) | (ttyNr & 0xff)) +func MinorTTY(ttyNr uint32) uint32 { + return ((ttyNr >> 12) & 0xfff00) | (ttyNr & 0xff) } // this interface exists so that we can inject a mock procfs reader for deterministic testing diff --git a/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go b/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go deleted file mode 100644 index 31220465dfe4..000000000000 --- a/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go +++ /dev/null @@ -1,231 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -//go:build linux - -package ebpf_provider - -import ( - "context" - "fmt" - "time" - - "github.com/elastic/beats/v7/libbeat/beat" - "github.com/elastic/beats/v7/libbeat/ebpf" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/processdb" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" - "github.com/elastic/ebpfevents" - "github.com/elastic/elastic-agent-libs/logp" -) - -const ( - name = "add_session_metadata" - eventMask = ebpf.EventMask(ebpfevents.EventTypeProcessFork | ebpfevents.EventTypeProcessExec | ebpfevents.EventTypeProcessExit) -) - -type prvdr struct { - ctx context.Context - logger *logp.Logger - db *processdb.DB -} - -func NewProvider(ctx context.Context, logger *logp.Logger, db *processdb.DB) (provider.Provider, error) { - p := prvdr{ - ctx: ctx, - logger: logger, - db: db, - } - - w, err := ebpf.GetWatcher() - if err != nil { - return nil, fmt.Errorf("get ebpf watcher: %w", err) - } - - records := w.Subscribe(name, eventMask) - - go func(logger logp.Logger) { - for { - r := <-records - if r.Error != nil { - logger.Warnw("received error from the ebpf subscription", "error", err) - continue - } - if r.Event == nil { - continue - } - ev := r.Event - switch ev.Type { - case ebpfevents.EventTypeProcessFork: - body, ok := ev.Body.(*ebpfevents.ProcessFork) - if !ok { - logger.Errorf("unexpected event body, got %T", ev.Body) - continue - } - pe := types.ProcessForkEvent{ - ParentPIDs: types.PIDInfo{ - Tid: body.ParentPids.Tid, - Tgid: body.ParentPids.Tgid, - Ppid: body.ParentPids.Ppid, - Pgid: body.ParentPids.Pgid, - Sid: body.ParentPids.Sid, - StartTimeNS: body.ParentPids.StartTimeNs, - }, - ChildPIDs: types.PIDInfo{ - Tid: body.ChildPids.Tid, - Tgid: body.ChildPids.Tgid, - Ppid: body.ChildPids.Ppid, - Pgid: body.ChildPids.Pgid, - Sid: body.ChildPids.Sid, - StartTimeNS: body.ChildPids.StartTimeNs, - }, - Creds: types.CredInfo{ - Ruid: body.Creds.Ruid, - Rgid: body.Creds.Rgid, - Euid: body.Creds.Euid, - Egid: body.Creds.Egid, - Suid: body.Creds.Suid, - Sgid: body.Creds.Sgid, - CapPermitted: body.Creds.CapPermitted, - CapEffective: body.Creds.CapEffective, - }, - } - p.db.InsertFork(pe) - case ebpfevents.EventTypeProcessExec: - body, ok := ev.Body.(*ebpfevents.ProcessExec) - if !ok { - logger.Errorf("unexpected event body") - continue - } - pe := types.ProcessExecEvent{ - PIDs: types.PIDInfo{ - Tid: body.Pids.Tid, - Tgid: body.Pids.Tgid, - Ppid: body.Pids.Ppid, - Pgid: body.Pids.Pgid, - Sid: body.Pids.Sid, - StartTimeNS: body.Pids.StartTimeNs, - }, - Creds: types.CredInfo{ - Ruid: body.Creds.Ruid, - Rgid: body.Creds.Rgid, - Euid: body.Creds.Euid, - Egid: body.Creds.Egid, - Suid: body.Creds.Suid, - Sgid: body.Creds.Sgid, - CapPermitted: body.Creds.CapPermitted, - CapEffective: body.Creds.CapEffective, - }, - CTTY: types.TTYDev{ - Major: body.CTTY.Major, - Minor: body.CTTY.Minor, - }, - CWD: body.Cwd, - Argv: body.Argv, - Env: body.Env, - Filename: body.Filename, - } - p.db.InsertExec(pe) - case ebpfevents.EventTypeProcessExit: - body, ok := ev.Body.(*ebpfevents.ProcessExit) - if !ok { - logger.Errorf("unexpected event body") - continue - } - pe := types.ProcessExitEvent{ - PIDs: types.PIDInfo{ - Tid: body.Pids.Tid, - Tgid: body.Pids.Tgid, - Ppid: body.Pids.Ppid, - Pgid: body.Pids.Pgid, - Sid: body.Pids.Sid, - StartTimeNS: body.Pids.StartTimeNs, - }, - ExitCode: body.ExitCode, - } - p.db.InsertExit(pe) - } - } - }(*p.logger) - - return &p, nil -} - -const ( - maxWaitLimit = 200 * time.Millisecond // Maximum time SyncDB will wait for process - combinedWaitLimit = 2 * time.Second // Multiple SyncDB calls will wait up to this amount within resetDuration - backoffDuration = 10 * time.Second // SyncDB will stop waiting for processes for this time - resetDuration = 5 * time.Second // After this amount of times with no backoffs, the combinedWait will be reset -) - -var ( - combinedWait = 0 * time.Millisecond - inBackoff = false - backoffStart = time.Now() - since = time.Now() - backoffSkipped = 0 -) - -// With ebpf, process events are pushed to the DB by the above goroutine, so this doesn't actually update the DB. -// It does to try sync the processor and ebpf events, so that the process is in the process db before continuing. -// -// It's possible that the event to enrich arrives before the process is inserted into the DB. In that case, this -// will block continuing the enrichment until the process is seen (or the timeout is reached). -// -// If for some reason a lot of time has been spent waiting for missing processes, this also has a backoff timer during -// which it will continue without waiting for missing events to arrive, so the processor doesn't become overly backed-up -// waiting for these processes, at the cost of possibly not enriching some processes. -func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { - if s.db.HasProcess(pid) { - return nil - } - - now := time.Now() - if inBackoff { - if now.Sub(backoffStart) > backoffDuration { - s.logger.Warnf("ended backoff, skipped %d processes", backoffSkipped) - inBackoff = false - combinedWait = 0 * time.Millisecond - } else { - backoffSkipped += 1 - return nil - } - } else { - if combinedWait > combinedWaitLimit { - s.logger.Warn("starting backoff") - inBackoff = true - backoffStart = now - backoffSkipped = 0 - return nil - } - // maintain a moving window of time for the delays we track - if now.Sub(since) > resetDuration { - since = now - combinedWait = 0 * time.Millisecond - } - } - - start := now - nextWait := 5 * time.Millisecond - for { - waited := time.Since(start) - if s.db.HasProcess(pid) { - s.logger.Debugf("got process that was missing after %v", waited) - combinedWait = combinedWait + waited - return nil - } - if waited >= maxWaitLimit { - e := fmt.Errorf("process %v was not seen after %v", pid, waited) - s.logger.Warnf("%v", e) - combinedWait = combinedWait + waited - return e - } - time.Sleep(nextWait) - if nextWait*2+waited > maxWaitLimit { - nextWait = maxWaitLimit - waited - } else { - nextWait = nextWait * 2 - } - } -} diff --git a/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go b/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go new file mode 100644 index 000000000000..966f4b36c30c --- /dev/null +++ b/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go @@ -0,0 +1,528 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +//go:build linux && (amd64 || arm64) && cgo + +package kerneltracingprovider + +import ( + "context" + "encoding/base64" + "fmt" + "os" + "os/user" + "path/filepath" + "strconv" + "strings" + "sync" + "time" + + quark "github.com/elastic/go-quark" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" + "github.com/elastic/elastic-agent-libs/logp" +) + +type prvdr struct { + ctx context.Context + logger *logp.Logger + qq *quark.Queue + qqMtx *sync.Mutex + combinedWait time.Duration + inBackoff bool + backoffStart time.Time + since time.Time + backoffSkipped int +} + +type TTYType int + +const ( + TTYUnknown TTYType = iota + Pts + TTY + TTYConsole +) + +const ( + Init = "init" + Sshd = "sshd" + Ssm = "ssm" + Container = "container" + Terminal = "terminal" + Kthread = "kthread" + EntryConsole = "console" + EntryUnknown = "unknown" +) + +const ( + ptsMinMajor = 136 + ptsMaxMajor = 143 + ttyMajor = 4 + consoleMaxMinor = 63 + ttyMaxMinor = 255 +) + +var ( + bootID string + pidNsInode uint64 +) + +func readBootID() (string, error) { + bootID, err := os.ReadFile("/proc/sys/kernel/random/boot_id") + if err != nil { + return "", fmt.Errorf("could not read /proc/sys/kernel/random/boot_id, process entity IDs will not be correct: %w", err) + } + + return strings.TrimRight(string(bootID), "\n"), nil +} + +func readPIDNsInode() (uint64, error) { + var ret uint64 + + pidNsInodeRaw, err := os.Readlink("/proc/self/ns/pid") + if err != nil { + return 0, fmt.Errorf("could not read /proc/self/ns/pid: %w", err) + } + + if _, err = fmt.Sscanf(pidNsInodeRaw, "pid:[%d]", &ret); err != nil { + return 0, fmt.Errorf("could not parse contents of /proc/self/ns/pid (%q): %w", pidNsInodeRaw, err) + } + + return ret, nil +} + +func NewProvider(ctx context.Context, logger *logp.Logger) (provider.Provider, error) { + attr := quark.DefaultQueueAttr() + attr.Flags = quark.QQ_ALL_BACKENDS | quark.QQ_ENTRY_LEADER | quark.QQ_NO_SNAPSHOT + qq, err := quark.OpenQueue(attr, 64) + if err != nil { + return nil, fmt.Errorf("open queue: %w", err) + } + + p := &prvdr{ + ctx: ctx, + logger: logger, + qq: qq, + qqMtx: new(sync.Mutex), + combinedWait: 0 * time.Millisecond, + inBackoff: false, + backoffStart: time.Now(), + since: time.Now(), + backoffSkipped: 0, + } + + go func(ctx context.Context, qq *quark.Queue, logger *logp.Logger, p *prvdr) { + defer qq.Close() + for ctx.Err() == nil { + p.qqMtx.Lock() + events, err := qq.GetEvents() + p.qqMtx.Unlock() + if err != nil { + logger.Errorw("get events from quark, no more process enrichment from this processor will be done", "error", err) + break + } + if len(events) == 0 { + err = qq.Block() + if err != nil { + logger.Errorw("quark block, no more process enrichment from this processor will be done", "error", err) + break + } + } + } + }(ctx, qq, logger, p) + + bootID, err = readBootID() + if err != nil { + p.logger.Errorw("failed to read boot ID, entity ID will not be correct", "error", err) + } + pidNsInode, err = readPIDNsInode() + if err != nil { + p.logger.Errorw("failed to read PID namespace inode, entity ID will not be correct", "error", err) + } + + return p, nil +} + +const ( + maxWaitLimit = 1200 * time.Millisecond // Maximum time SyncDB will wait for process + combinedWaitLimit = 15 * time.Second // Multiple SyncDB calls will wait up to this amount within resetDuration + backoffDuration = 10 * time.Second // SyncDB will stop waiting for processes for this time + resetDuration = 5 * time.Second // After this amount of times with no backoffs, the combinedWait will be reset +) + +func (p *prvdr) SyncDB(_ *beat.Event, pid uint32) error { + p.qqMtx.Lock() + defer p.qqMtx.Unlock() + + // Use qq.Lookup, not lookupLocked, in this function. Mutex is locked for entire function + + if _, found := p.qq.Lookup(int(pid)); found { + return nil + } + + now := time.Now() + if p.inBackoff { + if now.Sub(p.backoffStart) > backoffDuration { + p.logger.Warnw("ended backoff, skipped processes", "backoffSkipped", p.backoffSkipped) + p.inBackoff = false + p.combinedWait = 0 * time.Millisecond + } else { + p.backoffSkipped += 1 + return nil + } + } else { + if p.combinedWait > combinedWaitLimit { + p.logger.Warn("starting backoff") + p.inBackoff = true + p.backoffStart = now + p.backoffSkipped = 0 + return nil + } + // maintain a moving window of time for the delays we track + if now.Sub(p.since) > resetDuration { + p.since = now + p.combinedWait = 0 * time.Millisecond + } + } + + start := now + nextWait := 5 * time.Millisecond + for { + waited := time.Since(start) + if _, found := p.qq.Lookup(int(pid)); found { + p.logger.Debugw("got process that was missing ", "waited", waited) + p.combinedWait = p.combinedWait + waited + return nil + } + if waited >= maxWaitLimit { + p.combinedWait = p.combinedWait + waited + return fmt.Errorf("process %v was not seen after %v", pid, waited) + } + time.Sleep(nextWait) + if nextWait*2+waited > maxWaitLimit { + nextWait = maxWaitLimit - waited + } else { + nextWait = nextWait * 2 + } + } +} + +func (p *prvdr) GetProcess(pid uint32) (*types.Process, error) { + proc, found := p.lookupLocked(pid) + if !found { + return nil, fmt.Errorf("PID %d not found in cache", pid) + } + + interactive := interactiveFromTTY(types.TTYDev{ + Major: proc.Proc.TtyMajor, + Minor: proc.Proc.TtyMinor, + }) + + start := time.Unix(0, int64(proc.Proc.TimeBoot)) + + ret := types.Process{ + PID: proc.Pid, + Start: &start, + Name: basename(proc.Filename), + Executable: proc.Filename, + Args: proc.Cmdline, + WorkingDirectory: proc.Cwd, + Interactive: &interactive, + } + + euid := proc.Proc.Euid + egid := proc.Proc.Egid + ret.User.ID = strconv.FormatUint(uint64(euid), 10) + username, ok := getUserName(ret.User.ID) + if ok { + ret.User.Name = username + } + ret.Group.ID = strconv.FormatUint(uint64(egid), 10) + groupname, ok := getGroupName(ret.Group.ID) + if ok { + ret.Group.Name = groupname + } + ret.TTY.CharDevice.Major = uint16(proc.Proc.TtyMajor) + ret.TTY.CharDevice.Minor = uint16(proc.Proc.TtyMinor) + if proc.Exit.Valid { + end := time.Unix(0, int64(proc.Exit.ExitTimeProcess)) + ret.ExitCode = proc.Exit.ExitCode + ret.End = &end + } + ret.EntityID = calculateEntityIDv1(pid, *ret.Start) + + p.fillParent(&ret, proc.Proc.Ppid) + p.fillGroupLeader(&ret, proc.Proc.Pgid) + p.fillSessionLeader(&ret, proc.Proc.Sid) + p.fillEntryLeader(&ret, proc.Proc.EntryLeader) + setEntityID(&ret) + setSameAsProcess(&ret) + return &ret, nil +} + +func (p prvdr) lookupLocked(pid uint32) (quark.Process, bool) { + p.qqMtx.Lock() + defer p.qqMtx.Unlock() + + return p.qq.Lookup(int(pid)) +} + +func (p prvdr) fillParent(process *types.Process, ppid uint32) { + proc, found := p.lookupLocked(ppid) + if !found { + return + } + + start := time.Unix(0, int64(proc.Proc.TimeBoot)) + interactive := interactiveFromTTY(types.TTYDev{ + Major: proc.Proc.TtyMajor, + Minor: proc.Proc.TtyMinor, + }) + euid := proc.Proc.Euid + egid := proc.Proc.Egid + process.Parent.PID = proc.Pid + process.Parent.Start = &start + process.Parent.Name = basename(proc.Filename) + process.Parent.Executable = proc.Filename + process.Parent.Args = proc.Cmdline + process.Parent.WorkingDirectory = proc.Cwd + process.Parent.Interactive = &interactive + process.Parent.User.ID = strconv.FormatUint(uint64(euid), 10) + username, ok := getUserName(process.Parent.User.ID) + if ok { + process.Parent.User.Name = username + } + process.Parent.Group.ID = strconv.FormatUint(uint64(egid), 10) + groupname, ok := getGroupName(process.Parent.Group.ID) + if ok { + process.Parent.Group.Name = groupname + } + process.Parent.EntityID = calculateEntityIDv1(ppid, *process.Start) +} + +func (p prvdr) fillGroupLeader(process *types.Process, pgid uint32) { + proc, found := p.lookupLocked(pgid) + if !found { + return + } + + start := time.Unix(0, int64(proc.Proc.TimeBoot)) + + interactive := interactiveFromTTY(types.TTYDev{ + Major: proc.Proc.TtyMajor, + Minor: proc.Proc.TtyMinor, + }) + euid := proc.Proc.Euid + egid := proc.Proc.Egid + process.GroupLeader.PID = proc.Pid + process.GroupLeader.Start = &start + process.GroupLeader.Name = basename(proc.Filename) + process.GroupLeader.Executable = proc.Filename + process.GroupLeader.Args = proc.Cmdline + process.GroupLeader.WorkingDirectory = proc.Cwd + process.GroupLeader.Interactive = &interactive + process.GroupLeader.User.ID = strconv.FormatUint(uint64(euid), 10) + username, ok := getUserName(process.GroupLeader.User.ID) + if ok { + process.GroupLeader.User.Name = username + } + process.GroupLeader.Group.ID = strconv.FormatUint(uint64(egid), 10) + groupname, ok := getGroupName(process.GroupLeader.Group.ID) + if ok { + process.GroupLeader.Group.Name = groupname + } + process.GroupLeader.EntityID = calculateEntityIDv1(pgid, *process.GroupLeader.Start) +} + +func (p prvdr) fillSessionLeader(process *types.Process, sid uint32) { + proc, found := p.lookupLocked(sid) + if !found { + return + } + + start := time.Unix(0, int64(proc.Proc.TimeBoot)) + + interactive := interactiveFromTTY(types.TTYDev{ + Major: proc.Proc.TtyMajor, + Minor: proc.Proc.TtyMinor, + }) + euid := proc.Proc.Euid + egid := proc.Proc.Egid + process.SessionLeader.PID = proc.Pid + process.SessionLeader.Start = &start + process.SessionLeader.Name = basename(proc.Filename) + process.SessionLeader.Executable = proc.Filename + process.SessionLeader.Args = proc.Cmdline + process.SessionLeader.WorkingDirectory = proc.Cwd + process.SessionLeader.Interactive = &interactive + process.SessionLeader.User.ID = strconv.FormatUint(uint64(euid), 10) + username, ok := getUserName(process.SessionLeader.User.ID) + if ok { + process.SessionLeader.User.Name = username + } + process.SessionLeader.Group.ID = strconv.FormatUint(uint64(egid), 10) + groupname, ok := getGroupName(process.SessionLeader.Group.ID) + if ok { + process.SessionLeader.Group.Name = groupname + } + process.SessionLeader.EntityID = calculateEntityIDv1(sid, *process.SessionLeader.Start) +} + +func (p prvdr) fillEntryLeader(process *types.Process, elid uint32) { + proc, found := p.lookupLocked(elid) + if !found { + return + } + + start := time.Unix(0, int64(proc.Proc.TimeBoot)) + + interactive := interactiveFromTTY(types.TTYDev{ + Major: proc.Proc.TtyMajor, + Minor: proc.Proc.TtyMinor, + }) + + euid := proc.Proc.Euid + egid := proc.Proc.Egid + process.EntryLeader.PID = proc.Pid + process.EntryLeader.Start = &start + process.EntryLeader.WorkingDirectory = proc.Cwd + process.EntryLeader.Interactive = &interactive + process.EntryLeader.User.ID = strconv.FormatUint(uint64(euid), 10) + username, ok := getUserName(process.EntryLeader.User.ID) + if ok { + process.EntryLeader.User.Name = username + } + process.EntryLeader.Group.ID = strconv.FormatUint(uint64(egid), 10) + groupname, ok := getGroupName(process.EntryLeader.Group.ID) + if ok { + process.EntryLeader.Group.Name = groupname + } + + process.EntryLeader.EntityID = calculateEntityIDv1(elid, *process.EntryLeader.Start) + process.EntryLeader.EntryMeta.Type = getEntryTypeName(proc.Proc.EntryLeaderType) +} + +func setEntityID(process *types.Process) { + if process.PID != 0 && process.Start != nil { + process.EntityID = calculateEntityIDv1(process.PID, *process.Start) + } + + if process.Parent.PID != 0 && process.Parent.Start != nil { + process.Parent.EntityID = calculateEntityIDv1(process.Parent.PID, *process.Parent.Start) + } + + if process.GroupLeader.PID != 0 && process.GroupLeader.Start != nil { + process.GroupLeader.EntityID = calculateEntityIDv1(process.GroupLeader.PID, *process.GroupLeader.Start) + } + + if process.SessionLeader.PID != 0 && process.SessionLeader.Start != nil { + process.SessionLeader.EntityID = calculateEntityIDv1(process.SessionLeader.PID, *process.SessionLeader.Start) + } + + if process.EntryLeader.PID != 0 && process.EntryLeader.Start != nil { + process.EntryLeader.EntityID = calculateEntityIDv1(process.EntryLeader.PID, *process.EntryLeader.Start) + } +} + +func setSameAsProcess(process *types.Process) { + if process.GroupLeader.PID != 0 && process.GroupLeader.Start != nil { + sameAsProcess := process.PID == process.GroupLeader.PID + process.GroupLeader.SameAsProcess = &sameAsProcess + } + + if process.SessionLeader.PID != 0 && process.SessionLeader.Start != nil { + sameAsProcess := process.PID == process.SessionLeader.PID + process.SessionLeader.SameAsProcess = &sameAsProcess + } + + if process.EntryLeader.PID != 0 && process.EntryLeader.Start != nil { + sameAsProcess := process.PID == process.EntryLeader.PID + process.EntryLeader.SameAsProcess = &sameAsProcess + } +} + +func interactiveFromTTY(tty types.TTYDev) bool { + return TTYUnknown != getTTYType(tty.Major, tty.Minor) +} + +func getTTYType(major uint32, minor uint32) TTYType { + if major >= ptsMinMajor && major <= ptsMaxMajor { + return Pts + } + + if ttyMajor == major { + if minor <= consoleMaxMinor { + return TTYConsole + } else if minor > consoleMaxMinor && minor <= ttyMaxMinor { + return TTY + } + } + + return TTYUnknown +} + +func calculateEntityIDv1(pid uint32, startTime time.Time) string { + return base64.StdEncoding.EncodeToString( + []byte( + fmt.Sprintf("%d__%s__%d__%d", + pidNsInode, + bootID, + uint64(pid), + uint64(startTime.Unix()), + ), + ), + ) +} + +// `path.Base` returns a '.' for empty strings, this just special cases that +// situation to return an empty string +func basename(pathStr string) string { + if pathStr == "" { + return "" + } + + return filepath.Base(pathStr) +} + +// getUserName will return the name associated with the user ID, if it exists +func getUserName(id string) (string, bool) { + user, err := user.LookupId(id) + if err != nil { + return "", false + } + return user.Username, true +} + +// getGroupName will return the name associated with the group ID, if it exists +func getGroupName(id string) (string, bool) { + group, err := user.LookupGroupId(id) + if err != nil { + return "", false + } + return group.Name, true +} + +func getEntryTypeName(entryType uint32) string { + switch int(entryType) { + case quark.QUARK_ELT_INIT: + return Init + case quark.QUARK_ELT_SSHD: + return Sshd + case quark.QUARK_ELT_SSM: + return Ssm + case quark.QUARK_ELT_CONTAINER: + return Container + case quark.QUARK_ELT_TERM: + return Terminal + case quark.QUARK_ELT_CONSOLE: + return EntryConsole + case quark.QUARK_ELT_KTHREAD: + return Kthread + default: + return "unknown" + } +} diff --git a/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_other.go b/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_other.go new file mode 100644 index 000000000000..e895a696747d --- /dev/null +++ b/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_other.go @@ -0,0 +1,31 @@ +// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one +// or more contributor license agreements. Licensed under the Elastic License; +// you may not use this file except in compliance with the Elastic License. + +//go:build linux && !((amd64 || arm64) && cgo) + +package kerneltracingprovider + +import ( + "context" + "fmt" + + "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" + "github.com/elastic/elastic-agent-libs/logp" +) + +type prvdr struct{} + +func NewProvider(ctx context.Context, logger *logp.Logger) (provider.Provider, error) { + return prvdr{}, fmt.Errorf("build type not supported, cgo required") +} + +func (p prvdr) SyncDB(event *beat.Event, pid uint32) error { + return fmt.Errorf("build type not supported") +} + +func (p prvdr) GetProcess(pid uint32) (*types.Process, error) { + return nil, fmt.Errorf("build type not supported") +} diff --git a/x-pack/auditbeat/processors/sessionmd/provider/procfs_provider/procfs_provider.go b/x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go similarity index 78% rename from x-pack/auditbeat/processors/sessionmd/provider/procfs_provider/procfs_provider.go rename to x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go index 4380bc2ccae4..4934a79fc52c 100644 --- a/x-pack/auditbeat/processors/sessionmd/provider/procfs_provider/procfs_provider.go +++ b/x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go @@ -4,7 +4,7 @@ //go:build linux -package procfs_provider +package procfsprovider import ( "context" @@ -40,8 +40,12 @@ func NewProvider(ctx context.Context, logger *logp.Logger, db *processdb.DB, rea }, nil } +func (p prvdr) GetProcess(pid uint32) (*types.Process, error) { + return nil, fmt.Errorf("not implemented") +} + // SyncDB will update the process DB with process info from procfs or the event itself -func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { +func (p prvdr) SyncDB(ev *beat.Event, pid uint32) error { syscall, err := ev.GetValue(syscallField) if err != nil { return fmt.Errorf("event not supported, no syscall data") @@ -50,17 +54,17 @@ func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { switch syscall { case "execveat", "execve": pe := types.ProcessExecEvent{} - proc_info, err := s.reader.GetProcess(pid) + procInfo, err := p.reader.GetProcess(pid) if err == nil { - pe.PIDs = proc_info.PIDs - pe.Creds = proc_info.Creds - pe.CTTY = proc_info.CTTY - pe.CWD = proc_info.Cwd - pe.Argv = proc_info.Argv - pe.Env = proc_info.Env - pe.Filename = proc_info.Filename + pe.PIDs = procInfo.PIDs + pe.Creds = procInfo.Creds + pe.CTTY = procInfo.CTTY + pe.CWD = procInfo.Cwd + pe.Argv = procInfo.Argv + pe.Env = procInfo.Env + pe.Filename = procInfo.Filename } else { - s.logger.Warnf("couldn't get process info from proc for pid %v: %v", pid, err) + p.logger.Warnw("couldn't get process info from proc for pid", "pid", pid, "error", err) // If process info couldn't be taken from procfs, populate with as much info as // possible from the event pe.PIDs.Tgid = pid @@ -77,7 +81,7 @@ func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { } pe.PIDs.Ppid = uint32(i) - parent, err = s.db.GetProcess(pe.PIDs.Ppid) + parent, err = p.db.GetProcess(pe.PIDs.Ppid) if err != nil { goto out } @@ -87,10 +91,14 @@ func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { if err != nil { goto out } - pe.CWD = intr.(string) + if str, ok := intr.(string); ok { + pe.CWD = str + } else { + goto out + } out: } - s.db.InsertExec(pe) + p.db.InsertExec(pe) if err != nil { return fmt.Errorf("insert exec to db: %w", err) } @@ -100,7 +108,7 @@ func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { Tgid: pid, }, } - s.db.InsertExit(pe) + p.db.InsertExit(pe) case "setsid": intr, err := ev.Fields.GetValue("auditd.result") if err != nil { @@ -117,7 +125,7 @@ func (s prvdr) SyncDB(ev *beat.Event, pid uint32) error { Sid: pid, }, } - s.db.InsertSetsid(setsid_ev) + p.db.InsertSetsid(setsid_ev) } } return nil diff --git a/x-pack/auditbeat/processors/sessionmd/provider/procfs_provider/procfs_provider_test.go b/x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider_test.go similarity index 99% rename from x-pack/auditbeat/processors/sessionmd/provider/procfs_provider/procfs_provider_test.go rename to x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider_test.go index 455cb3c0433a..42f19f488ce4 100644 --- a/x-pack/auditbeat/processors/sessionmd/provider/procfs_provider/procfs_provider_test.go +++ b/x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider_test.go @@ -4,7 +4,7 @@ //go:build linux -package procfs_provider +package procfsprovider import ( "context" diff --git a/x-pack/auditbeat/processors/sessionmd/provider/provider.go b/x-pack/auditbeat/processors/sessionmd/provider/provider.go index e95da3ec2006..4ac9530cfeaa 100644 --- a/x-pack/auditbeat/processors/sessionmd/provider/provider.go +++ b/x-pack/auditbeat/processors/sessionmd/provider/provider.go @@ -8,9 +8,11 @@ package provider import ( "github.com/elastic/beats/v7/libbeat/beat" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" ) // SyncDB should ensure the DB is in a state to handle the event before returning. type Provider interface { SyncDB(event *beat.Event, pid uint32) error + GetProcess(pid uint32) (*types.Process, error) } diff --git a/x-pack/auditbeat/processors/sessionmd/types/events.go b/x-pack/auditbeat/processors/sessionmd/types/events.go index 5f8d67d763f1..857ab8fa2c10 100644 --- a/x-pack/auditbeat/processors/sessionmd/types/events.go +++ b/x-pack/auditbeat/processors/sessionmd/types/events.go @@ -60,8 +60,8 @@ type TTYTermios struct { } type TTYDev struct { - Minor uint16 - Major uint16 + Minor uint32 + Major uint32 Winsize TTYWinsize Termios TTYTermios } diff --git a/x-pack/auditbeat/processors/sessionmd/types/process.go b/x-pack/auditbeat/processors/sessionmd/types/process.go index 8f52a9c5aa59..a437f35310f3 100644 --- a/x-pack/auditbeat/processors/sessionmd/types/process.go +++ b/x-pack/auditbeat/processors/sessionmd/types/process.go @@ -448,6 +448,9 @@ func (p *Process) ToMap() mapstr.M { if p.EntryLeader.Start != nil { process.Put("entry_leader.start", p.EntryLeader.Start) } + if p.End != nil { + process.Put("end", p.End) + } return process }