Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Auditbeat] fim(ebpf): enrich file events with process data #38199

Merged
merged 19 commits into from
Apr 5, 2024

Conversation

mmat11
Copy link
Contributor

@mmat11 mmat11 commented Mar 6, 2024

Proposed commit message

fim(ebpf): enrich file events with process data

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

Related issues

elastic/integrations#7401

Screenshot

Screenshot 2024-04-02 at 2 31 57 PM

@mmat11 mmat11 requested review from a team as code owners March 6, 2024 15:08
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Mar 6, 2024
@mergify mergify bot assigned mmat11 Mar 6, 2024
Copy link
Contributor

mergify bot commented Mar 6, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @mmat11? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@mmat11 mmat11 force-pushed the matt/fim-user-data branch from 83d9ec6 to 36c6ecd Compare March 6, 2024 15:12
@elasticmachine
Copy link
Collaborator

elasticmachine commented Mar 6, 2024

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 180 min 13 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@mmat11 mmat11 force-pushed the matt/fim-user-data branch 8 times, most recently from ae5dd9b to f11bcbd Compare March 7, 2024 18:39
@mmat11 mmat11 added the Team:Security-Linux Platform Linux Platform Team in Security Solution label Mar 8, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Mar 8, 2024
@mmat11 mmat11 requested a review from andrewkroh March 8, 2024 12:45
auditbeat/_meta/fields.common.yml Outdated Show resolved Hide resolved
auditbeat/docs/fields.asciidoc Outdated Show resolved Hide resolved
auditbeat/module/file_integrity/event.go Show resolved Hide resolved
auditbeat/module/file_integrity/event.go Show resolved Hide resolved
@mmat11 mmat11 force-pushed the matt/fim-user-data branch from afe8971 to 7ada154 Compare March 11, 2024 15:01
Copy link
Contributor

@nicholasberlin nicholasberlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM FWIW

@pierrehilbert pierrehilbert added the Team:Elastic-Agent Label for the Agent team label Mar 11, 2024
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good.

Just a couple of questions. process.pid matching the ECS type is the biggest question.

auditbeat/_meta/fields.common.yml Outdated Show resolved Hide resolved
auditbeat/module/file_integrity/event.go Outdated Show resolved Hide resolved
@mmat11 mmat11 force-pushed the matt/fim-user-data branch 2 times, most recently from c98f693 to 9bc78d4 Compare March 12, 2024 13:35
@pkoutsovasilis pkoutsovasilis force-pushed the matt/fim-user-data branch 2 times, most recently from 58cd307 to bd4cf98 Compare April 4, 2024 18:47
@pkoutsovasilis
Copy link
Contributor

run docs-build rebuild

@alexsapran
Copy link
Contributor

run docs-build

Copy link
Collaborator

@pierrehilbert pierrehilbert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx for your work and investigations!

@pkoutsovasilis pkoutsovasilis merged commit dbdaac3 into main Apr 5, 2024
125 checks passed
@pkoutsovasilis pkoutsovasilis deleted the matt/fim-user-data branch April 5, 2024 10:19
@@ -1,4 +1,5 @@
FROM golang:1.21.8
COPY --from=docker:26.0.0-alpine3.19 /usr/local/bin/docker /usr/local/bin/
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we leave a comment (with a TODO perhaps that it will be addressed via #38678) ?

@faec faec added the backport-v8.13.0 Automated backport with mergify label Apr 5, 2024
mergify bot pushed a commit that referenced this pull request Apr 5, 2024
* fim(ebpf): enrich file events with process data

* apply review suggestions

* apply review suggestions

* fix(fim/ebpf): move process fields to event root and insert them so keys do not contain dots

* fix(fim/ebpf): refactor HostID to utilise sync.OnceValue and expose boot time

* fix(fim/ebpf): refactor TicksPerSecond to utilise sync.OnceValue

* fix(fim/ebpf): remove empty slice allocation

* chore: go mod tidy

* fix: explicitly set go 1.21.8 in go.mod

* fix(fim/ebpf): nil slice of errors in TestNewEventFromEbpfEvent

* fix(fim/ebpf): remove re-declaration of already ecs included fields

* fix(fim/ebpf): utilise OnceValues to declutter the code

* fix(fim/ebpf): remove x-pack import from OSS package

* fix(fim/ebpf): propagate process fields changes to integration tests

* chore: go mod tidy

* ci: temporary solution to outdated docker compose python library

* ci: transition to a fixed tag for docker image instead of a rolling one

---------

Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Co-authored-by: Pierre HILBERT <pierre.hilbert@elastic.co>
(cherry picked from commit dbdaac3)

# Conflicts:
#	go.mod
#	go.sum
cmacknz added a commit to cmacknz/beats that referenced this pull request Apr 5, 2024
cmacknz added a commit that referenced this pull request Apr 5, 2024
…38743)

* Manual port of docker CI fix from #38199

* Fix order in requirements.txt.
mergify bot pushed a commit that referenced this pull request Apr 5, 2024
…38743)

* Manual port of docker CI fix from #38199

* Fix order in requirements.txt.

(cherry picked from commit 33b776a)

# Conflicts:
#	libbeat/tests/system/requirements.txt
#	libbeat/tests/system/requirements_aix.txt
#	metricbeat/Dockerfile
pierrehilbert pushed a commit that referenced this pull request Apr 7, 2024
…ocker-compose package (#38746)

* [7.17] Fix Python systems tests with forked docker-compose package (#38743)

* Manual port of docker CI fix from #38199

* Fix order in requirements.txt.

(cherry picked from commit 33b776a)

# Conflicts:
#	libbeat/tests/system/requirements.txt
#	libbeat/tests/system/requirements_aix.txt
#	metricbeat/Dockerfile

* Resolve conflicts

* Restore uintentionally removed packages

* Remove duplicate package.

* Add dropped docker copy

---------

Co-authored-by: Craig MacKenzie <craig.mackenzie@elastic.co>
zeynepyz pushed a commit to zeynepyz/beats that referenced this pull request Apr 7, 2024
…38199)

* fim(ebpf): enrich file events with process data

* apply review suggestions

* apply review suggestions

* fix(fim/ebpf): move process fields to event root and insert them so keys do not contain dots

* fix(fim/ebpf): refactor HostID to utilise sync.OnceValue and expose boot time

* fix(fim/ebpf): refactor TicksPerSecond to utilise sync.OnceValue

* fix(fim/ebpf): remove empty slice allocation

* chore: go mod tidy

* fix: explicitly set go 1.21.8 in go.mod

* fix(fim/ebpf): nil slice of errors in TestNewEventFromEbpfEvent

* fix(fim/ebpf): remove re-declaration of already ecs included fields

* fix(fim/ebpf): utilise OnceValues to declutter the code

* fix(fim/ebpf): remove x-pack import from OSS package

* fix(fim/ebpf): propagate process fields changes to integration tests

* chore: go mod tidy

* ci: temporary solution to outdated docker compose python library

* ci: transition to a fixed tag for docker image instead of a rolling one

---------

Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Co-authored-by: Pierre HILBERT <pierre.hilbert@elastic.co>
mergify bot pushed a commit that referenced this pull request Apr 8, 2024
…38743)

* Manual port of docker CI fix from #38199

* Fix order in requirements.txt.

(cherry picked from commit 33b776a)

# Conflicts:
#	libbeat/tests/system/requirements.txt
#	libbeat/tests/system/requirements_aix.txt
#	metricbeat/Dockerfile
pkoutsovasilis added a commit that referenced this pull request Apr 9, 2024
…h process data (#38742)

* [Auditbeat] fim(ebpf): enrich file events with process data (#38199)

* fim(ebpf): enrich file events with process data

* apply review suggestions

* apply review suggestions

* fix(fim/ebpf): move process fields to event root and insert them so keys do not contain dots

* fix(fim/ebpf): refactor HostID to utilise sync.OnceValue and expose boot time

* fix(fim/ebpf): refactor TicksPerSecond to utilise sync.OnceValue

* fix(fim/ebpf): remove empty slice allocation

* chore: go mod tidy

* fix: explicitly set go 1.21.8 in go.mod

* fix(fim/ebpf): nil slice of errors in TestNewEventFromEbpfEvent

* fix(fim/ebpf): remove re-declaration of already ecs included fields

* fix(fim/ebpf): utilise OnceValues to declutter the code

* fix(fim/ebpf): remove x-pack import from OSS package

* fix(fim/ebpf): propagate process fields changes to integration tests

* chore: go mod tidy

* ci: temporary solution to outdated docker compose python library

* ci: transition to a fixed tag for docker image instead of a rolling one

---------

Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Co-authored-by: Pierre HILBERT <pierre.hilbert@elastic.co>
(cherry picked from commit dbdaac3)

# Conflicts:
#	go.mod
#	go.sum

* fix: resolve conflicts

---------

Co-authored-by: Mattia Meleleo <melmat@tuta.io>
Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-v8.13.0 Automated backport with mergify Team:Elastic-Agent Label for the Agent team Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants