The Mach Object (Mach-O) sub-field does not yet exist for the file top-level fieldset. This can be created to include more file attributes to aid in malware and file analysis.
Motivation:
In creating a VirusTotal Filebeat module, we identified opportunities to extend the file.* top-level fieldset with the creation of the Mach-O sub-field.
Detailed Design:
| Name | Type | Description |
| --- | --- | --- |
| file.mach-o.cpu | object | CPU information for the file. |
| file.mach-o.cpu.architecture | keyword | CPU architecture target for the file. |
| file.mach-o.cpu.byte_order | keyword | CPU byte order for the file. |
| file.mach-o.cpu.subtype | keyword | CPU subtype for the file. |
| file.mach-o.cpu.type | keyword | CPU type for the file. |
| file.mach-o.headers | object | Header information for the file. |
| file.mach-o.headers.commands | object | Header load commands for the file. |
| file.mach-o.headers.commands.number | long | Number of load commands for the Mach-O header. |
| file.mach-o.headers.commands.size | long | Size of load commands of the Mach-O header. |
| file.mach-o.headers.commands.type | keyword | Type of the load commands for the Mach-O header. |
| file.mach-o.headers.magic | keyword | Magic field of the Mach-O header. |
| file.mach-o.headers.flags | keyword | Flags set in the Mach-O header. |
| file.mach-o.segments | object | Segment information for the file. |
| file.mach-o.segments.vmaddr | keyword | Memory address of this segment. |
| file.mach-o.segments.name | keyword | Name of this segment. |
| file.mach-o.segments.vmsize | keyword | Memory size of this segment. |
| file.mach-o.segments.fileoff | keyword | File offset of this segment. |
| file.mach-o.segments.filesize | keyword | Amount of memory to map from the file. |
| file.mach-o.segments.sections | object | Section information for the segment of the file. |
| file.mach-o.segments.sections.flags | keyword | Section flags for the segment of the file. |
| file.mach-o.segments.sections.name | keyword | Section name for the segment of the file. |
| file.mach-o.segments.sections.type | keyword | Section type for the segment of the file. |
| file.mach-o.signature | object | Signature information for the file. |
| file.mach-o.signature.candidate_cd_hash | keyword | Code Digest (CD) SHA256 hash of the first 20 bytes of the file. |
| file.mach-o.signature.team_identifier | keyword | Team identifier of the code signing certificate. |
| file.mach-o.signature.sealed_resources | long | Version of the resource envelope for the code signing certificate. |
| file.mach-o.signature.cms_digest | keyword | Cryptographic Message Syntax (CMS) hash of the code signing certificate. |
| file.mach-o.signature.cms_digest_type | keyword | Cryptographic Message Syntax (CMS) type of the code signing certificate. |
| file.mach-o.signature.status | keyword | Verification information for the code signing certificate. |
| file.mach-o.signature.fingerprint | keyword | MD5 digest of the DER-encoded certificate information. |
| file.mach-o.executable | object | Information about the executable segment for the file. |
CC @dcode @devonakerr
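To make the proposed `file.mach-o.cpu`, `file.mach-o.headers` and `file.mach-o.segments` fields concrete, here is an added example (not code from ECS, Filebeat or the VirusTotal module) that reads a Mach-O header, its load commands and the `LC_SEGMENT`/`LC_SEGMENT_64` commands with their sections, and returns a dict shaped like the table above. Constant values and struct layouts come from Apple's `<mach-o/loader.h>`; the mapping of numeric values to names (`x86_64_all`, `MH_PIE`, `S_REGULAR`, ...) and the hex-string rendering of addresses as `keyword` values are this example's own choices. The sample binary is constructed in memory by `build_sample()` and is not a real file; the `signature.*` fields are out of scope here.

```python
"""Extract the proposed file.mach-o.* fields from a Mach-O header.

Added example, not code from ECS or the VirusTotal module: it parses the
mach_header(_64), its load commands, LC_SEGMENT(_64) and their sections and
returns a dict shaped like the sub-field table in the proposal. Constant
values come from Apple's <mach-o/loader.h>; the sample at the bottom is
constructed in memory and is not a real binary.
"""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header, native / byte-swapped
FAT_MAGICS = {0xCAFEBABE, 0xBEBAFECA}              # universal wrapper: each slice is its own Mach-O
LC_SEGMENT, LC_SEGMENT_64, LC_MAIN = 0x1, 0x19, 0x80000028
LC_NAMES = {0x1: "LC_SEGMENT", 0xC: "LC_LOAD_DYLIB", 0xE: "LC_LOAD_DYLINKER", 0x19: "LC_SEGMENT_64",
            0x1B: "LC_UUID", 0x1D: "LC_CODE_SIGNATURE", 0x80000028: "LC_MAIN"}
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPES = {7: "x86", 7 | CPU_ARCH_ABI64: "x86_64", 12: "arm", 12 | CPU_ARCH_ABI64: "arm64"}
CPU_SUBTYPES = {"x86_64": {3: "x86_64_all", 8: "x86_64_h"}, "arm64": {0: "arm64_all", 2: "arm64e"}}
MH_FLAGS = {0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL", 0x20000: "MH_ALLOW_STACK_EXECUTION",
            0x200000: "MH_PIE", 0x1000000: "MH_NO_HEAP_EXECUTION"}
SECTION_TYPES = {0x0: "S_REGULAR", 0x1: "S_ZEROFILL", 0x2: "S_CSTRING_LITERALS",
                 0x6: "S_NON_LAZY_SYMBOL_POINTERS", 0x7: "S_LAZY_SYMBOL_POINTERS", 0x8: "S_SYMBOL_STUBS"}
SECTION_ATTRS = {0x80000000: "S_ATTR_PURE_INSTRUCTIONS", 0x04000000: "S_ATTR_SELF_MODIFYING_CODE",
                 0x02000000: "S_ATTR_DEBUG", 0x400: "S_ATTR_SOME_INSTRUCTIONS"}


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def _parse_segment(data: bytes, off: int, end: str, is64: bool) -> dict:
    seg_fmt = end + "II16s" + ("QQQQ" if is64 else "IIII") + "iiII"
    sec_fmt = end + ("16s16sQQIIIIIIII" if is64 else "16s16sIIIIIIIII")
    _, cmdsize, name, vmaddr, vmsize, fileoff, filesize, _, _, nsects, _ = struct.unpack_from(seg_fmt, data, off)
    sec_off, sec_size = off + struct.calcsize(seg_fmt), struct.calcsize(sec_fmt)
    if sec_off + nsects * sec_size > off + cmdsize:   # nsects must fit inside the command itself
        raise ValueError(f"segment {_cstr(name)!r} claims {nsects} sections but cmdsize is {cmdsize}")
    sections = []
    for i in range(nsects):
        s = struct.unpack_from(sec_fmt, data, sec_off + i * sec_size)
        flags = s[8]                                   # flags sit at the same index in both layouts
        sections.append({"name": _cstr(s[0]),
                         "type": SECTION_TYPES.get(flags & 0xFF, f"S_{flags & 0xFF:#x}"),
                         "flags": [n for b, n in SECTION_ATTRS.items() if flags & b]})
    return {"name": _cstr(name), "vmaddr": f"{vmaddr:#x}", "vmsize": f"{vmsize:#x}",
            "fileoff": f"{fileoff:#x}", "filesize": f"{filesize:#x}", "sections": sections}


def parse_macho(data: bytes) -> dict:
    if len(data) < 4:
        raise ValueError("too short for a Mach-O magic")
    raw_magic, = struct.unpack_from("<I", data, 0)
    if raw_magic in FAT_MAGICS:
        raise ValueError("universal (fat) binary: parse each architecture slice separately")
    if raw_magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"          # file is little-endian
    elif raw_magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"          # reading LE gave the swapped value, so the file is big-endian
    else:
        raise ValueError(f"not a Mach-O header: magic {raw_magic:#x}")
    is64 = raw_magic in (MH_MAGIC_64, MH_CIGAM_64)
    hdr_fmt = end + ("IIIIIIII" if is64 else "IIIIIII")   # 64-bit header has a trailing reserved word
    magic, cputype, cpusubtype, _filetype, ncmds, sizeofcmds, flags = struct.unpack_from(hdr_fmt, data, 0)[:7]
    off = struct.calcsize(hdr_fmt)
    if off + sizeofcmds > len(data):
        raise ValueError("sizeofcmds runs past end of file (truncated or malformed)")
    arch = CPU_TYPES.get(cputype, f"unknown({cputype:#x})")
    subtype = cpusubtype & 0x00FFFFFF    # strip capability bits (CPU_SUBTYPE_MASK), e.g. CPU_SUBTYPE_LIB64
    commands, segments = [], []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError(f"load command at {off:#x} has bad cmdsize {cmdsize}")
        commands.append(LC_NAMES.get(cmd, f"LC_{cmd:#x}"))
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            segments.append(_parse_segment(data, off, end, cmd == LC_SEGMENT_64))
        off += cmdsize
    return {
        "cpu": {"architecture": arch, "byte_order": "little" if end == "<" else "big",
                "type": f"{cputype:#x}", "subtype": CPU_SUBTYPES.get(arch, {}).get(subtype, f"{subtype:#x}")},
        "headers": {"magic": f"{magic:#x}", "flags": [n for b, n in MH_FLAGS.items() if flags & b],
                    "commands": {"number": ncmds, "size": sizeofcmds, "type": commands}},
        "segments": segments,
    }


def build_sample(end: str = "<") -> bytes:
    """Constructed x86_64 MH_EXECUTE header with __PAGEZERO, __TEXT/__text and LC_MAIN (not a real binary)."""
    sect = struct.pack(end + "16s16sQQIIIIIIII", b"__text", b"__TEXT", 0x100000F60, 0x20, 0xF60, 4, 0, 0,
                       0x80000400, 0, 0, 0)      # S_REGULAR | S_ATTR_PURE_INSTRUCTIONS | S_ATTR_SOME_INSTRUCTIONS
    text = struct.pack(end + "II16sQQQQiiII", LC_SEGMENT_64, 72 + 80, b"__TEXT",
                       0x100000000, 0x1000, 0, 0x1000, 7, 5, 1, 0) + sect
    pagezero = struct.pack(end + "II16sQQQQiiII", LC_SEGMENT_64, 72, b"__PAGEZERO", 0, 0x100000000, 0, 0, 0, 0, 0, 0)
    main = struct.pack(end + "IIQQ", LC_MAIN, 24, 0xF60, 0)
    cmds = pagezero + text + main
    # flags 0x200085 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL | MH_PIE; subtype carries CPU_SUBTYPE_LIB64
    return struct.pack(end + "IIIIIIII", MH_MAGIC_64, 7 | CPU_ARCH_ABI64, 0x80000003, 2, 3, len(cmds), 0x200085, 0) + cmds


if __name__ == "__main__":
    import json
    print(json.dumps({"file": {"mach-o": parse_macho(build_sample())}}, indent=2))
```

Two points worth carrying into whatever implementation ends up behind these fields: `cpu.subtype` should be masked with `CPU_SUBTYPE_MASK` before lookup, since real binaries commonly carry capability bits such as `CPU_SUBTYPE_LIB64` in the high byte, and every `cmdsize`/`nsects` value must be bounds-checked against the file rather than trusted, because malformed headers are exactly what a malware-analysis pipeline will see.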