diff --git a/NOTICE.txt b/NOTICE.txt index c7a089fef75b..a83bc863b52b 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -21420,37 +21420,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Dependency : github.com/mohae/deepcopy -Version: v0.0.0-20170929034955-c48cc78d4826 -Licence type (autodetected): MIT --------------------------------------------------------------------------------- - -Contents of probable licence file $GOMODCACHE/github.com/mohae/deepcopy@v0.0.0-20170929034955-c48cc78d4826/LICENSE: - -The MIT License (MIT) - -Copyright (c) 2014 Joel - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. - - -------------------------------------------------------------------------------- Dependency : github.com/olekukonko/tablewriter Version: v0.0.5 diff --git a/auditbeat/cmd/root.go b/auditbeat/cmd/root.go index 4c8c723c4539..0ddc7b8674da 100644 --- a/auditbeat/cmd/root.go 
+++ b/auditbeat/cmd/root.go @@ -30,9 +30,6 @@ import ( "github.com/elastic/beats/v7/metricbeat/beater" "github.com/elastic/beats/v7/metricbeat/mb/module" "github.com/elastic/elastic-agent-libs/mapstr" - - // Import processors - _ "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata" ) const ( diff --git a/go.mod b/go.mod index af30b15cdf3f..7027313ca1fb 100644 --- a/go.mod +++ b/go.mod @@ -218,7 +218,6 @@ require ( github.com/gorilla/websocket v1.4.2 github.com/icholy/digest v0.1.22 github.com/lestrrat-go/jwx/v2 v2.0.19 - github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 github.com/otiai10/copy v1.12.0 github.com/pierrec/lz4/v4 v4.1.18 github.com/pkg/xattr v0.4.9 diff --git a/go.sum b/go.sum index 5f5fbebb0167..746d5023ae99 100644 --- a/go.sum +++ b/go.sum @@ -663,8 +663,6 @@ github.com/elastic/bayeux v1.0.5 h1:UceFq01ipmT3S8DzFK+uVAkbCdiPR0Bqei8qIGmUeY0= github.com/elastic/bayeux v1.0.5/go.mod h1:CSI4iP7qeo5MMlkznGvYKftp8M7qqP/3nzmVZoXHY68= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs= github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY= -github.com/elastic/ebpfevents v0.3.2 h1:UJ8kW5jw2TpUR5MEMaZ1O62sK9JQ+5xTlj+YpQC6BXc= -github.com/elastic/ebpfevents v0.3.2/go.mod h1:o21z5xup/9dK8u0Hg9bZRflSqqj1Zu5h2dg2hSTcUPQ= github.com/elastic/ebpfevents v0.4.0 h1:M80eAeJnzvGQgU9cjJqkjFca9pjM3aq/TuZxJeom4bI= github.com/elastic/ebpfevents v0.4.0/go.mod h1:o21z5xup/9dK8u0Hg9bZRflSqqj1Zu5h2dg2hSTcUPQ= github.com/elastic/elastic-agent-autodiscover v0.6.7 h1:+KVjltN0rPsBrU8b156gV4lOTBgG/vt0efFCFARrf3g= 
@@ -1501,8 +1499,6 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8= -github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw= -github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/montanaflynn/stats v0.6.6/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= diff --git a/x-pack/auditbeat/cmd/root.go b/x-pack/auditbeat/cmd/root.go index 60382602060e..4a9b32b56f14 100644 --- a/x-pack/auditbeat/cmd/root.go +++ b/x-pack/auditbeat/cmd/root.go @@ -20,6 +20,9 @@ import ( // Register Auditbeat x-pack modules. _ "github.com/elastic/beats/v7/x-pack/auditbeat/include" _ "github.com/elastic/beats/v7/x-pack/libbeat/include" + + // Import processors + _ "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd" ) // Name of the beat diff --git a/x-pack/auditbeat/processors/add_session_metadata/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go similarity index 92% rename from x-pack/auditbeat/processors/add_session_metadata/add_session_metadata.go rename to x-pack/auditbeat/processors/sessionmd/add_session_metadata.go index e3b58cb54a07..2663dd42276f 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/add_session_metadata.go +++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go 
@@ -4,7 +4,7 @@ //go:build linux -package add_session_metadata +package sessionmd import ( "context" @@ -15,10 +15,10 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/processors" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/processdb" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/procfs" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/provider" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/provider/ebpf_provider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/processdb" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider" "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/logp" "github.com/elastic/elastic-agent-libs/mapstr" @@ -179,9 +179,7 @@ func (p *addSessionMetadata) replaceFields(ev *beat.Event) error { return nil //nolint:nilerr // processor can be called on unsupported events; not an error } switch syscall { - case "execveat": - fallthrough - case "execve": + case "execveat", "execve": ev.Fields.Put("event.action", []string{"exec", "fork"}) ev.Fields.Put("event.type", []string{"start"}) diff --git a/x-pack/auditbeat/processors/add_session_metadata/add_session_metadata_test.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go similarity index 95% rename from x-pack/auditbeat/processors/add_session_metadata/add_session_metadata_test.go rename to x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go index c6dc1a31703a..d56c390efd40 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/add_session_metadata_test.go +++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go 
@@ -4,7 +4,7 @@ //go:build linux -package add_session_metadata +package sessionmd import ( "testing" @@ -13,9 +13,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/elastic/beats/v7/libbeat/beat" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/processdb" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/procfs" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/types" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/processdb" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" "github.com/elastic/elastic-agent-libs/logp" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/processors/add_session_metadata/config.go b/x-pack/auditbeat/processors/sessionmd/config.go similarity index 95% rename from x-pack/auditbeat/processors/add_session_metadata/config.go rename to x-pack/auditbeat/processors/sessionmd/config.go index 08a8276946cf..845d7821e2d7 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/config.go +++ b/x-pack/auditbeat/processors/sessionmd/config.go @@ -4,7 +4,7 @@ //go:build linux -package add_session_metadata +package sessionmd // Config for add_session_metadata processor. type Config struct { diff --git a/x-pack/auditbeat/processors/add_session_metadata/add_session_metadata_other.go b/x-pack/auditbeat/processors/sessionmd/doc.go similarity index 60% rename from x-pack/auditbeat/processors/add_session_metadata/add_session_metadata_other.go rename to x-pack/auditbeat/processors/sessionmd/doc.go index 5269e7c707c8..6067081c82cb 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/add_session_metadata_other.go +++ b/x-pack/auditbeat/processors/sessionmd/doc.go 
@@ -2,6 +2,6 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -//go:build !linux - -package add_session_metadata +// sessionmd provides a Beat processor that can enrich process event documents with +// additional session metadata for the processes. +package sessionmd diff --git a/x-pack/auditbeat/processors/add_session_metadata/processdb/db.go b/x-pack/auditbeat/processors/sessionmd/processdb/db.go similarity index 98% rename from x-pack/auditbeat/processors/add_session_metadata/processdb/db.go rename to x-pack/auditbeat/processors/sessionmd/processdb/db.go index ab679f6f9f37..ce67059639b1 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/processdb/db.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/db.go @@ -20,9 +20,9 @@ import ( "sync" "time" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/procfs" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/timeutils" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/types" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/timeutils" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" "github.com/elastic/elastic-agent-libs/logp" ) diff --git a/x-pack/auditbeat/processors/add_session_metadata/processdb/db_test.go b/x-pack/auditbeat/processors/sessionmd/processdb/db_test.go similarity index 100% rename from x-pack/auditbeat/processors/add_session_metadata/processdb/db_test.go rename to x-pack/auditbeat/processors/sessionmd/processdb/db_test.go 
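Review bot: The package comment added in the doc.go hunk should start with the package name so that go doc and linters recognise it as the package documentation: `// Package sessionmd provides a Beat processor that can enrich process event documents with` (second line unchanged). It would also help to say why this file is the one without a build constraint, since the other files of the package visible in this diff carry `//go:build linux` and x-pack/auditbeat/cmd/root.go blank-imports the package unconditionally; for example `// This file intentionally has no build constraint so the package resolves on non-Linux builds.`. That this is the intended role of doc.go is inferred from the rename of add_session_metadata_other.go, so confirm before wording it that way.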
diff --git a/x-pack/auditbeat/processors/add_session_metadata/processdb/entry_leader_test.go b/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go similarity index 99% rename from x-pack/auditbeat/processors/add_session_metadata/processdb/entry_leader_test.go rename to x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go index 9538dd44149a..5e28cec8f162 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/processdb/entry_leader_test.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go @@ -12,8 +12,8 @@ import ( "github.com/stretchr/testify/require" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/procfs" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/types" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" ) const ( diff --git a/x-pack/auditbeat/processors/add_session_metadata/procfs/mock.go b/x-pack/auditbeat/processors/sessionmd/procfs/mock.go similarity index 100% rename from x-pack/auditbeat/processors/add_session_metadata/procfs/mock.go rename to x-pack/auditbeat/processors/sessionmd/procfs/mock.go diff --git a/x-pack/auditbeat/processors/add_session_metadata/procfs/procfs.go b/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go similarity index 97% rename from x-pack/auditbeat/processors/add_session_metadata/procfs/procfs.go rename to x-pack/auditbeat/processors/sessionmd/procfs/procfs.go index a22c7320ff69..29dfc1fe3970 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/procfs/procfs.go +++ b/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go 
@@ -14,8 +14,8 @@ import ( "github.com/prometheus/procfs" "golang.org/x/sys/unix" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/timeutils" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/types" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/timeutils" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" "github.com/elastic/elastic-agent-libs/logp" ) diff --git a/x-pack/auditbeat/processors/add_session_metadata/provider/ebpf_provider/ebpf_provider.go b/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go similarity index 88% rename from x-pack/auditbeat/processors/add_session_metadata/provider/ebpf_provider/ebpf_provider.go rename to x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go index 8233b451c230..15c180068a53 100644 --- a/x-pack/auditbeat/processors/add_session_metadata/provider/ebpf_provider/ebpf_provider.go +++ b/x-pack/auditbeat/processors/sessionmd/provider/ebpf_provider/ebpf_provider.go @@ -10,13 +10,11 @@ import ( "context" "fmt" - "github.com/mohae/deepcopy" - "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/ebpf" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/processdb" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/provider" - "github.com/elastic/beats/v7/x-pack/auditbeat/processors/add_session_metadata/types" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/processdb" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" + "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" "github.com/elastic/ebpfevents" "github.com/elastic/elastic-agent-libs/logp" ) 
@@ -50,7 +48,7 @@ func NewProvider(ctx context.Context, logger *logp.Logger, db *processdb.DB) (pr
 for {
 r := <-records
 if r.Error != nil {
- logger.Errorf("recv'd error: %w", err)
+ logger.Warnw("received error from the ebpf subscription", "error", err)
 continue
 }
 if r.Event == nil {
@@ -61,7 +59,7 @@ func NewProvider(ctx context.Context, logger *logp.Logger, db *processdb.DB) (pr
 case ebpfevents.EventTypeProcessFork:
 body, ok := ev.Body.(*ebpfevents.ProcessFork)
 if !ok {
- logger.Errorf("unexpected event body")
+ logger.Errorf("unexpected event body, got %T", ev.Body)
 continue
 }
 pe := types.ProcessForkEvent{
@@ -123,8 +121,8 @@ func NewProvider(ctx context.Context, logger *logp.Logger, db *processdb.DB) (pr
 Minor: body.CTTY.Minor,
 },
 Cwd: body.Cwd,
- Argv: deepcopy.Copy(body.Argv).([]string),
- Env: deepcopy.Copy(body.Env).(map[string]string),
+ Argv: body.Argv,
+ Env: body.Env,
 Filename: body.Filename,
 }
 p.db.InsertExec(pe)
diff --git a/x-pack/auditbeat/processors/add_session_metadata/provider/provider.go b/x-pack/auditbeat/processors/sessionmd/provider/provider.go
similarity index 100%
rename from x-pack/auditbeat/processors/add_session_metadata/provider/provider.go
rename to x-pack/auditbeat/processors/sessionmd/provider/provider.go
diff --git a/x-pack/auditbeat/processors/add_session_metadata/timeutils/time.go b/x-pack/auditbeat/processors/sessionmd/timeutils/time.go
similarity index 100%
rename from x-pack/auditbeat/processors/add_session_metadata/timeutils/time.go
rename to x-pack/auditbeat/processors/sessionmd/timeutils/time.go
diff --git a/x-pack/auditbeat/processors/add_session_metadata/timeutils/time_test.go b/x-pack/auditbeat/processors/sessionmd/timeutils/time_test.go
similarity index 100%
rename from x-pack/auditbeat/processors/add_session_metadata/timeutils/time_test.go
rename to x-pack/auditbeat/processors/sessionmd/timeutils/time_test.go
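Review bot: The new Warnw call in the first hunk (`@@ -50,7 +48,7 @@`) still logs `err` although the branch is guarded by `r.Error != nil`; `err` is declared outside the hunk (presumably the result of an earlier call), so the subscription's actual error is never reported and the log most likely shows a stale or nil value. The line should read `logger.Warnw("received error from the ebpf subscription", "error", r.Error)`. For a provider feeding process/session telemetry this matters: the only signal that the eBPF event stream is failing would otherwise be a warning carrying no useful error. In the third hunk, dropping the deep copy of `body.Argv`/`body.Env` makes the stored exec event alias the ebpfevents body; if that relies on ebpfevents v0.4.0 (the version go.sum now pins) handing ownership of those values to the consumer, a comment such as `// Argv/Env are owned by this event; no copy needed` would record the assumption. NewProvider's body starts and ends outside these hunks.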
diff --git a/x-pack/auditbeat/processors/add_session_metadata/types/events.go b/x-pack/auditbeat/processors/sessionmd/types/events.go similarity index 100% rename from x-pack/auditbeat/processors/add_session_metadata/types/events.go rename to x-pack/auditbeat/processors/sessionmd/types/events.go diff --git a/x-pack/auditbeat/processors/add_session_metadata/types/process.go b/x-pack/auditbeat/processors/sessionmd/types/process.go similarity index 100% rename from x-pack/auditbeat/processors/add_session_metadata/types/process.go rename to x-pack/auditbeat/processors/sessionmd/types/process.go