[Auditbeat] fim(ebpf): enrich file events with container id (#38328)

* fim(ebpf): enrich file events with container id * fix(fim/ebpf): make container id event field ecs-compliant --------- Co-authored-by: Panos Koutsovasilis <[email protected]> (cherry picked from commit 5b0b682) # Conflicts: # NOTICE.txt # auditbeat/module/file_integrity/event.go # auditbeat/module/file_integrity/event_linux.go # auditbeat/module/file_integrity/event_linux_test.go # go.mod # go.sum
elastic · Apr 8, 2024 · 7a6f79d · 7a6f79d
1 parent a19ae24
commit 7a6f79d
Show file tree

Hide file tree

Showing 7 changed files with 167 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -109,6 +109,13 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 
 *Auditbeat*
 
+- Added `add_session_metadata` processor, which enables session viewer on Auditbeat data. {pull}37640[37640]
+- Add linux capabilities to processes in the system/process. {pull}37453[37453]
+- Add opt-in eBPF backend for file_integrity module. {pull}37223[37223]
+- Add linux capabilities to processes in the system/process. {pull}37453[37453]
+- Add opt-in eBPF backend for file_integrity module. {pull}37223[37223]
+- Add process data to file events (Linux only, eBPF backend). {pull}38199[38199]
+- Add container id to file events (Linux only, eBPF backend). {pull}38328[38328]
 
 *Filebeat*
 

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -12257,11 +12257,19 @@ SOFTWARE.
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/ebpfevents
+<<<<<<< HEAD
 Version: v0.4.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
 Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected]/LICENSE.txt:
+=======
+Version: v0.6.0
+Licence type (autodetected): Apache-2.0
+--------------------------------------------------------------------------------
+
+Contents of probable licence file $GOMODCACHE/github.com/elastic/[email protected]/LICENSE.txt:
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 
 The https://github.com/elastic/ebpfevents repository contains source code under
 various licenses:

diff --git a/auditbeat/module/file_integrity/event.go b/auditbeat/module/file_integrity/event.go
@@ -126,6 +126,7 @@ func (d Digest) MarshalText() ([]byte, error) { return []byte(d.String()), nil }
 
 // Event describes the filesystem change and includes metadata about the file.
 type Event struct {
+<<<<<<< HEAD
 	Timestamp     time.Time           `json:"timestamp"`             // Time of event.
 	Path          string              `json:"path"`                  // The path associated with the event.
 	TargetPath    string              `json:"target_path,omitempty"` // Target path for symlinks.
@@ -134,6 +135,18 @@ type Event struct {
 	Action        Action              `json:"action"`                // Action (like created, updated).
 	Hashes        map[HashType]Digest `json:"hash,omitempty"`        // File hashes.
 	ParserResults mapstr.M            `json:"file,omitempty"`        // Results from running file parsers.
+=======
+	Timestamp     time.Time           `json:"timestamp"`              // Time of event.
+	Path          string              `json:"path"`                   // The path associated with the event.
+	TargetPath    string              `json:"target_path,omitempty"`  // Target path for symlinks.
+	Info          *Metadata           `json:"info"`                   // File metadata (if the file exists).
+	Source        Source              `json:"source"`                 // Source of the event.
+	Action        Action              `json:"action"`                 // Action (like created, updated).
+	Hashes        map[HashType]Digest `json:"hash,omitempty"`         // File hashes.
+	ParserResults mapstr.M            `json:"file,omitempty"`         // Results from running file parsers.
+	Process       *Process            `json:"process,omitempty"`      // Process data. Available only on Linux when using the eBPF backend.
+	ContainerID   string              `json:"container_id,omitempty"` // Unique container ID. Available only on Linux when using the eBPF backend.
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 
 	// Metadata
 	rtt        time.Duration // Time taken to collect the info.
@@ -354,6 +367,31 @@ func buildMetricbeatEvent(e *Event, existedBefore bool) mb.Event {
 		}
 	}
 
+<<<<<<< HEAD
+=======
+	if e.Process != nil {
+		process := mapstr.M{
+			"pid":       e.Process.PID,
+			"name":      e.Process.Name,
+			"entity_id": e.Process.EntityID,
+			"user": mapstr.M{
+				"id":   e.Process.User.ID,
+				"name": e.Process.User.Name,
+			},
+			"group": mapstr.M{
+				"id":   e.Process.Group.ID,
+				"name": e.Process.Group.Name,
+			},
+		}
+
+		out.MetricSetFields.Put("process", process)
+	}
+
+	if e.ContainerID != "" {
+		out.MetricSetFields.Put("container.id", e.ContainerID)
+	}
+
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	if len(e.Hashes) > 0 {
 		hashes := make(mapstr.M, len(e.Hashes))
 		for hashType, digest := range e.Hashes {

diff --git a/auditbeat/module/file_integrity/event_linux.go b/auditbeat/module/file_integrity/event_linux.go
@@ -23,12 +23,16 @@ import (
 	"os"
 	"os/user"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"time"
 
 	"github.com/elastic/ebpfevents"
 )
 
+// cgroupRegex captures 64-character lowercase hexadecimal container IDs found in cgroup paths.
+var cgroupRegex = regexp.MustCompile(`[-/]([0-9a-f]{64})(\.scope)?$`)
+
 // NewEventFromEbpfEvent creates a new Event from an ebpfevents.Event.
 func NewEventFromEbpfEvent(
 	ee ebpfevents.Event,
@@ -38,10 +42,19 @@ func NewEventFromEbpfEvent(
 	isExcludedPath func(string) bool,
 ) (Event, bool) {
 	var (
+<<<<<<< HEAD
 		path, target string
 		action       Action
 		metadata     Metadata
 		err          error
+=======
+		path, target, cgroupPath string
+		action                   Action
+		metadata                 Metadata
+		process                  Process
+		err                      error
+		errors                   []error
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	)
 	switch ee.Type {
 	case ebpfevents.EventTypeFileCreate:
@@ -55,6 +68,19 @@ func NewEventFromEbpfEvent(
 		}
 		target = fileCreateEvent.SymlinkTargetPath
 		metadata, err = metadataFromFileCreate(fileCreateEvent)
+<<<<<<< HEAD
+=======
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		process, err = processFromFileCreate(fileCreateEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		cgroupPath = fileCreateEvent.CgroupPath
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	case ebpfevents.EventTypeFileRename:
 		action = Moved
 
@@ -66,6 +92,19 @@ func NewEventFromEbpfEvent(
 		}
 		target = fileRenameEvent.SymlinkTargetPath
 		metadata, err = metadataFromFileRename(fileRenameEvent)
+<<<<<<< HEAD
+=======
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		process, err = processFromFileRename(fileRenameEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		cgroupPath = fileRenameEvent.CgroupPath
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	case ebpfevents.EventTypeFileDelete:
 		action = Deleted
 
@@ -76,6 +115,16 @@ func NewEventFromEbpfEvent(
 			return event, false
 		}
 		target = fileDeleteEvent.SymlinkTargetPath
+<<<<<<< HEAD
+=======
+
+		process, err = processFromFileDelete(fileDeleteEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		cgroupPath = fileDeleteEvent.CgroupPath
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	case ebpfevents.EventTypeFileModify:
 		fileModifyEvent := ee.Body.(*ebpfevents.FileModify)
 
@@ -93,6 +142,7 @@ func NewEventFromEbpfEvent(
 		}
 		target = fileModifyEvent.SymlinkTargetPath
 		metadata, err = metadataFromFileModify(fileModifyEvent)
+<<<<<<< HEAD
 	}
 
 	event := Event{
@@ -106,6 +156,30 @@ func NewEventFromEbpfEvent(
 	}
 	if err != nil {
 		event.errors = append(event.errors, err)
+=======
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		process, err = processFromFileModify(fileModifyEvent)
+		if err != nil {
+			errors = append(errors, err)
+		}
+
+		cgroupPath = fileModifyEvent.CgroupPath
+	}
+
+	event := Event{
+		Timestamp:   time.Now().UTC(),
+		Path:        path,
+		TargetPath:  target,
+		Info:        &metadata,
+		Source:      SourceEBPF,
+		Action:      action,
+		Process:     &process,
+		ContainerID: containerIDFromCgroupPath(cgroupPath),
+		errors:      errors,
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	}
 
 	if event.Action == Deleted {
@@ -126,6 +200,14 @@ func NewEventFromEbpfEvent(
 	return event, true
 }
 
+func containerIDFromCgroupPath(path string) string {
+	matches := cgroupRegex.FindStringSubmatch(path)
+	if len(matches) > 1 {
+		return matches[1]
+	}
+	return ""
+}
+
 func metadataFromFileCreate(evt *ebpfevents.FileCreate) (Metadata, error) {
 	var md Metadata
 	fillExtendedAttributes(&md, evt.Path)

diff --git a/auditbeat/module/file_integrity/event_linux_test.go b/auditbeat/module/file_integrity/event_linux_test.go
@@ -30,6 +30,7 @@ import (
 )
 
 func TestNewEventFromEbpfEvent(t *testing.T) {
+	containerID := "d12fe576354a1805165303a4e34a69e5fe8db791ceb7e545f17811d1fbfba68f"
 	ebpfEvent := ebpfevents.Event{
 		Header: ebpfevents.Header{
 			Type: ebpfevents.EventTypeFileCreate,
@@ -45,6 +46,18 @@ func TestNewEventFromEbpfEvent(t *testing.T) {
 			},
 			Path:              "/foo",
 			SymlinkTargetPath: "/bar",
+<<<<<<< HEAD
+=======
+			Creds: ebpfevents.CredInfo{
+				Ruid: 1,
+				Rgid: 2,
+				Euid: uint32(os.Geteuid()),
+				Egid: uint32(os.Getegid()),
+				Suid: 5,
+				Sgid: 6,
+			},
+			CgroupPath: "/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod123.slice/cri-containerd-" + containerID + ".scope",
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 		},
 	}
 	expectedEvent := Event{
@@ -61,8 +74,15 @@ func TestNewEventFromEbpfEvent(t *testing.T) {
 			Group: "n/a",
 			Mode:  os.FileMode(0o644),
 		},
+<<<<<<< HEAD
 		Source: SourceEBPF,
 		errors: []error{user.UnknownUserIdError(3456)},
+=======
+		Process:     event.Process, // 1:1 copy this as it changes on every machine
+		ContainerID: containerID,
+		Source:      SourceEBPF,
+		errors:      nil,
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	}
 
 	event, ok := NewEventFromEbpfEvent(

diff --git a/go.mod b/go.mod
@@ -200,8 +200,13 @@ require (
 	github.com/aws/smithy-go v1.13.5
 	github.com/awslabs/kinesis-aggregation/go/v2 v2.0.0-20220623125934-28468a6701b5
 	github.com/elastic/bayeux v1.0.5
+<<<<<<< HEAD
 	github.com/elastic/ebpfevents v0.4.0
 	github.com/elastic/elastic-agent-autodiscover v0.6.7
+=======
+	github.com/elastic/ebpfevents v0.6.0
+	github.com/elastic/elastic-agent-autodiscover v0.6.8
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 	github.com/elastic/elastic-agent-libs v0.7.5
 	github.com/elastic/elastic-agent-shipper-client v0.5.1-0.20230228231646-f04347b666f3
 	github.com/elastic/elastic-agent-system-metrics v0.9.2

diff --git a/go.sum b/go.sum
@@ -663,10 +663,17 @@ github.com/elastic/bayeux v1.0.5 h1:UceFq01ipmT3S8DzFK+uVAkbCdiPR0Bqei8qIGmUeY0=
 github.com/elastic/bayeux v1.0.5/go.mod h1:CSI4iP7qeo5MMlkznGvYKftp8M7qqP/3nzmVZoXHY68=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3 h1:lnDkqiRFKm0rxdljqrj3lotWinO9+jFmeDXIC4gvIQs=
 github.com/elastic/dhcp v0.0.0-20200227161230-57ec251c7eb3/go.mod h1:aPqzac6AYkipvp4hufTyMj5PDIphF3+At8zr7r51xjY=
+<<<<<<< HEAD
 github.com/elastic/ebpfevents v0.4.0 h1:M80eAeJnzvGQgU9cjJqkjFca9pjM3aq/TuZxJeom4bI=
 github.com/elastic/ebpfevents v0.4.0/go.mod h1:o21z5xup/9dK8u0Hg9bZRflSqqj1Zu5h2dg2hSTcUPQ=
 github.com/elastic/elastic-agent-autodiscover v0.6.7 h1:+KVjltN0rPsBrU8b156gV4lOTBgG/vt0efFCFARrf3g=
 github.com/elastic/elastic-agent-autodiscover v0.6.7/go.mod h1:hFeFqneS2r4jD0/QzGkrNk0YVdN0JGh7lCWdsH7zcI4=
+=======
+github.com/elastic/ebpfevents v0.6.0 h1:BrL3m7JFK7U6h2jkbk3xAWWs//IZnugCHEDds5u2v68=
+github.com/elastic/ebpfevents v0.6.0/go.mod h1:ESG9gw7N+n5yCCMgdg1IIJENKWSmX7+X0Fi9GUs9nvU=
+github.com/elastic/elastic-agent-autodiscover v0.6.8 h1:BSXz+QwjZAEt08G+T3GDGl14Bh9a6zD8luNCvZut/b8=
+github.com/elastic/elastic-agent-autodiscover v0.6.8/go.mod h1:hFeFqneS2r4jD0/QzGkrNk0YVdN0JGh7lCWdsH7zcI4=
+>>>>>>> 5b0b68240d ([Auditbeat] fim(ebpf): enrich file events with container id (#38328))
 github.com/elastic/elastic-agent-client/v7 v7.8.1 h1:J9wZc/0mUvSEok0X5iR5+n60Jgb+AWooKddb3XgPWqM=
 github.com/elastic/elastic-agent-client/v7 v7.8.1/go.mod h1:axl1nkdqc84YRFkeJGD9jExKNPUrOrzf3DFo2m653nY=
 github.com/elastic/elastic-agent-libs v0.7.5 h1:4UMqB3BREvhwecYTs/L23oQp1hs/XUkcunPlmTZn5yg=