
[Auditbeat] fim(ebpf): enrich file events with process data

Open mmat11 opened this issue 11 months ago • 9 comments

Proposed commit message

fim(ebpf): enrich file events with process data

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] I have made corresponding changes to the default configuration files
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [x] Make sure entity ID is calculated consistently everywhere // copied from https://github.com/elastic/beats/blob/main/x-pack/auditbeat/module/system/process/process.go#L139

Related issues

https://github.com/elastic/integrations/issues/7401

mmat11 avatar Mar 06 '24 15:03 mmat11

This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @mmat11? 🙏. For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

mergify[bot] avatar Mar 06 '24 15:03 mergify[bot]

:green_heart: Build Succeeded



Build stats

  • Duration: 180 min 13 sec

:grey_exclamation: Flaky test report

No test was executed to be analysed.

:robot: GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

elasticmachine avatar Mar 06 '24 15:03 elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

elasticmachine avatar Mar 08 '24 12:03 elasticmachine

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

elasticmachine avatar Mar 11 '24 16:03 elasticmachine

@andrewkroh could you please have a look here for the "Beats Tech Leads" approval?

pierrehilbert avatar Mar 13 '24 08:03 pierrehilbert

Hello 👋 I will tidy up any remaining points of @mmat11's work under this PR. I had a look and I have to ask here just to be sure; this PR introduces the process-related fields under the file ones (file.process.*). Tbh I would expect process.* to be part of the root of the event and thus be aligned with the add_process_metadata processors and the auditd events. Any thoughts on that @nicholasberlin @leehinman @andrewkroh ?

pkoutsovasilis avatar Mar 29 '24 07:03 pkoutsovasilis

Tbh I would expect process.* to be part of the root of the event

@pkoutsovasilis I think we should promote that up to the root of the event so that the data is aligned with ECS as much as possible.

andrewkroh avatar Apr 01 '24 20:04 andrewkroh

hmmm it seems like our CI is hitting this one. Specifically, as captured in this comment, go 1.21 is a development version of the language — not a released version and thus go mod tidy specifies the toolchain directive when run. I think the proper solution here is, since we maintain a .go-version (I've seen such PRs), this should be present in the go.mod with the patch version included. On the positive side, by doing so it is guaranteed that all developers are utilising the appropriate golang toolchain version that the project is built against 🙂

pkoutsovasilis avatar Apr 02 '24 11:04 pkoutsovasilis

@nicholasberlin @leehinman since I made some changes as proposed by @andrewkroh, would you like to have another look at this PR? I also added a screenshot in the PR description of how this appears through Kibana->Elasticsearch

pkoutsovasilis avatar Apr 02 '24 12:04 pkoutsovasilis

The failing CI step metricbeat-pythonIntegTest is failing for an already known reason that is not related to this PR. As a result this PR can't be merged, at least not with the usual flow 🥲

pkoutsovasilis avatar Apr 03 '24 10:04 pkoutsovasilis

This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b matt/fim-user-data upstream/matt/fim-user-data
git merge upstream/main
git push upstream matt/fim-user-data

mergify[bot] avatar Apr 03 '24 20:04 mergify[bot]

run docs-build rebuild

pkoutsovasilis avatar Apr 05 '24 09:04 pkoutsovasilis

run docs-build

alexsapran avatar Apr 05 '24 09:04 alexsapran