2 changes: 2 additions & 0 deletions .buildkite/pipeline.yml
Expand Up @@ -30,6 +30,8 @@ env:
ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI: "${ELASTIC_PACKAGE_DISABLE_ELASTIC_AGENT_WOLFI:-false}"
# Disable checking for newer versions
ELASTIC_PACKAGE_CHECK_UPDATE_DISABLED: "true"
# Select method to validate fields are documented
ELASTIC_PACKAGE_FIELD_VALIDATION_TEST_METHOD: "mappings"

steps:
- label: "Get reference from target branch"
2 changes: 1 addition & 1 deletion .buildkite/scripts/common.sh
Expand Up @@ -757,7 +757,7 @@ teardown_test_package() {
}

list_all_directories() {
find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort
find . -maxdepth 1 -mindepth 1 -type d | xargs -I {} basename {} | sort |grep auditd_manager

Collaborator Author


Changes in the .buildkite/ folder are to be removed.

}

check_package() {
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -231,3 +231,5 @@ require (
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)

replace github.com/elastic/elastic-package => github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246
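Review bot: The `replace` on the last line of the hunk redirects `github.com/elastic/elastic-package` to a pseudo-version of a personal fork (`github.com/mrodm/elastic-package`), so every build of this repository compiles that dependency from an individual account rather than from the upstream module, and the fork's new `go.sum` lines in this PR are the only integrity record for it. The inline comment on `.buildkite/scripts/common.sh` marks the `.buildkite/` changes as temporary, but nothing on this page says the same about this `replace` or names the upstream change it tracks. If it is only needed until an elastic-package release ships that change, add a comment such as `// TODO: temporary, remove once elastic-package <upstream-release-placeholder> is released (tracks <upstream-pr-placeholder>)` and drop the `replace` before merge. Otherwise dependency, license and vulnerability scanners that key on the version named in `require` (not visible in this hunk) will report on the upstream module while the code actually linked comes from the fork.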
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -125,8 +125,6 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0 h1:sx1lpZuTG5suJuvgix4FWQFCLFFbzkoOmPoHWYOPLCY=
github.com/elastic/elastic-integration-corpus-generator-tool v0.10.0/go.mod h1:2/30n+2QRzRzus4TPVUV1T3U/j8g2ItUgvP0pcpjLGk=
github.com/elastic/elastic-package v0.109.1 h1:ATZVgYOCI6L5Yr0NxjSX+MsuK4UvXkpu9tDkO4K2vgo=
github.com/elastic/elastic-package v0.109.1/go.mod h1:vmVYISfxBrl0ejjKbm/AG0drjrmevysVg2ZIP7yewLo=
github.com/elastic/go-elasticsearch/v7 v7.17.10 h1:TCQ8i4PmIJuBunvBS6bwT2ybzVFxxUhhltAs3Gyu1yo=
github.com/elastic/go-elasticsearch/v7 v7.17.10/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
github.com/elastic/go-licenser v0.4.2 h1:bPbGm8bUd8rxzSswFOqvQh1dAkKGkgAmrPxbUi+Y9+A=
Expand Down Expand Up @@ -372,6 +370,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246 h1:EjWls8TjHBNk5E/caFYxZR7DkURTeDevDazWZgO1T7A=
github.com/mrodm/elastic-package v0.53.1-0.20250205174526-5b3f7cdba246/go.mod h1:vmVYISfxBrl0ejjKbm/AG0drjrmevysVg2ZIP7yewLo=
github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
5 changes: 5 additions & 0 deletions packages/auditd_manager/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.18.3"
changes:
- description: "Updated field definitions for `auditd.data.*` fields"
type: bugfix
link: https://github.com/elastic/integrations/pull/12541
- version: "1.18.2"
changes:
- description: "Added Session data option"
12 changes: 7 additions & 5 deletions packages/auditd_manager/data_stream/auditd/fields/fields.yml
Expand Up @@ -623,9 +623,11 @@
- name: auditd.data.perm_mask
description: file permission mask that triggered a watch event
type: keyword
- name: auditd.data.a0-N
description: the arguments to a syscall
type: keyword
# this mapping does not generate a dynamic template, and the expected fields do not match
# should it be kept for documentation purposes?
# - name: auditd.data.a0-N
# description: the arguments to a syscall
# type: keyword

Collaborator Author


What should be done with this field definition? Just remove it?

Contributor


Would it work with an auditd.data.a* definition, especially to keep the documentation?

Suggested change
# this mapping does not generate a dynamic template, and the expected fields do not match
# should it be kept for documentation purposes?
# - name: auditd.data.a0-N
# description: the arguments to a syscall
# type: keyword
- name: auditd.data.a*
description: the arguments to a syscall
type: keyword

Though this would match also things that are not arguments.

So maybe this can be removed, yes.

- name: auditd.data.ses
description: login session ID
type: keyword
Expand Down Expand Up @@ -737,6 +739,6 @@
type: keyword
- name: auditd.data.result
type: keyword
- name: auditd.data
- name: auditd.data.*

@andrewkroh andrewkroh Feb 20, 2025

Member


My interpretation of the original intent with auditd.data.a0-N is to path_match auditd.data.a* and set a dynamic keyword. So I am thinking we should make it auditd.data.a*. Ideally we could use a match regex to only map auditd.data.a\d+ to keyword; this way, if there happens to be some non-argument field, we get alerted to it not having a specific mapping during testing.

There should be specific mappings for the other audit.data fields already. 🤞

@mrodm mrodm Feb 21, 2025

Collaborator Author


In that case, these two field definitions would need to be kept, @andrewkroh:

- name: auditd.data.a*
  description: the arguments to a syscall
  type: keyword
- name: auditd.data.*
  description: Auditd related data
  type: keyword

Updated in 1aa7413

Currently, the second one auditd.data.* is still needed. If it is not added, there is an error in system tests:

[0] field "auditd.data.subj_user" is undefined

For the auditd.data.* field definition, it cannot be set flattened type as auditd.data (see https://github.com/elastic/integrations/pull/12541/files#r1946774552).

Member


[0] field "auditd.data.subj_user" is undefined

It does look like we are missing mappings for the SELinux subject properties, as seen in this data.

https://github.com/elastic/go-libaudit/blob/4d25ffb86b298209926340b85e9b3b19660f7994/auparse/testdata/test3.log.golden#L65-L69

Here are some additions that should cover these missing fields. Then auditd.data.* won't be needed for the tests to pass. 🤞

- name: auditd.data.subj_user
  type: keyword
  description: >
    The SELinux user identity. This represents the SELinux user role that is 
    assigned to the subject (user or process) performing an action. It's part 
    of the SELinux security context and is used to enforce policies that 
    restrict what actions a subject can perform.

- name: auditd.data.subj_role
  type: keyword
  description: >
    The SELinux role associated with the subject. The role determines the 
    capabilities a subject has within a given SELinux policy. Roles are used 
    to define higher-level security attributes in the context of the system's 
    security policies.

- name: auditd.data.subj_domain
  type: keyword
  description: >
    The SELinux domain or type assigned to the subject. The domain specifies
    the type of resource or process the subject is interacting with, helping 
    enforce domain-based access controls, which are crucial in limiting resource 
    access.

- name: auditd.data.subj_level
  type: keyword
  description: >
    The SELinux sensitivity level for the subject. It indicates the security 
    classification level, like `s0` or `s2`, that defines how data or processes 
    are handled based on confidentiality and integrity levels within the system.

- name: auditd.data.subj_category
  type: keyword
  description: >
    The SELinux category associated with the subject. It helps further refine 
    the level of access by classifying subjects into categories for 
    multi-level security (MLS). Categories are often used to label data 
    with additional attributes, like "high" or "low," enhancing granularity.

Collaborator Author


Added those new fields for SELinux subject properties, thanks!

Just a couple of doubts:

@andrewkroh andrewkroh Feb 24, 2025

Member


The auditd exe and proctitle fields have ECS equivalents which are process.executable and process.title. I would expect that those auditd fields are renamed so that we don't need audit.data mappings for them.

This is a better example of the data sent by auditbeat because it has some ECS mapping applied (whereas the auparse package is only concerned with parsing, not mapping to ECS):

@andrewkroh andrewkroh Feb 24, 2025

Member


Could you confirm if it should be removed the auditd.data.* dynamic template after adding those SELinux subject properties?

I think audit.data.* should be removed to encourage developers to explicitly document the fields they are adding in tests. I don't see it impacting users because the dynamic mapping will still exist via all_strings_to_keywords.

description: Auditd related data
type: flattened
type: keyword

Collaborator Author


If this field is declared as flattened, the mapping is currently not created.

Probably, because there are other fields auditd.data.xxx.

If it set as a dynamic template, it keeps all the fields above plus the ones not able to match (auditd.data.a0-N)

Contributor


If flattened is expected maybe this should be defined without the wildcard:

- name: auditd.data
  description: Auditd related data
  type: flattened

Collaborator Author


If that definition is changed as:

- name: auditd.data
  description: Auditd related data
  type: flattened

This mapping is not created. I think this is caused because there are other definitions present for auditd.data.<field> fields. For instance auditd.data.action (as keyword).

If it is required to be flattened, I'm afraid all the auditd.data.<field> definitions would need to be removed.

Contributor


This mapping is not created. I think this is caused because there are other definitions present for auditd.data.<field> fields. For instance auditd.data.action (as keyword).

On what version of the stack? This looks like a case of elastic/kibana#204104

Collaborator Author


I did run the tests with 8.16.2 (Kibana version set in the manifest).

Just tested with 8.18.0-SNAPSHOT and it does not generate the flattened type for auditd.data either.

Complete mapping for `auditd.data` (8.18.0-SNAPSHOT)
        "auditd": {
          "properties": {
            "data": {
              "properties": {
                "acct": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "acl": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "action": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "added": {
                  "type": "long"
                },
                "addr": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "apparmor": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "arch": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "argc": {
                  "type": "long"
                },
                "audit_backlog_limit": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "audit_backlog_wait_time": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "audit_enabled": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "audit_failure": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "audit_pid": {
                  "type": "long"
                },
                "auid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "banners": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "bool": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "bus": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_fe": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_fi": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_fp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_fver": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_pe": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_pi": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cap_pp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "capability": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cgroup": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "changed": {
                  "type": "long"
                },
                "cipher": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "class": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "cmd": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "code": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "compat": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "daddr": {
                  "type": "ip"
                },
                "data": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "default_context": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "device": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "dir": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "direction": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "dmac": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "dport": {
                  "type": "long"
                },
                "enforcing": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "entries": {
                  "type": "long"
                },
                "exit": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "fam": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "family": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "fd": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "fe": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "feature": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "fi": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "file": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "flags": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "format": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "fp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "frootid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "fver": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "grantors": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "grp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "hook": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "hostname": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "icmp_type": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "id": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "igid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "img_ctx": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "inif": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ino": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "inode_gid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "inode_uid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "invalid_context": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ioctlcmd": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ip": {
                  "type": "ip"
                },
                "ipid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ipx_net": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "items": {
                  "type": "long"
                },
                "iuid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "kernel": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "kind": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ksize": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "laddr": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "len": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "list": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "lport": {
                  "type": "long"
                },
                "mac": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "macproto": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "maj": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "major": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "minor": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "model": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "msg": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "nargs": {
                  "type": "long"
                },
                "net": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_chardev": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_disk": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_enabled": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_fs": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_gid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_level": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_lock": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_log_passwd": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_mem": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_net": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_pe": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_pi": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_pp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_range": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_rng": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_role": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_ses": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_seuser": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "new_vcpu": {
                  "type": "long"
                },
                "nlnk_fam": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "nlnk_grp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "nlnk_pid": {
                  "type": "long"
                },
                "oauid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "obj": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "obj_gid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "obj_uid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ocomm": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "oflag": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_auid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_chardev": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_disk": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_enabled": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_enforcing": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_fs": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_level": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_lock": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_log_passwd": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_mem": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_net": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_pa": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_pe": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_pi": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_pp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_prom": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_range": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_rng": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_role": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_ses": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_seuser": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_val": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "old_vcpu": {
                  "type": "long"
                },
                "op": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "opid": {
                  "type": "long"
                },
                "oses": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "outif": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "pa": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "parent": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "pe": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "per": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "perm": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "perm_mask": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "permissive": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "pfs": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "pi": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "pp": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "printer": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "prom": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "proto": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "qbytes": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "range": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "reason": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "removed": {
                  "type": "long"
                },
                "res": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "reset": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "resrc": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "result": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "rport": {
                  "type": "long"
                },
                "sauid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "scontext": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "selected_context": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "seperm": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "seperms": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "seqno": {
                  "type": "long"
                },
                "seresult": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ses": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "seuser": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "sig": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "sigev_signo": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "smac": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "socket": {
                  "properties": {
                    "addr": {
                      "type": "keyword",
                      "ignore_above": 1024
                    },
                    "family": {
                      "type": "keyword",
                      "ignore_above": 1024
                    },
                    "path": {
                      "type": "keyword",
                      "ignore_above": 1024
                    },
                    "port": {
                      "type": "long"
                    },
                    "saddr": {
                      "type": "keyword",
                      "ignore_above": 1024
                    }
                  }
                },
                "spid": {
                  "type": "long"
                },
                "sport": {
                  "type": "long"
                },
                "state": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "subj": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "success": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "syscall": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "table": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "tclass": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "tcontext": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "terminal": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "tty": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "unit": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "uri": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "uuid": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "val": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "ver": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "virt": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "vm": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "vm_ctx": {
                  "type": "keyword",
                  "ignore_above": 1024
                },
                "vm_pid": {
                  "type": "long"
                },
                "watch": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            }
          }
        }

Just realized that there are at least another group socket under auditd.data:

 - name: auditd.data.socket.port
   description: The port number.
   type: long
 - name: auditd.data.socket.saddr
   description: The raw socket address structure.
   type: keyword
 - name: auditd.data.socket.addr
   description: The remote address.
   type: keyword
 - name: auditd.data.socket.family
   description: The socket family (unix, ipv4, ipv6, netlink).
   type: keyword
 - name: auditd.data.socket.path
   description: This is the path associated with a unix socket.
   type: keyword

Given this auditd.data.socket group, would it be better to set a dynamic template (keyword) for the missing fields (e.g. auditd.data.a0) instead?

Contributor


Yeah, it is probably not possible to merge a flattened with a group. The fleet code definitely does not support it, it only merges groups, objects and maybe nested. It would probably not make sense to merge a flattened with other types.

So we should probably avoid flattened in this case, using a wildcard and considering subobjects: false.

Collaborator Author


Keeping all the definitions present in the file (except auditd.data.a0-N), I think of these two options to update the definition for auditd.data.*:

  • Mapping all strings to keyword
- name: auditd.data.*
  description: Auditd related data
  type: keyword
  • Mapping everything as a keyword (even fields whose type would be long)
- name: auditd.data.*
  description: Auditd related data
  type: object
  object_type: keyword
  object_type_mapping_type: "*"

It may be better to use the first option and, if required, add new corresponding definitions in the future, as was done for auditd.data.socket.port for instance, to keep better control over the fields. WDYT?

78 changes: 50 additions & 28 deletions packages/auditd_manager/data_stream/auditd/sample_event.json
@@ -1,22 +1,22 @@
{
"@timestamp": "2022-05-12T13:10:13.230Z",
"@timestamp": "2025-01-14T18:00:56.117Z",
"agent": {
"ephemeral_id": "cfe4170e-f9b4-435f-b19c-a0e75b573b3a",
"id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
"name": "custom-agent",
"ephemeral_id": "df24f825-df17-4f54-b3c4-3048edbdf123",
"id": "da084743-3b4d-43eb-a6c9-f26c44204375",
"name": "elastic-agent-90019",
"type": "auditbeat",
"version": "8.2.0"
"version": "8.16.0"
},
"auditd": {
"data": {
"a0": "a",
"a1": "c00024e8c0",
"a2": "38",
"a0": "10",
"a1": "c001144140",
"a2": "3c",
"a3": "0",
"arch": "x86_64",
"audit_pid": "22501",
"audit_pid": 2532842,

Collaborator Author
The sample_event had to be regenerated since this field is now a long (as in the field definition).

"auid": "unset",
"exit": "56",
"exit": "60",
"old": "0",
"op": "set",
"result": "success",
Expand All @@ -25,23 +25,24 @@
"family": "netlink",
"saddr": "100000000000000000000000"
},
"subj_user": "docker-default",
"syscall": "sendto",
"tty": "(none)"
},
"message_type": "config_change",
"messages": [
"type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1",
"type=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)",
"type=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000",
"type=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C"
"type=CONFIG_CHANGE msg=audit(1736877656.117:1197107): op=set audit_pid=2532842 old=0 auid=4294967295 ses=4294967295 subj=docker-default res=1",
"type=SYSCALL msg=audit(1736877656.117:1197107): arch=c000003e syscall=44 success=yes exit=60 a0=10 a1=c001144140 a2=3c a3=0 items=0 ppid=2531521 pid=2532842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"agentbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat\" subj=docker-default key=(null)",
"type=SOCKADDR msg=audit(1736877656.117:1197107): saddr=100000000000000000000000",
"type=PROCTITLE msg=audit(1736877656.117:1197107): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D3366303766322F636F6D706F6E656E74732F6167656E746265617400617564697462656174002D450073657475702E696C6D2E656E61626C65643D66616C7365002D450073657475702E74656D706C6174652E65"
],
"result": "success",
"summary": {
"actor": {
"primary": "unset",
"secondary": "root"
},
"how": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
"how": "/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat",
"object": {
"primary": "set",
"type": "audit-config"
Expand All @@ -63,21 +64,24 @@
},
"id": "0",
"name": "root"
},
"selinux": {
"user": "docker-default"
}
}
},
"data_stream": {
"dataset": "auditd_manager.auditd",
"namespace": "ep",
"namespace": "73800",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "753ce520-4f32-45b1-9212-c4dcc9d575a1",
"id": "da084743-3b4d-43eb-a6c9-f26c44204375",
"snapshot": false,
"version": "8.2.0"
"version": "8.16.0"
},
"event": {
"action": "changed-audit-configuration",
Expand All @@ -88,32 +92,50 @@
"network"
],
"dataset": "auditd_manager.auditd",
"ingested": "2022-05-12T13:10:16Z",
"ingested": "2025-01-14T18:00:59Z",
"kind": "event",
"module": "auditd",
"original": "type=CONFIG_CHANGE msg=audit(1652361013.230:94471): op=set audit_pid=22501 old=0 auid=4294967295 ses=4294967295 res=1\ntype=SYSCALL msg=audit(1652361013.230:94471): arch=c000003e syscall=44 success=yes exit=56 a0=a a1=c00024e8c0 a2=38 a3=0 items=0 ppid=9509 pid=22501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"auditbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat\" key=(null)\ntype=SOCKADDR msg=audit(1652361013.230:94471): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1652361013.230:94471): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D6239613238612F696E7374616C6C2F6175646974626561742D382E322E302D6C696E75782D7838365F36342F617564697462656174002D63006175646974626561742E656C61737469632D6167656E742E796D6C",
"original": "type=CONFIG_CHANGE msg=audit(1736877656.117:1197107): op=set audit_pid=2532842 old=0 auid=4294967295 ses=4294967295 subj=docker-default res=1\ntype=SYSCALL msg=audit(1736877656.117:1197107): arch=c000003e syscall=44 success=yes exit=60 a0=10 a1=c001144140 a2=3c a3=0 items=0 ppid=2531521 pid=2532842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"agentbeat\" exe=\"/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat\" subj=docker-default key=(null)\ntype=SOCKADDR msg=audit(1736877656.117:1197107): saddr=100000000000000000000000\ntype=PROCTITLE msg=audit(1736877656.117:1197107): proctitle=2F7573722F73686172652F656C61737469632D6167656E742F646174612F656C61737469632D6167656E742D3366303766322F636F6D706F6E656E74732F6167656E746265617400617564697462656174002D450073657475702E696C6D2E656E61626C65643D66616C7365002D450073657475702E74656D706C6174652E65",
"outcome": "success",
"sequence": 94471,
"sequence": 1197107,
"type": [
"change",
"connection",
"info"
]
},
"host": {
"name": "custom-agent"
"architecture": "x86_64",
"containerized": false,
"hostname": "elastic-agent-90019",
"ip": [
"192.168.176.2",
"192.168.144.5"
],
"mac": [
"02-42-C0-A8-90-05",
"02-42-C0-A8-B0-02"
],
"name": "elastic-agent-90019",
"os": {
"kernel": "6.8.0-51-generic",
"name": "Wolfi",
"platform": "wolfi",
"type": "linux",
"version": "20230201"
}
},
"network": {
"direction": "egress"
},
"process": {
"executable": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat",
"name": "auditbeat",
"executable": "/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat",
"name": "agentbeat",
"parent": {
"pid": 9509
"pid": 2531521
},
"pid": 22501,
"title": "/usr/share/elastic-agent/data/elastic-agent-b9a28a/install/auditbeat-8.2.0-linux-x86_64/auditbeat -c auditbeat.elastic-agent.yml"
"pid": 2532842,
"title": "/usr/share/elastic-agent/data/elastic-agent-3f07f2/components/agentbeat auditbeat -E setup.ilm.enabled=false -E setup.template.e"
},
"service": {
"type": "auditd"
Expand All @@ -130,4 +152,4 @@
"id": "0",
"name": "root"
}
}
}