Skip to content

[auditd_manager] New auditd manager package#2763

Merged
marc-gr merged 21 commits intoelastic:mainfrom
marc-gr:new_auditd-mgr
May 20, 2022
Merged

[auditd_manager] New auditd manager package#2763
marc-gr merged 21 commits intoelastic:mainfrom
marc-gr:new_auditd-mgr

Conversation

@marc-gr
Copy link
Contributor

@marc-gr marc-gr commented Mar 3, 2022
edited
Loading

What does this PR do?

Adds a new auditd_manager integration

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Closes #3011

image

image

image

image

@elasticmachine
Copy link

elasticmachine commented Mar 3, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-05-20T08:59:58.129+0000

  • Duration: 15 min 1 sec

Test stats 🧪

Test Results
Failed 0
Passed 35
Skipped 0
Total 35

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

marc-gr and others added 4 commits March 8, 2022 15:34
@marc-gr
fix dashboard indices
8030520
@marc-gr
Initial configuration template
5661d9b
@andrewkroh
Rename input, add os type condition
f91fe94 
Rename input to audit/auditd

Remove audit_rule_files. We want all config to be managed by the Agent so it shouldn't be reading from local files not managed by Agent.

Constrain the input to linux hosts.
@marc-gr
Update manifest and docs
4f54464
@marc-gr marc-gr marked this pull request as ready for review March 24, 2022 13:13
@marc-gr marc-gr requested review from a team as code owners March 24, 2022 13:13
@elasticmachine
Copy link

elasticmachine commented Mar 24, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

adriansr
adriansr suggested changes Mar 29, 2022
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had a quick look.

Needs manual update of .git/CODEOWNERS

adriansr
adriansr reviewed Mar 29, 2022
View reviewed changes
adriansr
adriansr reviewed Mar 29, 2022
View reviewed changes
@elasticmachine
Copy link

elasticmachine commented Apr 26, 2022
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (2/2) 💚
Files 100.0% (2/2) 💚 3.731
Classes 100.0% (2/2) 💚 3.731
Methods 95.833% (23/24) 👍 7.804
Lines 97.355% (2319/2382) 👍 7.87
Conditionals 100.0% (0/0) 💚

@marc-gr marc-gr requested a review from adriansr May 19, 2022 10:49
adriansr
adriansr suggested changes May 19, 2022
View reviewed changes
packages/auditd_manager/data_stream/auditd/elasticsearch/ingest_pipeline/default.yml
}
}
}
handleMap(ctx);
Copy link
Contributor

@adriansr adriansr May 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this necessary to apply this for all fields in ctx, instead of a subset like ctx.auditd ?

Copy link
Contributor Author

@marc-gr marc-gr May 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the events come with also custom fields under user.* and file.*, since I was not able to generate many different samples, I am not 100% sure these are the only ones, so I tried to err on the more consistent way of dealing with them. If you prefer I can change it to operate on auditd, user, and file and we can deal with any other case found if any.

Copy link
Contributor

@adriansr adriansr May 20, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's ok then, let's keep it as is now.

efd6
efd6 reviewed May 20, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

efd6
efd6 approved these changes May 20, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after query about the painless is satisfied.

(and auditd_manager is rebuilt)

@marc-gr marc-gr requested a review from adriansr May 20, 2022 09:04
@marc-gr marc-gr merged commit 75bbe7d into elastic:main May 20, 2022
@marc-gr marc-gr deleted the new_auditd-mgr branch May 20, 2022 09:19
This was referenced May 22, 2022
Closed
Merged
@andrewkroh andrewkroh added Integration:auditd Auditd Logs Integration:auditd_manager Auditd Manager New Integration Issue or pull request for creating a new integration package. labels Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

+1 more reviewer

@adriansr adriansr adriansr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

enhancement New feature or request Integration:auditd_manager Auditd Manager Integration:auditd Auditd Logs New Integration Issue or pull request for creating a new integration package.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Auditd Manager Integration

5 participants

@marc-gr @elasticmachine @adriansr @efd6 @andrewkroh