[Auditbeat] Process: Add hash of executable (#11722)

Adds the hash(es) of the process executable to `process.hash.*`. The default is to add SHA-1 only as `process.hash.sha1`.
elastic · May 9, 2019 · c9ffceb · c9ffceb
1 parent cf5de0a
commit c9ffceb
Show file tree

Hide file tree

Showing 13 changed files with 686 additions and 18 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -154,6 +154,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Auditd module: Add `event.outcome` and `event.type` for ECS. {pull}11432[11432]
 - Package: Enable suse. {pull}11634[11634]
 - Add support to the system package dataset for the SUSE OS family. {pull}11634[11634]
+- Process: Add file hash of process executable. {pull}11722[11722]
 
 *Filebeat*
 

diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc
@@ -6540,6 +6540,157 @@ type: keyword
 ID uniquely identifying the process. It is computed as a SHA-256 hash of the host ID, PID, and process start time.
 
 
+--
+
+[float]
+== hash fields
+
+Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.
+
+
+
+*`process.hash.blake2b_256`*::
++
+--
+type: keyword
+
+BLAKE2b-256 hash of the executable.
+
+--
+
+*`process.hash.blake2b_384`*::
++
+--
+type: keyword
+
+BLAKE2b-384 hash of the executable.
+
+--
+
+*`process.hash.blake2b_512`*::
++
+--
+type: keyword
+
+BLAKE2b-512 hash of the executable.
+
+--
+
+*`process.hash.md5`*::
++
+--
+type: keyword
+
+MD5 hash of the executable.
+
+--
+
+*`process.hash.sha1`*::
++
+--
+type: keyword
+
+SHA1 hash of the executable.
+
+--
+
+*`process.hash.sha224`*::
++
+--
+type: keyword
+
+SHA224 hash of the executable.
+
+--
+
+*`process.hash.sha256`*::
++
+--
+type: keyword
+
+SHA256 hash of the executable.
+
+--
+
+*`process.hash.sha384`*::
++
+--
+type: keyword
+
+SHA384 hash of the executable.
+
+--
+
+*`process.hash.sha3_224`*::
++
+--
+type: keyword
+
+SHA3_224 hash of the executable.
+
+--
+
+*`process.hash.sha3_256`*::
++
+--
+type: keyword
+
+SHA3_256 hash of the executable.
+
+--
+
+*`process.hash.sha3_384`*::
++
+--
+type: keyword
+
+SHA3_384 hash of the executable.
+
+--
+
+*`process.hash.sha3_512`*::
++
+--
+type: keyword
+
+SHA3_512 hash of the executable.
+
+--
+
+*`process.hash.sha512`*::
++
+--
+type: keyword
+
+SHA512 hash of the executable.
+
+--
+
+*`process.hash.sha512_224`*::
++
+--
+type: keyword
+
+SHA512/224 hash of the executable.
+
+--
+
+*`process.hash.sha512_256`*::
++
+--
+type: keyword
+
+SHA512/256 hash of the executable.
+
+--
+
+*`process.hash.xxh64`*::
++
+--
+type: keyword
+
+XX64 hash of the executable.
+
 --