[Auditbeat] Auditd: Change user fields to ECS #10456
Conversation
|
Pinging @elastic/secops |
| case "auid": | ||
| user.Put("audit.id", value) | ||
| default: | ||
| user.Put(id+".id", value) |
There was a problem hiding this comment.
If the ID field is unknown, it would be worth logging a warning, IMO.
I like that we're not losing the information, however. If for example ouid came up, stuff would be nested as user.ouid.id and user.ouid.name. Obviously not perfect, but a good fallback 👍
There was a problem hiding this comment.
If the ID field is unknown, it would be worth logging a warning, IMO.
There's no logging infrastructure at that point in the code at the moment. I personally wouldn't want to bring in that complexity for this one case. The current code does not log a warning either when this happens so we're not losing anything.
There was a problem hiding this comment.
Yeah, if you don't have logging infrastructure in here already, this is way out of scope indeed.
| - name: group | ||
| type: group | ||
| description: Saved group information. | ||
| fields: | ||
| - name: id | ||
| type: keyword | ||
| description: Saved group ID. | ||
| - name: name | ||
| type: keyword | ||
| description: Saved group name. |
There was a problem hiding this comment.
I find it confusing to have the effective & saved fields defined here, and the audit & filesystem fields defined only in the auditd module. Especially since they're defined mixed in the ECS user field set.
I think it would make most sense to have them grouped together here.
There was a problem hiding this comment.
I would assume Auditbeat's FIM has events with ouid and ogid (file owner). I think it would make sense to define them here as (and adjust FIM to use them ;-) ).
I've seen them pop up in the Filebeat auditd module, so you can pilfer the definitions from there.
There was a problem hiding this comment.
To clarify about FIM above: I would define the fields in this PR. Addressing whether FIM emits owner IDs in these fields can be addressed as a separate PR.
There was a problem hiding this comment.
I find it confusing to have the
effective&savedfields defined here, and theaudit&filesystemfields defined only in the auditd module. Especially since they're defined mixed in the ECSuserfield set.I think it would make most sense to have them grouped together here.
+1 I'll make the change
I would assume Auditbeat's FIM has events with
ouidandogid(file owner). I think it would make sense to define them here as (and adjust FIM to use them ;-) ).
I think we have a few options. But regardless, I don't think we should address it here in this PR.
The FIM file metadata has a uid, gid, owner, and group. This is also what is currently in ECS.
Our options for moving the fields:
- Move them under
user.*:user.id,user.name,user.group.id,user.group.name- no new definitions required, easy field names, but problematic if we ever have another user object (e.g. the user that modified the file) - Move them under
user.owner.*:user.owner.id,user.owner.name,user.owner.group.id,user.owner.group.name- more future proof, somewhat longer field names - Move them under
file.user.*:file.user.owner.id,file.user.owner.name,file.user.owner.group.id,file.user.owner.group.name - Move them under
file.owner.*:file.owner.id,file.owner.name,file.owner.group.id,file.owner.group.name
The benefit the last two options under file have is that it would allow us to keep the file object of the FIM module and the auditd.paths object (containing multiple files) of the Auditd module to share the same fields for users. They're a bit disparate at the moment, with FIM using uid/gid and Auditd using ouid/ogid for the same data.
Again, I think we should address this whole thing in another PR, including any field definitions.
There was a problem hiding this comment.
Thanks for moving the fields defs :-)
I agree the owner stuff is to be addressed in another PR, if we address it.
The discrepancy in representing users in file.* in ECS saddens me a bit, haha. This one slipped by. But I think we should leave it as is and concentrate on polishing everything that's already in flight, for FF. I don't think we should open this can of worms as well.
cwurm
force-pushed
the
auditd_user_ecs
branch
from
e9ada4c
to
290247d
Compare
Changes the UID and GID fields of the
auditdmodule to follow the new ECS format:Specifically, these fields are remapped:
user.auiduser.audit.iduser.uiduser.iduser.euiduser.effective.iduser.fsuiduser.filesystem.iduser.suiduser.saved.iduser.giduser.group.iduser.egiduser.effective.group.iduser.sgiduser.saved.group.iduser.fsgiduser.filesystem.group.iduser.name_map.auiduser.audit.nameuser.name_map.uiduser.nameuser.name_map.euiduser.effective.nameuser.name_map.fsuiduser.filesystem.nameuser.name_map.suiduser.saved.nameuser.name_map.giduser.group.nameuser.name_map.egiduser.effective.group.nameuser.name_map.sgiduser.saved.group.nameuser.name_map.fsgiduser.filesystem.group.nameFollow-up to #10195.
Field names should be the same as in the Filebeat auditd module after #10192.