Session view processor procfs #38799

Merged (66 commits, merged Apr 15, 2024)

Commits on Jan 10, 2024

  1. Add an add_session_metadata auditbeat processor

    This processor will enrich process events with additional information needed to
    enable session view in Kibana.

    This processor can be run on Linux systems, and will use eBPF to enrich auditd events
    for process exec and exit events. The additional fields that will be added are information
    on process parent, session leader and process group leader.
    mjwolf committed Jan 10, 2024
    88d0a0e

Commits on Jan 12, 2024

  1. d5a01bf

Commits on Jan 15, 2024

  1. Calculate process entry leader

    Calculate and append entry leader information to enriched processes.
    mjwolf committed Jan 15, 2024
    7cec455
  2. 7de480d

Commits on Jan 16, 2024

  1. Add entry leader tests

    mjwolf committed Jan 16, 2024
    782504c
  2. Update CHANGELOG

    mjwolf committed Jan 16, 2024
    6b7037b

Commits on Jan 17, 2024

  1. 0f610cb
  2. Apply suggestions from code review

    Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
    mjwolf and efd6 committed Jan 17, 2024
    c688f5a
  3. Rework directory structure

    mjwolf committed Jan 17, 2024
    f35b4c7

Commits on Jan 18, 2024

  1. Remove DB interface

    Remove the DB interface, as there will only be one implementation for it
    mjwolf committed Jan 18, 2024
    bf38e89
  2. Pass DB by reference in tests

    mjwolf committed Jan 18, 2024
    910aba2
  3. Rework entry leader tests

    mjwolf committed Jan 18, 2024
    0cbb970
  4. Reformat processor

    mjwolf committed Jan 18, 2024
    06b7064
  5. Only build tests on Linux

    mjwolf committed Jan 18, 2024
    be57ad8
  6. 9ad7811
  7. f6aad7e

Commits on Jan 21, 2024

  1. Add Procfs provider for add_session_view processor

    Add a procfs provider to the add_session_view processor, which can be used to gather
    session metadata on systems where the ebpf implementation is not supported.
    mjwolf committed Jan 21, 2024
    3f0bdae

Commits on Jan 22, 2024

  1. Changes for PR feedback

    * Changed to use time.Duration in timeutils for process start NS
    * Used go-cmp library to compare ECS docs in tests
    mjwolf committed Jan 22, 2024
    3598b3c
  2. 743e8da
  3. 17fdf1c

Commits on Jan 23, 2024

  1. Fix linter warnings

    Fix linter warnings and upgrade go-libaudit to v2.5.0
    mjwolf committed Jan 23, 2024
    1ab4752
  2. 23e097c

Commits on Jan 24, 2024

  1. 882f8a4
  2. Use single channel from ebpfevents

    ebpfevents library has been updated to use a single channel. Updated to use
    latest ebpfevents library and the single channel.
    mjwolf committed Jan 24, 2024
    145f627

Commits on Jan 25, 2024

  1. Use watcher for ebpf events

    Use watcher, which provides singleton access for ebpfevents
    mjwolf committed Jan 25, 2024
    e9aea4d

Commits on Jan 26, 2024

  1. remove seccomp init

    mjwolf committed Jan 26, 2024
    c001219
  2. Update x-pack/auditbeat/internal/ebpf/watcher_linux.go

    Co-authored-by: Mattia Meleleo <melmat@tuta.io>
    mjwolf and mmat11 committed Jan 26, 2024
    a5986dd

Commits on Jan 27, 2024

  1. 5658c76

Commits on Jan 29, 2024

  1. d5da140
  2. Merge branch 'session_view_processor_ebpf' of github.com:mjwolf/beats into session_view_processor_ebpf

    mjwolf committed Jan 29, 2024
    ca81839
  3. Merge remote-tracking branch 'origin/session_view_processor_ebpf' into session_view_processor_procfs

    mjwolf committed Jan 29, 2024
    b1ee150
  4. 7fe0ba4
  5. Add auto implementation

    mjwolf committed Jan 29, 2024
    793b473

Commits on Jan 30, 2024

  1. Move ebpf watcher to libbeat

    mjwolf committed Jan 30, 2024
    9c59a7b
  2. Merge remote-tracking branch 'origin/session_view_processor_ebpf' into session_view_processor_procfs

    mjwolf committed Jan 30, 2024
    fc5a8e6

Commits on Jan 31, 2024

  1. 02cb329

Commits on Feb 1, 2024

  1. 26d759b
  2. 4a304df

Commits on Feb 2, 2024

  1. e7a45ea
  2. Make capNames an array

    mjwolf committed Feb 2, 2024
    5dbe5dd
  3. 06e2c13

Commits on Feb 5, 2024

  1. d675c53
  2. 1837289
  3. Merge remote-tracking branch 'origin/session_view_processor_ebpf' into session_view_processor_procfs

    mjwolf committed Feb 5, 2024
    b09ca36

Commits on Feb 6, 2024

  1. 7017a79

Commits on Feb 7, 2024

  1. 10e9525
  2. Update ebpfevents lib

    mjwolf committed Feb 7, 2024
    eeab397

Commits on Feb 20, 2024

  1. 7de070e
  2. Rename package

    mjwolf committed Feb 20, 2024
    565eaa1
  3. 12643f4
  4. 1f05b14
  5. 0ecb7bf
  6. Merge branch 'session_view_processor_ebpf' of github.com:mjwolf/beats into session_view_processor_ebpf

    mjwolf committed Feb 20, 2024
    fe4f0a3

Commits on Feb 22, 2024

  1. f2443cd

Commits on Mar 11, 2024

  1. 9a52b90

Commits on Mar 14, 2024

  1. Remove possibilities of panics

    Remove possible panics in program initialization, and handle unexpected events
    more gracefully.
    mjwolf committed Mar 14, 2024
    36c8998
  2. 5f5f777
  3. Merge remote-tracking branch 'origin/session_view_processor_ebpf' into session_view_processor_procfs

    mjwolf committed Mar 14, 2024
    b43e9bc

Commits on Mar 18, 2024

  1. afe10b2

Commits on Mar 19, 2024

  1. Retry scraping process if ancestry incomplete

    If any process ancestry is incomplete, retry scraping the info from proc.

    As procfs scraping can miss events, or not be updated when process re-parenting
    happens, if any inconsistency in the DB is found, rescrape to update the data.
    mjwolf committed Mar 19, 2024
    82572d2

Commits on Apr 10, 2024

  1. f2a538f
  2. Add changelog entry

    mjwolf committed Apr 10, 2024
    67004c4

Commits on Apr 12, 2024

  1. 9229f97

Commits on Apr 15, 2024

  1. 16be56e
  2. 4603027
  3. db82ab7