Add ECS 1.8 session and map user and groups #86
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
Add ECS user and group fields to aucoalesce.Event. Update normalizations to enable population of ECS user.* and group.* fields from event data (entity.*, object.*, uids and raw data). Also refactors the user/group ID lookup as sometimes it's necessary to lookup a user/group ID from a name.
adriansr
force-pushed
the
ecs_18_norms
branch
from
2edc0b1
to
91952da
Compare
There was a problem hiding this comment.
I'll work through a bit more of a detailed review in a bit, but general approach looks good to me, I did have a question about other effective/target users though, a quick pass through the normalization file and I'm wondering if the following should also be handled?
AUDIT_LOGINAUDIT_CHGRP_IDAUDIT_CHUSER_ID- syscalls:
chown,fchown,fchownat,lchown,setuid,seteuid,setfsuid,setreuid,setgid,setegid,setfsgid,setregid,setresuid,setresgid
WDYT?
adriansr
force-pushed
the
ecs_18_norms
branch
from
704845e
to
e5c1ed2
Compare
adriansr
force-pushed
the
ecs_18_norms
branch
from
fd9ea90
to
61b4ffa
Compare
Nit: Fixes an implicit rune to string conversion warning emitted by vet. There was no bug, but the implicit conversion is deprecated starting in Go 1.15. > rule/rule.go:367:29: conversion from untyped int to string yields a string of one rune, not a string of digits (did you mean fmt.Sprint(x)?)
adriansr
changed the title
adriansr
changed the title
|
Been discussing @andrewstucki requests via Slack. The current status of this PR is that everything that we can support is supported:
This one was (erroneously) ignored by Auditbeat. I've added support for it and will also update Auditbeat in elastic/beats#23594.
This ones don't contain any interesting information for ECS multiuser enrichment, only generic *id fields which were already supported.
We decided to leave file ownership syscalls for now, as it's not clear how/if they fit into ECS 1.8 multiuser at all.
The set*id syscalls are already supported through the generic *id fields. |
| @@ -1001,7 +1072,9 @@ normalizations: | |||
| - <<: *macro-user-session | |||
| record_types: USER_END | |||
| action: ended-session | |||
| ecs: *ecs-auth | |||
There was a problem hiding this comment.
This changes USER_START/USER_END messages from event.category: authentication to session.
I wonder if I should keep the former, event.category: [authentication, session]
WDYT @andrewstucki ?
There was a problem hiding this comment.
I'm leaning toward only session since there are separate events for authentication. If we had session earlier I assume that's the way we would have done it. It's a minor breaking change though.
There was a problem hiding this comment.
I'm fine with that change. Also, just in the interest of spreading the knowledge around, main place I could find a reference to AUDIT_USER_LOGIN is when login from shadow-utils returns successfully.
AUDIT_USER_START is predominantly an artifact of PAM and is called in pam_open_session:
Both work hand-in-hand, as you can see the invocation of pam_open_session here:
Seems to mirror exactly what's described in the audit framework docs
The next event can be AUDIT_USER_ROLE_CHANGE depending on whether a MAC framework that has the notion of roles is in use. It records what role has been assigned to the login session. This event is followed by AUDIT_USER_LOGIN to signify that the session that is being created is interactive. This is followed by AUDIT_USER_START to denote that the session has started.
README.md
Outdated
| target: {} | ||
| changes: {} | ||
| group: | ||
| effective: {} |
There was a problem hiding this comment.
I think the only one having effective etc is the user field https://www.elastic.co/guide/en/ecs/master/ecs-user-usage.html.
For the effective group would be something like user.effective.group.*
There was a problem hiding this comment.
Good catch. group.effective was unused, but group.target is used for group creation/deletion/changes.
I think the best for now is to set group.id in those cases? Because it's mapping actions like User A creates Group B. Another option is user.target.group? But that doesn't make a lot of sense without filling the user fields in user.target.
/cc @andrewstucki
There was a problem hiding this comment.
I think as far as user is modifying/creating a group does does not belong to a different user, is probably fine having both user and group at the root. Maybe @ebeahan can bring some guideline
There was a problem hiding this comment.
Yes, I agree with @marc-gr that using the top-level user.* and group.* is most appropriate in this case.
group.target is not defined by ECS.
| "user": { | ||
| "id": "unset", | ||
| "effective": { | ||
| "name": "(invalid user)" |
There was a problem hiding this comment.
does it make sense to actually enrich these if they're invalid/unset?
There was a problem hiding this comment.
This is a failed ssh login attempt using an invalid user, I think it's worth to report that back to the user instead of an empty user.
Add ECS user and group fields to aucoalesce.Event:
fields from event data (entity., object., uids and raw data).
lookup a user/group ID from a name.
Adds the new ECS
sessioncategorization to USER_START and USER_END messages.