[Auditbeat] Add system module package dataset ECS categorization fiel…

…ds (#18033) * [Auditbeat] Add system module package dataset ECS categorization fields * add changelog entry * Add ECS package fields
elastic · May 5, 2020 · 5a308fe · 5a308fe
1 parent dece318
commit 5a308fe
Show file tree

Hide file tree

Showing 7 changed files with 62 additions and 7 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -230,6 +230,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add system module process dataset ECS categorization fields. {pull}18032[18032]
 - Add system module socket dataset ECS categorization fields. {pull}18036[18036]
 - Add ECS categories for system module host dataset. {pull}18031[18031]
+- Add system module package dataset ECS categorization fields. {pull}18033[18033]
 
 *Filebeat*
 

diff --git a/x-pack/auditbeat/module/system/package/package.go b/x-pack/auditbeat/module/system/package/package.go
@@ -76,6 +76,21 @@ func (action eventAction) String() string {
 	}
 }
 
+func (action eventAction) Type() string {
+	switch action {
+	case eventActionExistingPackage:
+		return "info"
+	case eventActionPackageInstalled:
+		return "installation"
+	case eventActionPackageRemoved:
+		return "deletion"
+	case eventActionPackageUpdated:
+		return "change"
+	default:
+		return "info"
+	}
+}
+
 func init() {
 	mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
 		mb.DefaultMetricSet(),
@@ -107,6 +122,7 @@ type Package struct {
 	Summary     string
 	URL         string
 	Error       error
+	Type        string
 }
 
 // Hash creates a hash for Package.
@@ -119,41 +135,55 @@ func (pkg Package) Hash() uint64 {
 	return h.Sum64()
 }
 
-func (pkg Package) toMapStr() common.MapStr {
+func (pkg Package) toMapStr() (common.MapStr, common.MapStr) {
 	mapstr := common.MapStr{
 		"name":    pkg.Name,
 		"version": pkg.Version,
 	}
+	ecsMapstr := common.MapStr{
+		"name":    pkg.Name,
+		"version": pkg.Version,
+	}
 
 	if pkg.Release != "" {
 		mapstr.Put("release", pkg.Release)
 	}
 
 	if pkg.Arch != "" {
 		mapstr.Put("arch", pkg.Arch)
+		ecsMapstr.Put("architecture", pkg.License)
 	}
 
 	if pkg.License != "" {
 		mapstr.Put("license", pkg.License)
+		ecsMapstr.Put("license", pkg.License)
 	}
 
 	if !pkg.InstallTime.IsZero() {
 		mapstr.Put("installtime", pkg.InstallTime)
+		ecsMapstr.Put("installed", pkg.InstallTime)
 	}
 
 	if pkg.Size != 0 {
 		mapstr.Put("size", pkg.Size)
+		ecsMapstr.Put("size", pkg.Size)
 	}
 
 	if pkg.Summary != "" {
 		mapstr.Put("summary", pkg.Summary)
+		ecsMapstr.Put("description", pkg.Summary)
 	}
 
 	if pkg.URL != "" {
 		mapstr.Put("url", pkg.URL)
+		ecsMapstr.Put("reference", pkg.URL)
 	}
 
-	return mapstr
+	if pkg.Type != "" {
+		ecsMapstr.Put("type", pkg.Type)
+	}
+
+	return mapstr, ecsMapstr
 }
 
 // entityID creates an ID that uniquely identifies this package across machines.
@@ -340,15 +370,19 @@ func convertToPackage(cacheValues []interface{}) []*Package {
 }
 
 func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAction) mb.Event {
+	pkgFields, ecsPkgFields := pkg.toMapStr()
 	event := mb.Event{
 		RootFields: common.MapStr{
 			"event": common.MapStr{
-				"kind":   eventType,
-				"action": action.String(),
+				"kind":     eventType,
+				"category": []string{"package"},
+				"type":     []string{action.Type()},
+				"action":   action.String(),
 			},
+			"package": ecsPkgFields,
 			"message": packageMessage(pkg, action),
 		},
-		MetricSetFields: pkg.toMapStr(),
+		MetricSetFields: pkgFields,
 	}
 
 	if ms.HostID() != "" {
@@ -538,7 +572,9 @@ func (ms *MetricSet) listDebPackages() ([]*Package, error) {
 		value := strings.TrimSpace(words[1])
 
 		if pkg == nil {
-			pkg = &Package{}
+			pkg = &Package{
+				Type: "dpkg",
+			}
 		}
 
 		switch strings.ToLower(words[0]) {

diff --git a/x-pack/auditbeat/module/system/package/package_homebrew.go b/x-pack/auditbeat/module/system/package/package_homebrew.go
@@ -52,6 +52,7 @@ func listBrewPackages() ([]*Package, error) {
 				Name:        packageDir.Name(),
 				Version:     version.Name(),
 				InstallTime: version.ModTime(),
+				Type:        "brew",
 			}
 
 			// Read formula

diff --git a/x-pack/auditbeat/module/system/package/package_homebrew_test.go b/x-pack/auditbeat/module/system/package/package_homebrew_test.go
@@ -51,11 +51,19 @@ func TestHomebrew(t *testing.T) {
 
 		if assert.Len(t, events, 1) {
 			event := mbtest.StandardizeEvent(f, events[0], core.AddDatasetToEvent)
+			checkFieldValue(t, event, "event.kind", "state")
+			checkFieldValue(t, event, "event.category", []string{"package"})
+			checkFieldValue(t, event, "event.type", []string{"info"})
 			checkFieldValue(t, event, "system.audit.package.name", "test-package")
 			checkFieldValue(t, event, "system.audit.package.summary", "Test package")
 			checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
 			checkFieldValue(t, event, "system.audit.package.version", "1.0.0")
 			checkFieldValue(t, event, "system.audit.package.entity_id", "Krm421rtYM4wgq1S")
+			checkFieldValue(t, event, "package.name", "test-package")
+			checkFieldValue(t, event, "package.description", "Test package")
+			checkFieldValue(t, event, "package.reference", "https://www.elastic.co/")
+			checkFieldValue(t, event, "package.version", "1.0.0")
+			checkFieldValue(t, event, "package.type", "brew")
 		}
 	}
 }

diff --git a/x-pack/auditbeat/module/system/package/package_test.go b/x-pack/auditbeat/module/system/package/package_test.go
@@ -75,6 +75,12 @@ func TestDpkg(t *testing.T) {
 		checkFieldValue(t, event, "system.audit.package.summary", "Test Package")
 		checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
 		checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04")
+		checkFieldValue(t, event, "package.name", "test")
+		checkFieldValue(t, event, "package.size", uint64(269))
+		checkFieldValue(t, event, "package.description", "Test Package")
+		checkFieldValue(t, event, "package.reference", "https://www.elastic.co/")
+		checkFieldValue(t, event, "package.version", "8.2.0-1ubuntu2~18.04")
+		checkFieldValue(t, event, "package.type", "dpkg")
 	}
 }
 

diff --git a/x-pack/auditbeat/module/system/package/rpm_common_test.go b/x-pack/auditbeat/module/system/package/rpm_common_test.go
@@ -41,6 +41,7 @@ func rpmPackagesByExec() ([]*Package, error) {
 			// size - 6
 			URL:     words[7],
 			Summary: words[8],
+			Type:    "rpm",
 		}
 		ts, err := strconv.ParseInt(words[5], 10, 64)
 		if err != nil {

diff --git a/x-pack/auditbeat/module/system/package/rpm_linux.go b/x-pack/auditbeat/module/system/package/rpm_linux.go
@@ -357,7 +357,9 @@ func packageFromHeader(header C.Header, openedLibrpm *librpm) (*Package, error)
 	}
 	defer C.my_headerFree(openedLibrpm.headerFree, header)
 
-	pkg := Package{}
+	pkg := Package{
+		Type: "rpm",
+	}
 
 	name := C.my_headerGetString(openedLibrpm.headerGetString, header, RPMTAG_NAME)
 	if name != nil {