add_process_metadata processor adds container id even if process metadata not accessible

[jtinkus]

• Enhancement

What does this PR do?

Changed add_process_metadata processor to get both process metadata and container id and not error out if only one is available.

Why is it important?

If container is non-privileged, then process metadata for external processes is not fully readable (no access to /proc/pid/exe and /proc/pid/cwd) and code errors out before even trying to get container id. Same time container id is still accessible in /proc/pid/cgroup file. Now process metadata is skipped for such processes, but container id is still added.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [] I have made corresponding changes to the documentation
• [] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• [] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Minor fix, probably no need for doc or changelog.

Author's Checklist

• [ ]

How to test this PR locally

Run AuditBeat in non-privileged container in k8s cluster.

Configure add_process_metadata processor in yaml file, for example:

- add_process_metadata:
     match_pids: [process.ppid]
     target: process.parent
     cgroup_regex: \/.+\/.+\/.+\/([0-9a-f]{64}).*

This should add process.parent.container.id field to event even if other process metadata for given ppid is not accessible due non-privileged container rights. In such case there is no other process metadata added except container.id.

Related issues

Use cases

Screenshots

Logs

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [ChrsMark commented: jenkins run the tests please]

• Start Time: 2020-08-03T12:53:27.196+0000

• Duration: 66 min 17 sec

Test stats 🧪

Test	Results
Failed	0
Passed	14469
Skipped	1373
Total	15842

[jtinkus]

@exekias proposal for minor fix in the code you have reviewed before.

[elasticmachine]

Pinging @elastic/integrations-platforms (Team:Platforms)

[exekias]

Thank you so much for contributing 🎉 ! I left a question, could you also please add a CHANGELOG entry?

@jsoriano This is one of the places where privileged mode was needed, note anymore if this goes in 🙂

[ChrsMark]

LGTM, extra thanks for the unit tests!

[ChrsMark]

jenkins run the tests please

[jtinkus]

Seems that PR is now waiting approval from @exekias

[ChrsMark]

@exekias will be out for some days so I'm merging this one to avoid waiting.
Thank you @jtinkus for contributing this! Could you also share your manual testing process on the description of this PR (How to test this PR locally)?