add_process_metadata: enrich process info with process owner (#21068)

[dddpaul]

Type: Enhancement

What does this PR do?

Enrich process metadata with process owner info.

Why is it important?

It's quite useful to know process owner, to control traffic, for example.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

1. Run packetbeat with simply config:

processors:
  - add_process_metadata:
      match_pids: [process.pid]

2. Exec some curl http://example.comfrom commandline

3. Flow type event will be enriched with process.username

Related issues

• Closes Packetbeat: enrich process info with process owner #21068

Use cases

Screenshots

Logs

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[elasticmachine]

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-07-15T13:44:42.696+0000

• Duration: 135 min 22 sec

• Commit: 06aa7b2

Test stats 🧪

Test	Results
Failed	0
Passed	49269
Skipped	5396
Total	54665

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	49269
Skipped	5396
Total	54665

[adriansr]

jenkins run the tests please

[adriansr]

Thanks for your contribution!

In addition to the comments I left, I think it's necessary to change the title/description of this PR. This isn't actually changing anything in Packetbeat, but updating the add_process_metadata processor to add an username field.

Also, it needs an entry in the CHANGELOG.next.asciidoc file, under Added > Affecting all Beats, so that users know about the new field.

[dddpaul]

Hi. I do not understand, what's next requirements? I've resolved all issues.

[dddpaul]

@adriansr Hi, could you review again please?

[adriansr]

jenkins run tests

[elasticmachine]

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	16400
Skipped	1342
Total	17742

[adriansr]

Apart from the CHANGELOG issue, we're discussing a possible rename of the field process.username to align with the Elastic Common Schema.

[adriansr]

This is in the wrong section, Breaking changes. It should be under Added > Affecting All Beats.

[dddpaul]

@adriansr I've placed this line to proper section.

[dddpaul]

What do you think is the proper field name for process owner? The options as I can see are:
process.username
process.owner
process.owner_name

Or process.owner should be an object with it's own fields?
process.owner.uid
process.owner.name
...

[dddpaul]

@adriansr ?

[adriansr]

Hi @dddpaul, we're still trying to figure out what makes more sense for this use case.

At some point, process.user.* made it into ECS, but then it was reverted. See this comment.
So to align with ECS, we could do two things:

1. Add user information to the top-level user object.
2. Add a custom object under process. For example owner.

The first makes more sense, but at the same time is more risky for a processor, as this will cause the processor execution to fail if the input document already contains a user.name or user.id. If overwrite_keys is set, then it will silently overwrite those keys, potentially breaking existing pipelines.

[andrewkroh]

As a general purpose processor I think it lacks the context to know if setting a ^user is the correct thing to do. So setting a key(s) under process is the safest thing to do and what I would most expect as a user.

Another alternative would be to offer an addition target_owner config option that indicates where (or if) process owner info is added to the event. The registered_domain and translate_sid processors take an approach like this.

[dddpaul]

Hi, @adriansr what's next steps?

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[adriansr]

Hi @dddpaul , I know this has been open for a long time, sorry about that. We are reviewing it.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feat/process_owner upstream/feat/process_owner
git merge upstream/master
git push upstream feat/process_owner

[adriansr]

/test

[andrewkroh]

LGTM