[Auditbeat] User metricset: Fetch groups by user

[cwurm]

Currently, the user metricset reads all users, then reads all groups and their members and matches one to the other. This can be a problem when groups have a lot of members (see #9679).

This changes to looking up groups of individual users.

It also changes the types of the system.audit.user.uid and system.audit.user.gid fields from integer to keyword to accommodate Windows in the future (Go's User and Group structs use strings, so does ECS user.id/group.id).

Because the internal structure of the User struct changes, this invalidates previous beat.db files. I have not added any conversion logic this time since this metricset is not released yet - but we will have to do it in the future.

Fixes #9679.

[elasticmachine]

Pinging @elastic/secops

[webmat]

The issue's paste of the error truncates the interesting bits, alas 😂

Looking at the failure in TEST-go-unit.out from the zip file (pasted below, non-truncated for posterity), it looks to me like there's actually two errors:

• error while reading group file, which you're addressing here
• failed to get users , from user:291

I'm not actually sure how to interpret the full stack trace. Is this two goroutines failing at roughly the same time? Or is one failure causing the other?

The tests are now passing, so this looks promising. But I think someone else should have a look as well, to get another opinion.

=== RUN   TestData
--- FAIL: TestData (0.05s)
    user_test.go:20: received error: numerical result out of range
        error while reading group file
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.readGroupFile
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/users_linux.go:153
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.enrichWithGroups
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/users_linux.go:95
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.GetUsers
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/users_linux.go:36
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).reportState
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/user.go:289
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).Fetch
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/user.go:270
        github.com/elastic/beats/metricbeat/mb/testing.ReportingFetchV2
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/metricbeat/mb/testing/modules.go:203
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.TestData
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/user_test.go:18
        testing.tRunner
        	/var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/testing/testing.go:827
        runtime.goexit
        	/var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/runtime/asm_amd64.s:1333
        failed to get users
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).reportState
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/user.go:291
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.(*MetricSet).Fetch
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/user.go:270
        github.com/elastic/beats/metricbeat/mb/testing.ReportingFetchV2
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/metricbeat/mb/testing/modules.go:203
        github.com/elastic/beats/x-pack/auditbeat/module/system/user.TestData
        	/var/lib/jenkins/workspace/elastic+beats+pull-request+multijob-linux/beat/x-pack/auditbeat/label/ubuntu/src/github.com/elastic/beats/x-pack/auditbeat/module/system/user/user_test.go:18
        testing.tRunner
        	/var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/testing/testing.go:827
        runtime.goexit
        	/var/lib/jenkins/.gvm/versions/go1.11.3.linux.amd64/src/runtime/asm_amd64.s:1333
FAIL
FAIL	github.com/elastic/beats/x-pack/auditbeat/module/system/user	0.064s

[webmat]

@cw Be careful about that x-pack/auditbeat/include/fields.go conflict. That file should have been deleted in #9724, so it's no longer being generated. So rebasing this will give you a merge conflict that make update won't overwrite.

Just delete that file and you're good. I just spent 1h+ figuring this out ;-)

[cwurm]

Thanks @webmat - I've just rebased, hopefully successfully.

[andrewkroh]

LGTM