-
Notifications
You must be signed in to change notification settings - Fork 445
Expand file tree
/
Copy pathprocess.yml
More file actions
152 lines (126 loc) · 6.81 KB
/
process.yml
File metadata and controls
152 lines (126 loc) · 6.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: process
reusable:
top_level: true
expected:
- at: process
as: entry_leader
short_override: First process from terminal or remote access via SSH, SSM, etc OR a service directly started by the init process.
- at: process
as: session_leader
short_override: Often the same as entry_leader. When it differs, it represents a session started within another session. e.g. using tmux
- at: process
as: group_leader
short_override: Information about the process group leader. In some cases this may be the same as the top level process.
- at: process.parent
as: group_leader
short_override: Information about the parent's process group leader. Only pid, start and entity_id fields are set.
- at: process.entry_leader
as: parent
short_override: Information about the entry leader's parent process. Only pid, start and entity_id fields are set.
- at: process.session_leader
as: parent
short_override: Information about the session leader's parent process. Only pid, start and entity_id fields are set.
- at: process.entry_leader.parent
as: session_leader
short_override: Information about the parent session of the entry leader. Only pid, start and entity_id fields are set.
- at: process.session_leader.parent
as: session_leader
short_override: Information about the parent session of the session leader. Only pid, start and entity_id fields are set.
- at: process
as: previous
short_override: An array of previous executions for the process, including the initial fork. Only executable and args are set.
fields:
# Deprecation note: Because we are nesting process.group_leader above, it makes sense to deprecate process.pgid as this information can be accessed via process.group_leader.pid
# - name: pgid #to be removed
- name: interactive
level: extended
type: boolean
example: true
short: Whether the process is connected to an interactive shell.
description: >
Whether the process is connected to an interactive shell.
Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.
Note: A non-interactive process can belong to an interactive session and is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
- name: same_as_process
level: extended
type: boolean
example: true
short: This boolean is used to identify if a leader process is the same as the top level process.
description: >
This boolean is used to identify if a leader process is the same as the top level process.
For example, if process.group_leader.same_as_process = true, it means the process event in question is the leader of its process group. Details under process.* like pid would be the same under process.group_leader.*
The same applies for both process.session_leader and process.entry_leader.
This field exists to the benefit of EQL and other rule engines since it's not possible to compare equality between two fields in a single document.
e.g
process.entity_id = process.group_leader.entity_id (top level process is the process group leader)
OR
process.entity_id = process.entry_leader.entity_id (top level process is the entry session leader)
Instead these rules could be written like:
process.group_leader.same_as_process: true
OR
process.entry_leader.same_as_process: true
Note: This field is only set on process.entry_leader, process.session_leader and process.group_leader.
- name: env_vars
level: extended
type: object
short: Environment variables set at the time of the event.
description: >
Environment variables set at the time of the event.
May be filtered to protect sensitive information.
example: >
{
"USER": "elastic",
"LANG": "en_US.UTF-8",
"HOME": "/home/elastic"
}
- name: entry_meta.type
level: extended
type: keyword
short: The entry type for the entry session leader.
description: >
The entry type for the entry session leader.
Values include: init(e.g systemd), sshd, ssm, kubelet, teleport, terminal, console
- name: entry_meta.source
level: extended
type: source
short: Entry point information for a session.
description: >
Entry point information for a session.
Remote client information such as ip, port and geo location.
- name: tty
level: extended
type: object
short: Information about the controlling TTY device.
description: >
Information about the controlling TTY device. If set, the process belongs to an interactive session.
- name: tty.char_device.major
level: extended
type: long
short: The TTY character device's major number.
description: >
The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. For more details see https://www.kernel.org/doc/html/v4.11/admin-guide/devices.html
example: 1
- name: tty.char_device.minor
level: extended
type: long
short: The TTY character device's minor number.
description: >
The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
example: 128