Add attested user and groups to process #2050

Merged (6 commits), Sep 20, 2022. Changes from 1 commit.
20 changes: 20 additions & 0 deletions docs/fields/field-details.asciidoc
@@ -4621,6 +4621,8 @@ type: keyword
The `group` fields are expected to be nested at:


* `process.attested_group`

* `process.group`

* `process.real_group`
@@ -7759,6 +7761,22 @@ Note also that the `process` fields may be used directly at the root of the even
// ===============================================================


| `process.attested_group.*`
| <<ecs-group,group>>| beta:[ Reusing the `group` fields in this location is currently considered beta.]

The attested group (agid).

// ===============================================================


| `process.attested_user.*`
| <<ecs-user,user>>| beta:[ Reusing the `user` fields in this location is currently considered beta.]

The attested user (auid). Identifies the attested used associated with the process.

// ===============================================================


| `process.code_signature.*`
| <<ecs-code_signature,code_signature>>
| These fields contain information about binary code signatures.
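Review bot: `The attested user (auid). Identifies the attested used associated with the process.` has a typo: "attested used" should read "attested user". This asciidoc is generated from `schemas/user.yml`, so the correction belongs in that file's `short_override`, followed by a regeneration, rather than in this file. The `process.attested_group.*` entry just above carries only `The attested group (agid).` with no second sentence; consider mirroring the user entry, e.g. `The attested group (agid). Identifies the attested group associated with the process.`, so the two nested descriptions read alike.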
@@ -11498,6 +11516,8 @@ The `user` fields are expected to be nested at:

* `destination.user`

* `process.attested_user`

* `process.real_user`

* `process.saved_user`
22 changes: 22 additions & 0 deletions experimental/generated/ecs/ecs_nested.yml
@@ -6029,6 +6029,11 @@ group:
normalize:
- array
short_override: An array of supplemental groups.
- as: attested_group
at: process
beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_group
short_override: The attested group (agid).
top_level: true
short: User's group relevant to the event.
title: Group
@@ -12344,6 +12349,8 @@ process:
group: 2
name: process
nestings:
- process.attested_group
- process.attested_user
- process.code_signature
- process.elf
- process.entry_leader
@@ -12458,6 +12465,10 @@ process:
- array
schema_name: group
short: An array of supplemental groups.
- beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_group
schema_name: group
short: The attested group (agid).
- full: process.hash
schema_name: hash
short: Hashes, usually file hashes.
@@ -12487,6 +12498,11 @@ process:
full: process.real_user
schema_name: user
short: The real user (ruid). Identifies the real owner of the process.
- beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
schema_name: user
short: The attested user (auid). Identifies the attested used associated with
the process.
- full: process.parent
schema_name: process
short: Information about the parent process.
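Review bot: the `short:` text for `process.attested_user` repeats the "attested used" typo ("attested user" is meant), and the identical line appears in `generated/ecs/ecs_nested.yml`. Both files are generated output, so fix the `short_override` in `schemas/user.yml` and regenerate instead of editing either copy by hand; otherwise the next generation run reintroduces the typo.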
@@ -21668,6 +21684,12 @@ user:
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.real_user
short_override: The real user (ruid). Identifies the real owner of the process.
- as: attested_user
at: process
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
short_override: The attested user (auid). Identifies the attested used associated
with the process.
top_level: true
reused_here:
- full: user.group
22 changes: 22 additions & 0 deletions generated/ecs/ecs_nested.yml
@@ -5949,6 +5949,11 @@ group:
normalize:
- array
short_override: An array of supplemental groups.
- as: attested_group
at: process
beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_group
short_override: The attested group (agid).
top_level: true
short: User's group relevant to the event.
title: Group
@@ -12180,6 +12185,8 @@ process:
group: 2
name: process
nestings:
- process.attested_group
- process.attested_user
- process.code_signature
- process.elf
- process.entry_leader
@@ -12294,6 +12301,10 @@ process:
- array
schema_name: group
short: An array of supplemental groups.
- beta: Reusing the `group` fields in this location is currently considered beta.
full: process.attested_group
schema_name: group
short: The attested group (agid).
- full: process.hash
schema_name: hash
short: Hashes, usually file hashes.
@@ -12323,6 +12334,11 @@ process:
full: process.real_user
schema_name: user
short: The real user (ruid). Identifies the real owner of the process.
- beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
schema_name: user
short: The attested user (auid). Identifies the attested used associated with
the process.
- full: process.parent
schema_name: process
short: Information about the parent process.
@@ -21091,6 +21107,12 @@ user:
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.real_user
short_override: The real user (ruid). Identifies the real owner of the process.
- as: attested_user
at: process
beta: Reusing the `user` fields in this location is currently considered beta.
full: process.attested_user
short_override: The attested user (auid). Identifies the attested used associated
with the process.
top_level: true
reused_here:
- full: user.group
4 changes: 4 additions & 0 deletions schemas/group.yml
@@ -47,6 +47,10 @@
beta: Reusing the `group` fields in this location is currently considered beta.
normalize:
- array
- at: process
as: attested_group
short_override: The attested group (agid).
beta: Reusing the `group` fields in this location is currently considered beta.

fields:
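Review bot: `short_override: The attested group (agid).` is the only description consumers of the nested `process.attested_group` fields will see, and it says nothing about what "attested" means. The sibling `attested_user` reuse at least adds an "Identifies ..." sentence; suggest `short_override: The attested group (agid). Identifies the attested group associated with the process.` here, since the `ecs_nested.yml` and `field-details.asciidoc` copies in this PR are produced from this entry.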

4 changes: 4 additions & 0 deletions schemas/user.yml
@@ -54,6 +54,10 @@
as: real_user
short_override: The real user (ruid). Identifies the real owner of the process.
beta: Reusing the `user` fields in this location is currently considered beta.
- at: process
as: attested_user
short_override: The attested user (auid). Identifies the attested used associated with the process.
Contributor comment:
Also, I know there isn't a ton of space for descriptions on nested fields ("short only"), but I wonder if we can explain what attested means, e.g. via 2-factor mechanisms etc.

Reply:

"Externally" attested is the key aspect, i.e. they have done something to prove to an external source (e.g. pw & 2nd factor) that they are who they claim to be and authorized to obtain the role/identity stated here.

beta: Reusing the `user` fields in this location is currently considered beta.

type: group
fields:
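Review bot: `short_override: The attested user (auid). Identifies the attested used associated with the process.` has "used" where "user" is meant, and this is the source line from which the `ecs_nested.yml` and `field-details.asciidoc` copies in this PR are generated, so fix it here and regenerate. The review thread above also asks what "attested" means; the reply's explanation (the user proved to an external source, e.g. password plus a second factor, that they are who they claim to be and are authorized for the stated identity) is the substance readers need, and even within the short-description limit the word "externally" could be carried into this line: `Identifies the externally attested user associated with the process.`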