Add process.thread.capabilities

CHANGELOG.next.md

@@ -16,6 +16,8 @@ Thanks, you're awesome :-) -->
 
 #### Added
 * Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225
+* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245
+* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245
 
 #### Improvements
 * Permit `ignore_above` if explicitly set on a `flattened` field. #2248

docs/fields/field-details.asciidoc

@@ -8449,6 +8449,44 @@ example: `2016-05-23T08:05:34.853Z`
 
 // ===============================================================
 
+|
+[[field-process-thread-capabilities-effective]]
+<<field-process-thread-capabilities-effective, process.thread.capabilities.effective>>
+
+a| This is the set of capabilities used by the kernel to perform permission checks for the thread.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `["CAP_BPF", "CAP_SYS_ADMIN"]`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-process-thread-capabilities-permitted]]
+<<field-process-thread-capabilities-permitted, process.thread.capabilities.permitted>>
+
+a| This is a limiting superset for the effective capabilities that the thread may assume.
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `["CAP_BPF", "CAP_SYS_ADMIN"]`
+
+| extended
+
+// ===============================================================
+
 |
 [[field-process-thread-id]]
 <<field-process-thread-id, process.thread.id>>

experimental/generated/beats/fields.ecs.yml

@@ -7799,6 +7799,24 @@
       ignore_above: 1024
       description: Name of the group.
       default_field: false
+    - name: parent.thread.capabilities.effective
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is the set of capabilities used by the kernel to perform permission
+        checks for the thread.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
+    - name: parent.thread.capabilities.permitted
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is a limiting superset for the effective capabilities that
+        the thread may assume.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
     - name: parent.thread.id
       level: extended
       type: long
@@ -8524,6 +8542,24 @@
       ignore_above: 1024
       description: Name of the group.
       default_field: false
+    - name: thread.capabilities.effective
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is the set of capabilities used by the kernel to perform permission
+        checks for the thread.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
+    - name: thread.capabilities.permitted
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is a limiting superset for the effective capabilities that
+        the thread may assume.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
     - name: thread.id
       level: extended
       type: long

experimental/generated/csv/fields.csv

@@ -887,6 +887,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.10.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 8.10.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.10.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group.
+8.10.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
+8.10.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
 8.10.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID.
 8.10.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name.
 8.10.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title.
@@ -987,6 +989,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.10.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started.
 8.10.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.10.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group.
+8.10.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks.
+8.10.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume.
 8.10.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID.
 8.10.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name.
 8.10.0-dev+exp,true,process,process.title,keyword,extended,,,Process title.

experimental/generated/ecs/ecs_flat.yml

@@ -11290,6 +11290,36 @@ process.parent.supplemental_groups.name:
   original_fieldset: group
   short: Name of the group.
   type: keyword
+process.parent.thread.capabilities.effective:
+  dashed_name: process-parent-thread-capabilities-effective
+  description: This is the set of capabilities used by the kernel to perform permission
+    checks for the thread.
+  example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+  flat_name: process.parent.thread.capabilities.effective
+  ignore_above: 1024
+  level: extended
+  name: thread.capabilities.effective
+  normalize:
+  - array
+  original_fieldset: process
+  pattern: ^(CAP_[A-Z_]+|\d+)$
+  short: Array of capabilities used for permission checks.
+  type: keyword
+process.parent.thread.capabilities.permitted:
+  dashed_name: process-parent-thread-capabilities-permitted
+  description: This is a limiting superset for the effective capabilities that the
+    thread may assume.
+  example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+  flat_name: process.parent.thread.capabilities.permitted
+  ignore_above: 1024
+  level: extended
+  name: thread.capabilities.permitted
+  normalize:
+  - array
+  original_fieldset: process
+  pattern: ^(CAP_[A-Z_]+|\d+)$
+  short: Array of capabilities a thread could assume.
+  type: keyword
 process.parent.thread.id:
   dashed_name: process-parent-thread-id
   description: Thread ID.
@@ -12469,6 +12499,34 @@ process.supplemental_groups.name:
   original_fieldset: group
   short: Name of the group.
   type: keyword
+process.thread.capabilities.effective:
+  dashed_name: process-thread-capabilities-effective
+  description: This is the set of capabilities used by the kernel to perform permission
+    checks for the thread.
+  example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+  flat_name: process.thread.capabilities.effective
+  ignore_above: 1024
+  level: extended
+  name: thread.capabilities.effective
+  normalize:
+  - array
+  pattern: ^(CAP_[A-Z_]+|\d+)$
+  short: Array of capabilities used for permission checks.
+  type: keyword
+process.thread.capabilities.permitted:
+  dashed_name: process-thread-capabilities-permitted
+  description: This is a limiting superset for the effective capabilities that the
+    thread may assume.
+  example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+  flat_name: process.thread.capabilities.permitted
+  ignore_above: 1024
+  level: extended
+  name: thread.capabilities.permitted
+  normalize:
+  - array
+  pattern: ^(CAP_[A-Z_]+|\d+)$
+  short: Array of capabilities a thread could assume.
+  type: keyword
 process.thread.id:
   dashed_name: process-thread-id
   description: Thread ID.

experimental/generated/ecs/ecs_nested.yml

@@ -13507,6 +13507,36 @@ process:
       original_fieldset: group
       short: Name of the group.
       type: keyword
+    process.parent.thread.capabilities.effective:
+      dashed_name: process-parent-thread-capabilities-effective
+      description: This is the set of capabilities used by the kernel to perform permission
+        checks for the thread.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      flat_name: process.parent.thread.capabilities.effective
+      ignore_above: 1024
+      level: extended
+      name: thread.capabilities.effective
+      normalize:
+      - array
+      original_fieldset: process
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      short: Array of capabilities used for permission checks.
+      type: keyword
+    process.parent.thread.capabilities.permitted:
+      dashed_name: process-parent-thread-capabilities-permitted
+      description: This is a limiting superset for the effective capabilities that
+        the thread may assume.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      flat_name: process.parent.thread.capabilities.permitted
+      ignore_above: 1024
+      level: extended
+      name: thread.capabilities.permitted
+      normalize:
+      - array
+      original_fieldset: process
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      short: Array of capabilities a thread could assume.
+      type: keyword
     process.parent.thread.id:
       dashed_name: process-parent-thread-id
       description: Thread ID.
@@ -14687,6 +14717,34 @@ process:
       original_fieldset: group
       short: Name of the group.
       type: keyword
+    process.thread.capabilities.effective:
+      dashed_name: process-thread-capabilities-effective
+      description: This is the set of capabilities used by the kernel to perform permission
+        checks for the thread.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      flat_name: process.thread.capabilities.effective
+      ignore_above: 1024
+      level: extended
+      name: thread.capabilities.effective
+      normalize:
+      - array
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      short: Array of capabilities used for permission checks.
+      type: keyword
+    process.thread.capabilities.permitted:
+      dashed_name: process-thread-capabilities-permitted
+      description: This is a limiting superset for the effective capabilities that
+        the thread may assume.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      flat_name: process.thread.capabilities.permitted
+      ignore_above: 1024
+      level: extended
+      name: thread.capabilities.permitted
+      normalize:
+      - array
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      short: Array of capabilities a thread could assume.
+      type: keyword
     process.thread.id:
       dashed_name: process-thread-id
       description: Thread ID.

experimental/generated/elasticsearch/composable/component/process.json

@@ -1310,6 +1310,18 @@
                 },
                 "thread": {
                   "properties": {
+                    "capabilities": {
+                      "properties": {
+                        "effective": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        },
+                        "permitted": {
+                          "ignore_above": 1024,
+                          "type": "keyword"
+                        }
+                      }
+                    },
                     "id": {
                       "type": "long"
                     },
@@ -1777,6 +1789,18 @@
             },
             "thread": {
               "properties": {
+                "capabilities": {
+                  "properties": {
+                    "effective": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    },
+                    "permitted": {
+                      "ignore_above": 1024,
+                      "type": "keyword"
+                    }
+                  }
+                },
                 "id": {
                   "type": "long"
                 },

experimental/generated/elasticsearch/legacy/template.json

@@ -4031,6 +4031,18 @@
               },
               "thread": {
                 "properties": {
+                  "capabilities": {
+                    "properties": {
+                      "effective": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      },
+                      "permitted": {
+                        "ignore_above": 1024,
+                        "type": "keyword"
+                      }
+                    }
+                  },
                   "id": {
                     "type": "long"
                   },
@@ -4498,6 +4510,18 @@
           },
           "thread": {
             "properties": {
+              "capabilities": {
+                "properties": {
+                  "effective": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  },
+                  "permitted": {
+                    "ignore_above": 1024,
+                    "type": "keyword"
+                  }
+                }
+              },
               "id": {
                 "type": "long"
               },

generated/beats/fields.ecs.yml

@@ -7749,6 +7749,24 @@
       ignore_above: 1024
       description: Name of the group.
       default_field: false
+    - name: parent.thread.capabilities.effective
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is the set of capabilities used by the kernel to perform permission
+        checks for the thread.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
+    - name: parent.thread.capabilities.permitted
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is a limiting superset for the effective capabilities that
+        the thread may assume.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
     - name: parent.thread.id
       level: extended
       type: long
@@ -8474,6 +8492,24 @@
       ignore_above: 1024
       description: Name of the group.
       default_field: false
+    - name: thread.capabilities.effective
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is the set of capabilities used by the kernel to perform permission
+        checks for the thread.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
+    - name: thread.capabilities.permitted
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: This is a limiting superset for the effective capabilities that
+        the thread may assume.
+      example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+      pattern: ^(CAP_[A-Z_]+|\d+)$
+      default_field: false
     - name: thread.id
       level: extended
       type: long