
Add process.thread.capabilities #2245

Merged: 9 commits, Aug 9, 2023
2 changes: 2 additions & 0 deletions CHANGELOG.next.md
@@ -16,6 +16,8 @@ Thanks, you're awesome :-) -->

#### Added
* Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225
* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245
* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245

#### Improvements

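Review bot: the wording for `permitted` in the first added line ("the current thread's possible capabilities") does not match the schema text in this same PR ("a limiting superset for the effective capabilities"); consider "the set of capabilities the current thread is permitted to assume (the superset its effective set is drawn from)" so readers of the changelog get the same semantics as readers of the field reference. The unchanged context line just above still reads "to indicated whether", a typo worth fixing in passing.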
22 changes: 22 additions & 0 deletions schemas/process.yml
@@ -202,6 +202,28 @@
description: >
Thread name.

- name: thread.capabilities.permitted
level: extended
type: keyword
short: Array of capabilities a thread could assume.
description: >
This is a limiting superset for the effective capabilities that the
thread may assume.
example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]"
Member:
If this is the format we expect to use then I recommend adding a pattern so that automated validation can yield warnings when the format is not followed. I am thinking `^(CAP_[A-Z_]+|\d+)$`, which allows software to insert the capability number if it is unaware of the associated name.

example:

```yaml
pattern: ^[A-F0-9]{2}(-[A-F0-9]{2}){5,}$
```
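To show what the suggested pattern buys a producer and a validator, here is an added example (not code from the ECS project or from the PR author). It decodes the `CapPrm` and `CapEff` bitmasks from a constructed `/proc/<pid>/status` excerpt into the two new fields, falls back to the decimal bit number for capabilities its (deliberately incomplete, constructed) name table does not know, checks every emitted value against `^(CAP_[A-Z_]+|\d+)$`, and verifies the invariant the field description states: the effective set is a subset of the permitted set. The bit numbers in the table follow capabilities(7); the function names, the sample status text and the `ecs_thread_capabilities` document shape are assumptions made for this example.

```python
import re

# Pattern from the review comment above: a CAP_ name or a bare capability number.
CAP_PATTERN = re.compile(r"^(CAP_[A-Z_]+|\d+)$")

# Constructed, deliberately incomplete bit -> name table (bit numbers per capabilities(7)).
# Bits missing here (e.g. 40, CAP_CHECKPOINT_RESTORE) exercise the numeric fallback.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    7: "CAP_SETUID",
    12: "CAP_NET_ADMIN",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
    39: "CAP_BPF",
}

# Constructed /proc/<pid>/status excerpt: permitted = bits 21, 39, 40; effective = bits 21, 39.
SAMPLE_STATUS = """\
Name:\tworker
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000018000200000
CapEff:\t0000008000200000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""


def parse_status_caps(status_text: str) -> dict:
    """Pull the Cap* hex masks out of /proc/<pid>/status text, keyed by field name."""
    caps = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            caps[key] = value.strip()
    return caps


def decode_cap_mask(hex_mask: str) -> list:
    """Expand a capability bitmask into ECS-style strings, lowest bit first.
    Known bits become CAP_ names; unknown bits fall back to the decimal bit number,
    which is exactly what the numeric alternative of the proposed pattern permits."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES.get(bit, str(bit))
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def validate_caps(values) -> tuple:
    """Split values into (valid, invalid) against CAP_PATTERN.
    fullmatch is used so a trailing newline cannot slip past the `$` anchor."""
    valid, invalid = [], []
    for v in values:
        (valid if CAP_PATTERN.fullmatch(v) else invalid).append(v)
    return valid, invalid


def effective_within_permitted(permitted, effective) -> bool:
    """The invariant from the field description: effective must be a subset of permitted."""
    return set(effective) <= set(permitted)


def ecs_thread_capabilities(status_text: str) -> dict:
    """Build the process.thread.capabilities.* fragment of an ECS event (assumed shape)."""
    caps = parse_status_caps(status_text)
    permitted = decode_cap_mask(caps["CapPrm"])
    effective = decode_cap_mask(caps["CapEff"])
    for name, values in (("permitted", permitted), ("effective", effective)):
        _, bad = validate_caps(values)
        if bad:
            raise ValueError(f"{name} contains values outside the pattern: {bad}")
    return {"process": {"thread": {"capabilities": {
        "permitted": permitted, "effective": effective}}}}


if __name__ == "__main__":
    doc = ecs_thread_capabilities(SAMPLE_STATUS)
    print(doc)
    caps = doc["process"]["thread"]["capabilities"]
    print("effective within permitted:",
          effective_within_permitted(caps["permitted"], caps["effective"]))
```

With the sample text, `permitted` decodes to `["CAP_SYS_ADMIN", "CAP_BPF", "40"]` and `effective` to `["CAP_SYS_ADMIN", "CAP_BPF"]`; the bare `"40"` is what a producer with a stale name table would emit, and the pattern accepts it, while lower-case or hyphenated spellings are rejected before they reach the index.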

Member:
super cool! @andrewkroh thanks for the suggestion

normalize:
- array

- name: thread.capabilities.effective
level: extended
type: keyword
short: Array of capabilities used for permission checks.
description: >
This is the set of capabilities used by the kernel to perform permission
checks for the thread.
example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]"
normalize:
- array

- name: start
level: extended
type: date
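Review bot: neither `thread.capabilities.permitted` nor `thread.capabilities.effective` carries a `pattern`, so with `type: keyword` alone values such as `cap_bpf`, `CAP-BPF` or an empty string pass schema validation silently; adding `pattern: ^(CAP_[A-Z_]+|\d+)$` to both fields (as proposed in the comment thread) lets tooling warn on them while still allowing a bare number when a producer does not know the name. On documentation, the descriptions do not say that these are two of the five Linux capability sets (inheritable, bounding and ambient are not modelled here), which would tell readers of capabilities(7) what is deliberately left out, and a sentence stating that both sets are read from the same thread at the same moment would make the "limiting superset" relationship concrete. Lastly, both `example` values are identical; an `effective` example that is a strict subset of the `permitted` one (for instance `"[\"CAP_BPF\"]"`) would illustrate the relationship the description states.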