From b08a33c51f2c85bc3663b784464361681e9d1798 Mon Sep 17 00:00:00 2001 From: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com> Date: Wed, 9 Aug 2023 09:03:58 -0400 Subject: [PATCH] Add process.thread.capabilities (#2245) * Add process.thread.capabilities * Add CHANGELOG.next.md entries * Add regex pattern * Add fields schema subset * Adding the result of make after updating the subset * Add capabilities to process.parent.thread * Add make results after adding caps to parent.thread --- CHANGELOG.next.md | 2 + docs/fields/field-details.asciidoc | 38 ++++++++++++ experimental/generated/beats/fields.ecs.yml | 36 ++++++++++++ experimental/generated/csv/fields.csv | 4 ++ experimental/generated/ecs/ecs_flat.yml | 58 +++++++++++++++++++ experimental/generated/ecs/ecs_nested.yml | 58 +++++++++++++++++++ .../composable/component/process.json | 24 ++++++++ .../elasticsearch/legacy/template.json | 24 ++++++++ generated/beats/fields.ecs.yml | 36 ++++++++++++ generated/csv/fields.csv | 4 ++ generated/ecs/ecs_flat.yml | 58 +++++++++++++++++++ generated/ecs/ecs_nested.yml | 58 +++++++++++++++++++ .../composable/component/process.json | 24 ++++++++ generated/elasticsearch/legacy/template.json | 24 ++++++++ schemas/process.yml | 24 ++++++++ schemas/subsets/main.yml | 8 +++ 16 files changed, 480 insertions(+) diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 20cb1a94a..31b18ae84 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -16,6 +16,8 @@ Thanks, you're awesome :-) --> #### Added * Added `container.security_context.privileged` to indicated whether a container was started in privileged mode. #2219, #2225 +* Added `process.thread.capabilities.permitted` to contain the current thread's possible capabilities. #2245 +* Added `process.thread.capabilities.effective` to contain the current thread's effective capabilities. #2245 #### Improvements * Permit `ignore_above` if explicitly set on a `flattened` field. #2248 
diff --git a/docs/fields/field-details.asciidoc b/docs/fields/field-details.asciidoc index 3b7570163..e86e2f158 100644 --- a/docs/fields/field-details.asciidoc +++ b/docs/fields/field-details.asciidoc @@ -8449,6 +8449,44 @@ example: `2016-05-23T08:05:34.853Z` // =============================================================== +| +[[field-process-thread-capabilities-effective]] +<> + +a| This is the set of capabilities used by the kernel to perform permission checks for the thread. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `["CAP_BPF", "CAP_SYS_ADMIN"]` + +| extended + +// =============================================================== + +| +[[field-process-thread-capabilities-permitted]] +<> + +a| This is a limiting superset for the effective capabilities that the thread may assume. + +type: keyword + + +Note: this field should contain an array of values. + + + +example: `["CAP_BPF", "CAP_SYS_ADMIN"]` + +| extended + +// =============================================================== + | [[field-process-thread-id]] <> diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index bddf67659..79fc1fae3 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml 
@@ -7799,6 +7799,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: parent.thread.id level: extended type: long @@ -8524,6 +8542,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: thread.id level: extended type: long diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index ea92bdc24..ca3343bc7 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv 
@@ -887,6 +887,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev+exp,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev+exp,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev+exp,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev+exp,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev+exp,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title. 
@@ -987,6 +989,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev+exp,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev+exp,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev+exp,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev+exp,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev+exp,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev+exp,true,process,process.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev+exp,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev+exp,true,process,process.title,keyword,extended,,,Process title. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index 5a9f0cced..600e15123 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml 
@@ -11290,6 +11290,36 @@ process.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -12469,6 +12499,34 @@ process.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 0a4cc7c98..22a415ce4 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml 
@@ -13507,6 +13507,36 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -14687,6 +14717,34 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/experimental/generated/elasticsearch/composable/component/process.json b/experimental/generated/elasticsearch/composable/component/process.json index 2bba95883..47e088ad0 100644 --- a/experimental/generated/elasticsearch/composable/component/process.json +++ b/experimental/generated/elasticsearch/composable/component/process.json @@ -1310,6 +1310,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, 
@@ -1777,6 +1789,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, diff --git a/experimental/generated/elasticsearch/legacy/template.json b/experimental/generated/elasticsearch/legacy/template.json index 17b103099..c205a8788 100644 --- a/experimental/generated/elasticsearch/legacy/template.json +++ b/experimental/generated/elasticsearch/legacy/template.json @@ -4031,6 +4031,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, @@ -4498,6 +4510,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 17d08da26..377b2cae5 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml 
@@ -7749,6 +7749,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: parent.thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: parent.thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: parent.thread.id level: extended type: long @@ -8474,6 +8492,24 @@ ignore_above: 1024 description: Name of the group. default_field: false + - name: thread.capabilities.effective + level: extended + type: keyword + ignore_above: 1024 + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false + - name: thread.capabilities.permitted + level: extended + type: keyword + ignore_above: 1024 + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + pattern: ^(CAP_[A-Z_]+|\d+)$ + default_field: false - name: thread.id level: extended type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c41f61101..ae87c2044 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -880,6 +880,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev,true,process,process.parent.title,keyword,extended,,,Process title. 
@@ -980,6 +982,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 8.10.0-dev,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. 8.10.0-dev,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 8.10.0-dev,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.10.0-dev,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.10.0-dev,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. 8.10.0-dev,true,process,process.thread.id,long,extended,,4242,Thread ID. 8.10.0-dev,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. 8.10.0-dev,true,process,process.title,keyword,extended,,,Process title. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 845d61ece..a0379a21b 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml 
@@ -11221,6 +11221,36 @@ process.parent.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -12400,6 +12430,34 @@ process.supplemental_groups.name: original_fieldset: group short: Name of the group. type: keyword +process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword +process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that the + thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a34185add..4f8291e4a 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml 
@@ -13427,6 +13427,36 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.parent.thread.capabilities.effective: + dashed_name: process-parent-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.parent.thread.capabilities.permitted: + dashed_name: process-parent-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.parent.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + original_fieldset: process + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.parent.thread.id: dashed_name: process-parent-thread-id description: Thread ID. 
@@ -14607,6 +14637,34 @@ process: original_fieldset: group short: Name of the group. type: keyword + process.thread.capabilities.effective: + dashed_name: process-thread-capabilities-effective + description: This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.effective + ignore_above: 1024 + level: extended + name: thread.capabilities.effective + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities used for permission checks. + type: keyword + process.thread.capabilities.permitted: + dashed_name: process-thread-capabilities-permitted + description: This is a limiting superset for the effective capabilities that + the thread may assume. + example: '["CAP_BPF", "CAP_SYS_ADMIN"]' + flat_name: process.thread.capabilities.permitted + ignore_above: 1024 + level: extended + name: thread.capabilities.permitted + normalize: + - array + pattern: ^(CAP_[A-Z_]+|\d+)$ + short: Array of capabilities a thread could assume. + type: keyword process.thread.id: dashed_name: process-thread-id description: Thread ID. diff --git a/generated/elasticsearch/composable/component/process.json b/generated/elasticsearch/composable/component/process.json index 3e18a2e5c..219e8aae4 100644 --- a/generated/elasticsearch/composable/component/process.json +++ b/generated/elasticsearch/composable/component/process.json @@ -1310,6 +1310,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, @@ -1777,6 +1789,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, 
diff --git a/generated/elasticsearch/legacy/template.json b/generated/elasticsearch/legacy/template.json index c12bbf937..203e7b89d 100644 --- a/generated/elasticsearch/legacy/template.json +++ b/generated/elasticsearch/legacy/template.json @@ -3989,6 +3989,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, @@ -4456,6 +4468,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "id": { "type": "long" }, diff --git a/schemas/process.yml b/schemas/process.yml index 9b42a21d4..674cfae2b 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -202,6 +202,30 @@ description: > Thread name. + - name: thread.capabilities.permitted + level: extended + type: keyword + short: Array of capabilities a thread could assume. + pattern: ^(CAP_[A-Z_]+|\d+)$ + description: > + This is a limiting superset for the effective capabilities that the + thread may assume. + example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]" + normalize: + - array + + - name: thread.capabilities.effective + level: extended + type: keyword + short: Array of capabilities used for permission checks. + pattern: ^(CAP_[A-Z_]+|\d+)$ + description: > + This is the set of capabilities used by the kernel to perform permission + checks for the thread. + example: "[\"CAP_BPF\", \"CAP_SYS_ADMIN\"]" + normalize: + - array + - name: start level: extended type: date diff --git a/schemas/subsets/main.yml b/schemas/subsets/main.yml index 50312f7b0..0b953e321 100644 --- a/schemas/subsets/main.yml +++ b/schemas/subsets/main.yml @@ -309,6 +309,10 @@ fields: fields: id: {} name: {} + capabilities: + fields: + effective: {} + permitted: {} title: {} tty: fields: 
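Review bot: The `pattern: ^(CAP_[A-Z_]+|\d+)$` on both new fields in schemas/process.yml admits symbolic names and bare decimal numbers, but neither `description` says which form a producer should emit or when the numeric form is expected, so a detection such as `process.thread.capabilities.effective: CAP_SYS_ADMIN` would silently miss events from a producer that emitted `21` for the same bit. I would state the convention in the description, e.g. `Use the symbolic CAP_* name; emit the decimal capability number only when the producer has no name for that bit (for example a capability newer than its lookup table).` It would also help to say that these are Linux capability sets as defined in capabilities(7) and, for a process-level event, which thread's sets are recorded — presumably the thread that triggered the event, which should be confirmed with the producers. Finally, the description could note that a thread holding no capabilities should be recorded as an empty array rather than by omitting the field, so "unprivileged" stays distinguishable from "not collected".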
@@ -443,6 +447,10 @@ fields: fields: id: {} name: {} + capabilities: + fields: + effective: {} + permitted: {} title: {} tty: fields: "*"