libbeat/processors/add_process_metada: add capabilities to process me…

[haesbaert]

Proposed commit message

Extends process metadata with effective and permitted capabilities.

Errors from capabilities.FromPid() are ignored since it returns a nil slice, which results in len() == 0 which supresses any output. A possible common error is getting ESRCH as the process might have already exited.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

processors:
  - add_process_metadata:
      overwrite_keys: true
      match_pids: ["process.pid"]

auditbeat.modules:
- module: system
  datasets:
    - socket
  period: 10s # The frequency at which the datasets check for changes
  state.period: 20s

output.console:
  pretty: true

Related issues

Part of https://github.com/elastic/security-team/issues/4375
Related to #37453

Screenshots

output.txt

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @haesbaert? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Duration: 133 min 9 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[haesbaert]

The Windows errors seem to be unrelated, apparently the CI can't find the go binary and whatnot

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[belimawr]

BuildKite should not prevent the PR from be merged yet. Once you get the approvals and Jenkins is green you should be able to merge it.

[haesbaert]

BuildKite should not prevent the PR from be merged yet. Once you get the approvals and Jenkins is green you should be able to merge it.

Awesome, thanks :)

[stanek-michal]

LGTM

[haesbaert]

Merging is blocked as waiting a review from @fearful-symmetry , is this because we need a reviewer from each team?

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #2504 succeeded 9e9a4df
• 💚 Build #2296 succeeded 4eb35fd
• 💔 Build #1947 failed a6ca13f

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #1272 succeeded 9e9a4df
• 💚 Build #1066 succeeded 4eb35fd

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #1230 succeeded 9e9a4df
• 💚 Build #1024 succeeded 4eb35fd

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #1665 succeeded 9e9a4df
• 💚 Build #1459 succeeded 4eb35fd
• 💚 Build #1110 succeeded a6ca13f

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #2509 succeeded 9e9a4df
• 💚 Build #2303 succeeded 4eb35fd
• 💚 Build #1954 succeeded a6ca13f

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #1227 succeeded 9e9a4df
• 💚 Build #1021 succeeded 4eb35fd

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #2799 succeeded 9e9a4df
• 💔 Build #2593 failed 4eb35fd
• 💔 Build #2244 failed a6ca13f
• 💔 Build #2243 failed 58ec06f

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #1240 succeeded 9e9a4df
• 💚 Build #1034 succeeded 4eb35fd

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #3720 succeeded 9e9a4df
• 💚 Build #3514 succeeded 4eb35fd
• 💚 Build #3161 succeeded a6ca13f

cc @haesbaert

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 13eb6f7

History

• 💚 Build #4153 succeeded 9e9a4df
• 💔 Build #3946 failed 4eb35fd
• 💔 Build #3585 failed a6ca13f
• 💔 Build #3584 failed 58ec06f

cc @haesbaert

[fearful-symmetry]

Is there a reason why we're not checking the errors here?

[haesbaert]

If it fails, we don't include the capabilities, same outcome if the capabilities were empty. There are valid/normal reasons for it to fail, like the process being gone by the time we try to fetch it. Also on Windows/OS X i fails with ErrUnsupported.

[fearful-symmetry]

Can we add a quick comment to that effect?

[haesbaert]

Done.

[haesbaert]

/test