From d1cafaed9b1830fdf1fd2105256ac7d936be2709 Mon Sep 17 00:00:00 2001
From: Christoph Wurm
Date: Fri, 24 May 2019 16:08:02 -0700
Subject: [PATCH 1/3] Improve dpkg and add test.
---
 .../module/system/package/package.go | 18 ++++++-
 .../module/system/package/package_test.go | 47 +++++++++++++++++++
 .../system/package/testdata/dpkg/status | 15 ++++++
 3 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 x-pack/auditbeat/module/system/package/testdata/dpkg/status
diff --git a/x-pack/auditbeat/module/system/package/package.go b/x-pack/auditbeat/module/system/package/package.go
index 3b87cba6f739..190c7db79723 100644
--- a/x-pack/auditbeat/module/system/package/package.go
+++ b/x-pack/auditbeat/module/system/package/package.go
@@ -508,7 +508,7 @@ func listDebPackages() ([]*Package, error) {
 var packages []*Package
 var skipPackage bool
- pkg := &Package{}
+ var pkg *Package
 scanner := bufio.NewScanner(file)
 for scanner.Scan() {
 line := scanner.Text()
@@ -518,7 +518,7 @@ func listDebPackages() ([]*Package, error) {
 packages = append(packages, pkg)
 }
 skipPackage = false
- pkg = &Package{}
+ pkg = nil
 continue
 } else if skipPackage {
 // Skipping this package - read on.
@@ -534,6 +534,11 @@ func listDebPackages() ([]*Package, error) {
 return nil, fmt.Errorf("the following line was unexpected (no ':' found): '%s'", line)
 }
 value := strings.TrimSpace(words[1])
+
+ if pkg == nil {
+ pkg = &Package{}
+ }
+
 switch strings.ToLower(words[0]) {
 case "package":
 pkg.Name = value
@@ -553,12 +558,21 @@ func listDebPackages() ([]*Package, error) {
 if err != nil {
 return nil, errors.Wrapf(err, "error converting %s to int", value)
 }
+ case "homepage":
+ pkg.URL = value
 default:
 continue
 }
 }
+
 if err = scanner.Err(); err != nil {
 return nil, errors.Wrapf(err, "error scanning file %v", dpkgStatusFile)
 }
+
+ // Append last package if file ends without newline
+ if pkg != nil && !skipPackage {
+ packages = append(packages, pkg)
+ }
+
 return packages, nil
 }
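Review bot: With `pkg` now starting as nil and reset to nil after every stanza, the blank-line branch in the `@@ -518` hunk can reach `packages = append(packages, pkg)` while `pkg` is still nil, for example when the status file begins with a blank line or has two blank lines in a row. The condition guarding that append begins outside the hunk, so this is inferred from the visible lines; if it tests only `!skipPackage`, it should mirror the end-of-file check this patch adds: `if pkg != nil && !skipPackage {`. A nil entry in the returned slice would presumably panic in the first caller that dereferences it, so a malformed or truncated status file could stop package reporting instead of being skipped.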
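Review bot: The comment on the end-of-file append in the `@@ -553` hunk says the file "ends without newline", but the case it handles is a last stanza that is not followed by a blank line; a file ending in a single newline takes this path too, as the fixture added in this patch appears to. I would reword it to `// Append the last package if the file does not end with a blank line.` so a later reader does not narrow the check to a literally missing newline. In the same hunk, `pkg.URL = value` stores the Homepage field as trimmed but otherwise unvalidated text from the status file, which deserves a short comment for consumers that render or follow the URL.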
diff --git a/x-pack/auditbeat/module/system/package/package_test.go b/x-pack/auditbeat/module/system/package/package_test.go
index f194459346dd..61ddd0a0c64f 100644
--- a/x-pack/auditbeat/module/system/package/package_test.go
+++ b/x-pack/auditbeat/module/system/package/package_test.go
@@ -7,10 +7,14 @@
 package pkg
 import (
+ "path/filepath"
 "testing"
+ "github.com/stretchr/testify/assert"
+
 "github.com/elastic/beats/auditbeat/core"
 abtest "github.com/elastic/beats/auditbeat/testing"
+ "github.com/elastic/beats/libbeat/logp"
 mbtest "github.com/elastic/beats/metricbeat/mb/testing"
 )
@@ -18,6 +22,8 @@ func TestData(t *testing.T) {
 defer abtest.SetupDataDir(t)()
 f := mbtest.NewReportingMetricSetV2(t, getConfig())
+ defer f.(*MetricSet).bucket.DeleteBucket()
+
 events, errs := mbtest.ReportingFetchV2(f)
 if len(errs) > 0 {
 t.Fatalf("received error: %+v", errs[0])
@@ -31,6 +37,47 @@ func TestData(t *testing.T) {
 mbtest.WriteEventToDataJSON(t, fullEvent, "")
 }
+func TestDpkg(t *testing.T) {
+ logp.TestingSetup()
+
+ defer abtest.SetupDataDir(t)()
+
+ // Disable all except dpkg
+ rpmPathOld := rpmPath
+ dpkgPathOld := dpkgPath
+ brewPathOld := homebrewCellarPath
+ defer func() {
+ rpmPath = rpmPathOld
+ dpkgPath = dpkgPathOld
+ homebrewCellarPath = brewPathOld
+ }()
+ rpmPath = "/does/not/exist"
+ homebrewCellarPath = "/does/not/exist"
+
+ var err error
+ dpkgPath, err = filepath.Abs("testdata/dpkg/")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ f := mbtest.NewReportingMetricSetV2(t, getConfig())
+ defer f.(*MetricSet).bucket.DeleteBucket()
+
+ events, errs := mbtest.ReportingFetchV2(f)
+ if len(errs) > 0 {
+ t.Fatalf("received error: %+v", errs[0])
+ }
+
+ if assert.Len(t, events, 1) {
+ event := mbtest.StandardizeEvent(f, events[0], core.AddDatasetToEvent)
+ checkFieldValue(t, event, "system.audit.package.name", "test")
+ checkFieldValue(t, event, "system.audit.package.summary", "Test Package")
+ checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
+ checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04")
+ checkFieldValue(t, event, "system.audit.package.entity_id", "+LbVb+f5cZZcYzCp")
+ }
+}
+
 func getConfig() map[string]interface{} {
 return map[string]interface{}{
 "module": "system",
diff --git a/x-pack/auditbeat/module/system/package/testdata/dpkg/status b/x-pack/auditbeat/module/system/package/testdata/dpkg/status
new file mode 100644
index 000000000000..afa6b2a9f4cc
--- /dev/null
+++ b/x-pack/auditbeat/module/system/package/testdata/dpkg/status
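Review bot: TestDpkg covers only the new end-of-file append, because the fixture holds a single installed stanza with no blank line after it; the blank-line branch that now resets `pkg` to nil and the `skipPackage` path in listDebPackages are not exercised. I would add fixture cases with two stanzas separated by a blank line, a stanza the parser is expected to skip, and a leading or doubled blank line, each with its own `assert.Len(t, events, N)`. The assertion in `defer f.(*MetricSet).bucket.DeleteBucket()` is unchecked and would panic rather than fail the test cleanly if the metricset type changed; a comma-ok form with `t.Fatal` gives a clearer failure.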
@@ -0,0 +1,15 @@
+Package: test
+Status: install ok installed
+Priority: optional
+Section: libs
+Installed-Size: 269
+Maintainer: <>
+Architecture: amd64
+Multi-Arch: same
+Source: test-0
+Version: 8.2.0-1ubuntu2~18.04
+Depends: <>
+Description: Test Package
+ This is a test package.
+Homepage: https://www.elastic.co/
+Original-Maintainer: <>
From bc96bcfb7976f7065ee028af3737766f3ab42cec Mon Sep 17 00:00:00 2001
From: Christoph Wurm
Date: Tue, 28 May 2019 15:27:29 -0700
Subject: [PATCH 2/3] Changelog
---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c581c15598c4..df3b651a8436 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -91,6 +91,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix direction of incoming IPv6 sockets. {pull}12248[12248]
 - Package dataset: Close librpm handle. {pull}12215[12215]
 - Package dataset: Auto-detect package directories. {pull}12289[12289]
+- Package dataset: Improve dpkg parsing. {pull}12325[12325]
 *Filebeat*
From 594cc8f9d0dc071b50e2338339c111d3aeecb627 Mon Sep 17 00:00:00 2001
From: Christoph Wurm
Date: Thu, 30 May 2019 12:39:27 -0700
Subject: [PATCH 3/3] Remove entity_id check.
---
 x-pack/auditbeat/module/system/package/package_test.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/auditbeat/module/system/package/package_test.go b/x-pack/auditbeat/module/system/package/package_test.go
index 61ddd0a0c64f..d82f5f3e1c01 100644
--- a/x-pack/auditbeat/module/system/package/package_test.go
+++ b/x-pack/auditbeat/module/system/package/package_test.go
@@ -74,7 +74,6 @@ func TestDpkg(t *testing.T) {
 checkFieldValue(t, event, "system.audit.package.summary", "Test Package")
 checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
 checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04")
- checkFieldValue(t, event, "system.audit.package.entity_id", "+LbVb+f5cZZcYzCp")
 }
 }