[Auditbeat] Package: Improve dpkg parsing #12325

Merged
merged 3 commits into from
May 30, 2019
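--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -91,6 +91,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix direction of incoming IPv6 sockets. {pull}12248[12248]
 - Package dataset: Close librpm handle. {pull}12215[12215]
 - Package dataset: Auto-detect package directories. {pull}12289[12289]
+- Package dataset: Improve dpkg parsing. {pull}12325[12325]
 
 *Filebeat*
 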
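--- a/x-pack/auditbeat/module/system/package/package.go
+++ b/x-pack/auditbeat/module/system/package/package.go
@@ -508,7 +508,7 @@ func listDebPackages() ([]*Package, error) {
 
 var packages []*Package
 var skipPackage bool
-pkg := &Package{}
+var pkg *Package
 scanner := bufio.NewScanner(file)
 for scanner.Scan() {
 line := scanner.Text()
@@ -518,7 +518,7 @@ func listDebPackages() ([]*Package, error) {
 packages = append(packages, pkg)
 }
 skipPackage = false
-pkg = &Package{}
+pkg = nil
 continue
 } else if skipPackage {
 // Skipping this package - read on.
@@ -534,6 +534,11 @@ func listDebPackages() ([]*Package, error) {
 return nil, fmt.Errorf("the following line was unexpected (no ':' found): '%s'", line)
 }
 value := strings.TrimSpace(words[1])
+
+if pkg == nil {
+pkg = &Package{}
+}
+
 switch strings.ToLower(words[0]) {
 case "package":
 pkg.Name = value
@@ -553,12 +558,21 @@ func listDebPackages() ([]*Package, error) {
 if err != nil {
 return nil, errors.Wrapf(err, "error converting %s to int", value)
 }
+case "homepage":
+pkg.URL = value
+default:
+continue
 }
 }
 
 if err = scanner.Err(); err != nil {
 return nil, errors.Wrapf(err, "error scanning file %v", dpkgStatusFile)
 }
+
+// Append last package if file ends without newline
+if pkg != nil && !skipPackage {
+packages = append(packages, pkg)
+}
 
 return packages, nil
 }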
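Review bot: The in-loop `packages = append(packages, pkg)` in the second hunk now runs with a `pkg` that is reset to `nil` after every blank line, so two consecutive blank lines, or a blank line before the first stanza, would put a nil `*Package` into the result unless the guard around it rules that out. The `if` enclosing that append starts outside the hunk, so its condition is not visible here; if it is only `!skipPackage`, it should match the new end-of-file check and become `if pkg != nil && !skipPackage {`. Before this change the worst case on that path was an empty `Package`, whereas a nil entry is likely to panic in whatever dereferences the slice, which for an audit agent would presumably mean the package dataset stops reporting on that host.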
46 changes: 46 additions & 0 deletions x-pack/auditbeat/module/system/package/package_test.go
@@ -7,17 +7,23 @@
package pkg

import (
"path/filepath"
"testing"

"github.com/stretchr/testify/assert"

"github.com/elastic/beats/auditbeat/core"
abtest "github.com/elastic/beats/auditbeat/testing"
"github.com/elastic/beats/libbeat/logp"
mbtest "github.com/elastic/beats/metricbeat/mb/testing"
)

func TestData(t *testing.T) {
defer abtest.SetupDataDir(t)()

f := mbtest.NewReportingMetricSetV2(t, getConfig())
defer f.(*MetricSet).bucket.DeleteBucket()

events, errs := mbtest.ReportingFetchV2(f)
if len(errs) > 0 {
t.Fatalf("received error: %+v", errs[0])
@@ -31,6 +37,46 @@ func TestData(t *testing.T) {
mbtest.WriteEventToDataJSON(t, fullEvent, "")
}

func TestDpkg(t *testing.T) {
logp.TestingSetup()

defer abtest.SetupDataDir(t)()

// Disable all except dpkg
rpmPathOld := rpmPath
dpkgPathOld := dpkgPath
brewPathOld := homebrewCellarPath
defer func() {
rpmPath = rpmPathOld
dpkgPath = dpkgPathOld
homebrewCellarPath = brewPathOld
}()
rpmPath = "/does/not/exist"
homebrewCellarPath = "/does/not/exist"

var err error
dpkgPath, err = filepath.Abs("testdata/dpkg/")
if err != nil {
t.Fatal(err)
}

f := mbtest.NewReportingMetricSetV2(t, getConfig())
defer f.(*MetricSet).bucket.DeleteBucket()

events, errs := mbtest.ReportingFetchV2(f)
if len(errs) > 0 {
t.Fatalf("received error: %+v", errs[0])
}

if assert.Len(t, events, 1) {
event := mbtest.StandardizeEvent(f, events[0], core.AddDatasetToEvent)
checkFieldValue(t, event, "system.audit.package.name", "test")
checkFieldValue(t, event, "system.audit.package.summary", "Test Package")
checkFieldValue(t, event, "system.audit.package.url", "https://www.elastic.co/")
checkFieldValue(t, event, "system.audit.package.version", "8.2.0-1ubuntu2~18.04")
}
}

func getConfig() map[string]interface{} {
return map[string]interface{}{
"module": "system",
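Review bot: TestDpkg covers only one well-formed stanza that ends the file without a trailing blank line, so the new nil handling in listDebPackages is exercised on a single path. A second fixture with several stanzas, repeated blank lines between them, and one entry that the parser is expected to skip (presumably a Status other than installed) would pin the separator and skip logic. Asserting that every returned event has a non-empty `system.audit.package.name` would catch a nil or empty package slipping through. The test also swaps the package-level `rpmPath`, `dpkgPath` and `homebrewCellarPath`, which deserves a short comment above the save/restore block such as `// Not safe with t.Parallel(): mutates package-level paths.`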
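--- a/x-pack/auditbeat/module/system/package/testdata/dpkg/status
+++ b/x-pack/auditbeat/module/system/package/testdata/dpkg/status
@@ -0,0 +1,15 @@
+Package: test
+Status: install ok installed
+Priority: optional
+Section: libs
+Installed-Size: 269
+Maintainer: <>
+Architecture: amd64
+Multi-Arch: same
+Source: test-0
+Version: 8.2.0-1ubuntu2~18.04
+Depends: <>
+Description: Test Package
+This is a test package.
+Homepage: https://www.elastic.co/
+Original-Maintainer: <>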