Keep exit event process in DB

With the add_session_metadata processor, don't remove processes from the process
db when the process has exited.

The processor can be run on an fork/exec events after the process has actually
exited, so the process must remain in the DB after it has exited, so the info
can be used in enrichment of these events.

Now the process is kept in the DB, and the exit code is appended, so the exit
code is also now properly enriched for exit events.

x-pack/auditbeat/processors/sessionmd/add_session_metadata.go

@@ -70,6 +70,9 @@ func New(cfg *cfg.C) (beat.Processor, error) {
 			if err != nil {
 				return nil, fmt.Errorf("failed to create provider: %w", err)
 			}
+			logger.Info("backend=auto using procfs")
+		} else {
+			logger.Info("backend=auto using ebpf")
 		}
 	case "ebpf":
 		p, err = ebpf_provider.NewProvider(ctx, logger, db)

x-pack/auditbeat/processors/sessionmd/processdb/db.go

@@ -82,6 +82,7 @@ type Process struct {
 	Cwd      string
 	Env      map[string]string
 	Filename string
+	ExitCode int32
 }
 
 var (
@@ -406,7 +407,14 @@ func (db *DB) InsertExit(exit types.ProcessExitEvent) {
 	defer db.mutex.Unlock()
 
 	pid := exit.PIDs.Tgid
-	delete(db.processes, pid)
+	process, ok := db.processes[pid]
+	if !ok {
+		db.logger.Errorf("could not insert exit, pid %v not found in db", pid)
+	}
+
+	process.ExitCode = exit.ExitCode
+	db.processes[pid] = process
+
 	delete(db.entryLeaders, pid)
 	delete(db.entryLeaderRelationships, pid)
 }
@@ -437,6 +445,7 @@ func fullProcessFromDBProcess(p Process) types.Process {
 	ret.Thread.Capabilities.Effective, _ = capabilities.FromUint64(p.Creds.CapEffective)
 	ret.TTY.CharDevice.Major = p.CTTY.Major
 	ret.TTY.CharDevice.Minor = p.CTTY.Minor
+	ret.ExitCode = p.ExitCode
 
 	return ret
 }
@@ -556,22 +565,7 @@ func (db *DB) GetProcess(pid uint32) (types.Process, error) {
 
 	process, ok := db.processes[pid]
 	if !ok {
-		procInfo, err := db.procfs.GetProcess(pid)
-		if err != nil {
-			return types.Process{}, errors.New("process not found in db (scraping from proc failed)")
-		}
-		process := Process{
-			PIDs:     pidInfoFromProto(procInfo.PIDs),
-			Creds:    credInfoFromProto(procInfo.Creds),
-			CTTY:     ttyDevFromProto(procInfo.CTTY),
-			Argv:     procInfo.Argv,
-			Cwd:      procInfo.Cwd,
-			Env:      procInfo.Env,
-			Filename: procInfo.Filename,
-		}
-		db.insertProcess(process)
-
-		process = db.processes[pid]
+		return types.Process{}, errors.New("process not found")
 	}
 
 	ret := fullProcessFromDBProcess(process)

x-pack/auditbeat/processors/sessionmd/types/process.go

@@ -33,7 +33,7 @@ type Process struct {
 
 	// The exit code of the process, if this is a termination event.
 	// The field should be absent if there is no exit code for the event (e.g. process start).
-	ExitCode *int64 `json:"exit_code,omitempty"`
+	ExitCode int32 `json:"exit_code,omitempty"`
 
 	// Whether the process is connected to an interactive shell.
 	// Process interactivity is inferred from the processes file descriptors. If the character device for the controlling tty is the same as stdin and stderr for the process, the process is considered interactive.