diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 6840ef4ed533..11e20daeacb7 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -128,6 +128,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - auditd: Update syscall names for Linux 6.11. {pull}41558[41558] - hasher: Geneneral improvements and fixes. {pull}41863[41863] - hasher: Add a cached hasher for upcoming backend. {pull}41952[41952] +- Split common tty definitions. {pull}42004[42004] *Filebeat* diff --git a/auditbeat/helper/tty/tty.go b/auditbeat/helper/tty/tty.go new file mode 100644 index 000000000000..509fa6b9aa68 --- /dev/null +++ b/auditbeat/helper/tty/tty.go @@ -0,0 +1,76 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package tty + +type TTYType int + +const ( + TTYUnknown TTYType = iota + Pts + TTY + TTYConsole +) + +const ( + ptsMinMajor = 136 + ptsMaxMajor = 143 + ttyMajor = 4 + consoleMaxMinor = 63 + ttyMaxMinor = 255 +) + +type TTYDev struct { + Minor uint32 + Major uint32 + Winsize TTYWinsize + Termios TTYTermios +} + +type TTYWinsize struct { + Rows uint16 + Cols uint16 +} + +type TTYTermios struct { + CIflag uint32 + COflag uint32 + CLflag uint32 + CCflag uint32 +} + +// interactiveFromTTY returns if this is an interactive tty device. +func InteractiveFromTTY(tty TTYDev) bool { + return TTYUnknown != GetTTYType(tty.Major, tty.Minor) +} + +// getTTYType returns the type of a TTY device based on its major and minor numbers. +func GetTTYType(major uint32, minor uint32) TTYType { + if major >= ptsMinMajor && major <= ptsMaxMajor { + return Pts + } + + if ttyMajor == major { + if minor <= consoleMaxMinor { + return TTYConsole + } else if minor > consoleMaxMinor && minor <= ttyMaxMinor { + return TTY + } + } + + return TTYUnknown +} diff --git a/x-pack/auditbeat/processors/sessionmd/processdb/db.go b/x-pack/auditbeat/processors/sessionmd/processdb/db.go index 1f97f7d0fd58..e9e53eb965ac 100644 --- a/x-pack/auditbeat/processors/sessionmd/processdb/db.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/db.go @@ -20,6 +20,7 @@ import ( "sync" "time" + "github.com/elastic/beats/v7/auditbeat/helper/tty" "github.com/elastic/beats/v7/libbeat/common/capabilities" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/timeutils" @@ -27,15 +28,6 @@ import ( "github.com/elastic/elastic-agent-libs/logp" ) -type TTYType int - -const ( - TTYUnknown TTYType = iota - Pts - TTY - TTYConsole -) - type EntryType string const ( @@ -67,18 +59,13 @@ var filteredExecutables = [...]string{ } const ( - ptsMinMajor = 136 - ptsMaxMajor = 143 - ttyMajor = 4 - consoleMaxMinor = 63 - ttyMaxMinor = 255 - retryCount = 2 + retryCount = 2 ) type Process struct { PIDs types.PIDInfo Creds types.CredInfo - CTTY types.TTYDev + CTTY tty.TTYDev Argv []string Cwd string Env map[string]string @@ -142,8 +129,8 @@ func credInfoFromProto(p types.CredInfo) types.CredInfo { } } -func ttyTermiosFromProto(p types.TTYTermios) types.TTYTermios { - return types.TTYTermios{ +func ttyTermiosFromProto(p tty.TTYTermios) tty.TTYTermios { + return tty.TTYTermios{ CIflag: p.CIflag, COflag: p.COflag, CLflag: p.CLflag, @@ -151,15 +138,15 @@ func ttyTermiosFromProto(p types.TTYTermios) types.TTYTermios { } } -func ttyWinsizeFromProto(p types.TTYWinsize) types.TTYWinsize { - return types.TTYWinsize{ +func ttyWinsizeFromProto(p tty.TTYWinsize) tty.TTYWinsize { + return tty.TTYWinsize{ Rows: p.Rows, Cols: p.Cols, } } -func ttyDevFromProto(p types.TTYDev) types.TTYDev { - return types.TTYDev{ +func ttyDevFromProto(p tty.TTYDev) tty.TTYDev { + return tty.TTYDev{ Major: p.Major, Minor: p.Minor, Winsize: ttyWinsizeFromProto(p.Winsize), @@ -319,15 +306,15 @@ func (db *DB) evaluateEntryLeader(p Process) *uint32 { // could be an entry leader if p.PIDs.Tgid == p.PIDs.Sid { - ttyType := getTTYType(p.CTTY.Major, p.CTTY.Minor) + ttyType := tty.GetTTYType(p.CTTY.Major, p.CTTY.Minor) procBasename := basename(p.Filename) switch { - case ttyType == TTY: + case ttyType == tty.TTY: db.createEntryLeader(pid, Terminal) db.logger.Debugf("entry_eval %d: entry type is terminal", p.PIDs.Tgid) return &pid - case ttyType == TTYConsole && procBasename == "login": + case ttyType == tty.TTYConsole && procBasename == "login": db.createEntryLeader(pid, EntryConsole) db.logger.Debugf("entry_eval %d: entry type is console", p.PIDs.Tgid) return &pid @@ -338,7 +325,7 @@ func (db *DB) evaluateEntryLeader(p Process) *uint32 { case !isFilteredExecutable(procBasename): if parent, ok := db.processes[p.PIDs.Ppid]; ok { parentBasename := basename(parent.Filename) - if ttyType == Pts && parentBasename == "ssm-session-worker" { + if ttyType == tty.Pts && parentBasename == "ssm-session-worker" { db.createEntryLeader(pid, Ssm) db.logger.Debugf("entry_eval %d: entry type is ssm", p.PIDs.Tgid) return &pid @@ -433,13 +420,9 @@ func (db *DB) InsertExit(exit types.ProcessExitEvent) { }) } -func interactiveFromTTY(tty types.TTYDev) bool { - return TTYUnknown != getTTYType(tty.Major, tty.Minor) -} - func fullProcessFromDBProcess(p Process) types.Process { reducedPrecisionStartTime := timeutils.ReduceTimestampPrecision(p.PIDs.StartTimeNS) - interactive := interactiveFromTTY(p.CTTY) + interactive := tty.InteractiveFromTTY(p.CTTY) ret := types.Process{ PID: p.PIDs.Tgid, @@ -475,7 +458,7 @@ func fullProcessFromDBProcess(p Process) types.Process { func fillParent(process *types.Process, parent Process) { reducedPrecisionStartTime := timeutils.ReduceTimestampPrecision(parent.PIDs.StartTimeNS) - interactive := interactiveFromTTY(parent.CTTY) + interactive := tty.InteractiveFromTTY(parent.CTTY) euid := parent.Creds.Euid egid := parent.Creds.Egid process.Parent.PID = parent.PIDs.Tgid @@ -500,7 +483,7 @@ func fillParent(process *types.Process, parent Process) { func fillGroupLeader(process *types.Process, groupLeader Process) { reducedPrecisionStartTime := timeutils.ReduceTimestampPrecision(groupLeader.PIDs.StartTimeNS) - interactive := interactiveFromTTY(groupLeader.CTTY) + interactive := tty.InteractiveFromTTY(groupLeader.CTTY) euid := groupLeader.Creds.Euid egid := groupLeader.Creds.Egid process.GroupLeader.PID = groupLeader.PIDs.Tgid @@ -525,7 +508,7 @@ func fillGroupLeader(process *types.Process, groupLeader Process) { func fillSessionLeader(process *types.Process, sessionLeader Process) { reducedPrecisionStartTime := timeutils.ReduceTimestampPrecision(sessionLeader.PIDs.StartTimeNS) - interactive := interactiveFromTTY(sessionLeader.CTTY) + interactive := tty.InteractiveFromTTY(sessionLeader.CTTY) euid := sessionLeader.Creds.Euid egid := sessionLeader.Creds.Egid process.SessionLeader.PID = sessionLeader.PIDs.Tgid @@ -550,7 +533,7 @@ func fillSessionLeader(process *types.Process, sessionLeader Process) { func fillEntryLeader(process *types.Process, entryType EntryType, entryLeader Process) { reducedPrecisionStartTime := timeutils.ReduceTimestampPrecision(entryLeader.PIDs.StartTimeNS) - interactive := interactiveFromTTY(entryLeader.CTTY) + interactive := tty.InteractiveFromTTY(entryLeader.CTTY) euid := entryLeader.Creds.Euid egid := entryLeader.Creds.Egid process.EntryLeader.PID = entryLeader.PIDs.Tgid @@ -743,22 +726,6 @@ func isFilteredExecutable(executable string) bool { return stringStartsWithEntryInList(executable, filteredExecutables[:]) } -func getTTYType(major uint32, minor uint32) TTYType { - if major >= ptsMinMajor && major <= ptsMaxMajor { - return Pts - } - - if ttyMajor == major { - if minor <= consoleMaxMinor { - return TTYConsole - } else if minor > consoleMaxMinor && minor <= ttyMaxMinor { - return TTY - } - } - - return TTYUnknown -} - func (db *DB) Close() { close(db.stopChan) } diff --git a/x-pack/auditbeat/processors/sessionmd/processdb/db_test.go b/x-pack/auditbeat/processors/sessionmd/processdb/db_test.go index 086c694f51fa..5cd1eed1ffcb 100644 --- a/x-pack/auditbeat/processors/sessionmd/processdb/db_test.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/db_test.go @@ -11,14 +11,15 @@ import ( "github.com/stretchr/testify/require" + "github.com/elastic/beats/v7/auditbeat/helper/tty" "github.com/elastic/elastic-agent-libs/logp" ) var logger = logp.NewLogger("processdb") func TestGetTTYType(t *testing.T) { - require.Equal(t, TTYConsole, getTTYType(4, 0)) - require.Equal(t, Pts, getTTYType(136, 0)) - require.Equal(t, TTY, getTTYType(4, 64)) - require.Equal(t, TTYUnknown, getTTYType(1000, 1000)) + require.Equal(t, tty.TTYConsole, tty.GetTTYType(4, 0)) + require.Equal(t, tty.Pts, tty.GetTTYType(136, 0)) + require.Equal(t, tty.TTY, tty.GetTTYType(4, 64)) + require.Equal(t, tty.TTYUnknown, tty.GetTTYType(1000, 1000)) } diff --git a/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go b/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go index fa0bc6e17993..a3315d61b4c4 100644 --- a/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go +++ b/x-pack/auditbeat/processors/sessionmd/processdb/entry_leader_test.go @@ -12,6 +12,7 @@ import ( "github.com/stretchr/testify/require" + "github.com/elastic/beats/v7/auditbeat/helper/tty" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/procfs" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" ) @@ -201,7 +202,7 @@ func TestSingleProcessSessionLeaderEntryTypeTerminal(t *testing.T) { Tgid: pid, Sid: pid, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 4, Minor: 64, }, @@ -225,7 +226,7 @@ func TestSingleProcessSessionLeaderLoginProcess(t *testing.T) { Tgid: pid, Sid: pid, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 4, Minor: 62, }, @@ -255,7 +256,7 @@ func TestSingleProcessSessionLeaderChildOfInit(t *testing.T) { Sid: pid, Ppid: 1, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -294,7 +295,7 @@ func TestSingleProcessSessionLeaderChildOfSsmSessionWorker(t *testing.T) { Sid: bashPID, Ppid: ssmPID, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -329,7 +330,7 @@ func TestSingleProcessSessionLeaderChildOfSshd(t *testing.T) { Sid: bashPID, Ppid: sshdPID, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -364,7 +365,7 @@ func TestSingleProcessSessionLeaderChildOfContainerdShim(t *testing.T) { Sid: bashPID, Ppid: containerdShimPID, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -400,7 +401,7 @@ func TestSingleProcessSessionLeaderChildOfRunc(t *testing.T) { Sid: bashPID, Ppid: runcPID, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -428,7 +429,7 @@ func TestSingleProcessEmptyProcess(t *testing.T) { Tgid: pid, Sid: pid, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -471,7 +472,7 @@ func TestSingleProcessOverwriteOldEntryLeader(t *testing.T) { Sid: ssmPID, Ppid: ssmPID, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, @@ -492,7 +493,7 @@ func TestSingleProcessOverwriteOldEntryLeader(t *testing.T) { Sid: bashPID, Ppid: ssmPID, }, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: 136, Minor: 62, }, diff --git a/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go b/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go index 992e24858363..2d5d26bc3883 100644 --- a/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go +++ b/x-pack/auditbeat/processors/sessionmd/procfs/procfs.go @@ -13,6 +13,7 @@ import ( "github.com/prometheus/procfs" "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/helper/tty" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/timeutils" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" "github.com/elastic/elastic-agent-libs/logp" @@ -47,7 +48,7 @@ type Stat procfs.ProcStat type ProcessInfo struct { PIDs types.PIDInfo Creds types.CredInfo - CTTY types.TTYDev + CTTY tty.TTYDev Argv []string Cwd string Env map[string]string @@ -165,7 +166,7 @@ func (r ProcfsReader) getProcessInfo(proc procfs.Proc) (ProcessInfo, error) { Sid: uint32(stat.Session), }, Creds: creds, - CTTY: types.TTYDev{ + CTTY: tty.TTYDev{ Major: MajorTTY(uint32(stat.TTY)), Minor: MinorTTY(uint32(stat.TTY)), }, diff --git a/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go b/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go index d3ec4ba7bd3d..e57c5d693557 100644 --- a/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go +++ b/x-pack/auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go @@ -20,6 +20,7 @@ import ( quark "github.com/elastic/go-quark" + "github.com/elastic/beats/v7/auditbeat/helper/tty" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/provider" "github.com/elastic/beats/v7/x-pack/auditbeat/processors/sessionmd/types" @@ -38,15 +39,6 @@ type prvdr struct { backoffSkipped int } -type TTYType int - -const ( - TTYUnknown TTYType = iota - Pts - TTY - TTYConsole -) - const ( Init = "init" Sshd = "sshd" @@ -58,14 +50,6 @@ const ( EntryUnknown = "unknown" ) -const ( - ptsMinMajor = 136 - ptsMaxMajor = 143 - ttyMajor = 4 - consoleMaxMinor = 63 - ttyMaxMinor = 255 -) - var ( bootID string pidNsInode uint64 @@ -241,7 +225,7 @@ func (p *prvdr) GetProcess(pid uint32) (*types.Process, error) { return nil, fmt.Errorf("PID %d not found in cache", pid) } - interactive := interactiveFromTTY(types.TTYDev{ + interactive := tty.InteractiveFromTTY(tty.TTYDev{ Major: proc.Proc.TtyMajor, Minor: proc.Proc.TtyMinor, }) @@ -303,7 +287,7 @@ func (p prvdr) fillParent(process *types.Process, ppid uint32) { } start := time.Unix(0, int64(proc.Proc.TimeBoot)) - interactive := interactiveFromTTY(types.TTYDev{ + interactive := tty.InteractiveFromTTY(tty.TTYDev{ Major: proc.Proc.TtyMajor, Minor: proc.Proc.TtyMinor, }) @@ -338,7 +322,7 @@ func (p prvdr) fillGroupLeader(process *types.Process, pgid uint32) { start := time.Unix(0, int64(proc.Proc.TimeBoot)) - interactive := interactiveFromTTY(types.TTYDev{ + interactive := tty.InteractiveFromTTY(tty.TTYDev{ Major: proc.Proc.TtyMajor, Minor: proc.Proc.TtyMinor, }) @@ -373,7 +357,7 @@ func (p prvdr) fillSessionLeader(process *types.Process, sid uint32) { start := time.Unix(0, int64(proc.Proc.TimeBoot)) - interactive := interactiveFromTTY(types.TTYDev{ + interactive := tty.InteractiveFromTTY(tty.TTYDev{ Major: proc.Proc.TtyMajor, Minor: proc.Proc.TtyMinor, }) @@ -408,7 +392,7 @@ func (p prvdr) fillEntryLeader(process *types.Process, elid uint32) { start := time.Unix(0, int64(proc.Proc.TimeBoot)) - interactive := interactiveFromTTY(types.TTYDev{ + interactive := tty.InteractiveFromTTY(tty.TTYDev{ Major: proc.Proc.TtyMajor, Minor: proc.Proc.TtyMinor, }) @@ -475,28 +459,6 @@ func setSameAsProcess(process *types.Process) { } } -// interactiveFromTTY returns if this is an interactive tty device. -func interactiveFromTTY(tty types.TTYDev) bool { - return TTYUnknown != getTTYType(tty.Major, tty.Minor) -} - -// getTTYType returns the type of a TTY device based on its major and minor numbers. -func getTTYType(major uint32, minor uint32) TTYType { - if major >= ptsMinMajor && major <= ptsMaxMajor { - return Pts - } - - if ttyMajor == major { - if minor <= consoleMaxMinor { - return TTYConsole - } else if minor > consoleMaxMinor && minor <= ttyMaxMinor { - return TTY - } - } - - return TTYUnknown -} - // calculateEntityIDv1 calculates the entity ID for a process. // This is a globally unique identifier for the process. func calculateEntityIDv1(pid uint32, startTime time.Time) string { diff --git a/x-pack/auditbeat/processors/sessionmd/types/events.go b/x-pack/auditbeat/processors/sessionmd/types/events.go index 857ab8fa2c10..2f5cc3109e9d 100644 --- a/x-pack/auditbeat/processors/sessionmd/types/events.go +++ b/x-pack/auditbeat/processors/sessionmd/types/events.go @@ -6,6 +6,8 @@ package types //go:generate stringer -linecomment=true -type=Type,HookPoint,Field -output=gen_types_string.go +import "github.com/elastic/beats/v7/auditbeat/helper/tty" + type Type uint64 const ( @@ -47,25 +49,6 @@ type CredInfo struct { CapEffective uint64 } -type TTYWinsize struct { - Rows uint16 - Cols uint16 -} - -type TTYTermios struct { - CIflag uint32 - COflag uint32 - CLflag uint32 - CCflag uint32 -} - -type TTYDev struct { - Minor uint32 - Major uint32 - Winsize TTYWinsize - Termios TTYTermios -} - type ProcessForkEvent struct { ParentPIDs PIDInfo ChildPIDs PIDInfo @@ -75,7 +58,7 @@ type ProcessForkEvent struct { type ProcessExecEvent struct { PIDs PIDInfo Creds CredInfo - CTTY TTYDev + CTTY tty.TTYDev // varlen fields CWD string