diff --git a/filebeat/input/journald/pkg/journalfield/conv.go b/filebeat/input/journald/pkg/journalfield/conv.go
index a6a9b78bcbf2..bd7403ae142f 100644
--- a/filebeat/input/journald/pkg/journalfield/conv.go
+++ b/filebeat/input/journald/pkg/journalfield/conv.go
@@ -213,47 +213,47 @@ func expandCapabilities(fields mapstr.M) {
 // include/uapi/linux/capability.h
 var capTable = [...]string{
- 0: "cap_chown",
- 1: "cap_dac_override",
- 2: "cap_dac_read_search",
- 3: "cap_fowner",
- 4: "cap_fsetid",
- 5: "cap_kill",
- 6: "cap_setgid",
- 7: "cap_setuid",
- 8: "cap_setpcap",
- 9: "cap_linux_immutable",
- 10: "cap_net_bind_service",
- 11: "cap_net_broadcast",
- 12: "cap_net_admin",
- 13: "cap_net_raw",
- 14: "cap_ipc_lock",
- 15: "cap_ipc_owner",
- 16: "cap_sys_module",
- 17: "cap_sys_rawio",
- 18: "cap_sys_chroot",
- 19: "cap_sys_ptrace",
- 20: "cap_sys_pacct",
- 21: "cap_sys_admin",
- 22: "cap_sys_boot",
- 23: "cap_sys_nice",
- 24: "cap_sys_resource",
- 25: "cap_sys_time",
- 26: "cap_sys_tty_config",
- 27: "cap_mknod",
- 28: "cap_lease",
- 29: "cap_audit_write",
- 30: "cap_audit_control",
- 31: "cap_setfcap",
- 32: "cap_mac_override",
- 33: "cap_mac_admin",
- 34: "cap_syslog",
- 35: "cap_wake_alarm",
- 36: "cap_block_suspend",
- 37: "cap_audit_read",
- 38: "cap_perfmon",
- 39: "cap_bpf",
- 40: "cap_checkpoint_restore",
+ 0: "CAP_CHOWN",
+ 1: "CAP_DAC_OVERRIDE",
+ 2: "CAP_DAC_READ_SEARCH",
+ 3: "CAP_FOWNER",
+ 4: "CAP_FSETID",
+ 5: "CAP_KILL",
+ 6: "CAP_SETGID",
+ 7: "CAP_SETUID",
+ 8: "CAP_SETPCAP",
+ 9: "CAP_LINUX_IMMUTABLE",
+ 10: "CAP_NET_BIND_SERVICE",
+ 11: "CAP_NET_BROADCAST",
+ 12: "CAP_NET_ADMIN",
+ 13: "CAP_NET_RAW",
+ 14: "CAP_IPC_LOCK",
+ 15: "CAP_IPC_OWNER",
+ 16: "CAP_SYS_MODULE",
+ 17: "CAP_SYS_RAWIO",
+ 18: "CAP_SYS_CHROOT",
+ 19: "CAP_SYS_PTRACE",
+ 20: "CAP_SYS_PACCT",
+ 21: "CAP_SYS_ADMIN",
+ 22: "CAP_SYS_BOOT",
+ 23: "CAP_SYS_NICE",
+ 24: "CAP_SYS_RESOURCE",
+ 25: "CAP_SYS_TIME",
+ 26: "CAP_SYS_TTY_CONFIG",
+ 27: "CAP_MKNOD",
+ 28: "CAP_LEASE",
+ 29: "CAP_AUDIT_WRITE",
+ 30: "CAP_AUDIT_CONTROL",
+ 31: "CAP_SETFCAP",
+ 32: "CAP_MAC_OVERRIDE",
+ 33: "CAP_MAC_ADMIN",
+ 34: "CAP_SYSLOG",
+ 35: "CAP_WAKE_ALARM",
+ 36: "CAP_BLOCK_SUSPEND",
+ 37: "CAP_AUDIT_READ",
+ 38: "CAP_PERFMON",
+ 39: "CAP_BPF",
+ 40: "CAP_CHECKPOINT_RESTORE",
 }
 func getStringFromFields(key string, fields mapstr.M) string {
diff --git a/filebeat/input/journald/pkg/journalfield/conv_expand_test.go b/filebeat/input/journald/pkg/journalfield/conv_expand_test.go
index 0362541fe39f..c43e57a1c494 100644
--- a/filebeat/input/journald/pkg/journalfield/conv_expand_test.go
+++ b/filebeat/input/journald/pkg/journalfield/conv_expand_test.go
@@ -30,7 +30,9 @@ var expandCapabilitiesTests = []struct {
 src mapstr.M
 want mapstr.M
 }{
- // All test cases were constructed based on behaviour of capsh --decode .
+ // All test cases were constructed based on behaviour of capsh --decode ,
+ // with the exception that the CONSTANT names are used instead of the canonical lowercase names in order
+ // to conform with ECS directions.
 {
 name: "none",
 src: mapstr.M{
@@ -67,7 +69,7 @@ var expandCapabilitiesTests = []struct {
 "thread": mapstr.M{
 "capabilities": mapstr.M{
 "effective": []string{
- "cap_chown",
+ "CAP_CHOWN",
 },
 },
 },
@@ -93,7 +95,7 @@ var expandCapabilitiesTests = []struct {
 "thread": mapstr.M{
 "capabilities": mapstr.M{
 "effective": []string{
- "cap_chown",
+ "CAP_CHOWN",
 },
 },
 },
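Review bot: Changing the strings in capTable changes the values shipped in the capability list that the tests expect under `thread.capabilities.effective`, so any saved search, dashboard or detection rule written against the old lowercase names (`cap_sys_admin`, `cap_net_raw`, ...) will silently stop matching after an upgrade, and nothing in this diff records that as a breaking change or documents the new convention at the definition. The table still carries only the bare `// include/uapi/linux/capability.h` comment; I would replace it with `// capTable maps a Linux capability bit index to its CAP_* constant name from include/uapi/linux/capability.h.` and `// Names are uppercase to follow ECS; bits past the end of the table are not named here (the tests show them emitted as decimal strings).` so the contract is visible where the strings live, and add a changelog entry flagging the value change. The body of expandCapabilities is outside the hunk, as is the body of getStringFromFields, whose signature is the hunk's last line.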
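Review bot: The rewritten comment above the test table has a stray space before the comma (`capsh --decode ,`) and breaks mid-sentence, which reads awkwardly for the one place that explains why these expectations differ from capsh output. I would write it as `// All test cases were constructed from the behaviour of capsh --decode, except that the` followed by `// uppercase CAP_* constant names are used instead of capsh's lowercase names, to conform with ECS.` The expandCapabilitiesTests declaration starts before this hunk and continues past it.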
@@ -119,47 +121,47 @@ var expandCapabilitiesTests = []struct {
 "thread": mapstr.M{
 "capabilities": mapstr.M{
 "effective": []string{
- "cap_chown",
- "cap_dac_override",
- "cap_dac_read_search",
- "cap_fowner",
- "cap_fsetid",
- "cap_kill",
- "cap_setgid",
- "cap_setuid",
- "cap_setpcap",
- "cap_linux_immutable",
- "cap_net_bind_service",
- "cap_net_broadcast",
- "cap_net_admin",
- "cap_net_raw",
- "cap_ipc_lock",
- "cap_ipc_owner",
- "cap_sys_module",
- "cap_sys_rawio",
- "cap_sys_chroot",
- "cap_sys_ptrace",
- "cap_sys_pacct",
- "cap_sys_admin",
- "cap_sys_boot",
- "cap_sys_nice",
- "cap_sys_resource",
- "cap_sys_time",
- "cap_sys_tty_config",
- "cap_mknod",
- "cap_lease",
- "cap_audit_write",
- "cap_audit_control",
- "cap_setfcap",
- "cap_mac_override",
- "cap_mac_admin",
- "cap_syslog",
- "cap_wake_alarm",
- "cap_block_suspend",
- "cap_audit_read",
- "cap_perfmon",
- "cap_bpf",
- "cap_checkpoint_restore",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ",
+ "CAP_PERFMON",
+ "CAP_BPF",
+ "CAP_CHECKPOINT_RESTORE",
 },
 },
 },
@@ -185,47 +187,47 @@ var expandCapabilitiesTests = []struct {
 "thread": mapstr.M{
 "capabilities": mapstr.M{
 "effective": []string{
- "cap_chown",
- "cap_dac_override",
- "cap_dac_read_search",
- "cap_fowner",
- "cap_fsetid",
- "cap_kill",
- "cap_setgid",
- "cap_setuid",
- "cap_setpcap",
- "cap_linux_immutable",
- "cap_net_bind_service",
- "cap_net_broadcast",
- "cap_net_admin",
- "cap_net_raw",
- "cap_ipc_lock",
- "cap_ipc_owner",
- "cap_sys_module",
- "cap_sys_rawio",
- "cap_sys_chroot",
- "cap_sys_ptrace",
- "cap_sys_pacct",
- "cap_sys_admin",
- "cap_sys_boot",
- "cap_sys_nice",
- "cap_sys_resource",
- "cap_sys_time",
- "cap_sys_tty_config",
- "cap_mknod",
- "cap_lease",
- "cap_audit_write",
- "cap_audit_control",
- "cap_setfcap",
- "cap_mac_override",
- "cap_mac_admin",
- "cap_syslog",
- "cap_wake_alarm",
- "cap_block_suspend",
- "cap_audit_read",
- "cap_perfmon",
- "cap_bpf",
- "cap_checkpoint_restore",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_FSETID",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETPCAP",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_RAWIO",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_PACCT",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_BOOT",
+ "CAP_SYS_NICE",
+ "CAP_SYS_RESOURCE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_WRITE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
+ "CAP_MAC_OVERRIDE",
+ "CAP_MAC_ADMIN",
+ "CAP_SYSLOG",
+ "CAP_WAKE_ALARM",
+ "CAP_BLOCK_SUSPEND",
+ "CAP_AUDIT_READ",
+ "CAP_PERFMON",
+ "CAP_BPF",
+ "CAP_CHECKPOINT_RESTORE",
 "41",
 "42",
 },
@@ -253,30 +255,30 @@ var expandCapabilitiesTests = []struct {
 "thread": mapstr.M{
 "capabilities": mapstr.M{
 "effective": []string{
- "cap_chown",
- "cap_dac_override",
- "cap_dac_read_search",
- "cap_fowner",
- "cap_kill",
- "cap_setgid",
- "cap_setuid",
- "cap_linux_immutable",
- "cap_net_bind_service",
- "cap_net_broadcast",
- "cap_net_admin",
- "cap_net_raw",
- "cap_ipc_owner",
- "cap_sys_module",
- "cap_sys_chroot",
- "cap_sys_ptrace",
- "cap_sys_admin",
- "cap_sys_nice",
- "cap_sys_time",
- "cap_sys_tty_config",
- "cap_mknod",
- "cap_lease",
- "cap_audit_control",
- "cap_setfcap",
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_DAC_READ_SEARCH",
+ "CAP_FOWNER",
+ "CAP_KILL",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_LINUX_IMMUTABLE",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_NET_BROADCAST",
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_OWNER",
+ "CAP_SYS_MODULE",
+ "CAP_SYS_CHROOT",
+ "CAP_SYS_PTRACE",
+ "CAP_SYS_ADMIN",
+ "CAP_SYS_NICE",
+ "CAP_SYS_TIME",
+ "CAP_SYS_TTY_CONFIG",
+ "CAP_MKNOD",
+ "CAP_LEASE",
+ "CAP_AUDIT_CONTROL",
+ "CAP_SETFCAP",
 },
 },
 },