Enhancements to auditbeat file metricset (#4796)

Modify `file.paths` to be a list instead of a dictionary.
Added `file.hash_types` config option for controlling the hash types.
Added new hash types.
Fixed `file.max_file_size` config option. It was missing the "file." prefix when reading the option.
Added the ability to specify byte unit suffixes to `file.max_file_size`.
Added documentation for the audit file metricset.

CHANGELOG.asciidoc

@@ -16,6 +16,10 @@ https://github.com/elastic/beats/compare/v6.0.0-beta1...master[Check the HEAD di
 
 - The log directory (`path.log`) for Windows services is now set to `C:\ProgramData\[beatname]\logs`. {issue}4764[4764]
 
+*Auditbeat*
+
+- Changed file metricset config to make `file.paths` a list instead of a dictionary. {pull}4796[4796]
+
 *Filebeat*
 
 *Heartbeat*
@@ -30,6 +34,11 @@ https://github.com/elastic/beats/compare/v6.0.0-beta1...master[Check the HEAD di
 
 *Affecting all Beats*
 - Fix go plugins not loaded when beat starts {pull}4799[4799]
+
+*Auditbeat*
+
+- Fix `file.max_file_size` config option for the audit file metricset. {pull}4796[4796]
+
 *Filebeat*
 
 - Fix issue where the `fileset.module` could have the wrong value. {issue}4761[4761]
@@ -48,6 +57,11 @@ https://github.com/elastic/beats/compare/v6.0.0-beta1...master[Check the HEAD di
 
 *Affecting all Beats*
 
+*Auditbeat*
+
+- Added `file.hash_types` config option for controlling the hash types. {pull}4796[4796]
+- Added the ability to specify byte unit suffixes to `file.max_file_size`. {pull}4796[4796]
+
 *Filebeat*
 
 *Heartbeat*

auditbeat/auditbeat.reference.yml

@@ -46,21 +46,22 @@ auditbeat.modules:
     #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
 
 # The file integrity metricset sends events when files are changed (created,
-# updated, deleted). The events contain file metadata and hashes (MD5, SHA1, and
-# SHA256).
+# updated, deleted). The events contain file metadata and hashes.
 - module: audit
   metricsets: [file]
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
 
-  # Limit in bytes on the size of files that will be hashed.
-  file.max_file_size: 1073741824 # 1 GiB
+  # Limit on the size of files that will be hashed. Default is 100 MiB.
+  file.max_file_size: 100 MiB
+
+  # Hash types to compute when the file changes. Supported types are md5, sha1,
+  # sha224, sha256, sha384, sha512, sha512_224, and sha512_256. Default is sha1.
+  file.hash_types: [sha1]
 
 
 #================================ General ======================================

auditbeat/auditbeat.yml

@@ -21,13 +21,11 @@ auditbeat.modules:
 - module: audit
   metricsets: [file]
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
 
 
 

auditbeat/docs/auditbeat-modules-config.asciidoc

@@ -21,13 +21,11 @@ auditbeat.modules:
 - module: audit
   metricsets: [file]
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
 ----
 
 The configuration details vary by module. See the

auditbeat/docs/getting-started.asciidoc

@@ -152,13 +152,11 @@ auditbeat.modules:
 - module: audit
   metricsets: [file]
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
 -------------------------------------
 +
 If you accept the default configuration without specifying additional modules,

auditbeat/docs/modules/audit.asciidoc

@@ -32,13 +32,11 @@ auditbeat.modules:
 - module: audit
   metricsets: [file]
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
   
 ----
 

auditbeat/module/audit/_meta/config.yml.tpl

@@ -23,39 +23,37 @@
 
 {{ if .reference -}}
 # The file integrity metricset sends events when files are changed (created,
-# updated, deleted). The events contain file metadata and hashes (MD5, SHA1, and
-# SHA256).
+# updated, deleted). The events contain file metadata and hashes.
 {{ end -}}
 - module: audit
   metricsets: [file]
   {{ if eq .goos "darwin" -}}
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /usr/local/bin
-    - /sbin
-    - /usr/sbin
-    - /usr/local/sbin
+  - /bin
+  - /usr/bin
+  - /usr/local/bin
+  - /sbin
+  - /usr/sbin
+  - /usr/local/sbin
   {{ else if eq .goos "windows" -}}
   file.paths:
-    windows:
-    - C:/windows
-    - C:/windows/system32
-    programs:
-    - C:/Program Files
-    - C:/Program Files (x86)
+  - C:/windows
+  - C:/windows/system32
+  - C:/Program Files
+  - C:/Program Files (x86)
   {{ else -}}
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
   {{ end -}}
   {{ if .reference }}
-  # Limit in bytes on the size of files that will be hashed.
-  file.max_file_size: 1073741824 # 1 GiB
+  # Limit on the size of files that will be hashed. Default is 100 MiB.
+  file.max_file_size: 100 MiB
+
+  # Hash types to compute when the file changes. Supported types are md5, sha1,
+  # sha224, sha256, sha384, sha512, sha512_224, and sha512_256. Default is sha1.
+  file.hash_types: [sha1]
   {{- end }}

auditbeat/module/audit/file/_meta/data.json

@@ -1,33 +1,35 @@
 {
-    "@timestamp": "2017-07-10T18:13:08.197Z",
-    "audit": {
-        "file": {
-            "action": "created",
-            "atime": "2017-07-10T18:13:08Z",
-            "ctime": "2017-07-10T18:13:08Z",
-            "gid": 20,
-            "group": "staff",
-            "hashed": true,
-            "inode": "11706872",
-            "md5": "5eb63bbbe01eeed093cb22bb8f5acdc3",
-            "mode": "0600",
-            "mtime": "2017-07-10T18:13:08Z",
-            "owner": "akroh",
-            "path": "/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file232876074/file.data",
-            "sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
-            "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
-            "size": 11,
-            "type": "file",
-            "uid": 501
-        }
-    },
-    "beat": {
-        "hostname": "host.example.com",
-        "name": "host.example.com"
-    },
-    "metricset": {
-        "module": "audit",
-        "name": "file",
-        "rtt": 115
+  "@timestamp": "2017-07-31T14:40:28.173Z",
+  "@metadata": {
+    "beat": "noindex",
+    "type": "doc"
+  },
+  "audit": {
+    "file": {
+      "hashed": true,
+      "group": "staff",
+      "path": "/var/folders/8x/rnyk6yxn6w97lddn3bs02gf00000gn/T/audit-file927187403/file.data",
+      "inode": "12512120",
+      "size": 11,
+      "ctime": "2017-07-31T14:40:28.000Z",
+      "mode": "0600",
+      "owner": "akroh",
+      "atime": "2017-07-31T14:40:28.000Z",
+      "sha1": "2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+      "action": "created",
+      "mtime": "2017-07-31T14:40:28.000Z",
+      "type": "file",
+      "uid": 501,
+      "gid": 20
     }
+  },
+  "metricset": {
+    "module": "audit",
+    "name": "file",
+    "rtt": 115
+  },
+  "beat": {
+    "name": "host.example.com",
+    "hostname": "host.example.com"
+  }
 }

auditbeat/module/audit/file/_meta/docs.asciidoc

@@ -1,36 +1,67 @@
 === Audit file metricset
 
 The `file` metricset sends events when a file is changed (created, updated, or
-deleted) on disk. The events contain file metadata and hashes (MD5, SHA1, and
-SHA256).
+deleted) on disk. The events contain file metadata and hashes.
+
+The metricset is implemented for Linux, macOS (Darwin), and Windows.
 
-////
 [float]
 === How it works
 
-This metricset...
-////
+This metricset uses features of the operating system to monitor file changes in
+realtime. When the metricset starts it creates a subscription with the OS to
+receive notifications of changes to the specified files or directories. Upon
+receiving notification of a change the metricset will read the file's metadata
+and the compute a hash of the file's contents.
+
+This metricset does not perform an initial scan of the given paths to generate
+events for the files as they existed at start time. It is strictly driven by
+change notifications from the OS.
+
+The operating system features that power this feature are as follows.
+
+* Linux - `inotify` is used, and therefore the kernel must have inotify support.
+Inotify was initially merged into the 2.6.13 Linux kernel.
+* macOS (Darwin) - `kqueue` is used. It requires one file descriptor for each
+file so please check the `ulimit` values used with {beatname_uc}. The FSEvents
+API was considered for the implementation, but FSEvents coalesces multiple
+notifications into a single event which is inconsistent with the metricset's
+behavior on other operating systems.
+* Windows - `ReadDirectoryChangesW` is used.
+
+The file metricset should not be used to monitor paths on network file systems.
 
 [float]
 === Configuration options
 
 This metricset has some configuration options for tuning its behavior. The
-following example shows all configuration options with their default values.
+following example shows all configuration options with their default values for
+Linux.
 
 [source,yaml]
 ----
 - module: audit
   metricsets: [file]
   file.paths:
-    binaries:
-    - /bin
-    - /usr/bin
-    - /sbin
-    - /usr/sbin
-    conf:
-    - /etc
+  - /bin
+  - /usr/bin
+  - /sbin
+  - /usr/sbin
+  - /etc
+  file.max_file_size: 100 MiB
+  file.hash_types: [sha1]
 ----
 
+*`file.paths`*:: A list of paths (directories or files) to watch. The watches
+are non-recursive and globs are not supported. The specified paths should exist
+when the metricset is started.
+
+*`file.max_file_size`*:: The maximum size of a file in bytes for which
+{beatname_uc} will compute hashes. Files larger than this size will not be
+hashed. The default value is 100 MiB. For convenience units can be specified as
+a suffix to the value. The supported units are `b`, `kib`, `kb`, `mib`, `mb`,
+`gib`, `gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.
 
-*`file.paths`*:: A dictionary of arbitrary names (strings) to a list of paths
-(directories or files).
+*`file.hash_types`*:: A list of hash types to compute when the file changes.
+The supported hash types are md5, sha1, sha224, sha256, sha384, sha512,
+sha512_224, and sha512_256. The default value is sha1.

auditbeat/module/audit/file/config.go

@@ -0,0 +1,42 @@
+package file
+
+import (
+	"strings"
+
+	"github.com/dustin/go-humanize"
+	"github.com/joeshaw/multierror"
+	"github.com/pkg/errors"
+)
+
+type Config struct {
+	Paths            []string `config:"file.paths" validate:"required"`
+	HashTypes        []string `config:"file.hash_types"`
+	MaxFileSize      string   `config:"file.max_file_size"`
+	MaxFileSizeBytes uint64   `config:",ignore"`
+}
+
+func (c *Config) Validate() error {
+	var errs multierror.Errors
+	var err error
+
+	c.MaxFileSizeBytes, err = humanize.ParseBytes(c.MaxFileSize)
+	if err != nil {
+		errs = append(errs, errors.Wrap(err, "invalid file.max_file_size value"))
+	}
+
+	for _, ht := range c.HashTypes {
+		switch strings.ToLower(ht) {
+		case "md5", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256":
+		default:
+			errs = append(errs, errors.Errorf("invalid hash type '%v'", ht))
+		}
+	}
+
+	return errs.Err()
+}
+
+var defaultConfig = Config{
+	MaxFileSize:      "100 MiB",
+	MaxFileSizeBytes: 100 * 1024 * 1024,
+	HashTypes:        []string{"sha1"},
+}