Add rpm packaging rebase (#10429)

* Add RPM packages support to the package dataset

.travis.yml

@@ -183,6 +183,7 @@ addons:
       - xsltproc
       - libxml2-utils
       - libsystemd-journal-dev
+      - librpm-dev
 
 before_install:
   - python --version

auditbeat/Dockerfile

@@ -5,6 +5,7 @@ RUN \
       && apt-get install -y --no-install-recommends \
          python-pip \
          virtualenv \
+         librpm-dev \
       && rm -rf /var/lib/apt/lists/*
 
 RUN pip install --upgrade pip

x-pack/auditbeat/magefile.go

@@ -12,6 +12,8 @@ import (
 	"time"
 
 	"github.com/magefile/mage/mg"
+	"github.com/magefile/mage/sh"
+	"github.com/pkg/errors"
 
 	auditbeat "github.com/elastic/beats/auditbeat/scripts/mage"
 	"github.com/elastic/beats/dev-tools/mage"
@@ -20,6 +22,7 @@ import (
 func init() {
 	mage.BeatDescription = "Audit the activities of users and processes on your system."
 	mage.BeatLicense = "Elastic License"
+	mage.Platforms = mage.Platforms.Filter("!linux/ppc64 !linux/mips64")
 }
 
 // Aliases provides compatibility with CI while we transition all Beats
@@ -36,6 +39,9 @@ func Build() error {
 // GolangCrossBuild build the Beat binary inside of the golang-builder.
 // Do not use directly, use crossBuild instead.
 func GolangCrossBuild() error {
+	if d, ok := deps[mage.Platform.Name]; ok {
+		mg.Deps(d)
+	}
 	return mage.GolangCrossBuild(mage.DefaultGolangCrossBuildArgs())
 }
 
@@ -173,3 +179,83 @@ func PythonIntegTest(ctx context.Context) error {
 		return mage.PythonNoseTest(mage.DefaultPythonTestIntegrationArgs())
 	})
 }
+
+// -----------------------------------------------------------------------------
+// - Install the librpm-dev package
+var (
+	deps = map[string]func() error{
+		"linux/386":      installLinux386,
+		"linux/amd64":    installLinuxAMD64,
+		"linux/arm64":    installLinuxARM64,
+		"linux/armv5":    installLinuxARMLE,
+		"linux/armv6":    installLinuxARMLE,
+		"linux/armv7":    installLinuxARMHF,
+		"linux/mips":     installLinuxMIPS,
+		"linux/mipsle":   installLinuxMIPSLE,
+		"linux/mips64le": installLinuxMIPS64LE,
+		"linux/ppc64le":  installLinuxPPC64LE,
+		"linux/s390x":    installLinuxS390X,
+
+		//"linux/ppc64":  installLinuxPpc64,
+		//"linux/mips64": installLinuxMips64,
+	}
+)
+
+const (
+	librpmDevPkgName = "librpm-dev"
+)
+
+func installLinuxAMD64() error {
+	return installDependencies(librpmDevPkgName, "")
+}
+
+func installLinuxARM64() error {
+	return installDependencies(librpmDevPkgName+":arm64", "arm64")
+}
+
+func installLinuxARMHF() error {
+	return installDependencies(librpmDevPkgName+":armhf", "armhf")
+}
+
+func installLinuxARMLE() error {
+	return installDependencies(librpmDevPkgName+":armel", "armel")
+}
+
+func installLinux386() error {
+	return installDependencies(librpmDevPkgName+":i386", "i386")
+}
+
+func installLinuxMIPS() error {
+	return installDependencies(librpmDevPkgName+":mips", "mips")
+}
+
+func installLinuxMIPS64LE() error {
+	return installDependencies(librpmDevPkgName+":mips64el", "mips64el")
+}
+
+func installLinuxMIPSLE() error {
+	return installDependencies(librpmDevPkgName+":mipsel", "mipsel")
+}
+
+func installLinuxPPC64LE() error {
+	return installDependencies(librpmDevPkgName+":ppc64el", "ppc64el")
+}
+
+func installLinuxS390X() error {
+	return installDependencies(librpmDevPkgName+":s390x", "s390x")
+}
+
+func installDependencies(pkg, arch string) error {
+	if arch != "" {
+		err := sh.Run("dpkg", "--add-architecture", arch)
+		if err != nil {
+			return errors.Wrap(err, "error while adding architecture")
+		}
+	}
+
+	if err := sh.Run("apt-get", "update"); err != nil {
+		return err
+	}
+
+	return sh.Run("apt-get", "install", "-y", "--no-install-recommends", pkg)
+}

x-pack/auditbeat/module/system/package/_meta/docs.asciidoc

@@ -4,5 +4,5 @@ experimental[]
 
 This is the `package` dataset of the system module.
 
-It is implemented for Linux distributions using dpkg as their package manager,
-and for Homebrew on macOS (Darwin).
+It is implemented for Linux distributions using dpkg or rpm as their package
+manager, and for Homebrew on macOS (Darwin).

x-pack/auditbeat/module/system/package/package.go

@@ -190,7 +190,7 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 	ms.osFamily = osInfo.Family
 	switch osInfo.Family {
 	case redhat:
-		return nil, fmt.Errorf("RPM support is not yet implemented")
+		// ok
 	case debian:
 		if _, err := os.Stat(dpkgStatusFile); err != nil {
 			return nil, errors.Wrapf(err, "error looking up %s", dpkgStatusFile)
@@ -412,8 +412,10 @@ func (ms *MetricSet) savePackagesToDisk(packages []*Package) error {
 func getPackages(osFamily string) (packages []*Package, err error) {
 	switch osFamily {
 	case redhat:
-		// TODO: Implement RPM
-		err = errors.New("RPM not yet supported")
+		packages, err = listRPMPackages()
+		if err != nil {
+			err = errors.Wrap(err, "error getting RPM packages")
+		}
 	case debian:
 		packages, err = listDebPackages()
 		if err != nil {

x-pack/auditbeat/module/system/package/package_windows.go

@@ -4,7 +4,7 @@
 
 // +build windows
 
-package socket
+package pkg
 
 import (
 	"fmt"

x-pack/auditbeat/module/system/package/rpm_common_test.go

@@ -0,0 +1,69 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// +build !windows
+
+package pkg
+
+import (
+	"fmt"
+	"os/exec"
+	"strconv"
+	"strings"
+	"time"
+)
+
+func rpmPackagesByExec() ([]*Package, error) {
+	format := "%{NAME}|%{VERSION}|%{RELEASE}|%{ARCH}|%{LICENSE}|%{INSTALLTIME}|%{SIZE}|%{URL}|%{SUMMARY}\\n"
+	out, err := exec.Command("/usr/bin/rpm", "--qf", format, "-qa").Output()
+	if err != nil {
+		return nil, fmt.Errorf("Error running rpm -qa command: %v", err)
+	}
+
+	lines := strings.Split(string(out), "\n")
+	var packages []*Package
+	for _, line := range lines {
+		if len(strings.TrimSpace(line)) == 0 {
+			continue
+		}
+		words := strings.SplitN(line, "|", 9)
+		if len(words) < 9 {
+			return nil, fmt.Errorf("line '%s' doesn't have enough elements", line)
+		}
+		pkg := Package{
+			Name:    words[0],
+			Version: words[1],
+			Release: words[2],
+			Arch:    words[3],
+			License: words[4],
+			// install time - 5
+			// size - 6
+			URL:     words[7],
+			Summary: words[8],
+		}
+		ts, err := strconv.ParseInt(words[5], 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error converting %s to string: %v", words[5], err)
+		}
+		pkg.InstallTime = time.Unix(ts, 0)
+
+		pkg.Size, err = strconv.ParseUint(words[6], 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("error converting %s to string: %v", words[6], err)
+		}
+
+		// Avoid "(none)" in favor of empty strings
+		if pkg.URL == "(none)" {
+			pkg.URL = ""
+		}
+		if pkg.Arch == "(none)" {
+			pkg.Arch = ""
+		}
+
+		packages = append(packages, &pkg)
+
+	}
+
+	return packages, nil
+}