add_process_metadata - report linux capabilities #36403
Labels
Comments
botelastic
bot
added
the
needs_team
andrewkroh
added
the
Team:Security-Linux Platform
botelastic
bot
removed
the
needs_team
|
I think this has been implemented in #38252. Closing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the enhancement:
The
add_process_metadataprocessor should be able to report the Linux capabilities associated with a process. ECS has these two new fields in 8.10.0.process.thread.capabilities.effectiveprocess.thread.capabilities.permittedThe data would be read from
/proc/<pid>/status. go-sysinfo supports fetching this data (source), but the returned strings are not in the exact format expected by ECS.Describe a specific use case for the enhancement or feature:
A user might want to enrich
auditdexecve events with Linux capability info.The text was updated successfully, but these errors were encountered: