Perform UID_GROUPS enrichment even if translate.userdb is not set.

threathunters-io · Mar 15, 2024 · 889bb96 · 889bb96
1 parent 11afcd4
commit 889bb96
Showing 1 changed file with 17 additions and 8 deletions.
diff --git a/src/coalesce.rs b/src/coalesce.rs
@@ -362,14 +362,6 @@ impl<'a, 'ev> Coalesce<'a, 'ev> {
  format!("unknown({})", d)
  };
  rec.push((Key::NameTranslated(r.clone()), Value::from(translated)));
- if self.settings.enrich_uid_groups && r.as_slice() == b"uid" {
- if let Some(names) = self.userdb.get_user_groups(*d as _) {
- rec.push((
- Key::Literal("UID_GROUPS"),
- Value::List(names.iter().map(|n| Value::from(n.as_bytes())).collect()),
- ));
- }
- }
  true
  }
  (Key::NameGID(r), Value::Number(Number::Dec(d))) => {
@@ -387,6 +379,22 @@ impl<'a, 'ev> Coalesce<'a, 'ev> {
  }
  }
 
+ fn add_record_uid_groups(&mut self, rec: &mut Record, key: &Key, value: &Value) {
+ if !self.settings.enrich_uid_groups {
+ return;
+ }
+ if let (Key::NameUID(r), Value::Number(Number::Dec(d))) = (key, value) {
+ if r.as_slice() == b"uid" {
+ if let Some(names) = self.userdb.get_user_groups(*d as _) {
+ rec.push((
+ Key::Literal("UID_GROUPS"),
+ Value::List(names.iter().map(|n| Value::from(n.as_bytes())).collect()),
+ ));
+ }
+ }
+ }
+ }
+
  /// Enrich "pid" entries using `ppid`, `exe`, `ID` (generating
  /// event id) from the shadow process table
  fn enrich_pid(&mut self, rv: &mut Record, k: &Key, v: &Value) {
@@ -703,6 +711,7 @@ impl<'a, 'ev> Coalesce<'a, 'ev> {
  };
  }
  _ => {
+ self.add_record_uid_groups(&mut nrv, k, v);
  if self.add_record_userdb(&mut nrv, k, v) && self.settings.drop_translated {
  return false;
  }