
[New Integration] System Audit #4862


Merged
merged 22 commits into from
Feb 6, 2023

Conversation

ShourieG
Contributor

@ShourieG ShourieG commented Dec 19, 2022

Type of change

  • Enhancement

What does this PR do?

Introduces a new integration for the Auditbeat system module, called system_audit, with package as the currently available
data stream. This integration will help users gather various package-related information about their systems.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • Documentation
  • Naming Conventions
  • Code Quality

Sample Dashboards:

Package Dashboards: this is just one single dashboard, broken up into 2 parts in this PR for clarity.

Package Dashboard - 1: (screenshot)

Package Dashboard - 2: (screenshot)

System Audit Dashboard: System Audit Overview (screenshot)

Test Results: (screenshot)

Sample Log

{
    "@timestamp": "2023-01-31T07:58:08.493Z",
    "agent": {
        "ephemeral_id": "a1ec9e1c-df20-4895-a21f-baf4f80d74dd",
        "id": "93885d02-89d7-4220-af7b-1b0353c44e81",
        "name": "docker-fleet-agent",
        "type": "auditbeat",
        "version": "8.5.1"
    },
    "data_stream": {
        "dataset": "system_audit.package",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.5.1"
    },
    "elastic_agent": {
        "id": "93885d02-89d7-4220-af7b-1b0353c44e81",
        "snapshot": false,
        "version": "8.5.1"
    },
    "event": {
        "action": "existing_package",
        "agent_id_status": "verified",
        "category": [
            "package"
        ],
        "dataset": "system_audit.package",
        "id": "6d79e5bc-1276-46a5-8c6a-5286edb045ef",
        "ingested": "2023-01-31T07:58:09Z",
        "kind": "state",
        "module": "system",
        "type": [
            "info"
        ]
    },
    "host": {
        "architecture": "x86_64",
        "containerized": false,
        "hostname": "docker-fleet-agent",
        "id": "75e38940166b4dbc90b6f5610e8e9c39",
        "ip": [
            "172.29.0.7"
        ],
        "mac": [
            "02-42-AC-1D-00-07"
        ],
        "name": "docker-fleet-agent",
        "os": {
            "codename": "focal",
            "family": "debian",
            "kernel": "5.15.49-linuxkit",
            "name": "Ubuntu",
            "platform": "ubuntu",
            "type": "linux",
            "version": "20.04.5 LTS (Focal Fossa)"
        }
    },
    "input": {
        "type": "audit/system"
    },
    "message": "Package adduser (3.118ubuntu2) is already installed",
    "package": {
        "architecture": "all",
        "description": "add and remove users and groups",
        "name": "adduser",
        "size": 624,
        "type": "dpkg",
        "version": "3.118ubuntu2"
    },
    "system_audit": {
        "package": {
            "arch": "all",
            "entity_id": "OnUSNhuUQkyYgoKf",
            "name": "adduser",
            "size": 624,
            "summary": "add and remove users and groups",
            "version": "3.118ubuntu2"
        }
    },
    "tags": [
        "audit-system-package"
    ]
}
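As an added example (not code from the PR or from the integration itself), here is a consumer of the package state events shown above: it rebuilds the per-host installed-package inventory from `system_audit.package` events with `event.kind: state` and diffs two collection runs, so unexpected additions, removals or version changes can be reviewed or alerted on. The event shape follows the sample log; the second run, the openssl and curl entries and all their versions are constructed test data.

```python
import json
from typing import Dict, Iterable, Tuple

# (host.name, package.name) -> package.version
Inventory = Dict[Tuple[str, str], str]

def parse_ndjson(text: str) -> list:
    """Parse newline-delimited JSON documents, e.g. an export of the data stream."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def inventory(events: Iterable[dict]) -> Inventory:
    """Installed-package set from system_audit.package state events; other
    data streams and non-state events are skipped so a mixed export works."""
    inv: Inventory = {}
    for ev in events:
        if ev.get("data_stream", {}).get("dataset") != "system_audit.package":
            continue
        if ev.get("event", {}).get("kind") != "state":
            continue
        pkg = ev["package"]
        inv[(ev["host"]["name"], pkg["name"])] = pkg["version"]
    return inv

def diff_inventories(before: Inventory, after: Inventory):
    """(added, removed, changed) between two snapshots; changed maps to (old, new)."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k]) for k in before.keys() & after.keys()
               if before[k] != after[k]}
    return added, removed, changed

def _event(name: str, version: str, ts: str) -> str:
    """One constructed event in the PR sample log's shape, as a JSON line."""
    return json.dumps({
        "@timestamp": ts,
        "data_stream": {"dataset": "system_audit.package", "namespace": "ep", "type": "logs"},
        "event": {"kind": "state", "action": "existing_package", "category": ["package"]},
        "host": {"name": "docker-fleet-agent"},
        "package": {"name": name, "version": version, "type": "dpkg"},
    })

# Two constructed collection runs; only the adduser entry mirrors the PR's sample log.
T1, T2 = "2023-01-31T07:58:08.493Z", "2023-02-01T07:58:08.493Z"
RUN1 = "\n".join([_event("adduser", "3.118ubuntu2", T1), _event("openssl", "1.1.1f-1ubuntu2.16", T1)])
RUN2 = "\n".join([_event("adduser", "3.118ubuntu2", T2), _event("openssl", "1.1.1f-1ubuntu2.17", T2),
                  _event("curl", "7.68.0-1ubuntu2.15", T2)])

if __name__ == "__main__":
    added, removed, changed = diff_inventories(inventory(parse_ndjson(RUN1)), inventory(parse_ndjson(RUN2)))
    print("added:", added, "\nremoved:", removed, "\nchanged:", changed)
```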


@ShourieG ShourieG self-assigned this Dec 19, 2022
@ShourieG ShourieG changed the title initial draft PR [new integration] Auditbeat System Package Dec 19, 2022
@elasticmachine

elasticmachine commented Dec 19, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2023-02-01T06:48:03.811+0000

  • Duration: 14 min 10 sec

Test stats 🧪

Test Results
Failed 0
Passed 16
Skipped 0
Total 16

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@ShourieG ShourieG requested a review from a team December 19, 2022 09:05
@ShourieG
Contributor Author

/test

@jamiehynds

jamiehynds commented Jan 9, 2023

@ShourieG sorry I'm late to the party on this one - to date, we've avoided using Beats terminology as part of agent integrations, e.g. Network Packet Capture (Packetbeat) and Auditd Manager (Auditbeat). Could we adjust the name of this integration to ensure it doesn't include Auditbeat? We could go with something like 'System Auditing' and have 'Package' as a data stream. This would allow us to add other 'System modules' from Auditbeat down the line too.

WDYT of the 'System Auditing' name @jamesspi?

@ShourieG
Contributor Author

ShourieG commented Jan 9, 2023

@jamiehynds There's already a System integration, but that uses filebeat modules. Hence I named it System Package. There's no Auditbeat in the actual package name.
That's just the PR. The data stream is logs since it's system package logs.

This was done to distinguish it from the System integration which uses filebeat modules internally.

@jamiehynds

@ShourieG thanks for clarifying that Auditbeat won't be included in the name. Although I think System Package is too similar to the System integration and will likely cause confusion. I was thinking 'System Audit/Auditing' as it allows us to add other modules from the Auditbeat system module (host, login, process, socket) down the line, rather than having a separate integration for each of these.

@ShourieG
Contributor Author

ShourieG commented Jan 9, 2023

@jamiehynds sure, that makes sense. Will update it accordingly, no worries :)

@elasticmachine

elasticmachine commented Jan 10, 2023

🌐 Coverage report

Name           Metrics % (covered/total)   Diff
Packages       100.0% (1/1) 💚
Files          100.0% (1/1) 💚
Classes        100.0% (1/1) 💚
Methods        100.0% (5/5) 💚
Lines          100.0% (33/33) 💚           4.255
Conditionals   100.0% (0/0) 💚

@ShourieG ShourieG changed the title [new integration] Auditbeat System Package [new integration] System Audit Jan 25, 2023
@ShourieG ShourieG marked this pull request as ready for review January 30, 2023 09:21
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@ShourieG ShourieG requested a review from andrewkroh January 30, 2023 09:21
@ShourieG ShourieG changed the title [new integration] System Audit [New Integration] System Audit Jan 30, 2023
@ShourieG
Contributor Author

@efd6 have updated the PR with all the changes.

@ShourieG
Contributor Author

ShourieG commented Feb 1, 2023

@efd6 resolved all the suggested changes

Contributor

@efd6 efd6 left a comment


Thanks

@ShourieG ShourieG merged commit 4c435e0 into elastic:main Feb 6, 2023
@ShourieG ShourieG deleted the auditbeat/system_package branch February 6, 2023 06:29
@ShourieG
Contributor Author

ShourieG commented Feb 6, 2023

@jamiehynds @epixa The auditbeat integration has been merged

@elasticmachine

Package system_audit - 1.0.0 containing this change is available at https://epr.elastic.co/search?package=system_audit

Labels
8.7 candidate Integration:system_audit System Audit New Integration Issue or pull request for creating a new integration package.