auditbeat/module - docs and comment nits (#36952)
Really minor fixes to docs and comments in auditbeat/modules.
As I was reading the code I was applying some changes, so I figured
I should contribute them.

Removing an unnecessary cast revealed an incorrect operation between
`& ^` vs `&^`.  It looks like this was supposed to be a bitwise clear `&^` 
operation to remove ConfigChange and AttributesModified before the 
lookup from actionOrderMap.

---------

Co-authored-by: Dan Kortschak <[email protected]>
andrewkroh and efd6 authored Oct 26, 2023
1 parent 2a26f9a commit b0455f4
Showing 9 changed files with 25 additions and 24 deletions.
2 changes: 1 addition & 1 deletion auditbeat/docs/modules/file_integrity.asciidoc
@@ -121,7 +121,7 @@ units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
*`max_file_size`*:: The maximum size of a file in bytes for which
{beatname_uc} will compute hashes and run file parsers. Files larger than this
size will not be hashed or analysed by configured file parsers. The default
value is 100 MiB. For convenience units can be specified as a suffix to the
value is 100 MiB. For convenience, units can be specified as a suffix to the
value. The supported units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`,
`gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.

3 changes: 1 addition & 2 deletions auditbeat/module/auditd/audit_linux.go
@@ -979,8 +979,7 @@ func determineSocketType(c *Config, log *logp.Logger) (string, error) {
if c.SocketType == "" {
return "", fmt.Errorf("failed to create audit client: %w", err)
}
// Ignore errors if a socket type has been specified. It will fail during
// further setup and its necessary for unit tests to pass
// Ignore errors if a socket type has been specified.
return c.SocketType, nil
}
defer client.Close()
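Review bot: The shortened comment in determineSocketType no longer says why the error may be ignored, and the error itself is dropped without a trace whenever `c.SocketType` is set. The removed text carried the reason, so keeping that half costs one line, e.g. `// Ignore errors if a socket type has been specified; a bad type fails during further setup.` Assuming `log` is non-nil on this path, `log.Debugf("audit client probe failed, using configured socket_type %q: %v", c.SocketType, err)` would make a silently degraded audit pipeline easier to diagnose. The function starts before and continues after the hunk.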
2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/_meta/docs.asciidoc
@@ -114,7 +114,7 @@ units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`, `gb`, `tib`, `tb`,
*`max_file_size`*:: The maximum size of a file in bytes for which
{beatname_uc} will compute hashes and run file parsers. Files larger than this
size will not be hashed or analysed by configured file parsers. The default
value is 100 MiB. For convenience units can be specified as a suffix to the
value is 100 MiB. For convenience, units can be specified as a suffix to the
value. The supported units are `b` (default), `kib`, `kb`, `mib`, `mb`, `gib`,
`gb`, `tib`, `tb`, `pib`, `pb`, `eib`, and `eb`.

2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/action.go
@@ -155,7 +155,7 @@ func (action Action) InOrder(existedBefore, existsNow bool) ActionArray {
hasConfigChange := action&ConfigChange != 0
hasUpdate := action&Updated != 0
hasAttrMod := action&AttributesModified != 0
action = Action(int(action) & int(^(ConfigChange | AttributesModified)))
action = Action(int(action) &^ (ConfigChange | AttributesModified))
if hasAttrMod {
action |= Updated
}
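Review bot: The bit-clear on the new line still round-trips through `int`, which hides that this is a plain mask on an Action value; `action &^= ConfigChange | AttributesModified` says the same thing in the type's own terms and compiles for the same reason `action&ConfigChange` two lines above does. The commit message presents this as correcting `& ^` to `&^`, yet none of the nine changed files is a test, so nothing pins the behaviour. A table test for InOrder with ConfigChange and AttributesModified set in the input, asserting the returned ActionArray, would document the intent for a value that ends up in file-integrity events. InOrder's body continues outside the hunk.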
4 changes: 2 additions & 2 deletions auditbeat/module/file_integrity/config.go
@@ -91,8 +91,8 @@ type Config struct {
// Validate validates the config data and return an error explaining all the
// problems with the config. This method modifies the given config.
func (c *Config) Validate() error {
// Resolve symlinks and make filepaths absolute if possible
// anything that does not resolve will be logged during
// Resolve symlinks and make filepaths absolute if possible.
// Anything that does not resolve will be logged during
// scanning and metric set collection.
for i, p := range c.Paths {
p, err := filepath.EvalSymlinks(p)
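Review bot: The doc comment on Validate still reads "and return an error", which this pass over the comments left untouched; it should be `// Validate validates the config data and returns an error explaining all the`. Since the loop resolves symlinks in the configured paths at validation time, one more sentence could say that the monitored set is fixed at that point, so a symlink retargeted afterwards is presumably not followed until the config is validated again. That second point is inferred, because the loop body continues outside the hunk.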
8 changes: 4 additions & 4 deletions auditbeat/module/file_integrity/event.go
@@ -99,7 +99,7 @@ var typeNames = map[Type]string{
SymlinkType: "symlink",
}

// Digest is a output of a hash function.
// Digest is an output of a hash function.
type Digest []byte

// String returns the digest value in lower-case hexadecimal form.
@@ -110,7 +110,7 @@ func (d Digest) String() string {
// MarshalText encodes the digest to a hexadecimal representation of itself.
func (d Digest) MarshalText() ([]byte, error) { return []byte(d.String()), nil }

// Event describe the filesystem change and includes metadata about the file.
// Event describes the filesystem change and includes metadata about the file.
type Event struct {
Timestamp time.Time `json:"timestamp"` // Time of event.
Path string `json:"path"` // The path associated with the event.
@@ -119,7 +119,7 @@ type Event struct {
Source Source `json:"source"` // Source of the event.
Action Action `json:"action"` // Action (like created, updated).
Hashes map[HashType]Digest `json:"hash,omitempty"` // File hashes.
ParserResults mapstr.M `json:"file,omitempty"` // Results from runnimg file parsers.
ParserResults mapstr.M `json:"file,omitempty"` // Results from running file parsers.

// Metadata
rtt time.Duration // Time taken to collect the info.
@@ -142,7 +142,7 @@ type Metadata struct {
Mode os.FileMode `json:"mode"` // Permissions
SetUID bool `json:"setuid"` // setuid bit (POSIX only)
SetGID bool `json:"setgid"` // setgid bit (POSIX only)
Origin []string `json:"origin"` // External origin info for the file (MacOS only)
Origin []string `json:"origin"` // External origin info for the file (macOS only)
SELinux string `json:"selinux"` // security.selinux xattr value (Linux only)
POSIXACLAccess []byte `json:"posix_acl_access"` // system.posix_acl_access xattr value (Linux only)
}
2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/file_parsers.go
@@ -23,7 +23,7 @@ import (
"github.com/elastic/elastic-agent-libs/mapstr"
)

// FileParser is a file analyser the provides enrichment for file.* fields.
// FileParser is a file analyser providing enrichment for file.* fields.
type FileParser interface {
Parse(dst mapstr.M, path string) error
}
24 changes: 13 additions & 11 deletions auditbeat/module/file_integrity/fileorigin_darwin.go
@@ -47,27 +47,29 @@ var (
)

// GetFileOrigin fetches the kMDItemWhereFroms metadata for the given path. This
// is special metadata in the filesystem that encodes information of an external
// origin of this file. It is always encoded as a list of strings, with
// is special metadata in the filesystem that encodes information about the
// external origin of this file. It is always encoded as a list of strings, with
// different meanings depending on the origin:
//
// For files downloaded from a web browser, the first string is the URL for
// the source document. The second URL (optional), is the web address where the
// download link was followed:
// [ "https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.16", "https://www.kernel.org/" ]
//
// ["https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.16", "https://www.kernel.org/"]
//
// For files or directories transferred via Airdrop, the origin is one string
// with the name of the computer that sent the file:
// [ "Adrian's MacBook Pro" ]
//
// ["Adrian's MacBook Pro"]
//
// For files attached to e-mails (using Mail app), three strings are
// returned: Sender address, subject and e-mail identifier:
// [ "Adrian Serrano \[email protected]\u003e",
//
// "Sagrada Familia tickets",
// "message:%[email protected]%3E"
//
// ],
// [
// "Adrian Serrano \[email protected]\u003e",
// "Sagrada Familia tickets",
// "message:%[email protected]%3E"
// ],
//
// For all other files the result is an empty (nil) list.
func GetFileOrigin(path string) ([]string, error) {
@@ -108,8 +110,8 @@ func GetFileOrigin(path string) ([]string, error) {
return nil, fmt.Errorf("plist unmarshal failed: %w", err)
}

// The returned list seems to be padded with empty strings when some of
// the fields are missing (i.e. no context URL). Get rid of trailing empty
// The returned list seems to be padded with empty strings when some
// fields are missing (i.e. no context URL). Get rid of trailing empty
// strings:
n := len(urls)
for n > 0 && len(urls[n-1]) == 0 {
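Review bot: The GetFileOrigin doc comment presents kMDItemWhereFroms as the file's external origin without saying that it is ordinary extended-attribute metadata, which the file's owner can rewrite or strip. For a file-integrity module that deserves one line, e.g. `// The attribute is user-writable, so treat the result as a hint, not verified provenance.` Two smaller wording points in the same section: the e-mail example ends in `],` where the other examples end in `]`, and "(i.e. no context URL)" in the padding comment gives an example, so `e.g.` is meant. GetFileOrigin's body is only partly inside these hunks.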
2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/metricset.go
@@ -380,7 +380,7 @@ func store(b datastore.Bucket, e *Event) error {
return nil
}

// load loads an Event from the datastore. It return a nil Event if the key was
// load loads an Event from the datastore. It returns a nil Event if the key was
// not found. It returns an error if there was a failure reading from the
// datastore or decoding the data.
func load(b datastore.Bucket, path string) (*Event, error) {
