elasticmachine
commented
2 years ago Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Open andrewkroh opened 2 years ago
elasticmachine
commented
2 years ago Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
elasticmachine
commented
9 months ago Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
Describe the enhancement:
We previously had plans to deprecate the
system.packagedataset because in within the Elastic ecosystem we expected thatosquerybeatcould provide this data using various tables likerpm_packageanddeb_packages. However, because it cannot provide deltas between previous state and current state the data is not that useful on its own. So we want to improve the Auditbeat system.package dataset such that it can be supported as GA feature and exposed through Elastic Agent.[x] Create a beta Fleet integration for package monitoring that wraps the Auditbeat system.package dataset.
[ ] Add fsnotify support for triggering updates in near real-time.
[x] Migrate to using FlatBuffers and the means of encoding persistent state. This will ensure we have a stable schema for this data between versions and avoid accidental breakages.
[x] Update documentation for Auditbeat package dataset. Remove beta warnings and info in https://github.com/elastic/beats/blob/ba3bce42590dbf722061d7d92bfdb0bd903e9014/x-pack/auditbeat/module/system/package/package.go#L201, https://github.com/elastic/beats/blob/043e60d039352627fd95fec8f130fcd03777348d/x-pack/auditbeat/module/system/package/_meta/docs.asciidoc#L3
[x] Update documentation related to Auditbeat to Agent migration specifically related to
system.package. For reference this was added in https://github.com/elastic/observability-docs/pull/2270. Should be above Osquery line[x] Document the Fleet integration as GA using at least version 1.0.0 for the package.
Describe a specific use case for the enhancement or feature:
References