go-libaudit

go-libaudit is a library for communicating with the Linux Audit Framework.

APACHE-2.0 License


go-libaudit - 2.5.0 Latest Release

Published by mjwolf 9 months ago

What's Changed

New Contributors

Full Changelog: https://github.com/elastic/go-libaudit/compare/v2.4.0...v2.5.0

go-libaudit - 2.4.0

Published by efd6 12 months ago

Added

  • Support saddr_fam filters. #145

Changed

  • Update Vagrant file gvm and ubuntu versions. #145

go-libaudit - 2.3.3

Published by andrewkroh about 1 year ago

Changed

  • Expanded the bitmask applied to ECS file.mode in the aucoalesce package so that the SUID, SGID, and sticky bits can be represented. #137

go-libaudit - 2.3.2

Published by andrewkroh about 2 years ago

Changed

  • Reduce allocations when converting bytes to strings for received messages. #116 #122

go-libaudit - 2.3.1

Published by andrewkroh about 2 years ago

Changed

  • Reduce heap allocations when parsing and enriching auditd events. #111

Fixed

  • Fix change in behaviour that causes error when unmarshaling AuditStatus with a short buffer. #110
  • Fix minimum AuditStatus length so that library can support kernels from 2.6.32. #113 #119
  • Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). #115

go-libaudit - 2.3.0

Published by andrewkroh over 2 years ago

Added

  • Add ECS mappings for more audit anomaly events. #70
  • Add BacklogWaitTimeActual status field, which is available since Linux 5.9. #93
  • Add ECS normalizations for TIME_ADJNTPVAL and TIME_INJOFFSET. #98
  • Add support for exe filters in exclude rules (e.g. -a exclude,always -F exe=/bin/ls). #97

Changed

  • Update syscall, arches, and audit msg type tables for Linux 5.16. #96
  • Go 1.16 or newer is required because the project uses the embed package. #104
  • Fixed error messages from AddRule() in the audit client. #103

Removed

  • Removed support for resolving syscall numbers to names for the ia64 architecture. #96

go-libaudit - 2.2.0

Published by adriansr over 3 years ago

[2.2.0]

Added

  • Add user and group mapping for ECS 1.8 compatibility #86

Changed

  • Change ECS category of USER_START and USER_END messages to session. #86

go-libaudit - 2.1.0

Published by andrewstucki almost 4 years ago

Added

  • ECS 1.7 configuration categorization. #80

Changed

  • Use ingress/egress instead of inbound/outbound for ECS 1.7. #80

go-libaudit - 2.0.2

Published by leehinman about 4 years ago

Changed

  • Use ECS recommended values for network direction. #75 #76

Removed

  • Remove github.com/Sirupsen/logrus dependency from examples. #73

go-libaudit - 2.0.1

Published by andrewkroh over 4 years ago

Changed

  • Fixed syscall lookup for ppc64 and ppc64le. #71

go-libaudit - v2.0.0

Published by andrewkroh over 4 years ago

Added

  • Added SetImmutable to the audit client for marking the audit settings as immutable within the kernel. #55 #68
  • Added Vagrantfile for development ease. #61
  • Added enrichment of arch, syscall, and sig to type=SECCOMP messages. #64
  • Added support for big endian. #48

Changed

  • Added semantic versioning support via go modules. #61
  • Added ECS categorization support for events by record type and syscall. #62
  • Fixed a typo in the action value associated with ROLE_REMOVE messages. #65
  • Fixed a typo in the action value associated with ANOM_LINK messages. #66
  • Fixed spelling of anomaly in aucoalesce package. #67

go-libaudit - v0.4.0

Published by andrewkroh over 4 years ago

Added

  • Added method to convert kernel rules to text format in order to display them.

Changed

  • aucoalesce - Made the user/group ID cache thread-safe. #42 #45

go-libaudit - v0.3.0

Published by andrewkroh over 6 years ago

Added

  • Added support for setting the kernel's backlog wait time via the new
    SetBacklogWaitTime function. #34
  • New method GetStatusAsync to perform asynchronous status checks. #37

Changed

  • AuditClient Close() is now safe to call more than once. #35

go-libaudit - v0.2.1

Published by andrewkroh over 6 years ago

Added

  • Added better error messages for when NewAuditClient fails due to the
    Linux kernel not supporting auditing (CONFIG_AUDIT=n). #32

go-libaudit - v0.2.0

Published by andrewkroh over 6 years ago

Changed

  • auparse - Fixed parsing of apparmor AVC messages. #25
  • auparse - Update syscall and audit message type tables for Linux 4.16. #30
  • aucoalesce - Cache UID/GID values for one minute. #24

go-libaudit - v0.1.1

Published by andrewkroh over 6 years ago

Added

  • rules - Detect s390 or s390x as the runtime architecture (GOOS) and
    automatically use the appropriate syscall name to number table without
    requiring the rule to explicitly specify an arch (-F arch=s390x). #23

go-libaudit - v0.1.0

Published by andrewkroh over 6 years ago

Changed

  • auparse - Fixed an issue where the name value was not being hex decoded from
    PATH records. #20

go-libaudit - v0.0.7

Published by andrewkroh almost 7 years ago

Added

  • Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14
  • The AuditClient will unregister with the kernel if SetPID has been called. #19

Changed

  • auparse - Fixed an issue where the proctitle value was being truncated. #15
  • auparse - Fixed an issue where values were incorrectly interpreted as hex
    data. #13
  • auparse - Fixed parsing of the key value when multiple keys are present. #16
  • auparse - The cmdline key is no longer created for EXECVE records. #17
  • aucoalesce - Changed the event format to have objects for user, process, file,
    and network data. #17
  • Fixed an issue when an audit notification is received while waiting for the
    response to a control command.

go-libaudit - v0.0.6

Published by andrewkroh almost 7 years ago

Added

  • Add support for listening for audit messages using a multicast group. #9

go-libaudit - v0.0.5

Published by andrewkroh about 7 years ago

Changed

  • auparse - Apply hex decoding to CWD field. #10