All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
- Remove github.com/Sirupsen/logrus dependency from examples. [#73]elastic#73
- Fixed syscall lookup for ppc64 and ppc64le. #71
- Added
SetImmutable
to the audit client for marking the audit settings as immutable within the kernel. #55 #68 - Added Vagrantfile for development ease. #61
- Added enrichment of arch, syscall, and sig to type=SECCOMP messages. #64
- Added support for big endian. #48
- Added semantic versioning support via go modules. #61
- Added ECS categorization support for events by record type and syscall. #62
- Fixed a typo in the action value associated with ROLE_REMOVE messages. #65
- Fixed a typo in the action value associated with ANOM_LINK messages. #66
- Fixed spelling of anomaly in aucoalesce package. #67
- Added method to convert kernel rules to text format in order to display them.
- Added support for setting the kernel's backlog wait time via the new SetBacklogWaitTime function. #34
- New method
GetStatusAsync
to perform asynchronous status checks. #37
- AuditClient
Close()
is now safe to call more than once. #35
- Added better error messages for when
NewAuditClient
fails due to the Linux kernel not supporting auditing (CONFIG_AUDIT=n). #32
- auparse - Fixed parsing of apparmor AVC messages. #25
- auparse - Update syscall and audit message type tables for Linux 4.16.
- aucoalesce - Cache UID/GID values for one minute. #24
- rules - Detect s390 or s390x as the runtime architecture (GOOS) and
automatically use the appropriate syscall name to number table without
requiring the rule to explicitly specify an arch (
-F arch=s390x
). #23
- auparse - Fixed an issue where the name value was not being hex decoded from PATH records. #20
- Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14
- The AuditClient will unregister with the kernel if
SetPID
has been called. #19
- auparse - Fixed an issue where the proctitle value was being truncated. #15
- auparse - Fixed an issue where values were incorrectly interpretted as hex data. #13
- auparse - Fixed parsing of the
key
value when multiple keys are present. #16 - auparse - The
cmdline
key is no longer created for EXECVE records. #17 - aucoalesce - Changed the event format to have objects for user, process, file, and network data. #17
- Fixed an issue when an audit notification is received while waiting for the response to a control command.
- Add support for listening for audit messages using a multicast group. #9
- auparse - Apply hex decoding to CWD field. #10
- Add a package for building audit rules that can be added to the kernel.
- Add GetRules, DeleteRules, DeleteRule, and AddRule methods to AuditClient.
- auparse - Add conversion of POSIX exit code values to their name.
- Add SetFailure to AuditClient. #8
- auparse - Convert auid and session values of
4294967295
or-1
to "unset". #5 - auparse - Added
MarshallText
method to AuditMessageType to enable the value to be marshaled as a string in JSON. faabfa94ec9479bdc1ad6c0334ff178b8193fce5 - aucoalesce - Enhanced aucoalesce to normalize events. 666ff1c30fe624e9fcd9a108b20fceb82331f5fa
- Rename RawAuditMessage fields
MessageType
andRawData
toType
andData
respectively. 8622833714fccd7810669b1265df1c1f918ec0c4 - Make Reassembler concurrency-safe. c57b59c20a684e2a6298a1a5929a79192d76d61b
- auparse - Renamed
address_family
tofamily
in parsed sockaddr messages. 73f97b2f366e6e00acf2ddff4f6575432da3283e
- Added
libaudit.Reassembler
for reassembling out of order or interleaved messages and providing notification for lost events based on gaps in sequence numbers. a60bdd3b1b642cc80a3872d999114ae675456768 - auparse - Combine EXECVE arguments into a single field called
cmdline
. 468a9eb0898e0efd3c2fd7abf067519cb63fa6c3 - auparse - Split SELinux subjects into
subj_user
,subj_role
,subj_domain
,subj_level
, andsubj_category
. f3ed884a7c03ea75c9ec247251905aa1ec548959 - auparse - Replace auid values
4294967295
and-1
withunset
to convey the meaning of these values. #5 - aucoalesce - Added a new package to coalescing related messages into a single event. #1
- auparse - Changed the behavior of
ParseLogLine()
andParse()
to only parse the message header. To parse the message body, callData()
on the returnedAuditMessage
.
- Added AuditClient for communicating with the Linux Audit Framework in the Linux kernel.
- Added auparse package for parsing audit logs.