All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
- Fix panic in `parseSockaddr` for malformed socket address. #152
- Set `SOCK_CLOEXEC` when creating the netlink socket to avoid leaking file descriptors. #165
- Update syscall tables. #167
- aucoalesce: Use ECS `event.type: end` instead of `stop` for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. #159
- Add ECS normalization for `exit_group` syscall. #149
- Update syscall and architecture tables. #147
- Support `saddr_fam` filters. #145
- Update Vagrantfile gvm and Ubuntu versions. #145
- Expanded the bitmask applied to ECS `file.mode` in the aucoalesce package so that the SUID, SGID, and sticky bits can be represented. #137
- Reduce heap allocations when parsing and enriching auditd events. #111
- Fix change in behaviour that causes an error when unmarshaling `AuditStatus` with a short buffer. #110
- Fix minimum `AuditStatus` length so that the library can support kernels from 2.6.32. #113 #119
- Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). #115
- Add ECS mappings for more audit anomaly events. #70
- Add `BacklogWaitTimeActual` status field, which is available since Linux 5.9. #93
- Add ECS normalizations for `TIME_ADJNTPVAL` and `TIME_INJOFFSET`. #98
- Add support for exe filters in exclude rules (e.g. `-a exclude,always -F exe=/bin/ls`). #97
- Update syscall, arches, and audit msg type tables for Linux 5.16. #96
- Go 1.16 or newer is required because the project uses the embed package. #104
- Fixed error messages from `AddRule()` in the audit client. #103
- Removed support for resolving syscall numbers to names for the ia64 architecture. #96
- Add user and group mapping for ECS 1.8 compatibility. #86
- Change ECS category of USER_START and USER_END messages to `session`. #86
- Add ECS 1.7 `configuration` categorization. #80
- Use ingress/egress instead of inbound/outbound for ECS 1.7. #80
- Remove github.com/Sirupsen/logrus dependency from examples. #73
- Fixed syscall lookup for ppc64 and ppc64le. #71
- Added `SetImmutable` to the audit client for marking the audit settings as immutable within the kernel. #55 #68
- Added Vagrantfile for development ease. #61
- Added enrichment of arch, syscall, and sig to type=SECCOMP messages. #64
- Added support for big endian. #48
- Added semantic versioning support via go modules. #61
- Added ECS categorization support for events by record type and syscall. #62
- Fixed a typo in the action value associated with ROLE_REMOVE messages. #65
- Fixed a typo in the action value associated with ANOM_LINK messages. #66
- Fixed spelling of anomaly in aucoalesce package. #67
- Added method to convert kernel rules to text format in order to display them.
- Added support for setting the kernel's backlog wait time via the new SetBacklogWaitTime function. #34
- New method `GetStatusAsync` to perform asynchronous status checks. #37
- AuditClient `Close()` is now safe to call more than once. #35
- Added better error messages for when `NewAuditClient` fails due to the Linux kernel not supporting auditing (CONFIG_AUDIT=n). #32
- auparse - Fixed parsing of apparmor AVC messages. #25
- auparse - Update syscall and audit message type tables for Linux 4.16.
- aucoalesce - Cache UID/GID values for one minute. #24
- rules - Detect s390 or s390x as the runtime architecture (GOOS) and automatically use the appropriate syscall name to number table without requiring the rule to explicitly specify an arch (`-F arch=s390x`). #23
- auparse - Fixed an issue where the name value was not being hex decoded from PATH records. #20
- Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14
- The AuditClient will unregister with the kernel if `SetPID` has been called. #19
- auparse - Fixed an issue where the proctitle value was being truncated. #15
- auparse - Fixed an issue where values were incorrectly interpreted as hex data. #13
- auparse - Fixed parsing of the `key` value when multiple keys are present. #16
- auparse - The `cmdline` key is no longer created for EXECVE records. #17
- aucoalesce - Changed the event format to have objects for user, process, file, and network data. #17
- Fixed an issue when an audit notification is received while waiting for the response to a control command.
- Add support for listening for audit messages using a multicast group. #9
- auparse - Apply hex decoding to CWD field. #10
- Add a package for building audit rules that can be added to the kernel.
- Add GetRules, DeleteRules, DeleteRule, and AddRule methods to AuditClient.
- auparse - Add conversion of POSIX exit code values to their name.
- Add SetFailure to AuditClient. #8
- auparse - Convert auid and session values of `4294967295` or `-1` to "unset". #5
- auparse - Added `MarshalText` method to AuditMessageType to enable the value to be marshaled as a string in JSON. faabfa94ec9479bdc1ad6c0334ff178b8193fce5
- aucoalesce - Enhanced aucoalesce to normalize events. 666ff1c30fe624e9fcd9a108b20fceb82331f5fa
- Rename RawAuditMessage fields `MessageType` and `RawData` to `Type` and `Data` respectively. 8622833714fccd7810669b1265df1c1f918ec0c4
- Make Reassembler concurrency-safe. c57b59c20a684e2a6298a1a5929a79192d76d61b
- auparse - Renamed `address_family` to `family` in parsed sockaddr messages. 73f97b2f366e6e00acf2ddff4f6575432da3283e
- Added `libaudit.Reassembler` for reassembling out of order or interleaved messages and providing notification for lost events based on gaps in sequence numbers. a60bdd3b1b642cc80a3872d999114ae675456768
- auparse - Combine EXECVE arguments into a single field called `cmdline`. 468a9eb0898e0efd3c2fd7abf067519cb63fa6c3
- auparse - Split SELinux subjects into `subj_user`, `subj_role`, `subj_domain`, `subj_level`, and `subj_category`. f3ed884a7c03ea75c9ec247251905aa1ec548959
- auparse - Replace auid values `4294967295` and `-1` with `unset` to convey the meaning of these values. #5
- aucoalesce - Added a new package for coalescing related messages into a single event. #1
- auparse - Changed the behavior of `ParseLogLine()` and `Parse()` to only parse the message header. To parse the message body, call `Data()` on the returned `AuditMessage`.
- Added AuditClient for communicating with the Linux Audit Framework in the Linux kernel.
- Added auparse package for parsing audit logs.
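Several entries above concern how audit log values are decoded: hex decoding of PATH `name` and `CWD` values, the bug where plain values were mistaken for hex data (#13), proctitle handling, and the mapping of `auid`/`ses` sentinels `4294967295` and `-1` to `unset`. The following Go program is an added illustration of those rules, written for this page; it is not auparse's code and does not use the library. The set of hex-capable field names and the sample lines are constructed assumptions for the example, and turning proctitle NUL separators into spaces is this example's choice.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Fields whose values auditd emits hex-encoded (unquoted) whenever they contain
// spaces, quotes or non-printable bytes, and double-quoted otherwise. This set
// is an assumption made for the example; the library keeps its own table.
var hexEncodedFields = map[string]bool{
	"name": true, "cwd": true, "proctitle": true, "comm": true,
	"exe": true, "path": true, "cmd": true, "data": true,
}

// AuditRecord is one decoded audit log line.
type AuditRecord struct {
	Type      string
	Timestamp string
	Sequence  uint64
	Fields    map[string]string
}

// ParseRecord parses a line of the form
//   type=T msg=audit(TIMESTAMP:SEQ): k=v k="v" ...
// and decodes each value with decodeValue.
func ParseRecord(line string) (AuditRecord, error) {
	rec := AuditRecord{Fields: map[string]string{}}
	if !strings.HasPrefix(line, "type=") {
		return rec, errors.New("record does not start with type=")
	}
	rest := line[len("type="):]
	sp := strings.IndexByte(rest, ' ')
	if sp < 0 {
		return rec, errors.New("truncated record header")
	}
	rec.Type, rest = rest[:sp], rest[sp+1:]

	const hdr = "msg=audit("
	end := strings.Index(rest, "): ")
	if !strings.HasPrefix(rest, hdr) || end < 0 {
		return rec, errors.New("malformed msg=audit(...) header")
	}
	tsSeq := strings.SplitN(rest[len(hdr):end], ":", 2)
	if len(tsSeq) != 2 {
		return rec, errors.New("header lacks timestamp:sequence")
	}
	seq, err := strconv.ParseUint(tsSeq[1], 10, 64)
	if err != nil {
		return rec, fmt.Errorf("bad sequence number: %w", err)
	}
	rec.Timestamp, rec.Sequence = tsSeq[0], seq
	rest = rest[end+len("): "):]

	// Field loop: a quoted value may contain spaces, so it is read up to the
	// closing quote; any other value ends at the next space.
	for rest = strings.TrimLeft(rest, " "); rest != ""; rest = strings.TrimLeft(rest, " ") {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			return rec, fmt.Errorf("field without '=': %q", rest)
		}
		key := rest[:eq]
		rest = rest[eq+1:]
		var raw string
		if strings.HasPrefix(rest, `"`) {
			closeQ := strings.IndexByte(rest[1:], '"')
			if closeQ < 0 {
				return rec, fmt.Errorf("unterminated quote in field %q", key)
			}
			raw, rest = rest[:closeQ+2], rest[closeQ+2:]
		} else if sp := strings.IndexByte(rest, ' '); sp < 0 {
			raw, rest = rest, ""
		} else {
			raw, rest = rest[:sp], rest[sp+1:]
		}
		rec.Fields[key] = decodeValue(key, raw)
	}
	return rec, nil
}

// decodeValue applies three rules: quoted values are literal text and never
// hex (so comm="cafe" stays "cafe"); unquoted values of hex-capable fields are
// hex-decoded, with proctitle's NUL separators turned into spaces; and the
// sentinel auid/ses values 4294967295 and -1 become "unset".
func decodeValue(key, raw string) string {
	if len(raw) >= 2 && raw[0] == '"' && raw[len(raw)-1] == '"' {
		return raw[1 : len(raw)-1]
	}
	if (key == "auid" || key == "ses") && (raw == "4294967295" || raw == "-1") {
		return "unset"
	}
	if !hexEncodedFields[key] || len(raw)%2 != 0 {
		return raw
	}
	b, err := hex.DecodeString(raw)
	if err != nil {
		return raw // not valid hex: keep the value verbatim
	}
	s := string(b)
	if key == "proctitle" {
		s = strings.ReplaceAll(s, "\x00", " ")
	}
	return s
}

// Constructed sample lines (not captured from a real host).
var sampleLines = []string{
	`type=PATH msg=audit(1600000000.123:456): item=0 name=2F746D702F6D792066696C65 inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0`,
	`type=PROCTITLE msg=audit(1600000000.123:456): proctitle=6C73002D6C61`,
	`type=SYSCALL msg=audit(1600000000.123:457): arch=c000003e syscall=59 success=yes exit=0 pid=4242 auid=4294967295 ses=-1 comm="cafe" exe="/usr/bin/cafe" key=(null)`,
}

func main() {
	for _, line := range sampleLines {
		rec, err := ParseRecord(line)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s seq=%d %v\n", rec.Type, rec.Sequence, rec.Fields)
	}
}
```

The quoted-versus-unquoted check is the point behind #13: a value such as `comm="cafe"` is valid hex but must stay literal, while an unquoted `name=2F746D70...` must be decoded. Gating decoding on the field name also keeps numeric fields like `pid=4242` from being treated as hex.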