Releases · elastic/go-libaudit · GitHub

18 Mar 15:26

fearful-symmetry

v2.6.2 Latest

Latest

What's Changed

Update catalog-info file with correct system property by @ev1yehor in #172
Add link and linkat syscalls to normalizations by @rafiyr in #177
Fix filter by arch on ppc64le by @djoreilly in #175
Use non-blocking send on pid unset, retry on close by @fearful-symmetry in #176

New Contributors

@ev1yehor made their first contribution in #172
@rafiyr made their first contribution in #177
@fearful-symmetry made their first contribution in #176

Full Changelog: v2.6.1...v2.6.2

Contributors

djoreilly, rafiyr, and 2 other contributors

Assets 2

22 Nov 14:52

andrewkroh

2.6.1

Changed

rule: On s390x, fix handling of rules with filters like -F arch=b64 or -F arch=b32. #164
aucoalesce: Fix bug affecting event normalization caused by upgrade to yaml.v3. #170

Assets 2

06 Nov 15:13

andrewkroh

2.6.0

Known Issues

#169

Changed

Fix panic in parseSockaddr for malformed socket address. #152
Set SOCK_CLOEXEC when creating the netlink socket to avoid leaking file descriptors. #165
Update syscall tables. #167
aucoalesce: Use ECS event.type: end instead of stop for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. #159

Assets 2

23 Jan 16:16

mjwolf

2.5.0

Added

Add ECS normalization for exit_group syscall. #149

Changed

Update syscall and architecture tables. #147

Assets 2

24 Oct 05:59

efd6

2.4.0

Added

Support saddr_fam filters. #145

Changed

Update Vagrant file gvm and ubuntu versions. #145

Assets 2

10 Aug 21:35

andrewkroh

2.3.3

Changed

Expanded the bitmask applied to ECS file.mode in the aucoalesce package so that the SUID, SGID, and sticky bits can be represented. #137

Assets 2

24 Aug 21:26

andrewkroh

2.3.2

Changed

Reduce allocations when converting bytes to strings for received messages. #116 #122

Assets 2

20 Jul 16:26

andrewkroh

2.3.1

Changed

Reduce heap allocations when parsing and enriching auditd events. #111

Fixed

Fix change in behaviour that causes error when unmarshaling AuditStatus with a short buffer. #110
Fix minimum AuditStatus length so that library can support kernels from 2.6.32. #113 #119
Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). #115

Assets 2

04 May 16:18

andrewkroh

2.3.0

Added

Add ECS mappings for more audit anomaly events. #70
Add BacklogWaitTimeActual status field, which is available since Linux 5.9 #93
Add ECS normalizations for TIME_ADJNTPVAL and TIME_INJOFFSET. #98
Add support for exe filters in exclude rules (e.g. -a exclude,always -F exe=/bin/ls). #97

Changed

Update syscall, arches, and audit msg type tables for Linux 5.16. #96
Go 1.16 or newer is required because the project uses the embed package. #104
Fixed error messages from AddRule() in the audit client. #103

Removed

Removed support for resolving syscall numbers to names for the ia64 architecture. #96

Assets 2

03 Feb 08:03

adriansr

2.2.0

[2.2.0]

Added

Add user and group mapping for ECS 1.8 compatibility #86

Changed

Change ECS category of USER_START and USER_END messages to session. #86

Assets 2