From 6bed16326f92e9f520039cac0c6cef5ab648a100 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 27 Apr 2020 13:11:56 -0400
Subject: [PATCH 1/6] Add categorization generator

---
 auditbeat/module/auditd/audit_linux.go | 56 +-
 auditbeat/module/auditd/audit_linux_test.go | 11 +-
 .../module/auditd/ecs_categorization.yml | 10 +
 .../module/auditd/mkecs_categorization.go | 330 +++++++
 .../module/auditd/zecs_categorization.go | 907 ++++++++++++++++++
 5 files changed, 1290 insertions(+), 24 deletions(-)
 create mode 100644 auditbeat/module/auditd/ecs_categorization.yml
 create mode 100644 auditbeat/module/auditd/mkecs_categorization.go
 create mode 100644 auditbeat/module/auditd/zecs_categorization.go

diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go
index 1cf0236d7f7..474aea2eea5 100644
--- a/auditbeat/module/auditd/audit_linux.go
+++ b/auditbeat/module/auditd/audit_linux.go
@@ -17,6 +17,8 @@
 package auditd
+//go:generate sh -c "go run mkecs_categorization.go -in ecs_categorization.yml -out zecs_categorization.go"
+
 import (
 "fmt"
 "os"
@@ -473,11 +475,15 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 if eventOutcome == "fail" {
 eventOutcome = "failure"
 }
+ ecsCategorization := getECSCategorization(auditEvent.Type)
+ // keep this for now, remove in 8.x
+ categories = append(ecsCategorization.Categories, auditEvent.Category.String())
 out := mb.Event{
 Timestamp: auditEvent.Timestamp,
 RootFields: common.MapStr{
 "event": common.MapStr{
- "category": auditEvent.Category.String(),
+ "category": categories,
+ "type": ecsCategorization.Types,
 "action": auditEvent.Summary.Action,
 "outcome": eventOutcome,
 },
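Review bot: `categories = append(ecsCategorization.Categories, auditEvent.Category.String())` appends onto the slice that lives in the package-level `ecsAuditdCategories` table, and `"type": ecsCategorization.Types` stores that table's other slice directly in the event, which `normalizeEventFields` in the fourth hunk then appends to as well (`types = append(types, ...)`). That is only safe while every generated literal has zero spare capacity; the moment one does, the append writes into the shared table and later events of the same type pick up another event's value. Copy before appending, e.g. `categories := append(make([]string, 0, len(ecsCategorization.Categories)+1), ecsCategorization.Categories...)` followed by `categories = append(categories, auditEvent.Category.String())`, and do the same for `types`. If `categories` is not declared earlier in `buildMetricbeatEvent` (outside this hunk), the plain `=` will not compile and needs `:=`. For message types absent from the table `getECSCategorization` returns the zero value, so `event.type` is a nil slice and serializes as `null` where mapped types give `[]`; omitting the key or emitting an empty slice keeps the field shape consistent.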
@@ -541,7 +547,7 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 switch auditEvent.Category {
 case aucoalesce.EventTypeUserLogin:
- // Customize event.type / event.category to match unified values.
+ // Remove this call in 8.x
 normalizeEventFields(out.RootFields)
 // Set ECS user fields from the attempted login account.
 if usernameOrID := auditEvent.Summary.Actor.Secondary; usernameOrID != "" {
@@ -559,20 +565,15 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 return out
 }
-func resolveUsernameOrID(userOrID string) (usr *user.User, err error) {
- usr, err = user.Lookup(userOrID)
- if err == nil {
- // User found by name
- return
- }
- if _, ok := err.(user.UnknownUserError); !ok {
- // Lookup failed by a reason other than user not found
+func normalizeEventFields(m common.MapStr) {
+ getFieldAsStrs := func(key string) (s []string, found bool) {
+ iface, err := m.GetValue(key)
+ if err != nil {
+ return
+ }
+ s, found = iface.([]string)
 return
 }
- return user.LookupId(userOrID)
-}
-
-func normalizeEventFields(m common.MapStr) {
 getFieldAsStr := func(key string) (s string, found bool) {
 iface, err := m.GetValue(key)
 if err != nil {
@@ -582,16 +583,33 @@ func normalizeEventFields(m common.MapStr) {
 return
 }
- category, ok1 := getFieldAsStr("event.category")
+ categories, ok1 := getFieldAsStrs("event.category")
 action, ok2 := getFieldAsStr("event.action")
 outcome, ok3 := getFieldAsStr("event.outcome")
- if !ok1 || !ok2 || !ok3 {
+ types, ok4 := getFieldAsStrs("event.type")
+ if !ok1 || !ok2 || !ok3 || !ok4 {
+ return
+ }
+ for _, category := range categories {
+ if category == "authentication" && action == "logged-in" { // USER_LOGIN
+ types = append(types, fmt.Sprintf("authentication_%s", outcome))
+ m.Put("event.type", types)
+ return
+ }
+ }
+}
+
+func resolveUsernameOrID(userOrID string) (usr *user.User, err error) {
+ usr, err = user.Lookup(userOrID)
+ if err == nil {
+ // User found by name
 return
 }
- if category == "user-login" && action == "logged-in" { // USER_LOGIN
- m.Put("event.category", "authentication")
- m.Put("event.type", fmt.Sprintf("authentication_%s", outcome))
+ if _, ok := err.(user.UnknownUserError); !ok {
+ // Lookup failed by a reason other than user not found
+ return
 }
+ return user.LookupId(userOrID)
 }
 func addUser(u aucoalesce.User, m common.MapStr) {
diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go
index c8da4f06965..aaf0b522086 100644
--- a/auditbeat/module/auditd/audit_linux_test.go
+++ b/auditbeat/module/auditd/audit_linux_test.go
@@ -141,23 +141,24 @@ func TestLoginType(t *testing.T) {
 for idx, expected := range []common.MapStr{
 {
- "event.category": "authentication",
- "event.type": "authentication_failure",
+ "event.category": []string{"authentication"},
+ "event.type": []string{"authentication_failure"},
 "event.outcome": "failure",
 "user.name": "(invalid user)",
 "user.id": nil,
 "session": nil,
 },
 {
- "event.category": "authentication",
- "event.type": "authentication_success",
+ "event.category": []string{"authentication"},
+ "event.type": []string{"authentication_success"},
 "event.outcome": "success",
 "user.name": "adrian",
 "user.audit.id": nil,
 "auditd.session": nil,
 },
 {
- "event.category": "user-login",
+ "event.category": []string{"user-login"},
+ "event.type": []string{},
 "event.outcome": "success",
 "user.name": "root",
 "user.id": "0",
diff --git a/auditbeat/module/auditd/ecs_categorization.yml b/auditbeat/module/auditd/ecs_categorization.yml
new file mode 100644
index 00000000000..4d796baa398
--- /dev/null
+++ b/auditbeat/module/auditd/ecs_categorization.yml
@@ -0,0 +1,10 @@
+AUDIT_USER_LOGIN:
+ categories:
+ - authenticated
+ types:
+ - start
+AUDIT_USER_AUTH:
+ categories:
+ - authenticated
+ types:
+ - info
diff --git a/auditbeat/module/auditd/mkecs_categorization.go b/auditbeat/module/auditd/mkecs_categorization.go
new file mode 100644
index 00000000000..480d1ece741
--- /dev/null
+++ b/auditbeat/module/auditd/mkecs_categorization.go
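Review bot: `ecs_categorization.yml` maps AUDIT_USER_LOGIN and AUDIT_USER_AUTH to `- authenticated`, but the ECS `event.category` value is `authentication`, which is also the string `normalizeEventFields` matches on and the value `audit_linux_test.go` now expects; with this file as written no login record reaches the `authentication_<outcome>` branch, so the first two test cases cannot pass. Change both entries to `- authentication`. Because `buildMetricbeatEvent` now appends the legacy `auditEvent.Category.String()` after the ECS categories, the test's `"event.category": []string{"authentication"}` looks like it should also carry the legacy `user-login` value — worth checking against the fixture rather than the expectation. The third case's `"event.type": []string{}` depends on whether the assertion helper distinguishes a nil slice from an empty one; that helper is outside this hunk.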
@@ -0,0 +1,330 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// +build ignore
+
+package main
+
+import (
+ "bufio"
+ "bytes"
+ "flag"
+ "fmt"
+ "io"
+ "io/ioutil"
+ "net/http"
+ "os"
+ "os/exec"
+ "path/filepath"
+ "regexp"
+ "strconv"
+ "strings"
+ "text/template"
+
+ "gopkg.in/yaml.v2"
+)
+
+// Min and max record/message numbers.
+const (
+ minRecordNum = 1000
+ maxRecordNum = 3000
+)
+
+type categorizationFields struct {
+ Name string `yaml:"-"`
+ CategoriesString string `yaml:"-"`
+ TypesString string `yaml:"-"`
+ Categories []string `yaml:"categories"`
+ Types []string `yaml:"types"`
+}
+
+// TemplateParams is the data used in evaluating the template.
+type TemplateParams struct {
+ Command string
+ FieldsByNumber map[int]categorizationFields
+}
+
+const fileTemplate = `
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by {{.Command}} - DO NOT EDIT.
+
+package auditd
+
+import (
+ "github.com/elastic/go-libaudit/aucoalesce"
+)
+
+type ecsCategorizationFields struct {
+ Categories []string
+ Types []string
+}
+
+var ecsAuditdCategories = map[aucoalesce.AuditMessageType]ecsCategorizationFields{
+{{- range $recordNum, $recordType := .FieldsByNumber }}
+ auocoalesce.{{ $recordType.Name }}: ecsCategorizationFields{ // {{ $recordNum }}
+ Categories: []string{ {{ $recordType.CategoriesString }} },
+ Types: []string{ {{ $recordType.TypesString }} },
+ },
+{{- end }}
+}
+
+func getECSCategorization(messageType aucoalesce.AuditMessageType) ecsCategorizationFields {
+ if found, ok := ecsAuditdCategories[messageType]; ok {
+ return found
+ }
+ return ecsCategorizationFields{}
+}
+`
+
+var tmpl = template.Must(template.New("message_types").Parse(fileTemplate))
+
+var (
+ headers = []string{
+ `https://raw.githubusercontent.com/torvalds/linux/v4.16/include/uapi/linux/audit.h`,
+ `https://raw.githubusercontent.com/linux-audit/audit-userspace/4d933301b1835cafa08b9e9ef705c8fb6c96cb62/lib/libaudit.h`,
+ `https://raw.githubusercontent.com/linux-audit/audit-userspace/4d933301b1835cafa08b9e9ef705c8fb6c96cb62/lib/msg_typetab.h`,
+ }
+)
+
+func DownloadFile(url, destinationDir string) (string, error) {
+ resp, err := http.Get(url)
+ if err != nil {
+ return "", fmt.Errorf("http get failed: %v", err)
+ }
+ defer resp.Body.Close()
+
+ if resp.StatusCode != http.StatusOK {
+ return "", fmt.Errorf("download failed with http status %v", resp.StatusCode)
+ }
+
+ name := filepath.Join(destinationDir, filepath.Base(url))
+ f, err := os.Create(name)
+ if err != nil {
+ return "", fmt.Errorf("failed to create output file: %v", err)
+ }
+
+ _, err = io.Copy(f, resp.Body)
+ if err != nil {
+ return "", fmt.Errorf("failed to write file to disk: %v", err)
+ }
+
+ return name, nil
+}
+
+var (
+ // nameMappingRegex is used to parse name mappings from msg_typetab.h.
+ nameMappingRegex = regexp.MustCompile(`^_S\((AUDIT_\w+),\s+"(\w+)"`)
+
+ // recordTypeDefinitionRegex is used to parse type definitions from audit
+ // header files.
+ recordTypeDefinitionRegex = regexp.MustCompile(`^#define\s+(AUDIT_\w+)\s+(\d+)`)
+)
+
+func readMessageTypeTable() (map[string]string, error) {
+ f, err := os.Open("msg_typetab.h")
+ if err != nil {
+ return nil, err
+ }
+ defer f.Close()
+
+ constantToStringName := map[string]string{}
+ s := bufio.NewScanner(f)
+ for s.Scan() {
+ matches := nameMappingRegex.FindStringSubmatch(s.Text())
+ if len(matches) == 3 {
+ constantToStringName[matches[1]] = matches[2]
+ }
+ }
+
+ return constantToStringName, nil
+}
+
+func readRecordTypes() (map[string]int, error) {
+ out, err := exec.Command("gcc", "-E", "-dD", "libaudit.h", "audit.h").Output()
+ if err != nil {
+ return nil, err
+ }
+
+ recordTypeToNum := map[string]int{}
+ s := bufio.NewScanner(bytes.NewReader(out))
+ for s.Scan() {
+ matches := recordTypeDefinitionRegex.FindStringSubmatch(s.Text())
+ if len(matches) != 3 {
+ continue
+ }
+ recordNum, _ := strconv.Atoi(matches[2])
+
+ // Filter constants.
+ if recordNum >= minRecordNum && recordNum <= maxRecordNum {
+ recordTypeToNum[matches[1]] = recordNum
+ }
+ }
+
+ return recordTypeToNum, nil
+}
+
+func categorizationFieldFor(recordType string, schema map[string]categorizationFields) categorizationFields {
+ if found, ok := schema[recordType]; ok {
+ categoryStrings := []string{}
+ typeStrings := []string{}
+ for _, category := range found.Categories {
+ categoryStrings = append(categoryStrings, fmt.Sprintf("\"%s\"", category))
+ }
+ for _, typeString := range found.Types {
+ typeStrings = append(typeStrings, fmt.Sprintf("\"%s\"", typeString))
+ }
+ return categorizationFields{
+ Name: recordType,
+ CategoriesString: strings.Join(categoryStrings, ", "),
+ TypesString: strings.Join(typeStrings, ", "),
+ }
+ }
+ return categorizationFields{
+ Name: recordType,
+ }
+}
+
+func run() error {
+ // Open input file.
+ in, err := os.Open(flagIn)
+ if err != nil {
+ return err
+ }
+ defer in.Close()
+
+ inData, err := ioutil.ReadAll(in)
+ if err != nil {
+ return err
+ }
+
+ schema := make(map[string]categorizationFields)
+ if err := yaml.Unmarshal(inData, &schema); err != nil {
+ return err
+ }
+
+ tmp, err := ioutil.TempDir("", "mk_audit_msg_types")
+ if err != nil {
+ return err
+ }
+ defer os.RemoveAll(tmp)
+
+ // Download header files from the Linux audit project.
+ var files []string
+ for _, url := range headers {
+ f, err := DownloadFile(url, tmp)
+ if err != nil {
+ return fmt.Errorf("download failed for %v: %v", url, err)
+ }
+ files = append(files, f)
+ }
+
+ if err := os.Chdir(tmp); err != nil {
+ return err
+ }
+
+ recordTypeToStringName, err := readMessageTypeTable()
+ if err != nil {
+ return err
+ }
+
+ recordTypeToNum, err := readRecordTypes()
+ if err != nil {
+ return err
+ }
+
+ numToRecordType := map[int]categorizationFields{}
+ for recordType := range recordTypeToStringName {
+ num, found := recordTypeToNum[recordType]
+ if !found {
+ return fmt.Errorf("missing definition of %v", recordType)
+ }
+ numToRecordType[num] = categorizationFieldFor(recordType, schema)
+ }
+
+ for recordType, num := range recordTypeToNum {
+ // Do not replace existing mappings.
+ if _, found := numToRecordType[num]; found {
+ continue
+ }
+ numToRecordType[num] = categorizationFieldFor(recordType, schema)
+ }
+
+ // Create output file.
+ f, err := os.Create(flagOut)
+ if err != nil {
+ return err
+ }
+
+ // Evaluate template.
+ r := TemplateParams{
+ Command: filepath.Base(os.Args[0]),
+ FieldsByNumber: numToRecordType,
+ }
+ if err := tmpl.Execute(f, r); err != nil {
+ f.Close()
+ return err
+ }
+ f.Close()
+
+ if _, err := exec.Command("go", "fmt", flagOut).Output(); err != nil {
+ return nil
+ }
+
+ return nil
+}
+
+var flagIn string
+var flagOut string
+
+func main() {
+ flag.StringVar(&flagIn, "in", "ecs_categorization.yml", "input file")
+ flag.StringVar(&flagOut, "out", "zecs_categorization.go", "output file")
+ flag.Parse()
+
+ var err error
+ flagIn, err = filepath.Abs(flagIn)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "error: %v\n", err)
+ os.Exit(1)
+ }
+ flagOut, err = filepath.Abs(flagOut)
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "error: %v\n", err)
+ os.Exit(1)
+ }
+
+ if err := run(); err != nil {
+ fmt.Fprintf(os.Stderr, "error: %v\n", err)
+ os.Exit(1)
+ }
+}
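Review bot: The template emits `auocoalesce.{{ $recordType.Name }}` while the generated file imports `aucoalesce`, so `zecs_categorization.go` cannot compile (the generated output in this same patch carries the `auocoalesce.` prefix on every entry); the template line should read `aucoalesce.{{ $recordType.Name }}: ecsCategorizationFields{ // {{ $recordNum }}`. In `run`, `if _, err := exec.Command("go", "fmt", flagOut).Output(); err != nil { return nil }` swallows a gofmt failure — return `fmt.Errorf("formatting %s: %w", flagOut, err)` instead so a broken output is not reported as success. `DownloadFile` never closes `f` after `io.Copy`, and `http.Get` uses the default client with no timeout; add `defer f.Close()` after `os.Create` and use an `http.Client{Timeout: ...}` so a stalled download fails rather than hanging `go generate`. A schema key that matches no record type (a mistyped `AUDIT_*` name) and an unknown YAML field are both silently ignored; `yaml.UnmarshalStrict` plus a check that every `schema` key was consumed by `categorizationFieldFor` would turn both into generation errors. The `files` slice in `run` is appended to but never read.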
diff --git a/auditbeat/module/auditd/zecs_categorization.go b/auditbeat/module/auditd/zecs_categorization.go
new file mode 100644
index 00000000000..3ae76315cf3
--- /dev/null
+++ b/auditbeat/module/auditd/zecs_categorization.go
@@ -0,0 +1,907 @@ +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +// Code generated by mkecs_categorization - DO NOT EDIT. + +package auditd + +import ( + "github.com/elastic/go-libaudit/aucoalesce" +) + +type ecsCategorizationFields struct { + Categories []string + Types []string +} + +var ecsAuditdCategories = map[aucoalesce.AuditMessageType]ecsCategorizationFields{ + auocoalesce.AUDIT_GET: ecsCategorizationFields{ // 1000 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SET: ecsCategorizationFields{ // 1001 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LIST: ecsCategorizationFields{ // 1002 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ADD: ecsCategorizationFields{ // 1003 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DEL: ecsCategorizationFields{ // 1004 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER: ecsCategorizationFields{ // 1005 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LOGIN: ecsCategorizationFields{ // 1006 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_WATCH_INS: ecsCategorizationFields{ // 1007 + Categories: []string{}, + 
Types: []string{}, + }, + auocoalesce.AUDIT_WATCH_REM: ecsCategorizationFields{ // 1008 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_WATCH_LIST: ecsCategorizationFields{ // 1009 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SIGNAL_INFO: ecsCategorizationFields{ // 1010 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ADD_RULE: ecsCategorizationFields{ // 1011 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DEL_RULE: ecsCategorizationFields{ // 1012 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LIST_RULES: ecsCategorizationFields{ // 1013 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_TRIM: ecsCategorizationFields{ // 1014 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAKE_EQUIV: ecsCategorizationFields{ // 1015 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_TTY_GET: ecsCategorizationFields{ // 1016 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_TTY_SET: ecsCategorizationFields{ // 1017 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SET_FEATURE: ecsCategorizationFields{ // 1018 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_GET_FEATURE: ecsCategorizationFields{ // 1019 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_AUTH: ecsCategorizationFields{ // 1100 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_ACCT: ecsCategorizationFields{ // 1101 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_MGMT: ecsCategorizationFields{ // 1102 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRED_ACQ: ecsCategorizationFields{ // 1103 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRED_DISP: ecsCategorizationFields{ // 1104 + Categories: []string{}, + Types: []string{}, + }, + 
auocoalesce.AUDIT_USER_START: ecsCategorizationFields{ // 1105 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_END: ecsCategorizationFields{ // 1106 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_AVC: ecsCategorizationFields{ // 1107 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_CHAUTHTOK: ecsCategorizationFields{ // 1108 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_ERR: ecsCategorizationFields{ // 1109 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRED_REFR: ecsCategorizationFields{ // 1110 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USYS_CONFIG: ecsCategorizationFields{ // 1111 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_LOGIN: ecsCategorizationFields{ // 1112 + Categories: []string{"authenticated"}, + Types: []string{"start"}, + }, + auocoalesce.AUDIT_USER_LOGOUT: ecsCategorizationFields{ // 1113 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ADD_USER: ecsCategorizationFields{ // 1114 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DEL_USER: ecsCategorizationFields{ // 1115 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ADD_GROUP: ecsCategorizationFields{ // 1116 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DEL_GROUP: ecsCategorizationFields{ // 1117 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAC_CHECK: ecsCategorizationFields{ // 1118 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CHGRP_ID: ecsCategorizationFields{ // 1119 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_TEST: ecsCategorizationFields{ // 1120 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_TRUSTED_APP: ecsCategorizationFields{ // 1121 + Categories: []string{}, + Types: []string{}, + }, + 
auocoalesce.AUDIT_USER_SELINUX_ERR: ecsCategorizationFields{ // 1122 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_CMD: ecsCategorizationFields{ // 1123 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_TTY: ecsCategorizationFields{ // 1124 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CHUSER_ID: ecsCategorizationFields{ // 1125 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_GRP_AUTH: ecsCategorizationFields{ // 1126 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SYSTEM_BOOT: ecsCategorizationFields{ // 1127 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SYSTEM_SHUTDOWN: ecsCategorizationFields{ // 1128 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SYSTEM_RUNLEVEL: ecsCategorizationFields{ // 1129 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SERVICE_START: ecsCategorizationFields{ // 1130 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SERVICE_STOP: ecsCategorizationFields{ // 1131 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_GRP_MGMT: ecsCategorizationFields{ // 1132 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_GRP_CHAUTHTOK: ecsCategorizationFields{ // 1133 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_CHECK: ecsCategorizationFields{ // 1134 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ACCT_LOCK: ecsCategorizationFields{ // 1135 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ACCT_UNLOCK: ecsCategorizationFields{ // 1136 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_DEVICE: ecsCategorizationFields{ // 1137 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SOFTWARE_UPDATE: ecsCategorizationFields{ // 1138 + Categories: []string{}, + Types: 
[]string{}, + }, + auocoalesce.AUDIT_LAST_USER_MSG: ecsCategorizationFields{ // 1199 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_START: ecsCategorizationFields{ // 1200 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_END: ecsCategorizationFields{ // 1201 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_ABORT: ecsCategorizationFields{ // 1202 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_CONFIG: ecsCategorizationFields{ // 1203 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_RECONFIG: ecsCategorizationFields{ // 1204 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_ROTATE: ecsCategorizationFields{ // 1205 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_RESUME: ecsCategorizationFields{ // 1206 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_ACCEPT: ecsCategorizationFields{ // 1207 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_CLOSE: ecsCategorizationFields{ // 1208 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DAEMON_ERR: ecsCategorizationFields{ // 1209 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_DAEMON: ecsCategorizationFields{ // 1299 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SYSCALL: ecsCategorizationFields{ // 1300 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_PATH: ecsCategorizationFields{ // 1302 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_IPC: ecsCategorizationFields{ // 1303 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SOCKETCALL: ecsCategorizationFields{ // 1304 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CONFIG_CHANGE: ecsCategorizationFields{ // 1305 + Categories: []string{}, + 
Types: []string{}, + }, + auocoalesce.AUDIT_SOCKADDR: ecsCategorizationFields{ // 1306 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CWD: ecsCategorizationFields{ // 1307 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_EXECVE: ecsCategorizationFields{ // 1309 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_IPC_SET_PERM: ecsCategorizationFields{ // 1311 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MQ_OPEN: ecsCategorizationFields{ // 1312 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MQ_SENDRECV: ecsCategorizationFields{ // 1313 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MQ_NOTIFY: ecsCategorizationFields{ // 1314 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MQ_GETSETATTR: ecsCategorizationFields{ // 1315 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_KERNEL_OTHER: ecsCategorizationFields{ // 1316 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_FD_PAIR: ecsCategorizationFields{ // 1317 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_OBJ_PID: ecsCategorizationFields{ // 1318 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_TTY: ecsCategorizationFields{ // 1319 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_EOE: ecsCategorizationFields{ // 1320 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_BPRM_FCAPS: ecsCategorizationFields{ // 1321 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CAPSET: ecsCategorizationFields{ // 1322 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MMAP: ecsCategorizationFields{ // 1323 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_NETFILTER_PKT: ecsCategorizationFields{ // 1324 + Categories: []string{}, + Types: []string{}, + }, + 
auocoalesce.AUDIT_NETFILTER_CFG: ecsCategorizationFields{ // 1325 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SECCOMP: ecsCategorizationFields{ // 1326 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_PROCTITLE: ecsCategorizationFields{ // 1327 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_FEATURE_CHANGE: ecsCategorizationFields{ // 1328 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_REPLACE: ecsCategorizationFields{ // 1329 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_KERN_MODULE: ecsCategorizationFields{ // 1330 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_FANOTIFY: ecsCategorizationFields{ // 1331 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_EVENT: ecsCategorizationFields{ // 1399 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_AVC: ecsCategorizationFields{ // 1400 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_SELINUX_ERR: ecsCategorizationFields{ // 1401 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_AVC_PATH: ecsCategorizationFields{ // 1402 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_POLICY_LOAD: ecsCategorizationFields{ // 1403 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_STATUS: ecsCategorizationFields{ // 1404 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_CONFIG_CHANGE: ecsCategorizationFields{ // 1405 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_UNLBL_ALLOW: ecsCategorizationFields{ // 1406 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_CIPSOV4_ADD: ecsCategorizationFields{ // 1407 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_CIPSOV4_DEL: ecsCategorizationFields{ // 1408 + Categories: []string{}, + Types: []string{}, 
+ }, + auocoalesce.AUDIT_MAC_MAP_ADD: ecsCategorizationFields{ // 1409 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_MAP_DEL: ecsCategorizationFields{ // 1410 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_IPSEC_ADDSA: ecsCategorizationFields{ // 1411 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_IPSEC_DELSA: ecsCategorizationFields{ // 1412 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_IPSEC_ADDSPD: ecsCategorizationFields{ // 1413 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_IPSEC_DELSPD: ecsCategorizationFields{ // 1414 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_IPSEC_EVENT: ecsCategorizationFields{ // 1415 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_UNLBL_STCADD: ecsCategorizationFields{ // 1416 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_UNLBL_STCDEL: ecsCategorizationFields{ // 1417 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_CALIPSO_ADD: ecsCategorizationFields{ // 1418 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_MAC_CALIPSO_DEL: ecsCategorizationFields{ // 1419 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_SELINUX: ecsCategorizationFields{ // 1499 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_AA: ecsCategorizationFields{ // 1500 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_APPARMOR_AUDIT: ecsCategorizationFields{ // 1501 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_APPARMOR_ALLOWED: ecsCategorizationFields{ // 1502 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_APPARMOR_DENIED: ecsCategorizationFields{ // 1503 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_APPARMOR_HINT: ecsCategorizationFields{ // 
1504 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_APPARMOR_STATUS: ecsCategorizationFields{ // 1505 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_APPARMOR_ERROR: ecsCategorizationFields{ // 1506 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_APPARMOR: ecsCategorizationFields{ // 1599 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_FIRST_KERN_CRYPTO_MSG: ecsCategorizationFields{ // 1600 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_KERN_CRYPTO_MSG: ecsCategorizationFields{ // 1699 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_PROMISCUOUS: ecsCategorizationFields{ // 1700 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_ABEND: ecsCategorizationFields{ // 1701 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LINK: ecsCategorizationFields{ // 1702 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_KERN_ANOM_MSG: ecsCategorizationFields{ // 1799 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_DATA: ecsCategorizationFields{ // 1800 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_METADATA: ecsCategorizationFields{ // 1801 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_STATUS: ecsCategorizationFields{ // 1802 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_HASH: ecsCategorizationFields{ // 1803 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_PCR: ecsCategorizationFields{ // 1804 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_RULE: ecsCategorizationFields{ // 1805 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_EVM_XATTR: ecsCategorizationFields{ // 1806 + Categories: []string{}, + Types: 
[]string{}, + }, + auocoalesce.AUDIT_INTEGRITY_POLICY_RULE: ecsCategorizationFields{ // 1807 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_INTEGRITY_LAST_MSG: ecsCategorizationFields{ // 1899 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_KERNEL: ecsCategorizationFields{ // 2000 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LOGIN_FAILURES: ecsCategorizationFields{ // 2100 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LOGIN_TIME: ecsCategorizationFields{ // 2101 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LOGIN_SESSIONS: ecsCategorizationFields{ // 2102 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LOGIN_ACCT: ecsCategorizationFields{ // 2103 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LOGIN_LOCATION: ecsCategorizationFields{ // 2104 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_MAX_DAC: ecsCategorizationFields{ // 2105 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_MAX_MAC: ecsCategorizationFields{ // 2106 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_AMTU_FAIL: ecsCategorizationFields{ // 2107 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_RBAC_FAIL: ecsCategorizationFields{ // 2108 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_RBAC_INTEGRITY_FAIL: ecsCategorizationFields{ // 2109 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_CRYPTO_FAIL: ecsCategorizationFields{ // 2110 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_ACCESS_FS: ecsCategorizationFields{ // 2111 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_EXEC: ecsCategorizationFields{ // 2112 + Categories: []string{}, + Types: []string{}, + }, + 
auocoalesce.AUDIT_ANOM_MK_EXEC: ecsCategorizationFields{ // 2113 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_ADD_ACCT: ecsCategorizationFields{ // 2114 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_DEL_ACCT: ecsCategorizationFields{ // 2115 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_MOD_ACCT: ecsCategorizationFields{ // 2116 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_ROOT_TRANS: ecsCategorizationFields{ // 2117 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ANOM_LOGIN_SERVICE: ecsCategorizationFields{ // 2118 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_ANOM_MSG: ecsCategorizationFields{ // 2199 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ANOMALY: ecsCategorizationFields{ // 2200 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ALERT: ecsCategorizationFields{ // 2201 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_KILL_PROC: ecsCategorizationFields{ // 2202 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_TERM_ACCESS: ecsCategorizationFields{ // 2203 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ACCT_REMOTE: ecsCategorizationFields{ // 2204 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ACCT_LOCK_TIMED: ecsCategorizationFields{ // 2205 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ACCT_UNLOCK_TIMED: ecsCategorizationFields{ // 2206 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ACCT_LOCK: ecsCategorizationFields{ // 2207 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_TERM_LOCK: ecsCategorizationFields{ // 2208 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_SEBOOL: 
ecsCategorizationFields{ // 2209 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_EXEC: ecsCategorizationFields{ // 2210 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_SINGLE: ecsCategorizationFields{ // 2211 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_HALT: ecsCategorizationFields{ // 2212 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ORIGIN_BLOCK: ecsCategorizationFields{ // 2213 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_RESP_ORIGIN_BLOCK_TIMED: ecsCategorizationFields{ // 2214 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_ANOM_RESP: ecsCategorizationFields{ // 2299 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_ROLE_CHANGE: ecsCategorizationFields{ // 2300 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ROLE_ASSIGN: ecsCategorizationFields{ // 2301 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ROLE_REMOVE: ecsCategorizationFields{ // 2302 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LABEL_OVERRIDE: ecsCategorizationFields{ // 2303 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LABEL_LEVEL_CHANGE: ecsCategorizationFields{ // 2304 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_LABELED_EXPORT: ecsCategorizationFields{ // 2305 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_UNLABELED_EXPORT: ecsCategorizationFields{ // 2306 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DEV_ALLOC: ecsCategorizationFields{ // 2307 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_DEV_DEALLOC: ecsCategorizationFields{ // 2308 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_FS_RELABEL: ecsCategorizationFields{ // 2309 + Categories: []string{}, + 
Types: []string{}, + }, + auocoalesce.AUDIT_USER_MAC_POLICY_LOAD: ecsCategorizationFields{ // 2310 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_ROLE_MODIFY: ecsCategorizationFields{ // 2311 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_USER_MAC_CONFIG_CHANGE: ecsCategorizationFields{ // 2312 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_USER_LSPP_MSG: ecsCategorizationFields{ // 2399 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_TEST_USER: ecsCategorizationFields{ // 2400 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_PARAM_CHANGE_USER: ecsCategorizationFields{ // 2401 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_LOGIN: ecsCategorizationFields{ // 2402 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_LOGOUT: ecsCategorizationFields{ // 2403 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_KEY_USER: ecsCategorizationFields{ // 2404 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_FAILURE_USER: ecsCategorizationFields{ // 2405 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_REPLAY_USER: ecsCategorizationFields{ // 2406 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_SESSION: ecsCategorizationFields{ // 2407 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_IKE_SA: ecsCategorizationFields{ // 2408 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_CRYPTO_IPSEC_SA: ecsCategorizationFields{ // 2409 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_CRYPTO_MSG: ecsCategorizationFields{ // 2499 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_CONTROL: ecsCategorizationFields{ // 2500 + Categories: []string{}, + Types: []string{}, + }, + 
auocoalesce.AUDIT_VIRT_RESOURCE: ecsCategorizationFields{ // 2501 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_MACHINE_ID: ecsCategorizationFields{ // 2502 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_INTEGRITY_CHECK: ecsCategorizationFields{ // 2503 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_CREATE: ecsCategorizationFields{ // 2504 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_DESTROY: ecsCategorizationFields{ // 2505 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_MIGRATE_IN: ecsCategorizationFields{ // 2506 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_VIRT_MIGRATE_OUT: ecsCategorizationFields{ // 2507 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_VIRT_MSG: ecsCategorizationFields{ // 2599 + Categories: []string{}, + Types: []string{}, + }, + auocoalesce.AUDIT_LAST_USER_MSG2: ecsCategorizationFields{ // 2999 + Categories: []string{}, + Types: []string{}, + }, +} + +func getECSCategorization(messageType aucoalesce.AuditMessageType) ecsCategorizationFields { + if found, ok := ecsAuditdCategories[messageType]; ok { + return found + } + return ecsCategorizationFields{} +} From 71ceb1dada7b821783ae9ddab9cdcecb05006e30 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 27 Apr 2020 13:12:44 -0400 Subject: [PATCH 2/6] update test --- auditbeat/module/auditd/audit_linux_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go index aaf0b522086..c68feb2c580 100644 --- a/auditbeat/module/auditd/audit_linux_test.go +++ b/auditbeat/module/auditd/audit_linux_test.go 
@@ -141,24 +141,24 @@ func TestLoginType(t *testing.T) { for idx, expected := range []common.MapStr{ { - "event.category": []string{"authentication"}, - "event.type": []string{"authentication_failure"}, + "event.category": []string{"authentication", "user-login"}, + "event.type": []string{"start", "authentication_failure"}, "event.outcome": "failure", "user.name": "(invalid user)", "user.id": nil, "session": nil, }, { - "event.category": []string{"authentication"}, - "event.type": []string{"authentication_success"}, + "event.category": []string{"authentication", "user-login"}, + "event.type": []string{"start", "authentication_success"}, "event.outcome": "success", "user.name": "adrian", "user.audit.id": nil, "auditd.session": nil, }, { - "event.category": []string{"user-login"}, - "event.type": []string{}, + "event.category": []string{"authentication", "user-login"}, + "event.type": []string{"info"}, "event.outcome": "success", "user.name": "root", "user.id": "0", From 0ce532596ebd7dfcac2cba3102772a5c9c5f0b5d Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Mon, 27 Apr 2020 14:09:38 -0400 Subject: [PATCH 3/6] update generator --- auditbeat/module/auditd/audit_linux.go | 4 +- .../module/auditd/ecs_categorization.yml | 37 +- .../module/auditd/mkecs_categorization.go | 258 ++--- .../module/auditd/zecs_categorization.go | 901 +----------------- 4 files changed, 147 insertions(+), 1053 deletions(-) diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go index 474aea2eea5..3f21dad4012 100644 --- a/auditbeat/module/auditd/audit_linux.go +++ b/auditbeat/module/auditd/audit_linux.go 
@@ -475,9 +475,9 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 if eventOutcome == "fail" {
 eventOutcome = "failure"
 }
- ecsCategorization := getECSCategorization(auditEvent.Type)
+ ecsCategorization := getECSCategorization(auditEvent.Category, auditEvent.Type)
 // keep this for now, remove in 8.x
- categories = append(ecsCategorization.Categories, auditEvent.Category.String())
+ categories := append(ecsCategorization.Categories, auditEvent.Category.String())
 out := mb.Event{
 Timestamp: auditEvent.Timestamp,
 RootFields: common.MapStr{
diff --git a/auditbeat/module/auditd/ecs_categorization.yml b/auditbeat/module/auditd/ecs_categorization.yml
index 4d796baa398..c605e3777f3 100644
--- a/auditbeat/module/auditd/ecs_categorization.yml
+++ b/auditbeat/module/auditd/ecs_categorization.yml
@@ -1,10 +1,27 @@
-AUDIT_USER_LOGIN:
- categories:
- - authenticated
- types:
- - start
-AUDIT_USER_AUTH:
- categories:
- - authenticated
- types:
- - info
+eventTypes:
+ # EventTypeUnknown:
+ # EventTypeUserspace:
+ # EventTypeSystemServices:
+ # EventTypeConfig:
+ # EventTypeTTY:
+ # EventTypeUserAccount:
+ EventTypeUserLogin:
+ categories:
+ - authentication
+ default_types:
+ - info
+ types:
+ AUDIT_USER_LOGIN:
+ - start
+ # EventTypeAuditDaemon:
+ # EventTypeMACDecision:
+ # EventTypeAnomoly:
+ # EventTypeIntegrity:
+ # EventTypeAnomolyResponse:
+ # EventTypeMAC:
+ # EventTypeCrypto:
+ # EventTypeVirt:
+ # EventTypeAuditRule:
+ # EventTypeDACDecision:
+ # EventTypeGroupChange:
+# messageTypes:
diff --git a/auditbeat/module/auditd/mkecs_categorization.go b/auditbeat/module/auditd/mkecs_categorization.go
index 480d1ece741..b3bccad545f 100644
--- a/auditbeat/module/auditd/mkecs_categorization.go
+++ b/auditbeat/module/auditd/mkecs_categorization.go
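Review bot: `categories := append(ecsCategorization.Categories, auditEvent.Category.String())` appends onto a slice that getECSCategorization hands back straight from the package-level lookup tables in zecs_categorization.go, so the new element would land in the table's shared backing array whenever that slice has spare capacity. With the generated `[]string{...}` literals len equals cap, so today the append reallocates, but nothing pins that down, and buildMetricbeatEvent runs once per event; a future change to the generator or the table turns this into cross-event corruption of event.category and a data race. Build the field from a copy instead: `categories := make([]string, 0, len(ecsCategorization.Categories)+1)`, `categories = append(categories, ecsCategorization.Categories...)`, `categories = append(categories, auditEvent.Category.String())`. buildMetricbeatEvent begins and ends outside this hunk.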
@@ -20,42 +20,39 @@ package main import ( - "bufio" - "bytes" "flag" "fmt" - "io" "io/ioutil" - "net/http" "os" "os/exec" "path/filepath" - "regexp" - "strconv" "strings" "text/template" "gopkg.in/yaml.v2" ) -// Min and max record/message numbers. -const ( - minRecordNum = 1000 - maxRecordNum = 3000 -) - -type categorizationFields struct { - Name string `yaml:"-"` +type messageType struct { CategoriesString string `yaml:"-"` TypesString string `yaml:"-"` Categories []string `yaml:"categories"` Types []string `yaml:"types"` } +type eventType struct { + CategoriesString string `yaml:"-"` + DefaultTypesString string `yaml:"-"` + TypeStrings map[string]string `yaml:"-"` + Categories []string `yaml:"categories"` + DefaultTypes []string `yaml:"default_types"` + Types map[string][]string `yaml:"types"` +} + // TemplateParams is the data used in evaluating the template. type TemplateParams struct { - Command string - FieldsByNumber map[int]categorizationFields + Command string `yaml:"-"` + EventTypes map[string]eventType `yaml:"eventTypes"` + MessageTypes map[string]messageType `yaml:"messagetypes"` } const fileTemplate = ` @@ -81,6 +78,7 @@ const fileTemplate = ` package auditd import ( + "github.com/elastic/go-libaudit/auparse" "github.com/elastic/go-libaudit/aucoalesce" ) 
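Review bot: The tag on `MessageTypes map[string]messageType `yaml:"messagetypes"`` in TemplateParams is all lower case while its sibling uses `yaml:"eventTypes"` and the placeholder comment in ecs_categorization.yml reads `# messageTypes:`; yaml.v2 matches keys case-sensitively, so the day that key is uncommented the per-message overrides will parse into nothing and be dropped from the generated table without any error. Change it to `yaml:"messageTypes"` so the tag, the sibling field and the data file agree. The two new structs carry both the parsed lists and pre-quoted template strings; a short doc comment on each, e.g. `// eventType is one entry under eventTypes in ecs_categorization.yml; the *String fields are the Go literals the template emits.`, would explain to the next reader why the same data is held twice.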
@@ -89,128 +87,96 @@ type ecsCategorizationFields struct { Types []string } -var ecsAuditdCategories = map[aucoalesce.AuditMessageType]ecsCategorizationFields{ -{{- range $recordNum, $recordType := .FieldsByNumber }} - auocoalesce.{{ $recordType.Name }}: ecsCategorizationFields{ // {{ $recordNum }} - Categories: []string{ {{ $recordType.CategoriesString }} }, - Types: []string{ {{ $recordType.TypesString }} }, - }, -{{- end }} +type nestedCategorizationFields struct { + Categories []string + DefaultTypes []string + Types map[auparse.AuditMessageType][]string } -func getECSCategorization(messageType aucoalesce.AuditMessageType) ecsCategorizationFields { - if found, ok := ecsAuditdCategories[messageType]; ok { - return found - } - return ecsCategorizationFields{} +var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFields{ +{{- range $name, $eventType := .EventTypes }} + aucoalesce.{{ $name }}: nestedCategorizationFields{ + Categories: []string{ {{ $eventType.CategoriesString }} }, + DefaultTypes: []string{ {{ $eventType.DefaultTypesString }} }, + Types: map[auparse.AuditMessageType][]string{ + {{- range $type, $messageType := $eventType.TypeStrings }} + auparse.{{ $type }}: []string{ {{ $messageType }} }, + {{- end }} + }, + }, +{{- end }} } -` - -var tmpl = template.Must(template.New("message_types").Parse(fileTemplate)) -var ( - headers = []string{ - `https://raw.githubusercontent.com/torvalds/linux/v4.16/include/uapi/linux/audit.h`, - `https://raw.githubusercontent.com/linux-audit/audit-userspace/4d933301b1835cafa08b9e9ef705c8fb6c96cb62/lib/libaudit.h`, - `https://raw.githubusercontent.com/linux-audit/audit-userspace/4d933301b1835cafa08b9e9ef705c8fb6c96cb62/lib/msg_typetab.h`, - } -) - -func DownloadFile(url, destinationDir string) (string, error) { - resp, err := http.Get(url) - if err != nil { - return "", fmt.Errorf("http get failed: %v", err) - } - defer resp.Body.Close() - - if resp.StatusCode != http.StatusOK { - return "", 
fmt.Errorf("download failed with http status %v", resp.StatusCode) - } - - name := filepath.Join(destinationDir, filepath.Base(url)) - f, err := os.Create(name) - if err != nil { - return "", fmt.Errorf("failed to create output file: %v", err) - } - - _, err = io.Copy(f, resp.Body) - if err != nil { - return "", fmt.Errorf("failed to write file to disk: %v", err) - } - - return name, nil +var ecsAuditdCategoryOverrides = map[auparse.AuditMessageType]ecsCategorizationFields{ +{{- range $name, $messageType := .MessageTypes }} + auparse.{{ $name }}: ecsCategorizationFields{ + Categories: []string{ {{ $messageType.CategoriesString }} }, + Types: []string{ {{ $messageType.TypesString }} }, + }, +{{- end }} } -var ( - // nameMappingRegex is used to parse name mappings from msg_typetab.h. - nameMappingRegex = regexp.MustCompile(`^_S\((AUDIT_\w+),\s+"(\w+)"`) - - // recordTypeDefinitionRegex is used to parse type definitions from audit - // header files. - recordTypeDefinitionRegex = regexp.MustCompile(`^#define\s+(AUDIT_\w+)\s+(\d+)`) -) - -func readMessageTypeTable() (map[string]string, error) { - f, err := os.Open("msg_typetab.h") - if err != nil { - return nil, err +func getECSCategorization(eventType aucoalesce.AuditEventType, messageType auparse.AuditMessageType) ecsCategorizationFields { + if found, ok := ecsAuditdCategoryOverrides[messageType]; ok { + return found } - defer f.Close() - - constantToStringName := map[string]string{} - s := bufio.NewScanner(f) - for s.Scan() { - matches := nameMappingRegex.FindStringSubmatch(s.Text()) - if len(matches) == 3 { - constantToStringName[matches[1]] = matches[2] + if found, ok := ecsAuditdCategories[eventType]; ok { + var types []string + if mappedTypes, ok := found.Types[messageType]; ok { + types = mappedTypes + } else { + types = found.DefaultTypes + } + return ecsCategorizationFields{ + Categories: found.Categories, + Types: types, } } - return constantToStringName, nil + return ecsCategorizationFields{} } +` -func 
readRecordTypes() (map[string]int, error) { - out, err := exec.Command("gcc", "-E", "-dD", "libaudit.h", "audit.h").Output() - if err != nil { - return nil, err - } +var tmpl = template.Must(template.New("message_types").Parse(fileTemplate)) - recordTypeToNum := map[string]int{} - s := bufio.NewScanner(bytes.NewReader(out)) - for s.Scan() { - matches := recordTypeDefinitionRegex.FindStringSubmatch(s.Text()) - if len(matches) != 3 { - continue +func fillMessageTypes(schema map[string]messageType) { + for name, message := range schema { + categoryStrings := []string{} + typeStrings := []string{} + for _, category := range message.Categories { + categoryStrings = append(categoryStrings, fmt.Sprintf("\"%s\"", category)) } - recordNum, _ := strconv.Atoi(matches[2]) - - // Filter constants. - if recordNum >= minRecordNum && recordNum <= maxRecordNum { - recordTypeToNum[matches[1]] = recordNum + for _, typeString := range message.Types { + typeStrings = append(typeStrings, fmt.Sprintf("\"%s\"", typeString)) } + message.CategoriesString = strings.Join(categoryStrings, ", ") + message.TypesString = strings.Join(typeStrings, ", ") + schema[name] = message } - - return recordTypeToNum, nil } -func categorizationFieldFor(recordType string, schema map[string]categorizationFields) categorizationFields { - if found, ok := schema[recordType]; ok { +func fillEventTypes(schema map[string]eventType) { + for name, event := range schema { categoryStrings := []string{} - typeStrings := []string{} - for _, category := range found.Categories { + defaultTypeStrings := []string{} + for _, category := range event.Categories { categoryStrings = append(categoryStrings, fmt.Sprintf("\"%s\"", category)) } - for _, typeString := range found.Types { - typeStrings = append(typeStrings, fmt.Sprintf("\"%s\"", typeString)) + for _, typeString := range event.DefaultTypes { + defaultTypeStrings = append(defaultTypeStrings, fmt.Sprintf("\"%s\"", typeString)) } - return categorizationFields{ - Name: 
recordType, - CategoriesString: strings.Join(categoryStrings, ", "), - TypesString: strings.Join(typeStrings, ", "), + event.CategoriesString = strings.Join(categoryStrings, ", ") + event.DefaultTypesString = strings.Join(defaultTypeStrings, ", ") + typeStrings := make(map[string]string, len(event.Types)) + for name, messageType := range event.Types { + types := []string{} + for _, typeString := range messageType { + types = append(types, fmt.Sprintf("\"%s\"", typeString)) + } + typeStrings[name] = strings.Join(types, ", ") } - } - return categorizationFields{ - Name: recordType, + event.TypeStrings = typeStrings + schema[name] = event } } 
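Review bot: The `fmt.Sprintf("\"%s\"", ...)` calls in fillMessageTypes and fillEventTypes build Go string literals with no escaping, so a category or type value in ecs_categorization.yml that contains `"` or `\` is written into zecs_categorization.go verbatim and either fails to compile or silently changes the literal's meaning; `strconv.Quote(category)` yields a valid literal for any input (strconv was removed from this file's imports in the first hunk and would need to come back). In fillEventTypes the inner `for name, messageType := range event.Types` shadows the outer `name`, and the trailing `schema[name] = event` only works because the shadow has left scope by then; naming the inner variable `typeName` removes the trap. The generated getECSCategorization returns slices that alias the package-level tables, which its consumer in audit_linux.go appends to; a doc comment in the template such as `// getECSCategorization returns the ECS categorization for an event; the returned slices are shared with the lookup tables and must not be modified by callers.` would make that contract explicit.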
@@ -227,70 +193,20 @@ func run() error { return err } - schema := make(map[string]categorizationFields) - if err := yaml.Unmarshal(inData, &schema); err != nil { - return err - } - - tmp, err := ioutil.TempDir("", "mk_audit_msg_types") - if err != nil { - return err - } - defer os.RemoveAll(tmp) - - // Download header files from the Linux audit project. - var files []string - for _, url := range headers { - f, err := DownloadFile(url, tmp) - if err != nil { - return fmt.Errorf("download failed for %v: %v", url, err) - } - files = append(files, f) - } - - if err := os.Chdir(tmp); err != nil { - return err + params := TemplateParams{ + Command: filepath.Base(os.Args[0]), } - - recordTypeToStringName, err := readMessageTypeTable() - if err != nil { + if err := yaml.Unmarshal(inData, ¶ms); err != nil { return err } + fillEventTypes(params.EventTypes) + fillMessageTypes(params.MessageTypes) - recordTypeToNum, err := readRecordTypes() - if err != nil { - return err - } - - numToRecordType := map[int]categorizationFields{} - for recordType := range recordTypeToStringName { - num, found := recordTypeToNum[recordType] - if !found { - return fmt.Errorf("missing definition of %v", recordType) - } - numToRecordType[num] = categorizationFieldFor(recordType, schema) - } - - for recordType, num := range recordTypeToNum { - // Do not replace existing mappings. - if _, found := numToRecordType[num]; found { - continue - } - numToRecordType[num] = categorizationFieldFor(recordType, schema) - } - - // Create output file. f, err := os.Create(flagOut) if err != nil { return err } - - // Evaluate template. - r := TemplateParams{ - Command: filepath.Base(os.Args[0]), - FieldsByNumber: numToRecordType, - } - if err := tmpl.Execute(f, r); err != nil { + if err := tmpl.Execute(f, params); err != nil { f.Close() return err } diff --git a/auditbeat/module/auditd/zecs_categorization.go b/auditbeat/module/auditd/zecs_categorization.go index 3ae76315cf3..94f5946af08 100644 
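Review bot: `yaml.Unmarshal(inData, &params)` accepts unknown keys silently, so a typo or a mis-cased key in ecs_categorization.yml yields an empty or partial table and the generator still exits 0, leaving events uncategorized with no signal that the mapping file is wrong. gopkg.in/yaml.v2 provides `yaml.UnmarshalStrict`, which rejects unknown fields and duplicate keys; use it here: `if err := yaml.UnmarshalStrict(inData, &params); err != nil {`. A one-line comment above fillEventTypes and fillMessageTypes, `// pre-render the YAML lists as quoted Go literals for the template`, would tell the reader why the parsed struct is mutated before rendering. run begins and continues outside this hunk.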
--- a/auditbeat/module/auditd/zecs_categorization.go +++ b/auditbeat/module/auditd/zecs_categorization.go @@ -21,6 +21,7 @@ package auditd import ( "github.com/elastic/go-libaudit/aucoalesce" + "github.com/elastic/go-libaudit/auparse" ) type ecsCategorizationFields struct { 
@@ -28,880 +29,40 @@ type ecsCategorizationFields struct { Types []string } -var ecsAuditdCategories = map[aucoalesce.AuditMessageType]ecsCategorizationFields{ - auocoalesce.AUDIT_GET: ecsCategorizationFields{ // 1000 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SET: ecsCategorizationFields{ // 1001 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LIST: ecsCategorizationFields{ // 1002 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ADD: ecsCategorizationFields{ // 1003 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DEL: ecsCategorizationFields{ // 1004 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER: ecsCategorizationFields{ // 1005 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LOGIN: ecsCategorizationFields{ // 1006 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_WATCH_INS: ecsCategorizationFields{ // 1007 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_WATCH_REM: ecsCategorizationFields{ // 1008 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_WATCH_LIST: ecsCategorizationFields{ // 1009 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SIGNAL_INFO: ecsCategorizationFields{ // 1010 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ADD_RULE: ecsCategorizationFields{ // 1011 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DEL_RULE: ecsCategorizationFields{ // 1012 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LIST_RULES: ecsCategorizationFields{ // 1013 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_TRIM: ecsCategorizationFields{ // 1014 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAKE_EQUIV: ecsCategorizationFields{ // 1015 - Categories: []string{}, - Types: []string{}, - }, - 
auocoalesce.AUDIT_TTY_GET: ecsCategorizationFields{ // 1016 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_TTY_SET: ecsCategorizationFields{ // 1017 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SET_FEATURE: ecsCategorizationFields{ // 1018 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_GET_FEATURE: ecsCategorizationFields{ // 1019 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_AUTH: ecsCategorizationFields{ // 1100 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_ACCT: ecsCategorizationFields{ // 1101 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_MGMT: ecsCategorizationFields{ // 1102 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRED_ACQ: ecsCategorizationFields{ // 1103 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRED_DISP: ecsCategorizationFields{ // 1104 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_START: ecsCategorizationFields{ // 1105 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_END: ecsCategorizationFields{ // 1106 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_AVC: ecsCategorizationFields{ // 1107 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_CHAUTHTOK: ecsCategorizationFields{ // 1108 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_ERR: ecsCategorizationFields{ // 1109 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRED_REFR: ecsCategorizationFields{ // 1110 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USYS_CONFIG: ecsCategorizationFields{ // 1111 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_LOGIN: ecsCategorizationFields{ // 1112 - Categories: []string{"authenticated"}, - Types: []string{"start"}, - }, - 
auocoalesce.AUDIT_USER_LOGOUT: ecsCategorizationFields{ // 1113 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ADD_USER: ecsCategorizationFields{ // 1114 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DEL_USER: ecsCategorizationFields{ // 1115 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ADD_GROUP: ecsCategorizationFields{ // 1116 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DEL_GROUP: ecsCategorizationFields{ // 1117 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAC_CHECK: ecsCategorizationFields{ // 1118 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CHGRP_ID: ecsCategorizationFields{ // 1119 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_TEST: ecsCategorizationFields{ // 1120 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_TRUSTED_APP: ecsCategorizationFields{ // 1121 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_SELINUX_ERR: ecsCategorizationFields{ // 1122 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_CMD: ecsCategorizationFields{ // 1123 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_TTY: ecsCategorizationFields{ // 1124 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CHUSER_ID: ecsCategorizationFields{ // 1125 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_GRP_AUTH: ecsCategorizationFields{ // 1126 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SYSTEM_BOOT: ecsCategorizationFields{ // 1127 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SYSTEM_SHUTDOWN: ecsCategorizationFields{ // 1128 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SYSTEM_RUNLEVEL: ecsCategorizationFields{ // 1129 - Categories: []string{}, - Types: []string{}, - }, - 
auocoalesce.AUDIT_SERVICE_START: ecsCategorizationFields{ // 1130 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SERVICE_STOP: ecsCategorizationFields{ // 1131 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_GRP_MGMT: ecsCategorizationFields{ // 1132 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_GRP_CHAUTHTOK: ecsCategorizationFields{ // 1133 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_CHECK: ecsCategorizationFields{ // 1134 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ACCT_LOCK: ecsCategorizationFields{ // 1135 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ACCT_UNLOCK: ecsCategorizationFields{ // 1136 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_DEVICE: ecsCategorizationFields{ // 1137 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SOFTWARE_UPDATE: ecsCategorizationFields{ // 1138 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_USER_MSG: ecsCategorizationFields{ // 1199 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_START: ecsCategorizationFields{ // 1200 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_END: ecsCategorizationFields{ // 1201 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_ABORT: ecsCategorizationFields{ // 1202 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_CONFIG: ecsCategorizationFields{ // 1203 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_RECONFIG: ecsCategorizationFields{ // 1204 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_ROTATE: ecsCategorizationFields{ // 1205 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_RESUME: ecsCategorizationFields{ // 1206 - Categories: []string{}, - 
Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_ACCEPT: ecsCategorizationFields{ // 1207 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_CLOSE: ecsCategorizationFields{ // 1208 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DAEMON_ERR: ecsCategorizationFields{ // 1209 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_DAEMON: ecsCategorizationFields{ // 1299 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SYSCALL: ecsCategorizationFields{ // 1300 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_PATH: ecsCategorizationFields{ // 1302 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_IPC: ecsCategorizationFields{ // 1303 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SOCKETCALL: ecsCategorizationFields{ // 1304 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CONFIG_CHANGE: ecsCategorizationFields{ // 1305 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SOCKADDR: ecsCategorizationFields{ // 1306 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CWD: ecsCategorizationFields{ // 1307 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_EXECVE: ecsCategorizationFields{ // 1309 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_IPC_SET_PERM: ecsCategorizationFields{ // 1311 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MQ_OPEN: ecsCategorizationFields{ // 1312 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MQ_SENDRECV: ecsCategorizationFields{ // 1313 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MQ_NOTIFY: ecsCategorizationFields{ // 1314 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MQ_GETSETATTR: ecsCategorizationFields{ // 1315 - Categories: []string{}, - Types: []string{}, - }, - 
auocoalesce.AUDIT_KERNEL_OTHER: ecsCategorizationFields{ // 1316 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_FD_PAIR: ecsCategorizationFields{ // 1317 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_OBJ_PID: ecsCategorizationFields{ // 1318 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_TTY: ecsCategorizationFields{ // 1319 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_EOE: ecsCategorizationFields{ // 1320 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_BPRM_FCAPS: ecsCategorizationFields{ // 1321 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CAPSET: ecsCategorizationFields{ // 1322 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MMAP: ecsCategorizationFields{ // 1323 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_NETFILTER_PKT: ecsCategorizationFields{ // 1324 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_NETFILTER_CFG: ecsCategorizationFields{ // 1325 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SECCOMP: ecsCategorizationFields{ // 1326 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_PROCTITLE: ecsCategorizationFields{ // 1327 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_FEATURE_CHANGE: ecsCategorizationFields{ // 1328 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_REPLACE: ecsCategorizationFields{ // 1329 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_KERN_MODULE: ecsCategorizationFields{ // 1330 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_FANOTIFY: ecsCategorizationFields{ // 1331 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_EVENT: ecsCategorizationFields{ // 1399 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_AVC: 
ecsCategorizationFields{ // 1400 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_SELINUX_ERR: ecsCategorizationFields{ // 1401 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_AVC_PATH: ecsCategorizationFields{ // 1402 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_POLICY_LOAD: ecsCategorizationFields{ // 1403 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_STATUS: ecsCategorizationFields{ // 1404 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_CONFIG_CHANGE: ecsCategorizationFields{ // 1405 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_UNLBL_ALLOW: ecsCategorizationFields{ // 1406 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_CIPSOV4_ADD: ecsCategorizationFields{ // 1407 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_CIPSOV4_DEL: ecsCategorizationFields{ // 1408 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_MAP_ADD: ecsCategorizationFields{ // 1409 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_MAP_DEL: ecsCategorizationFields{ // 1410 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_IPSEC_ADDSA: ecsCategorizationFields{ // 1411 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_IPSEC_DELSA: ecsCategorizationFields{ // 1412 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_IPSEC_ADDSPD: ecsCategorizationFields{ // 1413 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_IPSEC_DELSPD: ecsCategorizationFields{ // 1414 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_IPSEC_EVENT: ecsCategorizationFields{ // 1415 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_UNLBL_STCADD: ecsCategorizationFields{ // 1416 - Categories: []string{}, - 
Types: []string{}, - }, - auocoalesce.AUDIT_MAC_UNLBL_STCDEL: ecsCategorizationFields{ // 1417 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_CALIPSO_ADD: ecsCategorizationFields{ // 1418 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_MAC_CALIPSO_DEL: ecsCategorizationFields{ // 1419 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_SELINUX: ecsCategorizationFields{ // 1499 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_AA: ecsCategorizationFields{ // 1500 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_APPARMOR_AUDIT: ecsCategorizationFields{ // 1501 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_APPARMOR_ALLOWED: ecsCategorizationFields{ // 1502 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_APPARMOR_DENIED: ecsCategorizationFields{ // 1503 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_APPARMOR_HINT: ecsCategorizationFields{ // 1504 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_APPARMOR_STATUS: ecsCategorizationFields{ // 1505 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_APPARMOR_ERROR: ecsCategorizationFields{ // 1506 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_APPARMOR: ecsCategorizationFields{ // 1599 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_FIRST_KERN_CRYPTO_MSG: ecsCategorizationFields{ // 1600 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_KERN_CRYPTO_MSG: ecsCategorizationFields{ // 1699 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_PROMISCUOUS: ecsCategorizationFields{ // 1700 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_ABEND: ecsCategorizationFields{ // 1701 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LINK: 
ecsCategorizationFields{ // 1702 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_KERN_ANOM_MSG: ecsCategorizationFields{ // 1799 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_DATA: ecsCategorizationFields{ // 1800 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_METADATA: ecsCategorizationFields{ // 1801 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_STATUS: ecsCategorizationFields{ // 1802 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_HASH: ecsCategorizationFields{ // 1803 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_PCR: ecsCategorizationFields{ // 1804 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_RULE: ecsCategorizationFields{ // 1805 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_EVM_XATTR: ecsCategorizationFields{ // 1806 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_POLICY_RULE: ecsCategorizationFields{ // 1807 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_INTEGRITY_LAST_MSG: ecsCategorizationFields{ // 1899 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_KERNEL: ecsCategorizationFields{ // 2000 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LOGIN_FAILURES: ecsCategorizationFields{ // 2100 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LOGIN_TIME: ecsCategorizationFields{ // 2101 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LOGIN_SESSIONS: ecsCategorizationFields{ // 2102 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LOGIN_ACCT: ecsCategorizationFields{ // 2103 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LOGIN_LOCATION: ecsCategorizationFields{ // 
2104 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_MAX_DAC: ecsCategorizationFields{ // 2105 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_MAX_MAC: ecsCategorizationFields{ // 2106 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_AMTU_FAIL: ecsCategorizationFields{ // 2107 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_RBAC_FAIL: ecsCategorizationFields{ // 2108 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_RBAC_INTEGRITY_FAIL: ecsCategorizationFields{ // 2109 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_CRYPTO_FAIL: ecsCategorizationFields{ // 2110 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_ACCESS_FS: ecsCategorizationFields{ // 2111 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_EXEC: ecsCategorizationFields{ // 2112 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_MK_EXEC: ecsCategorizationFields{ // 2113 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_ADD_ACCT: ecsCategorizationFields{ // 2114 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_DEL_ACCT: ecsCategorizationFields{ // 2115 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_MOD_ACCT: ecsCategorizationFields{ // 2116 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_ROOT_TRANS: ecsCategorizationFields{ // 2117 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ANOM_LOGIN_SERVICE: ecsCategorizationFields{ // 2118 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_ANOM_MSG: ecsCategorizationFields{ // 2199 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ANOMALY: ecsCategorizationFields{ // 2200 - Categories: []string{}, - Types: []string{}, - }, - 
auocoalesce.AUDIT_RESP_ALERT: ecsCategorizationFields{ // 2201 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_KILL_PROC: ecsCategorizationFields{ // 2202 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_TERM_ACCESS: ecsCategorizationFields{ // 2203 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ACCT_REMOTE: ecsCategorizationFields{ // 2204 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ACCT_LOCK_TIMED: ecsCategorizationFields{ // 2205 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ACCT_UNLOCK_TIMED: ecsCategorizationFields{ // 2206 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ACCT_LOCK: ecsCategorizationFields{ // 2207 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_TERM_LOCK: ecsCategorizationFields{ // 2208 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_SEBOOL: ecsCategorizationFields{ // 2209 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_EXEC: ecsCategorizationFields{ // 2210 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_SINGLE: ecsCategorizationFields{ // 2211 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_HALT: ecsCategorizationFields{ // 2212 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ORIGIN_BLOCK: ecsCategorizationFields{ // 2213 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_RESP_ORIGIN_BLOCK_TIMED: ecsCategorizationFields{ // 2214 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_ANOM_RESP: ecsCategorizationFields{ // 2299 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_ROLE_CHANGE: ecsCategorizationFields{ // 2300 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ROLE_ASSIGN: 
ecsCategorizationFields{ // 2301 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ROLE_REMOVE: ecsCategorizationFields{ // 2302 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LABEL_OVERRIDE: ecsCategorizationFields{ // 2303 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LABEL_LEVEL_CHANGE: ecsCategorizationFields{ // 2304 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_LABELED_EXPORT: ecsCategorizationFields{ // 2305 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_UNLABELED_EXPORT: ecsCategorizationFields{ // 2306 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DEV_ALLOC: ecsCategorizationFields{ // 2307 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_DEV_DEALLOC: ecsCategorizationFields{ // 2308 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_FS_RELABEL: ecsCategorizationFields{ // 2309 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_MAC_POLICY_LOAD: ecsCategorizationFields{ // 2310 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_ROLE_MODIFY: ecsCategorizationFields{ // 2311 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_USER_MAC_CONFIG_CHANGE: ecsCategorizationFields{ // 2312 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_USER_LSPP_MSG: ecsCategorizationFields{ // 2399 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_TEST_USER: ecsCategorizationFields{ // 2400 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_PARAM_CHANGE_USER: ecsCategorizationFields{ // 2401 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_LOGIN: ecsCategorizationFields{ // 2402 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_LOGOUT: ecsCategorizationFields{ // 2403 - 
Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_KEY_USER: ecsCategorizationFields{ // 2404 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_FAILURE_USER: ecsCategorizationFields{ // 2405 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_REPLAY_USER: ecsCategorizationFields{ // 2406 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_SESSION: ecsCategorizationFields{ // 2407 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_IKE_SA: ecsCategorizationFields{ // 2408 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_CRYPTO_IPSEC_SA: ecsCategorizationFields{ // 2409 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_CRYPTO_MSG: ecsCategorizationFields{ // 2499 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_CONTROL: ecsCategorizationFields{ // 2500 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_RESOURCE: ecsCategorizationFields{ // 2501 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_MACHINE_ID: ecsCategorizationFields{ // 2502 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_INTEGRITY_CHECK: ecsCategorizationFields{ // 2503 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_CREATE: ecsCategorizationFields{ // 2504 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_DESTROY: ecsCategorizationFields{ // 2505 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_MIGRATE_IN: ecsCategorizationFields{ // 2506 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_VIRT_MIGRATE_OUT: ecsCategorizationFields{ // 2507 - Categories: []string{}, - Types: []string{}, - }, - auocoalesce.AUDIT_LAST_VIRT_MSG: ecsCategorizationFields{ // 2599 - Categories: []string{}, - Types: []string{}, - }, - 
auocoalesce.AUDIT_LAST_USER_MSG2: ecsCategorizationFields{ // 2999 - Categories: []string{}, - Types: []string{}, +type nestedCategorizationFields struct { + Categories []string + DefaultTypes []string + Types map[auparse.AuditMessageType][]string +} + +var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFields{ + aucoalesce.EventTypeUserLogin: nestedCategorizationFields{ + Categories: []string{"authentication"}, + DefaultTypes: []string{"info"}, + Types: map[auparse.AuditMessageType][]string{ + auparse.AUDIT_USER_LOGIN: []string{"start"}, + }, }, } -func getECSCategorization(messageType aucoalesce.AuditMessageType) ecsCategorizationFields { - if found, ok := ecsAuditdCategories[messageType]; ok { +var ecsAuditdCategoryOverrides = map[auparse.AuditMessageType]ecsCategorizationFields{} + +func getECSCategorization(eventType aucoalesce.AuditEventType, messageType auparse.AuditMessageType) ecsCategorizationFields { + if found, ok := ecsAuditdCategoryOverrides[messageType]; ok { return found } + if found, ok := ecsAuditdCategories[eventType]; ok { + var types []string + if mappedTypes, ok := found.Types[messageType]; ok { + types = mappedTypes + } else { + types = found.DefaultTypes + } + return ecsCategorizationFields{ + Categories: found.Categories, + Types: types, + } + } + return ecsCategorizationFields{} } From 5231c24594370979792074cec318af7e56004299 Mon Sep 17 00:00:00 2001 
From: Andrew Stucki Date: Mon, 27 Apr 2020 16:23:10 -0400 Subject: [PATCH 4/6] Update mappings --- auditbeat/module/auditd/audit_linux.go | 2 +- .../module/auditd/ecs_categorization.yml | 302 ++++++++++++++++-- ...gorization.go => mk_ecs_categorization.go} | 4 +- .../module/auditd/z_ecs_categorization.go | 194 +++++++++++ .../module/auditd/zecs_categorization.go | 68 ---- 5 files changed, 481 insertions(+), 89 deletions(-) rename auditbeat/module/auditd/{mkecs_categorization.go => mk_ecs_categorization.go} (98%) create mode 100644 auditbeat/module/auditd/z_ecs_categorization.go delete mode 100644 auditbeat/module/auditd/zecs_categorization.go diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go index 3f21dad4012..36e7b3530db 100644 --- a/auditbeat/module/auditd/audit_linux.go +++ b/auditbeat/module/auditd/audit_linux.go @@ -17,7 +17,7 @@ package auditd -//go:generate sh -c "go run mkecs_categorization.go -in ecs_categorization.yml -out zecs_categorization.go" +//go:generate sh -c "go run mk_ecs_categorization.go -in ecs_categorization.yml -out z_ecs_categorization.go" import ( "fmt" diff --git a/auditbeat/module/auditd/ecs_categorization.yml b/auditbeat/module/auditd/ecs_categorization.yml index c605e3777f3..ccce91ec4e9 100644 --- a/auditbeat/module/auditd/ecs_categorization.yml +++ b/auditbeat/module/auditd/ecs_categorization.yml 
@@ -1,11 +1,61 @@ +# Useful links: +# https://raw.githubusercontent.com/torvalds/linux/v4.16/include/uapi/linux/audit.h +# https://raw.githubusercontent.com/linux-audit/audit-userspace/4d933301b1835cafa08b9e9ef705c8fb6c96cb62/lib/libaudit.h +# https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-category.html +# https://github.com/elastic/go-libaudit/blob/master/aucoalesce/event_type.go +# https://github.com/elastic/go-libaudit/blob/master/aucoalesce/normalizations.yaml + eventTypes: - # EventTypeUnknown: - # EventTypeUserspace: - # EventTypeSystemServices: - # EventTypeConfig: - # EventTypeTTY: - # EventTypeUserAccount: + EventTypeUserAccount: + # AUDIT_ADD_USER - User account added + # AUDIT_DEL_USER - User account deleted + # AUDIT_ADD_GROUP - Group account added + # AUDIT_DEL_GROUP - Group account deleted + # AUDIT_GRP_MGMT - Group account attr was modified + # AUDIT_GRP_CHAUTHTOK - Group acct password or pin changed + # AUDIT_ACCT_LOCK - User's account locked by admin + # AUDIT_ACCT_UNLOCK - User's account unlocked by admin + categories: + - iam + default_types: + - info + types: + AUDIT_ADD_USER: + - user + - creation + AUDIT_USER_MGMT: + - user + - change + AUDIT_DEL_USER: + - user + - deletion + AUDIT_GRP_MGMT: + - group + - change + AUDIT_GRP_CHAUTHTOK: + - group + - change + AUDIT_ADD_GROUP: + - group + - creation + AUDIT_DEL_GROUP: + - group + - deletion + EventTypeUserLogin: + # AUDIT_USER_AUTH - User system access authentication + # AUDIT_USER_ACCT - User system access authorization + # AUDIT_USER_MGMT - User acct attribute change + # AUDIT_CRED_ACQ - User credential acquired + # AUDIT_CRED_DISP - User credential disposed + # AUDIT_USER_START - User session start + # AUDIT_USER_END - User session end + # AUDIT_USER_CHAUTHTOK - User acct password or pin changed // should this be classified EventTypeUserAccount? 
+ # AUDIT_USER_ERR - User acct state error + # AUDIT_CRED_REFR - User credential refreshed + # AUDIT_USER_LOGIN - User has logged in + # AUDIT_USER_LOGOUT - User has logged out + # AUDIT_GRP_AUTH - Authentication for group password categories: - authentication default_types: 
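Review bot: The `types` map under EventTypeUserAccount carries an `AUDIT_USER_MGMT` entry, yet the comment list above it does not name that record, while the EventTypeUserLogin block lists `AUDIT_USER_MGMT - User acct attribute change`. The lookup in getECSCategorization (earlier on this page) is keyed by event type first, so if aucoalesce classifies AUDIT_USER_MGMT as a login event this entry is never reached and the record falls through to the login defaults; either move it into EventTypeUserLogin's `types` or add it to `messageTypes` as an override, as the next hunk already does for AUDIT_USER_CHAUTHTOK. AUDIT_ACCT_LOCK and AUDIT_ACCT_UNLOCK, both listed in the comment, have no `types` entry and so emit only the `info` default; `user` and `change` would match how the other account records are mapped, and account lock/unlock is a record that detection content on event.type commonly keys on.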
@@ -13,15 +63,231 @@ eventTypes: types: AUDIT_USER_LOGIN: - start - # EventTypeAuditDaemon: - # EventTypeMACDecision: - # EventTypeAnomoly: - # EventTypeIntegrity: - # EventTypeAnomolyResponse: - # EventTypeMAC: - # EventTypeCrypto: - # EventTypeVirt: - # EventTypeAuditRule: - # EventTypeDACDecision: - # EventTypeGroupChange: -# messageTypes: + AUDIT_USER_LOGOUT: + - end + + EventTypeVirt: + # AUDIT_VIRT_CONTROL - Start, Pause, Stop VM + # AUDIT_VIRT_RESOURCE - Resource assignment + # AUDIT_VIRT_MACHINE_ID - Binding of label to VM + # AUDIT_VIRT_INTEGRITY_CHECK - Guest integrity results + # AUDIT_VIRT_CREATE - Creation of guest image + # AUDIT_VIRT_DESTROY - Destruction of guest image + # AUDIT_VIRT_MIGRATE_IN - Inbound guest migration info + # AUDIT_VIRT_MIGRATE_OUT - Outbound guest migration info + categories: + - host + default_types: + - info + + EventTypeAuditRule: + # AUDIT_SYSCALL - Syscall event + # AUDIT_PATH - Filename path information + # AUDIT_IPC - IPC record + # AUDIT_SOCKETCALL - sys_socketcall arguments + # AUDIT_SOCKADDR - sockaddr copied as syscall arg + # AUDIT_CWD - Current working directory + # AUDIT_IPC_SET_PERM - IPC new permissions record type + # AUDIT_MQ_OPEN - POSIX MQ open record type + # AUDIT_MQ_SENDRECV- POSIX MQ send/receive record type + # AUDIT_MQ_NOTIFY - POSIX MQ notify record type + # AUDIT_MQ_GETSETATTR - POSIX MQ get/set attribute record type + # AUDIT_FD_PAIR - audit record for pipe/socketpair + # AUDIT_OBJ_PID - ptrace target + # AUDIT_BPRM_FCAPS - Information about fcaps increasing perms + # AUDIT_CAPSET - Record showing argument to sys_capset + # AUDIT_MMAP - Record showing descriptor and flags in mmap + # AUDIT_NETFILTER_PKT - Packets traversing netfilter chains + + EventTypeUserspace: + # AUDIT_CHGRP_ID - User space group ID changed + # AUDIT_TEST - Used for test success messages + # AUDIT_TRUSTED_APP - Trusted app msg - freestyle text + # AUDIT_USER_CMD - User shell command and args + # AUDIT_CHUSER_ID - Changed user ID 
supplemental data + + EventTypeSystemServices: + # AUDIT_KERNEL - Asynchronous audit record. NOT A REQUEST. + # AUDIT_SYSTEM_BOOT - System boot + # AUDIT_SYSTEM_SHUTDOWN - System shutdown + # AUDIT_SYSTEM_RUNLEVEL - System runlevel change + # AUDIT_SERVICE_START - Service (daemon) start + # AUDIT_SERVICE_STOP - Service (daemon) stop + categories: + - host + default_types: + - info + types: + AUDIT_SYSTEM_BOOT: + - start + AUDIT_SYSTEM_RUNLEVEL: + - change + AUDIT_SYSTEM_SHUTDOWN: + - end + + EventTypeConfig: + # AUDIT_USYS_CONFIG - User space system config change + # AUDIT_CONFIG_CHANGE - Audit system configuration change + # AUDIT_NETFILTER_CFG - Netfilter chain modifications + # AUDIT_FEATURE_CHANGE - audit log listing feature changes + # AUDIT_REPLACE - Replace auditd if this packet unanswerd + + EventTypeTTY: + # AUDIT_USER_TTY - Non-ICANON TTY input meaning + # AUDIT_TTY - Input on an administrative TTY + categories: + # - device + + EventTypeAuditDaemon: + # AUDIT_DAEMON_START - Daemon startup record + # AUDIT_DAEMON_END - Daemon normal stop record + # AUDIT_DAEMON_ABORT - Daemon error stop record + # AUDIT_DAEMON_CONFIG - Daemon config change + + EventTypeMACDecision: + # AUDIT_USER_SELINUX_ERR - SE Linux user space error + # AUDIT_USER_AVC - User space avc message + # AUDIT_APPARMOR_ALLOWED + # AUDIT_APPARMOR_DENIED + # AUDIT_APPARMOR_ERROR + # AUDIT_AVC - SE Linux avc denial or grant + # AUDIT_SELINUX_ERR - Internal SE Linux Errors + # AUDIT_AVC_PATH - dentry, vfsmount pair from avc + categories: + # - policy + + EventTypeAnomoly: + # AUDIT_ANOM_PROMISCUOUS - Device changed promiscuous mode + # AUDIT_ANOM_ABEND - Process ended abnormally + # AUDIT_ANOM_LINK - Suspicious use of file links + # AUDIT_ANOM_LOGIN_FAILURES - Failed login limit reached + # AUDIT_ANOM_LOGIN_TIME - Login attempted at bad time + # AUDIT_ANOM_LOGIN_SESSIONS - Max concurrent sessions reached + # AUDIT_ANOM_LOGIN_ACCT - Login attempted to watched acct + # AUDIT_ANOM_LOGIN_LOCATION - 
Login from forbidden location + # AUDIT_ANOM_MAX_DAC - Max DAC failures reached + # AUDIT_ANOM_MAX_MAC - Max MAC failures reached + # AUDIT_ANOM_AMTU_FAIL - AMTU failure + # AUDIT_ANOM_RBAC_FAIL - RBAC self test failure + # AUDIT_ANOM_CRYPTO_FAIL - Crypto system test failure + # AUDIT_ANOM_EXEC - Execution of file + # AUDIT_ANOM_MK_EXE - Make an executable + # AUDIT_ANOM_ACCESS_FS - Access of file or dir + # AUDIT_ANOM_ADD_ACCT - Adding an acct + # AUDIT_ANOM_DEL_ACCT - Deleting an acct + # AUDIT_ANOM_MOD_ACCT - Changing an acct + # AUDIT_ANOM_ROOT_TRANS - User became root + # AUDIT_ANOM_LOGIN_SERVICE - Service acct attempted login + categories: + # - anomaly + + EventTypeIntegrity: + # AUDIT_INTEGRITY_DATA - Data integrity verification + # AUDIT_INTEGRITY_METADATA - Metadata integrity verification + # AUDIT_INTEGRITY_STATUS - Integrity enable status + # AUDIT_INTEGRITY_HASH - Integrity HASH type + # AUDIT_INTEGRITY_PCR - PCR invalidation msgs + # AUDIT_INTEGRITY_RULE - Policy rule + # AUDIT_ANOM_RBAC_INTEGRITY_FAIL - RBAC file integrity failure + + EventTypeAnomolyResponse: + # AUDIT_RESP_ANOMALY - Anomaly not reacted to + # AUDIT_RESP_ALERT - Alert email was sent + # AUDIT_RESP_KILL_PROC - Kill program + # AUDIT_RESP_TERM_ACCESS - Terminate session + # AUDIT_RESP_ACCT_REMOTE - Acct locked from remote access + # AUDIT_RESP_ACCT_LOCK_TIMED - User acct locked for time + # AUDIT_RESP_ACCT_UNLOCK_TIMED - User acct unlocked from time + # AUDIT_RESP_ACCT_LOCK - User acct was locked + # AUDIT_RESP_TERM_LOCK - Terminal was locked + # AUDIT_RESP_SEBOOL - Set an SE Linux boolean + # AUDIT_RESP_EXEC - Execute a script + # AUDIT_RESP_SINGLE - Go to single user mode + # AUDIT_RESP_HALT - take the system down + # AUDIT_RESP_ORIGIN_BLOCK - Address blocked by iptables + # AUDIT_RESP_ORIGIN_BLOCK_TIMED - Address blocked for time + + EventTypeMAC: + # AUDIT_APPARMOR_AUDIT + # AUDIT_APPARMOR_HINT + # AUDIT_APPARMOR_STATUS + # AUDIT_APPARMOR_ERROR + # AUDIT_MAC_POLICY_LOAD - Policy 
file load + # AUDIT_MAC_STATUS - Changed enforcing,permissive,off + # AUDIT_MAC_CONFIG_CHANGE - Changes to booleans + # AUDIT_MAC_UNLBL_ALLOW - NetLabel: allow unlabeled traffic + # AUDIT_MAC_CIPSOV4_ADD - NetLabel: add CIPSOv4 DOI entry + # AUDIT_MAC_CIPSOV4_DEL - NetLabel: del CIPSOv4 DOI entry + # AUDIT_MAC_MAP_ADD - NetLabel: add LSM domain mapping + # AUDIT_MAC_MAP_DEL - NetLabel: del LSM domain mapping + # AUDIT_MAC_IPSEC_EVENT - Audit an IPSec event + # AUDIT_MAC_UNLBL_STCADD - NetLabel: add a static label + # AUDIT_MAC_UNLBL_STCDEL - NetLabel: del a static label + # AUDIT_MAC_CALIPSO_ADD - NetLabel: add CALIPSO DOI entry + # AUDIT_MAC_CALIPSO_DEL - NetLabel: del CALIPSO DOI entry + # AUDIT_USER_ROLE_CHANGE - User changed to a new role // should this be classified EventTypeUserAccount? + # AUDIT_ROLE_ASSIGN - Admin assigned user to role // should this be classified EventTypeUserAccount? + # AUDIT_ROLE_REMOVE - Admin removed user from role // should this be classified EventTypeUserAccount? 
+ # AUDIT_LABEL_OVERRIDE - Admin is overriding a label + # AUDIT_LABEL_LEVEL_CHANGE - Object's level was changed + # AUDIT_USER_LABELED_EXPORT - Object exported with label + # AUDIT_USER_UNLABELED_EXPORT - Object exported without label + # AUDIT_DEV_ALLOC - Device was allocated + # AUDIT_DEV_DEALLOC - Device was deallocated + # AUDIT_FS_RELABEL - Filesystem relabeled + # AUDIT_USER_MAC_POLICY_LOAD - Userspc daemon loaded policy + # AUDIT_ROLE_MODIFY - Admin modified a role + # AUDIT_USER_MAC_CONFIG_CHANGE - Change made to MAC policy + + EventTypeDACDecision: + # AUDIT_SECCOMP - Secure Computing event + + EventTypeCrypto: + EventTypeUnknown: + +messageTypes: + AUDIT_EXECVE: + categories: + - process + types: + - start + AUDIT_SERVICE_START: + categories: + - process + types: + - start + AUDIT_SERVICE_STOP: + categories: + - process + types: + - end + AUDIT_USER_CHAUTHTOK: + categories: + - iam + types: + - user + - change + AUDIT_ROLE_ASSIGN: + categories: + - iam + types: + - user + - change + AUDIT_ROLE_REMOVE: + categories: + - iam + types: + - user + - change + # triggers on setuid + AUDIT_CHUSER_ID: + categories: + - process + types: + - change + # triggers on setgid + AUDIT_CHGRP_ID: + categories: + - process + types: + - change diff --git a/auditbeat/module/auditd/mkecs_categorization.go b/auditbeat/module/auditd/mk_ecs_categorization.go similarity index 98% rename from auditbeat/module/auditd/mkecs_categorization.go rename to auditbeat/module/auditd/mk_ecs_categorization.go index b3bccad545f..1dd02f9c11d 100644 --- a/auditbeat/module/auditd/mkecs_categorization.go +++ b/auditbeat/module/auditd/mk_ecs_categorization.go @@ -52,7 +52,7 @@ type eventType struct { type TemplateParams struct { Command string `yaml:"-"` EventTypes map[string]eventType `yaml:"eventTypes"` - MessageTypes map[string]messageType `yaml:"messagetypes"` + MessageTypes map[string]messageType `yaml:"messageTypes"` } const fileTemplate = ` 
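Review bot: EventTypeConfig is declared with comments only and no `categories`/`default_types`, so AUDIT_CONFIG_CHANGE, AUDIT_NETFILTER_CFG and AUDIT_FEATURE_CHANGE records go out with no ECS event.category or event.type; these are the records written when audit rules, netfilter chains or audit features are changed, which is exactly what detection content for audit tampering keys on. `categories: [configuration]` with `default_types: [change]` would cover them, provided the ECS version the project targets lists `configuration` (the linked allowed-values page settles that). EventTypeAnomoly, EventTypeMACDecision and EventTypeTTY have a `categories:` key whose every item is commented out, which YAML parses as null; I'd guess the generator turns that into an empty slice, but a short comment on each, e.g. `# no ECS category fits yet; left empty on purpose`, would stop the next reader from treating it as an unfinished mapping. The same applies to the blocks in this hunk that hold comments only (EventTypeAuditRule, EventTypeUserspace, EventTypeAuditDaemon, EventTypeIntegrity, EventTypeAnomolyResponse, EventTypeMAC, EventTypeDACDecision, EventTypeCrypto, EventTypeUnknown).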
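Review bot: The tag fix restores the `messageTypes` section that the old `yaml:"messagetypes"` tag presumably dropped without any error, leaving the overrides map empty and the generated file quietly incomplete; a non-strict decoder ignores a top-level key it cannot match. If the generator decodes with gopkg.in/yaml.v2, changing the decode call to `yaml.UnmarshalStrict` makes a mis-spelled or unexpected key in ecs_categorization.yml fail `go generate` instead of producing a smaller mapping, which is the failure mode this hunk repairs by hand. The decode call itself is outside this hunk.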
@@ -224,7 +224,7 @@ var flagOut string func main() { flag.StringVar(&flagIn, "in", "ecs_categorization.yml", "input file") - flag.StringVar(&flagOut, "out", "zecs_categorization.go", "output file") + flag.StringVar(&flagOut, "out", "z_ecs_categorization.go", "output file") flag.Parse() var err error diff --git a/auditbeat/module/auditd/z_ecs_categorization.go b/auditbeat/module/auditd/z_ecs_categorization.go new file mode 100644 index 00000000000..583b7f85fd5 --- /dev/null +++ b/auditbeat/module/auditd/z_ecs_categorization.go 
@@ -0,0 +1,194 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Code generated by mk_ecs_categorization - DO NOT EDIT.
+
+package auditd
+
+import (
+ "github.com/elastic/go-libaudit/aucoalesce"
+ "github.com/elastic/go-libaudit/auparse"
+)
+
+type ecsCategorizationFields struct {
+ Categories []string
+ Types []string
+}
+
+type nestedCategorizationFields struct {
+ Categories []string
+ DefaultTypes []string
+ Types map[auparse.AuditMessageType][]string
+}
+
+var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFields{
+ aucoalesce.EventTypeAnomoly: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeAnomolyResponse: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeAuditDaemon: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeAuditRule: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeConfig: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeCrypto: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeDACDecision: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeIntegrity: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeMAC: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeMACDecision: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeSystemServices: nestedCategorizationFields{
+ Categories: []string{"host"},
+ DefaultTypes: []string{"info"},
+ Types: map[auparse.AuditMessageType][]string{
+ auparse.AUDIT_SYSTEM_BOOT: []string{"start"},
+ auparse.AUDIT_SYSTEM_RUNLEVEL: []string{"change"},
+ auparse.AUDIT_SYSTEM_SHUTDOWN: []string{"end"},
+ },
+ },
+ aucoalesce.EventTypeTTY: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeUnknown: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeUserAccount: nestedCategorizationFields{
+ Categories: []string{"iam"},
+ DefaultTypes: []string{"info"},
+ Types: map[auparse.AuditMessageType][]string{
+ auparse.AUDIT_ADD_GROUP: []string{"group", "creation"},
+ auparse.AUDIT_ADD_USER: []string{"user", "creation"},
+ auparse.AUDIT_DEL_GROUP: []string{"group", "deletion"},
+ auparse.AUDIT_DEL_USER: []string{"user", "deletion"},
+ auparse.AUDIT_GRP_CHAUTHTOK: []string{"group", "change"},
+ auparse.AUDIT_GRP_MGMT: []string{"group", "change"},
+ auparse.AUDIT_USER_MGMT: []string{"user", "change"},
+ },
+ },
+ aucoalesce.EventTypeUserLogin: nestedCategorizationFields{
+ Categories: []string{"authentication"},
+ DefaultTypes: []string{"info"},
+ Types: map[auparse.AuditMessageType][]string{
+ auparse.AUDIT_USER_LOGIN: []string{"start"},
+ auparse.AUDIT_USER_LOGOUT: []string{"end"},
+ },
+ },
+ aucoalesce.EventTypeUserspace: nestedCategorizationFields{
+ Categories: []string{},
+ DefaultTypes: []string{},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+ aucoalesce.EventTypeVirt: nestedCategorizationFields{
+ Categories: []string{"host"},
+ DefaultTypes: []string{"info"},
+ Types: map[auparse.AuditMessageType][]string{},
+ },
+}
+
+var ecsAuditdCategoryOverrides = map[auparse.AuditMessageType]ecsCategorizationFields{
+ auparse.AUDIT_CHGRP_ID: ecsCategorizationFields{
+ Categories: []string{"process"},
+ Types: []string{"change"},
+ },
+ auparse.AUDIT_CHUSER_ID: ecsCategorizationFields{
+ Categories: []string{"process"},
+ Types: []string{"change"},
+ },
+ auparse.AUDIT_EXECVE: ecsCategorizationFields{
+ Categories: []string{"process"},
+ Types: []string{"start"},
+ },
+ auparse.AUDIT_ROLE_ASSIGN: ecsCategorizationFields{
+ Categories: []string{"iam"},
+ Types: []string{"user", "change"},
+ },
+ auparse.AUDIT_ROLE_REMOVE: ecsCategorizationFields{
+ Categories: []string{"iam"},
+ Types: []string{"user", "change"},
+ },
+ auparse.AUDIT_SERVICE_START: ecsCategorizationFields{
+ Categories: []string{"process"},
+ Types: []string{"start"},
+ },
+ auparse.AUDIT_SERVICE_STOP: ecsCategorizationFields{
+ Categories: []string{"process"},
+ Types: []string{"end"},
+ },
+ auparse.AUDIT_USER_CHAUTHTOK: ecsCategorizationFields{
+ Categories: []string{"iam"},
+ Types: []string{"user", "change"},
+ },
+}
+
+func getECSCategorization(eventType aucoalesce.AuditEventType, messageType auparse.AuditMessageType) ecsCategorizationFields {
+ if found, ok := ecsAuditdCategoryOverrides[messageType]; ok {
+ return found
+ }
+ if found, ok := ecsAuditdCategories[eventType]; ok {
+ var types []string
+ if mappedTypes, ok := found.Types[messageType]; ok {
+ types = mappedTypes
+ } else {
+ types = found.DefaultTypes
+ }
+ return ecsCategorizationFields{
+ Categories: found.Categories,
+ Types: types,
+ }
+ }
+
+ return ecsCategorizationFields{}
+}
diff --git a/auditbeat/module/auditd/zecs_categorization.go b/auditbeat/module/auditd/zecs_categorization.go
deleted file mode 100644
index 94f5946af08..00000000000
--- a/auditbeat/module/auditd/zecs_categorization.go
+++ /dev/null
@@ -1,68 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-// Code generated by mkecs_categorization - DO NOT EDIT.
-
-package auditd
-
-import (
- "github.com/elastic/go-libaudit/aucoalesce"
- "github.com/elastic/go-libaudit/auparse"
-)
-
-type ecsCategorizationFields struct {
- Categories []string
- Types []string
-}
-
-type nestedCategorizationFields struct {
- Categories []string
- DefaultTypes []string
- Types map[auparse.AuditMessageType][]string
-}
-
-var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFields{
- aucoalesce.EventTypeUserLogin: nestedCategorizationFields{
- Categories: []string{"authentication"},
- DefaultTypes: []string{"info"},
- Types: map[auparse.AuditMessageType][]string{
- auparse.AUDIT_USER_LOGIN: []string{"start"},
- },
- },
-}
-
-var ecsAuditdCategoryOverrides = map[auparse.AuditMessageType]ecsCategorizationFields{}
-
-func getECSCategorization(eventType aucoalesce.AuditEventType, messageType auparse.AuditMessageType) ecsCategorizationFields {
- if found, ok := ecsAuditdCategoryOverrides[messageType]; ok {
- return found
- }
- if found, ok := ecsAuditdCategories[eventType]; ok {
- var types []string
- if mappedTypes, ok := found.Types[messageType]; ok {
- types = mappedTypes
- } else {
- types = found.DefaultTypes
- }
- return ecsCategorizationFields{
- Categories: found.Categories,
- Types: types,
- }
- }
-
- return ecsCategorizationFields{}
-}
From 49f75622e70938fcbf06e7dc7da144e7f5534e5a Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 27 Apr 2020 16:37:12 -0400
Subject: [PATCH 5/6] update yaml
---
 .../module/auditd/ecs_categorization.yml | 107 +++++++++++-------
 .../module/auditd/z_ecs_categorization.go | 35 +++---
 2 files changed, 81 insertions(+), 61 deletions(-)
diff --git a/auditbeat/module/auditd/ecs_categorization.yml b/auditbeat/module/auditd/ecs_categorization.yml
index ccce91ec4e9..f3caf477d98 100644
--- a/auditbeat/module/auditd/ecs_categorization.yml
+++ b/auditbeat/module/auditd/ecs_categorization.yml
@@ -80,31 +80,21 @@ eventTypes:
 default_types:
 - info
- EventTypeAuditRule:
- # AUDIT_SYSCALL - Syscall event
- # AUDIT_PATH - Filename path information
- # AUDIT_IPC - IPC record
- # AUDIT_SOCKETCALL - sys_socketcall arguments
- # AUDIT_SOCKADDR - sockaddr copied as syscall arg
- # AUDIT_CWD - Current working directory
- # AUDIT_IPC_SET_PERM - IPC new permissions record type
- # AUDIT_MQ_OPEN - POSIX MQ open record type
- # AUDIT_MQ_SENDRECV- POSIX MQ send/receive record type
- # AUDIT_MQ_NOTIFY - POSIX MQ notify record type
- # AUDIT_MQ_GETSETATTR - POSIX MQ get/set attribute record type
- # AUDIT_FD_PAIR - audit record for pipe/socketpair
- # AUDIT_OBJ_PID - ptrace target
- # AUDIT_BPRM_FCAPS - Information about fcaps increasing perms
- # AUDIT_CAPSET - Record showing argument to sys_capset
- # AUDIT_MMAP - Record showing descriptor and flags in mmap
- # AUDIT_NETFILTER_PKT - Packets traversing netfilter chains
-
 EventTypeUserspace:
 # AUDIT_CHGRP_ID - User space group ID changed
 # AUDIT_TEST - Used for test success messages
 # AUDIT_TRUSTED_APP - Trusted app msg - freestyle text
 # AUDIT_USER_CMD - User shell command and args
 # AUDIT_CHUSER_ID - Changed user ID supplemental data
+ categories:
+ - process
+ default_types:
+ - info
+ types:
+ AUDIT_CHUSER_ID:
+ - change
+ AUDIT_CHGRP_ID:
+ - change
 EventTypeSystemServices:
 # AUDIT_KERNEL - Asynchronous audit record. NOT A REQUEST.
@@ -125,25 +115,43 @@ eventTypes:
 AUDIT_SYSTEM_SHUTDOWN:
 - end
+ EventTypeAuditDaemon:
+ # AUDIT_DAEMON_START - Daemon startup record
+ # AUDIT_DAEMON_END - Daemon normal stop record
+ # AUDIT_DAEMON_ABORT - Daemon error stop record
+ # AUDIT_DAEMON_CONFIG - Daemon config change
+ categories:
+ - process
+ default_types:
+ - info
+ types:
+ AUDIT_DAEMON_START:
+ - start
+ AUDIT_DAEMON_END:
+ - end
+
+ EventTypeDACDecision:
+ # AUDIT_SECCOMP - Secure Computing event
+ categories:
+ - process
+ default_types:
+ - change
+
 EventTypeConfig:
 # AUDIT_USYS_CONFIG - User space system config change
 # AUDIT_CONFIG_CHANGE - Audit system configuration change
 # AUDIT_NETFILTER_CFG - Netfilter chain modifications
 # AUDIT_FEATURE_CHANGE - audit log listing feature changes
 # AUDIT_REPLACE - Replace auditd if this packet unanswerd
+ categories:
+ # - config
- EventTypeTTY:
+ EventTypeTTY:
 # AUDIT_USER_TTY - Non-ICANON TTY input meaning
 # AUDIT_TTY - Input on an administrative TTY
 categories:
 # - device
- EventTypeAuditDaemon:
- # AUDIT_DAEMON_START - Daemon startup record
- # AUDIT_DAEMON_END - Daemon normal stop record
- # AUDIT_DAEMON_ABORT - Daemon error stop record
- # AUDIT_DAEMON_CONFIG - Daemon config change
-
 EventTypeMACDecision:
 # AUDIT_USER_SELINUX_ERR - SE Linux user space error
 # AUDIT_USER_AVC - User space avc message
@@ -189,6 +197,8 @@ eventTypes:
 # AUDIT_INTEGRITY_PCR - PCR invalidation msgs
 # AUDIT_INTEGRITY_RULE - Policy rule
 # AUDIT_ANOM_RBAC_INTEGRITY_FAIL - RBAC file integrity failure
+ categories:
+ # - check
 EventTypeAnomolyResponse:
 # AUDIT_RESP_ANOMALY - Anomaly not reacted to
@@ -206,6 +216,8 @@ eventTypes:
 # AUDIT_RESP_HALT - take the system down
 # AUDIT_RESP_ORIGIN_BLOCK - Address blocked by iptables
 # AUDIT_RESP_ORIGIN_BLOCK_TIMED - Address blocked for time
+ categories:
+ # - anomaly
 EventTypeMAC:
 # AUDIT_APPARMOR_AUDIT
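Review bot: In the new EventTypeAuditDaemon block only AUDIT_DAEMON_START and AUDIT_DAEMON_END get explicit types, so AUDIT_DAEMON_ABORT and AUDIT_DAEMON_CONFIG fall through to the `info` default; an abnormal stop of auditd is the case a monitoring rule most wants to see, since it is where audit coverage is lost, and anything keyed on event.type:end will miss it. Suggest adding under `types:` an `AUDIT_DAEMON_ABORT:` entry with `- end` and `- error`, and an `AUDIT_DAEMON_CONFIG:` entry with `- change`, matching the comments above them. The EventTypeDACDecision default of `change` for AUDIT_SECCOMP also looks off: a seccomp record reports a filter decision about a syscall rather than a state change, so `info` (or `denied`, if the ECS version being targeted defines it) would be the more accurate event.type.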
@@ -238,12 +250,38 @@ eventTypes:
 # AUDIT_USER_MAC_POLICY_LOAD - Userspc daemon loaded policy
 # AUDIT_ROLE_MODIFY - Admin modified a role
 # AUDIT_USER_MAC_CONFIG_CHANGE - Change made to MAC policy
+ categories:
+ # - policy
- EventTypeDACDecision:
- # AUDIT_SECCOMP - Secure Computing event
+ EventTypeAuditRule:
+ # AUDIT_SYSCALL - Syscall event
+ # AUDIT_PATH - Filename path information
+ # AUDIT_IPC - IPC record
+ # AUDIT_SOCKETCALL - sys_socketcall arguments
+ # AUDIT_SOCKADDR - sockaddr copied as syscall arg
+ # AUDIT_CWD - Current working directory
+ # AUDIT_EXECVE - execve arguments
+ # AUDIT_IPC_SET_PERM - IPC new permissions record type
+ # AUDIT_MQ_OPEN - POSIX MQ open record type
+ # AUDIT_MQ_SENDRECV- POSIX MQ send/receive record type
+ # AUDIT_MQ_NOTIFY - POSIX MQ notify record type
+ # AUDIT_MQ_GETSETATTR - POSIX MQ get/set attribute record type
+ # AUDIT_FD_PAIR - audit record for pipe/socketpair
+ # AUDIT_OBJ_PID - ptrace target
+ # AUDIT_BPRM_FCAPS - Information about fcaps increasing perms
+ # AUDIT_CAPSET - Record showing argument to sys_capset
+ # AUDIT_MMAP - Record showing descriptor and flags in mmap
+ # AUDIT_NETFILTER_PKT - Packets traversing netfilter chains
+ categories:
+ # - ?
 EventTypeCrypto:
+ categories:
+ # - ?
+
 EventTypeUnknown:
+ categories:
+ # - ?
 messageTypes:
 AUDIT_EXECVE:
@@ -261,6 +299,7 @@ messageTypes:
 - process
 types:
 - end
+ # are these mis-classified?
 AUDIT_USER_CHAUTHTOK:
 categories:
 - iam
@@ -279,15 +318,3 @@ messageTypes:
 types:
 - user
 - change
- # triggers on setuid
- AUDIT_CHUSER_ID:
- categories:
- - process
- types:
- - change
- # triggers on setgid
- AUDIT_CHGRP_ID:
- categories:
- - process
- types:
- - change
diff --git a/auditbeat/module/auditd/z_ecs_categorization.go b/auditbeat/module/auditd/z_ecs_categorization.go
index 583b7f85fd5..8255bb1efc7 100644
--- a/auditbeat/module/auditd/z_ecs_categorization.go
+++ b/auditbeat/module/auditd/z_ecs_categorization.go
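Review bot: The `categories:` keys added for EventTypeAuditRule, EventTypeCrypto and EventTypeUnknown (and the `# - config`, `# - check`, `# - anomaly`, `# - policy` placeholders in the earlier hunks) have every item commented out, so each key decodes as a YAML null rather than an empty list; the regenerated z_ecs_categorization.go in the next file section still shows `Categories: []string{}` for these entries, so the template apparently tolerates a null today, but the data file should say what it means. Either drop the key until a category is chosen or write `categories: []` with the candidate value kept in a comment, so a later template change cannot quietly turn these into nil slices, which marshal as `null` instead of `[]`. The `# are these mis-classified?` note added to AUDIT_SERVICE_STOP is an open question checked into the file that decides event.category for shipped events; resolve it or reference a tracked issue rather than leaving it as an inline question.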
@@ -47,9 +47,12 @@ var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFiel
 Types: map[auparse.AuditMessageType][]string{},
 },
 aucoalesce.EventTypeAuditDaemon: nestedCategorizationFields{
- Categories: []string{},
- DefaultTypes: []string{},
- Types: map[auparse.AuditMessageType][]string{},
+ Categories: []string{"process"},
+ DefaultTypes: []string{"info"},
+ Types: map[auparse.AuditMessageType][]string{
+ auparse.AUDIT_DAEMON_END: []string{"end"},
+ auparse.AUDIT_DAEMON_START: []string{"start"},
+ },
 },
 aucoalesce.EventTypeAuditRule: nestedCategorizationFields{
 Categories: []string{},
@@ -67,8 +70,8 @@ var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFiel
 Types: map[auparse.AuditMessageType][]string{},
 },
 aucoalesce.EventTypeDACDecision: nestedCategorizationFields{
- Categories: []string{},
- DefaultTypes: []string{},
+ Categories: []string{"process"},
+ DefaultTypes: []string{"change"},
 Types: map[auparse.AuditMessageType][]string{},
 },
 aucoalesce.EventTypeIntegrity: nestedCategorizationFields{
@@ -95,11 +98,6 @@ var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFiel
 auparse.AUDIT_SYSTEM_SHUTDOWN: []string{"end"},
 },
 },
- aucoalesce.EventTypeTTY: nestedCategorizationFields{
- Categories: []string{},
- DefaultTypes: []string{},
- Types: map[auparse.AuditMessageType][]string{},
- },
 aucoalesce.EventTypeUnknown: nestedCategorizationFields{
 Categories: []string{},
 DefaultTypes: []string{},
@@ -127,9 +125,12 @@ var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFiel
 },
 },
 aucoalesce.EventTypeUserspace: nestedCategorizationFields{
- Categories: []string{},
- DefaultTypes: []string{},
- Types: map[auparse.AuditMessageType][]string{},
+ Categories: []string{"process"},
+ DefaultTypes: []string{"info"},
+ Types: map[auparse.AuditMessageType][]string{
+ auparse.AUDIT_CHGRP_ID: []string{"change"},
+ auparse.AUDIT_CHUSER_ID: []string{"change"},
+ },
 },
 aucoalesce.EventTypeVirt: nestedCategorizationFields{
 Categories: []string{"host"},
@@ -139,14 +140,6 @@ var ecsAuditdCategories = map[aucoalesce.AuditEventType]nestedCategorizationFiel
 }
 var ecsAuditdCategoryOverrides = map[auparse.AuditMessageType]ecsCategorizationFields{
- auparse.AUDIT_CHGRP_ID: ecsCategorizationFields{
- Categories: []string{"process"},
- Types: []string{"change"},
- },
- auparse.AUDIT_CHUSER_ID: ecsCategorizationFields{
- Categories: []string{"process"},
- Types: []string{"change"},
- },
 auparse.AUDIT_EXECVE: ecsCategorizationFields{
 Categories: []string{"process"},
 Types: []string{"start"},
From cb7747c61172c66198d8a9d6179990b3f6c92ed2 Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Mon, 27 Apr 2020 16:57:00 -0400
Subject: [PATCH 6/6] normalize whitespace
---
 .../module/auditd/ecs_categorization.yml | 50 +++++++++----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/auditbeat/module/auditd/ecs_categorization.yml b/auditbeat/module/auditd/ecs_categorization.yml
index f3caf477d98..d49b16b41c2 100644
--- a/auditbeat/module/auditd/ecs_categorization.yml
+++ b/auditbeat/module/auditd/ecs_categorization.yml
@@ -68,12 +68,12 @@ eventTypes:
 EventTypeVirt:
 # AUDIT_VIRT_CONTROL - Start, Pause, Stop VM
- # AUDIT_VIRT_RESOURCE - Resource assignment
- # AUDIT_VIRT_MACHINE_ID - Binding of label to VM
+ # AUDIT_VIRT_RESOURCE - Resource assignment
+ # AUDIT_VIRT_MACHINE_ID - Binding of label to VM
 # AUDIT_VIRT_INTEGRITY_CHECK - Guest integrity results
- # AUDIT_VIRT_CREATE - Creation of guest image
+ # AUDIT_VIRT_CREATE - Creation of guest image
 # AUDIT_VIRT_DESTROY - Destruction of guest image
- # AUDIT_VIRT_MIGRATE_IN - Inbound guest migration info
+ # AUDIT_VIRT_MIGRATE_IN - Inbound guest migration info
 # AUDIT_VIRT_MIGRATE_OUT - Outbound guest migration info
 categories:
 - host
@@ -98,10 +98,10 @@ eventTypes:
 EventTypeSystemServices:
 # AUDIT_KERNEL - Asynchronous audit record. NOT A REQUEST.
- # AUDIT_SYSTEM_BOOT - System boot
- # AUDIT_SYSTEM_SHUTDOWN - System shutdown
- # AUDIT_SYSTEM_RUNLEVEL - System runlevel change
- # AUDIT_SERVICE_START - Service (daemon) start
+ # AUDIT_SYSTEM_BOOT - System boot
+ # AUDIT_SYSTEM_SHUTDOWN - System shutdown
+ # AUDIT_SYSTEM_RUNLEVEL - System runlevel change
+ # AUDIT_SERVICE_START - Service (daemon) start
 # AUDIT_SERVICE_STOP - Service (daemon) stop
 categories:
 - host
@@ -116,7 +116,7 @@ eventTypes:
 - end
 EventTypeAuditDaemon:
- # AUDIT_DAEMON_START - Daemon startup record
+ # AUDIT_DAEMON_START - Daemon startup record
 # AUDIT_DAEMON_END - Daemon normal stop record
 # AUDIT_DAEMON_ABORT - Daemon error stop record
 # AUDIT_DAEMON_CONFIG - Daemon config change
@@ -168,10 +168,10 @@ eventTypes:
 # AUDIT_ANOM_PROMISCUOUS - Device changed promiscuous mode
 # AUDIT_ANOM_ABEND - Process ended abnormally
 # AUDIT_ANOM_LINK - Suspicious use of file links
- # AUDIT_ANOM_LOGIN_FAILURES - Failed login limit reached
- # AUDIT_ANOM_LOGIN_TIME - Login attempted at bad time
- # AUDIT_ANOM_LOGIN_SESSIONS - Max concurrent sessions reached
- # AUDIT_ANOM_LOGIN_ACCT - Login attempted to watched acct
+ # AUDIT_ANOM_LOGIN_FAILURES - Failed login limit reached
+ # AUDIT_ANOM_LOGIN_TIME - Login attempted at bad time
+ # AUDIT_ANOM_LOGIN_SESSIONS - Max concurrent sessions reached
+ # AUDIT_ANOM_LOGIN_ACCT - Login attempted to watched acct
 # AUDIT_ANOM_LOGIN_LOCATION - Login from forbidden location
 # AUDIT_ANOM_MAX_DAC - Max DAC failures reached
 # AUDIT_ANOM_MAX_MAC - Max MAC failures reached
@@ -210,11 +210,11 @@ eventTypes:
 # AUDIT_RESP_ACCT_UNLOCK_TIMED - User acct unlocked from time
 # AUDIT_RESP_ACCT_LOCK - User acct was locked
 # AUDIT_RESP_TERM_LOCK - Terminal was locked
- # AUDIT_RESP_SEBOOL - Set an SE Linux boolean
+ # AUDIT_RESP_SEBOOL - Set an SE Linux boolean
 # AUDIT_RESP_EXEC - Execute a script
- # AUDIT_RESP_SINGLE - Go to single user mode
+ # AUDIT_RESP_SINGLE - Go to single user mode
 # AUDIT_RESP_HALT - take the system down
- # AUDIT_RESP_ORIGIN_BLOCK - Address blocked by iptables
+ # AUDIT_RESP_ORIGIN_BLOCK - Address blocked by iptables
 # AUDIT_RESP_ORIGIN_BLOCK_TIMED - Address blocked for time
 categories:
 # - anomaly
@@ -238,17 +238,17 @@ eventTypes:
 # AUDIT_MAC_CALIPSO_ADD - NetLabel: add CALIPSO DOI entry
 # AUDIT_MAC_CALIPSO_DEL - NetLabel: del CALIPSO DOI entry
 # AUDIT_USER_ROLE_CHANGE - User changed to a new role // should this be classified EventTypeUserAccount?
- # AUDIT_ROLE_ASSIGN - Admin assigned user to role // should this be classified EventTypeUserAccount?
+ # AUDIT_ROLE_ASSIGN - Admin assigned user to role // should this be classified EventTypeUserAccount?
 # AUDIT_ROLE_REMOVE - Admin removed user from role // should this be classified EventTypeUserAccount?
 # AUDIT_LABEL_OVERRIDE - Admin is overriding a label
 # AUDIT_LABEL_LEVEL_CHANGE - Object's level was changed
 # AUDIT_USER_LABELED_EXPORT - Object exported with label
 # AUDIT_USER_UNLABELED_EXPORT - Object exported without label
 # AUDIT_DEV_ALLOC - Device was allocated
- # AUDIT_DEV_DEALLOC - Device was deallocated
+ # AUDIT_DEV_DEALLOC - Device was deallocated
 # AUDIT_FS_RELABEL - Filesystem relabeled
 # AUDIT_USER_MAC_POLICY_LOAD - Userspc daemon loaded policy
- # AUDIT_ROLE_MODIFY - Admin modified a role
+ # AUDIT_ROLE_MODIFY - Admin modified a role
 # AUDIT_USER_MAC_CONFIG_CHANGE - Change made to MAC policy
 categories:
 # - policy
@@ -256,18 +256,18 @@ eventTypes:
 EventTypeAuditRule:
 # AUDIT_SYSCALL - Syscall event
 # AUDIT_PATH - Filename path information
- # AUDIT_IPC - IPC record
+ # AUDIT_IPC - IPC record
 # AUDIT_SOCKETCALL - sys_socketcall arguments
 # AUDIT_SOCKADDR - sockaddr copied as syscall arg
- # AUDIT_CWD - Current working directory
+ # AUDIT_CWD - Current working directory
 # AUDIT_EXECVE - execve arguments
 # AUDIT_IPC_SET_PERM - IPC new permissions record type
- # AUDIT_MQ_OPEN - POSIX MQ open record type
+ # AUDIT_MQ_OPEN - POSIX MQ open record type
 # AUDIT_MQ_SENDRECV- POSIX MQ send/receive record type
- # AUDIT_MQ_NOTIFY - POSIX MQ notify record type
+ # AUDIT_MQ_NOTIFY - POSIX MQ notify record type
 # AUDIT_MQ_GETSETATTR - POSIX MQ get/set attribute record type
- # AUDIT_FD_PAIR - audit record for pipe/socketpair
- # AUDIT_OBJ_PID - ptrace target
+ # AUDIT_FD_PAIR - audit record for pipe/socketpair
+ # AUDIT_OBJ_PID - ptrace target
 # AUDIT_BPRM_FCAPS - Information about fcaps increasing perms
 # AUDIT_CAPSET - Record showing argument to sys_capset
 # AUDIT_MMAP - Record showing descriptor and flags in mmap