[Auditbeat] Update auditbeat ECS mappings

[andrewstucki]

What does this PR do?

This is the spiritual successor to #18028 -- with the code to do the categorization itself moved into go-libaudit (see elastic/go-libaudit#62).

It adds in ECS categorization fields for a good chunk of auditd-based syscalls and event types.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Relates [Auditbeat] Update OSS Audibeat auditd module to ECS 1.5 #17519

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [Pull request [Auditbeat] Update auditbeat ECS mappings #18596 updated]

• Start Time: 2020-05-15T22:23:38.652+0000

• Duration: 73 min 18 sec (4397767)

Test stats 🧪

Test	Results
Failed	0
Passed	9210
Skipped	1542
Total	10752

Steps errors

Expand to view the steps failures

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Result: FAILURE

  • Duration: 0 min 10 sec

  • Start Time: 2020-05-15T22:50:35.370+0000

  • log

[andrewkroh]

LGTM assuming the tests go green.