Merge branch 'main' into rule-deletion

elastic · Nov 4, 2024 · 8375b53 · 8375b53
2 parents 4961b27 + 33356aa
commit 8375b53
Show file tree

Hide file tree

Showing 8 changed files with 93 additions and 14 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Changed
 
 - Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)
+- Set `SOCK_CLOEXEC` when creating the netlink socket to avoid leaking file descriptors. [#165](https://github.com/elastic/go-libaudit/pull/165)
+- Update syscall tables. [#167](https://github.com/elastic/go-libaudit/pull/167)
+- aucoalesce: Use ECS `event.type: end` instead of `stop` for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. [#159](https://github.com/elastic/go-libaudit/pull/159)
 
 ### Removed
 

diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
@@ -1230,7 +1230,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
 
   # Auditd internal events
 
@@ -1251,7 +1251,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
   # AUDIT_DAEMON_ACCEPT - Auditd accepted remote connection
   - record_types: DAEMON_ACCEPT
     action: remote-audit-connected
@@ -1287,7 +1287,7 @@ normalizations:
       what: service
     ecs:
       <<: *ecs-process
-      type: stop
+      type: end
   # AUDIT_DAEMON_ERR - Auditd internal error
   - record_types: DAEMON_ERR
     action: audit-error

diff --git a/auparse/mk_audit_arches.pl b/auparse/mk_audit_arches.pl
@@ -17,7 +17,7 @@
 
 my $command = "mk_audit_arches.pl ". join(' ', @ARGV);
 
-`curl -s -O https://raw.githubusercontent.com/torvalds/linux/v6.6/include/uapi/linux/audit.h`;
+`curl -s -O https://raw.githubusercontent.com/torvalds/linux/v6.11/include/uapi/linux/audit.h`;
 
 open(GCC, "gcc -E -dD audit.h |") || die "can't run gcc";
 my @arches;

diff --git a/auparse/mk_audit_msg_types.go b/auparse/mk_audit_msg_types.go
@@ -158,9 +158,8 @@ func GetAuditMessageType(name string) (AuditMessageType, error) {
 var tmpl = template.Must(template.New("message_types").Parse(fileTemplate))
 
 var headers = []string{
-	`https://raw.githubusercontent.com/torvalds/linux/v6.6/include/uapi/linux/audit.h`,
-	`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib/libaudit.h`,
-	`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib/msg_typetab.h`,
+	`https://raw.githubusercontent.com/linux-audit/audit-userspace/v4.0.2/lib/audit-records.h`,
+	`https://raw.githubusercontent.com/linux-audit/audit-userspace/v4.0.2/lib/msg_typetab.h`,
 }
 
 func DownloadFile(url, destinationDir string) (string, error) {
@@ -217,13 +216,13 @@ func readMessageTypeTable() (map[string]string, error) {
 		}
 	}
 
-	return constantToStringName, nil
+	return constantToStringName, s.Err()
 }
 
 func readRecordTypes() (map[string]int, error) {
-	out, err := exec.Command("gcc", "-E", "-dD", "libaudit.h", "audit.h").Output()
+	out, err := exec.Command("gcc", "-E", "-dD", "audit-records.h").Output()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to run gcc: %w", err)
 	}
 
 	recordTypeToNum := map[string]int{}
@@ -241,7 +240,7 @@ func readRecordTypes() (map[string]int, error) {
 		}
 	}
 
-	return recordTypeToNum, nil
+	return recordTypeToNum, s.Err()
 }
 
 func run() error {

diff --git a/auparse/mk_audit_syscalls.pl b/auparse/mk_audit_syscalls.pl
@@ -22,7 +22,7 @@ sub fmt {
     print "\t\t$num: \"$name\",\n";
 }
 
-my $base_url = "https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib";
+my $base_url = "https://raw.githubusercontent.com/linux-audit/audit-userspace/v4.0.2/lib";
 my @tables = (
     "aarch64",
     "arm",

diff --git a/auparse/zaudit_syscalls.go b/auparse/zaudit_syscalls.go
diff --git a/cmd/audit/audit.go b/cmd/audit/audit.go
@@ -138,7 +138,7 @@ func receive(r *libaudit.AuditClient) error {
 			return fmt.Errorf("receive failed: %w", err)
 		}
 
-		// Messages from 1300-2999 are valid audit messages.
+		// Messages from 1100-2999 are valid audit messages.
 		if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
 			rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
 			continue

diff --git a/netlink.go b/netlink.go
@@ -77,7 +77,7 @@ type NetlinkClient struct {
 //
 // The returned NetlinkClient must be closed with Close() when finished.
 func NewNetlinkClient(proto int, groups uint32, readBuf []byte, resp io.Writer) (*NetlinkClient, error) {
-	s, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, proto)
+	s, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW|syscall.SOCK_CLOEXEC, proto)
 	if err != nil {
 		return nil, err
 	}