Releases: elastic/go-libaudit
2.6.1
Changed
- rule: On s390x, fix handling of rules with filters like `-F arch=b64` or `-F arch=b32`. #164
- aucoalesce: Fix bug affecting event normalization caused by upgrade to yaml.v3. #170
2.6.0
Known Issues
Changed
- Fix panic in `parseSockaddr` for malformed socket address. #152
- Set `SOCK_CLOEXEC` when creating the netlink socket to avoid leaking file descriptors. #165
- Update syscall tables. #167
- aucoalesce: Use ECS `event.type: end` instead of `stop` for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. #159
2.5.0
Added
- Add ECS normalization for `exit_group` syscall. #149
Changed
- Update syscall and architecture tables. #147
2.4.0
Added
- Support `saddr_fam` filters. #145
Changed
- Update Vagrant file gvm and ubuntu versions. #145
2.3.3
Changed
- Expanded the bitmask applied to ECS `file.mode` in the aucoalesce package so that the SUID, SGID, and sticky bits can be represented. #137
2.3.2
Changed
- Reduce allocations when converting bytes to strings for received messages. #116 #122
2.3.1
Changed
- Reduce heap allocations when parsing and enriching auditd events. #111
Fixed
- Fix change in behaviour that causes error when unmarshaling `AuditStatus` with a short buffer. #110
- Fix minimum `AuditStatus` length so that library can support kernels from 2.6.32. #113 #119
- Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). #115
2.3.0
Added
- Add ECS mappings for more audit anomaly events. #70
- Add `BacklogWaitTimeActual` status field, which is available since Linux 5.9. #93
- Add ECS normalizations for `TIME_ADJNTPVAL` and `TIME_INJOFFSET`. #98
- Add support for exe filters in exclude rules (e.g. `-a exclude,always -F exe=/bin/ls`). #97
Changed
- Update syscall, arches, and audit msg type tables for Linux 5.16. #96
- Go 1.16 or newer is required because the project uses the embed package. #104
- Fixed error messages from `AddRule()` in the audit client. #103
Removed
- Removed support for resolving syscall numbers to names for the ia64 architecture. #96
2.2.0
Added
- Add user and group mapping for ECS 1.8 compatibility #86
Changed
- Change ECS category of USER_START and USER_END messages to `session`. #86
2.1.0
Added
- ECS 1.7 configuration categorization. #80
Changed
- Use ingress/egress instead of inbound/outbound for ECS 1.7. #80