Releases: elastic/go-libaudit

2.6.1

22 Nov 14:52
fa53fcd

Changed

  • rule: On s390x, fix handling of rules with filters like -F arch=b64 or -F arch=b32. #164
  • aucoalesce: Fix bug affecting event normalization caused by upgrade to yaml.v3. #170

2.6.0

06 Nov 15:13
7d76d1d

Known Issues

Changed

  • Fix panic in parseSockaddr for malformed socket address. #152
  • Set SOCK_CLOEXEC when creating the netlink socket to avoid leaking file descriptors. #165
  • Update syscall tables. #167
  • aucoalesce: Use ECS event.type: end instead of stop for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. #159

2.5.0

23 Jan 16:16
5216c76

Added

  • Add ECS normalization for exit_group syscall. #149

Changed

  • Update syscall and architecture tables. #147

2.4.0

24 Oct 05:59
4164fc0

Added

  • Support saddr_fam filters. #145

Changed

  • Update the gvm and Ubuntu versions in the Vagrantfile. #145

2.3.3

10 Aug 21:35

Changed

  • Expanded the bitmask applied to ECS file.mode in the aucoalesce package so that the SUID, SGID, and sticky bits can be represented. #137

2.3.2

24 Aug 21:26

Changed

  • Reduce allocations when converting bytes to strings for received messages. #116 #122

2.3.1

20 Jul 16:26

Changed

  • Reduce heap allocations when parsing and enriching auditd events. #111

Fixed

  • Fix change in behaviour that causes error when unmarshaling AuditStatus with a short buffer. #110
  • Fix minimum AuditStatus length so that library can support kernels from 2.6.32. #113 #119
  • Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). #115

2.3.0

04 May 16:18

Added

  • Add ECS mappings for more audit anomaly events. #70
  • Add BacklogWaitTimeActual status field, which is available since Linux 5.9. #93
  • Add ECS normalizations for TIME_ADJNTPVAL and TIME_INJOFFSET. #98
  • Add support for exe filters in exclude rules (e.g. -a exclude,always -F exe=/bin/ls). #97

Changed

  • Update syscall, arches, and audit msg type tables for Linux 5.16. #96
  • Go 1.16 or newer is required because the project uses the embed package. #104
  • Fixed error messages from AddRule() in the audit client. #103

Removed

  • Removed support for resolving syscall numbers to names for the ia64 architecture. #96

2.2.0

03 Feb 08:03

Added

  • Add user and group mapping for ECS 1.8 compatibility. #86

Changed

  • Change ECS category of USER_START and USER_END messages to session. #86

2.1.0

08 Dec 22:48
9aafaf3

Added

  • ECS 1.7 configuration categorization. #80

Changed

  • Use ingress/egress instead of inbound/outbound for ECS 1.7. #80