From 9b3ec4002e4f07277027f0f2c65482d3446f54a7 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Tue, 14 Jul 2020 12:44:22 -0400
Subject: [PATCH] Update to go-libaudit v2.0.0 (#19300)

* Update to go-libaudit v2.0.0

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already incorporated into Beats. https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes #14055 (seccomp field enrichments)

Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

* Only import go-libaudit on linux

(cherry picked from commit 4f3d9507f51f16476971aee16bd76fbaa40f195d)
---
 CHANGELOG.next.asciidoc                        |  4 ++++
 NOTICE.txt                                     |  8 +++----
 auditbeat/module/auditd/audit.go               | 23 +++++++++++++++++++
 .../auditd/{config.go => config_linux.go}      |  6 -----
 go.mod                                         |  4 ++--
 go.sum                                         |  8 +++----
 6 files changed, 37 insertions(+), 16 deletions(-)
 create mode 100644 auditbeat/module/auditd/audit.go
 rename auditbeat/module/auditd/{config.go => config_linux.go} (98%)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4725d71d816..bcd55a06afb 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -178,6 +178,9 @@ field. You can revert this change by configuring tags for the module and omittin
 - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764]
 - system/socket: Fixed tracking of long-running connections. {pull}19033[19033]
 - system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN]
+- auditd: Fix spelling of anomaly in `event.category`.
+- auditd: Fix typo in `event.action` of `removed-user-role-from`. {pull}19300[19300]
+- auditd: Fix typo in `event.action` of `used-suspicious-link`. {pull}19300[19300]
 
 *Filebeat*
 
@@ -419,6 +422,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Add file integrity module ECS categorization fields. {pull}18012[18012]
 - Add `file.mime_type`, `file.extension`, and `file.drive_letter` for file integrity module. {pull}18012[18012]
 - Add ECS categorization info for auditd module {pull}18596[18596]
+- Add enrichment of auditd seccomp events with name of the architecture, syscall, and signal. {issue}14055[14055] {pull}19300[19300]
 
 *Filebeat*
 
diff --git a/NOTICE.txt b/NOTICE.txt
index 21e4e6b11c3..513c37f7cd0 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -6147,11 +6147,11 @@ Contents of probable licence file $GOMODCACHE/github.com/elastic/go-concert@v0.0
 
 --------------------------------------------------------------------------------
 Dependency : github.com/elastic/go-libaudit/v2
-Version: v2.0.0-20200515221334-92371bef3fb8
+Version: v2.0.0
 Licence type (autodetected): Apache-2.0
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.0.0-20200515221334-92371bef3fb8/LICENSE.txt:
+Contents of probable licence file $GOMODCACHE/github.com/elastic/go-libaudit/v2@v2.0.0/LICENSE.txt:
 
 
                                  Apache License
@@ -15404,11 +15404,11 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 --------------------------------------------------------------------------------
 Dependency : golang.org/x/sys
-Version: v0.0.0-20200202164722-d101bd2416d5
+Version: v0.0.0-20200615200032-f1bc736245b1
 Licence type (autodetected): BSD-3-Clause
 --------------------------------------------------------------------------------
 
-Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20200202164722-d101bd2416d5/LICENSE:
+Contents of probable licence file $GOMODCACHE/golang.org/x/sys@v0.0.0-20200615200032-f1bc736245b1/LICENSE:
 
 Copyright (c) 2009 The Go Authors. All rights reserved.
 
diff --git a/auditbeat/module/auditd/audit.go b/auditbeat/module/auditd/audit.go
new file mode 100644
index 00000000000..9812f2fbefe
--- /dev/null
+++ b/auditbeat/module/auditd/audit.go
@@ -0,0 +1,23 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package auditd
+
+const (
+	moduleName    = "auditd"
+	metricsetName = "auditd"
+)
diff --git a/auditbeat/module/auditd/config.go b/auditbeat/module/auditd/config_linux.go
similarity index 98%
rename from auditbeat/module/auditd/config.go
rename to auditbeat/module/auditd/config_linux.go
index 149af7a08a0..d0d90e86c44 100644
--- a/auditbeat/module/auditd/config.go
+++ b/auditbeat/module/auditd/config_linux.go
@@ -35,12 +35,6 @@ import (
 	"github.com/elastic/go-libaudit/v2/rule/flags"
 )
 
-const (
-	moduleName         = "auditd"
-	metricsetName      = "auditd"
-	recursiveGlobDepth = 8
-)
-
 // Config defines the kernel metricset's possible configuration options.
 type Config struct {
 	ResolveIDs bool `config:"resolve_ids"` // Resolve UID/GIDs to names.
diff --git a/go.mod b/go.mod
index a32792bd90d..a97510dd310 100644
--- a/go.mod
+++ b/go.mod
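Review bot: The const block in the new audit.go carries no comment saying why `moduleName` and `metricsetName` were moved out of the (now Linux-only) config_linux.go into a file with no build constraint; only the commit message ("Only import go-libaudit on linux") records that intent, and a later reader is likely to fold them back next to Config. Suggest a doc comment above `const (` such as `// moduleName and metricsetName live here, in a file without a build constraint, so they are available on every platform; the module's configuration in config_linux.go is built only on Linux.` Separately, the const block removed in the config_linux.go hunk also dropped `recursiveGlobDepth = 8` without relocating it; the hunk shows no replacement, so it is presumably unused and the Linux build would have caught a remaining reference, but the commit description should say the constant was removed deliberately.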
@@ -60,7 +60,7 @@ require (
 	github.com/elastic/ecs v1.5.0
 	github.com/elastic/elastic-agent-client/v7 v7.0.0-20200709172729-d43b7ad5833a
 	github.com/elastic/go-concert v0.0.3
-	github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8
+	github.com/elastic/go-libaudit/v2 v2.0.0
 	github.com/elastic/go-licenser v0.3.1
 	github.com/elastic/go-lookslike v0.3.0
 	github.com/elastic/go-lumber v0.1.0
@@ -163,7 +163,7 @@ require (
 	golang.org/x/net v0.0.0-20200202094626-16171245cfb2
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
-	golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5
+	golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1
 	golang.org/x/text v0.3.2
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
 	golang.org/x/tools v0.0.0-20200701041122-1837592efa10
diff --git a/go.sum b/go.sum
index f58933110ff..5161a253a9b 100644
--- a/go.sum
+++ b/go.sum
@@ -232,8 +232,8 @@ github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQ
 github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng=
 github.com/elastic/go-concert v0.0.3 h1:f0F4WOi8tBOFIgwA7YbHRQ+Ok8vR+/qFrG7vYvbpX5Q=
 github.com/elastic/go-concert v0.0.3/go.mod h1:9MtFarjXroUgmm0m6HY3NSe1XiKhdktiNRRj9hWvIaM=
-github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8 h1:Jcnojiuok7Ea5hitJK9VWmBigganE2MMETOH0VZasEA=
-github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8/go.mod h1:j2CZcVcluWDGhQTnq1SOPy1NKEIa74FtQ39Nnz87Jxk=
+github.com/elastic/go-libaudit/v2 v2.0.0 h1:4pbuZY+9Mz8Y4vxI5+G/RQVSYem0HyFFPcSjtmNDMp4=
+github.com/elastic/go-libaudit/v2 v2.0.0/go.mod h1:u100Al3gXDlDelEutZ0CZ6BMM+LsRFqdi7kzdrn6g7o=
 github.com/elastic/go-licenser v0.3.1 h1:RmRukU/JUmts+rpexAw0Fvt2ly7VVu6mw8z4HrEzObU=
 github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
 github.com/elastic/go-lookslike v0.3.0 h1:HDI/DQ65V85ZqM7D/sbxcK2wFFnh3+7iFvBk2v2FTHs=
@@ -807,7 +807,6 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20170608164803-0b25a408a500/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -837,8 +836,9 @@ golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c h1:OYFUffxXPezb7BVTx9AaD4Vl0
 golang.org/x/sys v0.0.0-20200102141924-c96a22e43c9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e h1:LwyF2AFISC9nVbS6MgzsaQNSUsRXI49GS+YQ5KX/QH0=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80=
+golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=