
Merge branch 'main' into rule-deletion
andrewkroh authored Jul 23, 2024
2 parents b0c2227 + f626137 commit 4961b27
Showing 32 changed files with 291 additions and 78 deletions.
26 changes: 25 additions & 1 deletion CHANGELOG.md
Expand Up @@ -9,10 +9,32 @@ This project adheres to [Semantic Versioning](http://semver.org/).

### Changed

- Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)

### Removed

### Deprecated

## [2.5.0]

### Added

- Add ECS normalization for `exit_group` syscall. [#149](https://github.com/elastic/go-libaudit/pull/149)

### Changed

- Update syscall and architecture tables. [#147](https://github.com/elastic/go-libaudit/pull/147)

## [2.4.0]

### Added

- Support `saddr_fam` filters. [#145](https://github.com/elastic/go-libaudit/pull/145)

### Changed

- Update Vagrant file gvm and ubuntu versions. [#145](https://github.com/elastic/go-libaudit/pull/145)

## [2.3.3]

### Changed
Expand Down Expand Up @@ -248,7 +270,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
Linux kernel.
- Added auparse package for parsing audit logs.

[Unreleased]: https://github.com/elastic/go-libaudit/compare/v2.3.3...HEAD
[Unreleased]: https://github.com/elastic/go-libaudit/compare/v2.5.0...HEAD
[2.5.0]: https://github.com/elastic/go-libaudit/releases/tag/v2.5.0
[2.4.0]: https://github.com/elastic/go-libaudit/releases/tag/v2.4.0
[2.3.3]: https://github.com/elastic/go-libaudit/releases/tag/v2.3.3
[2.3.2]: https://github.com/elastic/go-libaudit/releases/tag/v2.3.2
[2.3.1]: https://github.com/elastic/go-libaudit/releases/tag/v2.3.1
4 changes: 2 additions & 2 deletions Vagrantfile
Expand Up @@ -11,7 +11,7 @@ SCRIPT
install_gvm = <<SCRIPT
mkdir -p ~/bin
if [ ! -e "~/bin/gvm" ]; then
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.4.0/gvm-linux-amd64
curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.5.2/gvm-linux-amd64
chmod +x ~/bin/gvm
~/bin/gvm #{GO_VERSION}
echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
Expand All @@ -29,7 +29,7 @@ rm -f golangci-lint-#{GOLANGCI_LINT_VERSION}-linux-amd64.deb
SCRIPT

Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/impish64"
config.vm.box = "ubuntu/mantic64"
config.vm.network :forwarded_port, guest: 22, host: 2228, id: "ssh", auto_correct: true
config.vm.provision "shell", inline: create_symlink, privileged: false
config.vm.provision "shell", inline: install_gvm, privileged: false
11 changes: 5 additions & 6 deletions aucoalesce/coalesce_test.go
Expand Up @@ -21,7 +21,6 @@ import (
"bufio"
"encoding/json"
"flag"
"io/ioutil"
"os"
"path/filepath"
"sort"
Expand All @@ -30,7 +29,7 @@ import (

"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/yaml.v2"
"gopkg.in/yaml.v3"

"github.com/elastic/go-libaudit/v2/auparse"
)
Expand Down Expand Up @@ -110,7 +109,7 @@ func testCoalesceEvent(t *testing.T, file string) {
}

func readEventsFromYAML(t testing.TB, name string) []testEvent {
file, err := ioutil.ReadFile(name)
file, err := os.ReadFile(name)
if err != nil {
t.Fatal(err)
}
Expand All @@ -125,7 +124,7 @@ func readEventsFromYAML(t testing.TB, name string) []testEvent {
t.Fatal("failed to find 'tests' in yaml")
}

cases, ok := tests.(map[interface{}]interface{})
cases, ok := tests.(map[string]interface{})
if !ok {
t.Fatalf("unexpected type %T for 'tests'", tests)
}
Expand All @@ -147,7 +146,7 @@ func readEventsFromYAML(t testing.TB, name string) []testEvent {
}

testEvents = append(testEvents, testEvent{
name: name.(string),
name: name,
messages: msgs,
})
}
Expand Down Expand Up @@ -184,7 +183,7 @@ func writeGoldenFile(name string, events []testEventOutput) error {
func readGoldenFile(name string) ([]map[string]interface{}, error) {
name = strings.TrimSuffix(name, ".yaml")

data, err := ioutil.ReadFile(name + ".json.golden")
data, err := os.ReadFile(name + ".json.golden")
if err != nil {
return nil, err
}
32 changes: 10 additions & 22 deletions aucoalesce/normalizations.yaml
Expand Up @@ -2,12 +2,6 @@
# Macros declares some YAML anchors that can be referenced for some common
# object type normalizations like user-session, socket, or process.
macros:
- &defaults
subject:
primary: auid
secondary: uid
how: [exe, comm]

- &macro-user-session
subject:
primary: auid
Expand All @@ -18,21 +12,6 @@ macros:
what: user-session
how: [exe, terminal]

- &macro-socket
<<: *defaults
object:
primary: [addr, path]
secondary: port
what: socket

- &macro-process
<<: *defaults
object:
primary: [cmd, exe, comm]
secondary: pid
what: process
how: terminal

- &ecs-iam
category: iam
type: info
Expand Down Expand Up @@ -548,6 +527,15 @@ normalizations:
ecs:
<<: *ecs-process
type: change
- action: end
object:
what: process
how: syscall
syscalls:
# exit_group - exit all threads in a process
- exit_group
ecs: *ecs-process
type: end

# Currently unhandled
# this list comes from parsing linux man pages at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
Expand Down Expand Up @@ -673,7 +661,6 @@ normalizations:
# acct - switch process accounting on or off
# sigsuspend - wait for a signal
# rt_sigsuspend - wait for a signal
# exit_group - exit all threads in a process
# socket - create an endpoint for communication
# ioctl_userfaultfd - create a file descriptor for handling page faults in user space
# sched_get_priority_max - get static priority range
Expand Down Expand Up @@ -1531,6 +1518,7 @@ normalizations:
object:
primary: addr
secondary: [rport]
what: user-session
record_types: CRYPTO_SESSION
source_ip: [addr]
ecs: *ecs-process
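Review bot: The new `action: end` entry for `exit_group` spells its ECS override differently from the `action: change` entry directly above it, which uses `ecs:` / `<<: *ecs-process` / `type: change`, whereas here `ecs: *ecs-process` is followed by `type: end`. Indentation is not preserved in this rendering, so I cannot tell whether `type: end` nests under `ecs`; if it does, an alias node cannot carry additional keys and the loader will reject the document, and if it sits at the entry level it is a key none of the visible entries use. Either way the merge form used by the neighbouring entry, `ecs:` / `<<: *ecs-process` / `type: end`, is the consistent spelling and makes the intent unambiguous. The `macros` hunk that drops the `&defaults`, `&macro-socket` and `&macro-process` anchors is fine provided nothing outside the visible hunks still references them, which the loader test in this commit should confirm.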
2 changes: 1 addition & 1 deletion aucoalesce/normalize.go
Expand Up @@ -22,7 +22,7 @@ import (
"fmt"
"strings"

"gopkg.in/yaml.v2"
"gopkg.in/yaml.v3"
)

var (
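Review bot: Switching the import from `gopkg.in/yaml.v2` to `gopkg.in/yaml.v3` changes decoding behaviour beyond the API surface, and nothing in this hunk shows the loader was checked against those differences. v3 decodes untyped mappings into `map[string]interface{}` rather than `map[interface{}]interface{}` (the test files in this commit were adjusted for exactly that), and it follows YAML 1.2, so plain `yes`/`no`/`on`/`off` scalars decode as strings rather than booleans. If any struct the normalizations are decoded into has `bool` fields, or any code type-asserts the untyped result, that deserves a deliberate check; the decode call itself lies outside this hunk.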
6 changes: 3 additions & 3 deletions aucoalesce/normalize_test.go
Expand Up @@ -18,11 +18,11 @@
package aucoalesce

import (
"io/ioutil"
"os"
"testing"

"github.com/stretchr/testify/assert"
"gopkg.in/yaml.v2"
"gopkg.in/yaml.v3"
)

func TestNormInit(t *testing.T) {
Expand All @@ -31,7 +31,7 @@ func TestNormInit(t *testing.T) {
}

func TestLoadNormalizationConfig(t *testing.T) {
b, err := ioutil.ReadFile("normalizations.yaml")
b, err := os.ReadFile("normalizations.yaml")
if err != nil {
t.Fatal(err)
}
4 changes: 1 addition & 3 deletions audit.go
Expand Up @@ -30,8 +30,6 @@ import (
"time"
"unsafe"

"go.uber.org/multierr"

"github.com/elastic/go-libaudit/v2/auparse"
)

Expand Down Expand Up @@ -451,7 +449,7 @@ func (c *AuditClient) Close() error {
err = c.set(status, NoWait)
}

err = multierr.Append(err, c.Netlink.Close())
err = errors.Join(err, c.Netlink.Close())
})

return err
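Review bot: `errors.Join(err, c.Netlink.Close())` is not a drop-in for `multierr.Append(err, ...)` when only one operand is non-nil: multierr returned that single error unchanged, while `errors.Join` always returns a new wrapping error, so a caller that compares the result of `Close()` to a sentinel with `==` instead of `errors.Is` will stop matching. `errors.Is`/`errors.As` still unwrap it and `Error()` is unchanged for a single operand, so this only matters if such a comparison exists somewhere. If keeping a lone `set` error unwrapped matters, `if cerr := c.Netlink.Close(); cerr != nil { err = errors.Join(err, cerr) }` preserves that case. The enclosing `Close` method starts above this hunk, and I am assuming `errors` is already imported outside the visible import hunk.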
3 changes: 3 additions & 0 deletions auparse/auparse.go
Expand Up @@ -33,6 +33,7 @@ import (
//go:generate sh -c "perl mk_audit_syscalls.pl > zaudit_syscalls.go && gofmt -s -w zaudit_syscalls.go"
//go:generate perl mk_audit_arches.pl
//go:generate go run mk_audit_exit_codes.go
//go:generate go run github.com/elastic/go-licenser

const (
typeToken = "type="
Expand All @@ -55,6 +56,8 @@ type AuditMessage struct {
Sequence uint32 // Sequence parsed from payload.
RawData string // Raw message as a string.

Payload interface{} // Opaque payload. This can be anything that is needed to be preserved along with the message and returned back after aggregation.

offset int // offset is the index into RawData where the header ends and message begins.
data map[string]string // The key value pairs parsed from the message.
tags []string // The keys associated with the event (e.g. the values set in rules with -F key=exec).
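Review bot: The new directive `//go:generate go run github.com/elastic/go-licenser` names the tool without a version, so `go run` resolves it from `go.mod` only if go-licenser is already a tracked dependency (for example via a `tools.go` import) and otherwise fetches whatever the module proxy currently serves as latest, making the generated output depend on an unpinned, remotely fetched program. Pin it as `//go:generate go run github.com/elastic/go-licenser@vX.Y.Z` (placeholder version) or track it in `go.mod` so the version is fixed and checksummed in `go.sum`. In the second hunk, the trailing comment on the new `Payload interface{}` field is long enough that a doc comment above the field would read better in godoc and keep the column alignment gofmt enforces on the neighbouring fields.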
5 changes: 2 additions & 3 deletions auparse/auparse_test.go
Expand Up @@ -22,7 +22,6 @@ import (
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"os"
"path/filepath"
"regexp"
Expand Down Expand Up @@ -436,7 +435,7 @@ func writeGoldenFile(sourceName string, events []*AuditMessage) error {
}

func readGoldenFile(name string) ([]*StoredAuditMessage, error) {
data, err := ioutil.ReadFile(name)
data, err := os.ReadFile(name)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -480,7 +479,7 @@ func BenchmarkParseLogLine(b *testing.B) {
require.NoError(b, err)
var msgs []string
for _, f := range files {
data, err := ioutil.ReadFile(f)
data, err := os.ReadFile(f)
require.NoError(b, err)
for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
if _, err = ParseLogLine(line); err == nil {
4 changes: 4 additions & 0 deletions auparse/defs_audit_arches.go


2 changes: 1 addition & 1 deletion auparse/mk_audit_arches.pl
Expand Up @@ -17,7 +17,7 @@

my $command = "mk_audit_arches.pl ". join(' ', @ARGV);

`curl -s -O https://raw.githubusercontent.com/torvalds/linux/v5.16/include/uapi/linux/audit.h`;
`curl -s -O https://raw.githubusercontent.com/torvalds/linux/v6.6/include/uapi/linux/audit.h`;

open(GCC, "gcc -E -dD audit.h |") || die "can't run gcc";
my @arches;
5 changes: 2 additions & 3 deletions auparse/mk_audit_exit_codes.go
Expand Up @@ -25,7 +25,6 @@ import (
"bytes"
"flag"
"fmt"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
Expand Down Expand Up @@ -144,7 +143,7 @@ func readErrorNumbers() ([]ErrorNumber, error) {
}

func run() error {
tmp, err := ioutil.TempDir("", "mk_audit_exit_codes")
tmp, err := os.MkdirTemp("", "mk_audit_exit_codes")
if err != nil {
return err
}
Expand Down Expand Up @@ -202,7 +201,7 @@ func run() error {
}
}

if err = ioutil.WriteFile(flagOut, buf.Bytes(), 0o644); err != nil {
if err = os.WriteFile(flagOut, buf.Bytes(), 0o644); err != nil {
return err
}

9 changes: 4 additions & 5 deletions auparse/mk_audit_msg_types.go
Expand Up @@ -26,7 +26,6 @@ import (
"flag"
"fmt"
"io"
"io/ioutil"
"net/http"
"os"
"os/exec"
Expand Down Expand Up @@ -159,9 +158,9 @@ func GetAuditMessageType(name string) (AuditMessageType, error) {
var tmpl = template.Must(template.New("message_types").Parse(fileTemplate))

var headers = []string{
`https://raw.githubusercontent.com/torvalds/linux/v5.16/include/uapi/linux/audit.h`,
`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.0.7/lib/libaudit.h`,
`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.0.7/lib/msg_typetab.h`,
`https://raw.githubusercontent.com/torvalds/linux/v6.6/include/uapi/linux/audit.h`,
`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib/libaudit.h`,
`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib/msg_typetab.h`,
}

func DownloadFile(url, destinationDir string) (string, error) {
Expand Down Expand Up @@ -246,7 +245,7 @@ func readRecordTypes() (map[string]int, error) {
}

func run() error {
tmp, err := ioutil.TempDir("", "mk_audit_msg_types")
tmp, err := os.MkdirTemp("", "mk_audit_msg_types")
if err != nil {
return err
}
2 changes: 1 addition & 1 deletion auparse/mk_audit_syscalls.pl
Expand Up @@ -22,7 +22,7 @@ sub fmt {
print "\t\t$num: \"$name\",\n";
}

my $base_url = "https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.0.7/lib";
my $base_url = "https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib";
my @tables = (
"aarch64",
"arm",
