Go Libaudit Versions Save

Added

• Add ECS normalization for exit_group syscall. #149

Changed

• Update syscall and architecture tables. #147

Added

• Support saddr_fam filters. #145

Changed

• Update Vagrant file gvm and ubuntu versions. #145

Changed

• Expanded the bitmask applied to ECS file.mode in the aucoalesce package so that the SUID, SGID, and sticky bits can be represented. #137

Changed

• Reduce allocations when converting bytes to strings for received messages. #116 #122

Changed

• Reduce heap allocations when parsing and enriching auditd events. #111

Fixed

• Fix change in behaviour that causes error when unmarshaling AuditStatus with a short buffer. #110
• Fix minimum AuditStatus length so that library can support kernels from 2.6.32. #113 #119
• Fix parsing of audit rules where arguments are quoted (like file paths containing spaces). #115

Added

• Add ECS mappings for more audit anomaly events. #70
• Add BacklogWaitTimeActual status field, which is available since Linux 5.9 #93
• Add ECS normalizations for TIME_ADJNTPVAL and TIME_INJOFFSET. #98
• Add support for exe filters in exclude rules (e.g. -a exclude,always -F exe=/bin/ls). #97

Changed

• Update syscall, arches, and audit msg type tables for Linux 5.16. #96
• Go 1.16 or newer is required because the project uses the embed package. #104
• Fixed error messages from AddRule() in the audit client. #103

Removed

• Removed support for resolving syscall numbers to names for the ia64 architecture. #96

[2.2.0]

Added

• Add user and group mapping for ECS 1.8 compatibility #86

Changed

• Change ECS category of USER_START and USER_END messages to session. #86

Added

• ECS 1.7 configuration categorization. #80

Changed

• Use ingress/egress instead of inbound/outbound for ECS 1.7. #80

Changed

• Use ECS recommended values for network direction. #75 #76

Removed

• Remove github.com/Sirupsen/logrus dependency from examples. #73

Changed

• Fixed syscall lookup for ppc64 and ppc64le. #71