
Releases: elastic/go-libaudit

2.0.2

19 Aug 15:00
8bcb06e

Changed

  • Use ECS recommended values for network direction. #75 #76

Removed

  • Remove github.com/Sirupsen/logrus dependency from examples. #73

2.0.1

20 Jul 11:57

Changed

  • Fixed syscall lookup for ppc64 and ppc64le. #71

v2.0.0

18 Jun 20:28
05fbb4e

Added

  • Added SetImmutable to the audit client for marking the audit settings as immutable within the kernel. #55 #68
  • Added Vagrantfile for development ease. #61
  • Added enrichment of arch, syscall, and sig to type=SECCOMP messages. #64
  • Added support for big endian. #48

Changed

  • Added semantic versioning support via go modules. #61
  • Added ECS categorization support for events by record type and syscall. #62
  • Fixed a typo in the action value associated with ROLE_REMOVE messages. #65
  • Fixed a typo in the action value associated with ANOM_LINK messages. #66
  • Fixed spelling of anomaly in aucoalesce package. #67

v0.4.0

18 Jun 20:10

Added

  • Added method to convert kernel rules to text format in order to display them.

Changed

  • aucoalesce - Made the user/group ID cache thread-safe. #42 #45

v0.3.0

25 May 13:53

Added

  • Added support for setting the kernel's backlog wait time via the new
    SetBacklogWaitTime function. #34
  • New method GetStatusAsync to perform asynchronous status checks. #37

Changed

  • AuditClient Close() is now safe to call more than once. #35

v0.2.1

03 May 13:40

Added

  • Added better error messages for when NewAuditClient fails due to the
    Linux kernel not supporting auditing (CONFIG_AUDIT=n). #32

v0.2.0

30 Apr 14:09

Changed

  • auparse - Fixed parsing of apparmor AVC messages. #25
  • auparse - Update syscall and audit message type tables for Linux 4.16. #30
  • aucoalesce - Cache UID/GID values for one minute. #24

v0.1.1

05 Apr 19:22

Added

  • rules - Detect s390 or s390x as the runtime architecture (GOARCH) and
    automatically use the appropriate syscall name to number table without
    requiring the rule to explicitly specify an arch (-F arch=s390x). #23

v0.1.0

28 Mar 14:52

Changed

  • auparse - Fixed an issue where the name value was not being hex decoded from
    PATH records. #20

v0.0.7

18 Jan 14:34

Added

  • Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14
  • The AuditClient will unregister with the kernel if SetPID has been called. #19

Changed

  • auparse - Fixed an issue where the proctitle value was being truncated. #15
  • auparse - Fixed an issue where values were incorrectly interpreted as hex
    data. #13
  • auparse - Fixed parsing of the key value when multiple keys are present. #16
  • auparse - The cmdline key is no longer created for EXECVE records. #17
  • aucoalesce - Changed the event format to have objects for user, process, file,
    and network data. #17
  • Fixed an issue when an audit notification is received while waiting for the
    response to a control command.
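
The auparse fixes listed under v0.1.0 (#20, hex-decoding the PATH name) and v0.0.7 (#13, #15, #16) all turn on one decoding rule for raw audit records: a value is a hex-encoded string only when it is unquoted and belongs to a field the kernel hex-encodes, so a hex-looking value such as a0 must be decoded in an EXECVE record but left alone in a SYSCALL record, a decoded proctitle holds NUL-separated argv entries, and a decoded key field may hold several rule keys joined by 0x01. The Go program below is an added illustration of that rule using only the standard library; it is not go-libaudit's code, the sample records are constructed for the example, and the list of hex-encodable field names is an assumption chosen here rather than a list taken from the library.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Record is one parsed audit log line.
type Record struct {
	Type      string            // SYSCALL, PATH, EXECVE, PROCTITLE, ...
	Timestamp string            // seconds.millis from msg=audit(<ts>:<seq>)
	Sequence  string            // sequence number shared by all records of one event
	Fields    map[string]string // key=value pairs, with hex-encoded strings decoded
	Keys      []string          // rule keys split out of the key= field
}

// hexEncodableFields: fields the kernel emits as an unquoted hex string when the value
// holds spaces, quotes or control bytes. Limiting decoding to these keeps hex-looking
// numbers elsewhere (a0 in SYSCALL, arch, dev) intact. Assumed set for this example.
var hexEncodableFields = map[string]bool{
	"name": true, "proctitle": true, "key": true, "cmd": true, "exe": true,
	"comm": true, "cwd": true, "dir": true, "path": true,
}

// fieldRe matches one k=v pair; only a double-quoted value may contain spaces.
var fieldRe = regexp.MustCompile(`([A-Za-z0-9_-]+)=("[^"]*"|\S*)`)

// Constructed sample records for one execve event (not captured from a real host).
var sampleRecords = []string{
	`type=SYSCALL msg=audit(1523456789.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=7ffe2f4a1c20 a1=7ffe2f4a1d30 a2=0 a3=0 items=2 ppid=1 pid=4242 auid=1000 uid=0 gid=0 comm="ls" exe="/usr/bin/ls" key=6B657931016B657932`,
	`type=PATH msg=audit(1523456789.123:456): item=0 name=2F746D702F6D7920666F6C646572 inode=12345 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL`,
	`type=EXECVE msg=audit(1523456789.123:456): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920666F6C646572`,
	`type=PROCTITLE msg=audit(1523456789.123:456): proctitle=2F7573722F62696E2F6C73002D6C61`,
}

// ParseRecord parses one line of the form "type=T msg=audit(ts:seq): k=v k=v ...".
// User-space records that nest a second payload inside msg='...' are out of scope.
func ParseRecord(line string) (*Record, error) {
	typ, rest, ok := strings.Cut(strings.TrimPrefix(line, "type="), " msg=audit(")
	if !ok || !strings.HasPrefix(line, "type=") {
		return nil, errors.New("audit record header is malformed")
	}
	head, body, ok := strings.Cut(rest, "):")
	if !ok {
		return nil, errors.New("unterminated msg=audit(")
	}
	ts, seq, _ := strings.Cut(head, ":")
	rec := &Record{Type: typ, Timestamp: ts, Sequence: seq, Fields: map[string]string{}}
	for _, m := range fieldRe.FindAllStringSubmatch(body, -1) {
		k, v := m[1], m[2]
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = v[1 : len(v)-1] // quoted values are literal, never hex
		} else if isHexEncodable(rec.Type, k) && isHexString(v) {
			if b, err := hex.DecodeString(v); err == nil {
				v = string(b)
			}
		}
		switch k {
		case "proctitle":
			v = strings.ReplaceAll(v, "\x00", " ") // argv[] is NUL-separated
		case "key":
			if v != "(null)" && v != "" {
				rec.Keys = strings.Split(v, "\x01") // kernel joins several keys with 0x01
			}
		}
		rec.Fields[k] = v
	}
	return rec, nil
}

// isHexEncodable: in EXECVE records a0..aN carry argv strings, while in SYSCALL
// records the same names are register values, so the record type decides.
func isHexEncodable(recType, field string) bool {
	if hexEncodableFields[field] {
		return true
	}
	return recType == "EXECVE" && len(field) > 1 && field[0] == 'a' &&
		strings.Trim(field[1:], "0123456789") == ""
}

// isHexString reports whether v is a non-empty, even-length run of hex digits.
func isHexString(v string) bool {
	return v != "" && len(v)%2 == 0 && strings.Trim(v, "0123456789abcdefABCDEF") == ""
}

func main() {
	for _, line := range sampleRecords {
		rec, err := ParseRecord(line)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-9s seq=%s keys=%q fields=%v\n", rec.Type, rec.Sequence, rec.Keys, rec.Fields)
	}
}
```

Run with `go run`, the program prints the four decoded records. Note that a0 appears twice in the output: untouched as a register value in the SYSCALL record and decoded as argv[0] in the EXECVE record. Whether a field may be hex at all has to be decided per record type, not by checking whether the characters happen to be valid hex.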