Merge branch 'main' into rule-deletion

Author: andrewkroh

CHANGELOG.md

@@ -9,10 +9,32 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 
+- Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)
+
 ### Removed
 
 ### Deprecated
 
+## [2.5.0]
+
+### Added
+
+- Add ECS normalization for `exit_group` syscall. [#149](https://github.com/elastic/go-libaudit/pull/149)
+
+### Changed
+
+- Update syscall and architecture tables. [#147](https://github.com/elastic/go-libaudit/pull/147)
+
+## [2.4.0]
+
+### Added
+
+- Support `saddr_fam` filters. [#145](https://github.com/elastic/go-libaudit/pull/145)
+
+### Changed
+
+- Update Vagrant file gvm and ubuntu versions. [#145](https://github.com/elastic/go-libaudit/pull/145)
+
 ## [2.3.3]
 
 ### Changed
@@ -248,7 +270,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
   Linux kernel.
 - Added auparse package for parsing audit logs.
 
-[Unreleased]: https://github.com/elastic/go-libaudit/compare/v2.3.3...HEAD
+[Unreleased]: https://github.com/elastic/go-libaudit/compare/v2.5.0...HEAD
+[2.5.0]: https://github.com/elastic/go-libaudit/releases/tag/v2.5.0
+[2.4.0]: https://github.com/elastic/go-libaudit/releases/tag/v2.4.0
 [2.3.3]: https://github.com/elastic/go-libaudit/releases/tag/v2.3.3
 [2.3.2]: https://github.com/elastic/go-libaudit/releases/tag/v2.3.2
 [2.3.1]: https://github.com/elastic/go-libaudit/releases/tag/v2.3.1

Vagrantfile

@@ -11,7 +11,7 @@ SCRIPT
 install_gvm = <<SCRIPT
 mkdir -p ~/bin
 if [ ! -e "~/bin/gvm" ]; then
-  curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.4.0/gvm-linux-amd64
+  curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.5.2/gvm-linux-amd64
   chmod +x ~/bin/gvm
   ~/bin/gvm #{GO_VERSION}
   echo 'export GOPATH=$HOME/go' >> ~/.bash_profile
@@ -29,7 +29,7 @@ rm -f golangci-lint-#{GOLANGCI_LINT_VERSION}-linux-amd64.deb
 SCRIPT
 
 Vagrant.configure(2) do |config|
-  config.vm.box = "ubuntu/impish64"
+  config.vm.box = "ubuntu/mantic64"
   config.vm.network :forwarded_port, guest: 22, host: 2228, id: "ssh", auto_correct: true
   config.vm.provision "shell", inline: create_symlink, privileged: false
   config.vm.provision "shell", inline: install_gvm, privileged: false

aucoalesce/coalesce_test.go

@@ -21,7 +21,6 @@ import (
 	"bufio"
 	"encoding/json"
 	"flag"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sort"
@@ -30,7 +29,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 
 	"github.com/elastic/go-libaudit/v2/auparse"
 )
@@ -110,7 +109,7 @@ func testCoalesceEvent(t *testing.T, file string) {
 }
 
 func readEventsFromYAML(t testing.TB, name string) []testEvent {
-	file, err := ioutil.ReadFile(name)
+	file, err := os.ReadFile(name)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -125,7 +124,7 @@ func readEventsFromYAML(t testing.TB, name string) []testEvent {
 		t.Fatal("failed to find 'tests' in yaml")
 	}
 
-	cases, ok := tests.(map[interface{}]interface{})
+	cases, ok := tests.(map[string]interface{})
 	if !ok {
 		t.Fatalf("unexpected type %T for 'tests'", tests)
 	}
@@ -147,7 +146,7 @@ func readEventsFromYAML(t testing.TB, name string) []testEvent {
 		}
 
 		testEvents = append(testEvents, testEvent{
-			name:     name.(string),
+			name:     name,
 			messages: msgs,
 		})
 	}
@@ -184,7 +183,7 @@ func writeGoldenFile(name string, events []testEventOutput) error {
 func readGoldenFile(name string) ([]map[string]interface{}, error) {
 	name = strings.TrimSuffix(name, ".yaml")
 
-	data, err := ioutil.ReadFile(name + ".json.golden")
+	data, err := os.ReadFile(name + ".json.golden")
 	if err != nil {
 		return nil, err
 	}

aucoalesce/normalizations.yaml

@@ -2,12 +2,6 @@
 # Macros declares some YAML anchors that can be referenced for some common
 # object type normalizations like user-session, socket, or process.
 macros:
-  - &defaults
-    subject:
-      primary: auid
-      secondary: uid
-    how: [exe, comm]
-
   - &macro-user-session
     subject:
       primary: auid
@@ -18,21 +12,6 @@ macros:
       what: user-session
     how: [exe, terminal]
 
-  - &macro-socket
-    <<: *defaults
-    object:
-      primary: [addr, path]
-      secondary: port
-      what: socket
-
-  - &macro-process
-    <<: *defaults
-    object:
-      primary: [cmd, exe, comm]
-      secondary: pid
-      what: process
-    how: terminal
-
   - &ecs-iam
     category: iam
     type: info
@@ -548,6 +527,15 @@ normalizations:
     ecs:
       <<: *ecs-process
       type: change
+  - action: end
+    object:
+      what: process
+    how: syscall
+    syscalls:
+      # exit_group - exit all threads in a process
+      - exit_group
+    ecs: *ecs-process
+    type: end
 
   # Currently unhandled
   # this list comes from parsing linux man pages at https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git
@@ -673,7 +661,6 @@ normalizations:
   # acct - switch process accounting on or off
   # sigsuspend - wait for a signal
   # rt_sigsuspend - wait for a signal
-  # exit_group - exit all threads in a process
   # socket - create an endpoint for communication
   # ioctl_userfaultfd - create a file descriptor for handling page faults in user space
   # sched_get_priority_max - get static priority range
@@ -1531,6 +1518,7 @@ normalizations:
     object:
       primary: addr
       secondary: [rport]
+      what: user-session
     record_types: CRYPTO_SESSION
     source_ip: [addr]
     ecs: *ecs-process

aucoalesce/normalize.go

@@ -22,7 +22,7 @@ import (
 	"fmt"
 	"strings"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 var (

aucoalesce/normalize_test.go

@@ -18,11 +18,11 @@
 package aucoalesce
 
 import (
-	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 func TestNormInit(t *testing.T) {
@@ -31,7 +31,7 @@ func TestNormInit(t *testing.T) {
 }
 
 func TestLoadNormalizationConfig(t *testing.T) {
-	b, err := ioutil.ReadFile("normalizations.yaml")
+	b, err := os.ReadFile("normalizations.yaml")
 	if err != nil {
 		t.Fatal(err)
 	}

audit.go

@@ -30,8 +30,6 @@ import (
 	"time"
 	"unsafe"
 
-	"go.uber.org/multierr"
-
 	"github.com/elastic/go-libaudit/v2/auparse"
 )
 
@@ -451,7 +449,7 @@ func (c *AuditClient) Close() error {
 			err = c.set(status, NoWait)
 		}
 
-		err = multierr.Append(err, c.Netlink.Close())
+		err = errors.Join(err, c.Netlink.Close())
 	})
 
 	return err

auparse/auparse.go

@@ -33,6 +33,7 @@ import (
 //go:generate sh -c "perl mk_audit_syscalls.pl > zaudit_syscalls.go && gofmt -s -w zaudit_syscalls.go"
 //go:generate perl mk_audit_arches.pl
 //go:generate go run mk_audit_exit_codes.go
+//go:generate go run github.com/elastic/go-licenser
 
 const (
 	typeToken = "type="
@@ -55,6 +56,8 @@ type AuditMessage struct {
 	Sequence   uint32           // Sequence parsed from payload.
 	RawData    string           // Raw message as a string.
 
+	Payload interface{} // Opaque payload. This can be anything that is needed to be preserved along with the message and returned back after aggregation.
+
 	offset int               // offset is the index into RawData where the header ends and message begins.
 	data   map[string]string // The key value pairs parsed from the message.
 	tags   []string          // The keys associated with the event (e.g. the values set in rules with -F key=exec).

auparse/auparse_test.go

@@ -22,7 +22,6 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -436,7 +435,7 @@ func writeGoldenFile(sourceName string, events []*AuditMessage) error {
 }
 
 func readGoldenFile(name string) ([]*StoredAuditMessage, error) {
-	data, err := ioutil.ReadFile(name)
+	data, err := os.ReadFile(name)
 	if err != nil {
 		return nil, err
 	}
@@ -480,7 +479,7 @@ func BenchmarkParseLogLine(b *testing.B) {
 	require.NoError(b, err)
 	var msgs []string
 	for _, f := range files {
-		data, err := ioutil.ReadFile(f)
+		data, err := os.ReadFile(f)
 		require.NoError(b, err)
 		for _, line := range strings.Split(strings.TrimSpace(string(data)), "\n") {
 			if _, err = ParseLogLine(line); err == nil {