
Commit 8375b53

Merge branch 'main' into rule-deletion
2 parents 4961b27 + 33356aa commit 8375b53

8 files changed

+93
-14
lines changed

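--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ### Changed
 
 - Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)
+- Set `SOCK_CLOEXEC` when creating the netlink socket to avoid leaking file descriptors. [#165](https://github.com/elastic/go-libaudit/pull/165)
+- Update syscall tables. [#167](https://github.com/elastic/go-libaudit/pull/167)
+- aucoalesce: Use ECS `event.type: end` instead of `stop` for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages. [#159](https://github.com/elastic/go-libaudit/pull/159)
 
 ### Removed
 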
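--- a/aucoalesce/normalizations.yaml
+++ b/aucoalesce/normalizations.yaml
@@ -1230,7 +1230,7 @@ normalizations:
 what: service
 ecs:
 <<: *ecs-process
-type: stop
+type: end
 
 # Auditd internal events
 
@@ -1251,7 +1251,7 @@ normalizations:
 what: service
 ecs:
 <<: *ecs-process
-type: stop
+type: end
 # AUDIT_DAEMON_ACCEPT - Auditd accepted remote connection
 - record_types: DAEMON_ACCEPT
 action: remote-audit-connected
@@ -1287,7 +1287,7 @@ normalizations:
 what: service
 ecs:
 <<: *ecs-process
-type: stop
+type: end
 # AUDIT_DAEMON_ERR - Auditd internal error
 - record_types: DAEMON_ERR
 action: audit-error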
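Review bot: The three `type: end` edits change the ECS `event.type` value emitted for the SERVICE_STOP, DAEMON_ABORT and DAEMON_END normalizations, so any downstream detection rule, saved search or dashboard that filters on `event.type: stop` for these record types will stop matching without any error. The CHANGELOG entry records the new value but not that consumers must update their queries; a comment above the first changed entry such as `# ECS event.type uses "end" rather than "stop"; queries written against "stop" must be updated` would make the compatibility impact visible to anyone reading the normalization table.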

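--- a/auparse/mk_audit_arches.pl
+++ b/auparse/mk_audit_arches.pl
@@ -17,7 +17,7 @@
 
 my $command = "mk_audit_arches.pl ". join(' ', @ARGV);
 
-`curl -s -O https://raw.githubusercontent.com/torvalds/linux/v6.6/include/uapi/linux/audit.h`;
+`curl -s -O https://raw.githubusercontent.com/torvalds/linux/v6.11/include/uapi/linux/audit.h`;
 
 open(GCC, "gcc -E -dD audit.h |") || die "can't run gcc";
 my @arches;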

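--- a/auparse/mk_audit_msg_types.go
+++ b/auparse/mk_audit_msg_types.go
@@ -158,9 +158,8 @@ func GetAuditMessageType(name string) (AuditMessageType, error) {
 var tmpl = template.Must(template.New("message_types").Parse(fileTemplate))
 
 var headers = []string{
-`https://raw.githubusercontent.com/torvalds/linux/v6.6/include/uapi/linux/audit.h`,
-`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib/libaudit.h`,
-`https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib/msg_typetab.h`,
+`https://raw.githubusercontent.com/linux-audit/audit-userspace/v4.0.2/lib/audit-records.h`,
+`https://raw.githubusercontent.com/linux-audit/audit-userspace/v4.0.2/lib/msg_typetab.h`,
 }
 
 func DownloadFile(url, destinationDir string) (string, error) {
@@ -217,13 +216,13 @@ func readMessageTypeTable() (map[string]string, error) {
 }
 }
 
-return constantToStringName, nil
+return constantToStringName, s.Err()
 }
 
 func readRecordTypes() (map[string]int, error) {
-out, err := exec.Command("gcc", "-E", "-dD", "libaudit.h", "audit.h").Output()
+out, err := exec.Command("gcc", "-E", "-dD", "audit-records.h").Output()
 if err != nil {
-return nil, err
+return nil, fmt.Errorf("failed to run gcc: %w", err)
 }
 
 recordTypeToNum := map[string]int{}
@@ -241,7 +240,7 @@ func readRecordTypes() (map[string]int, error) {
 }
 }
 
-return recordTypeToNum, nil
+return recordTypeToNum, s.Err()
 }
 
 func run() error {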
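Review bot: The error path added at new line 225 of readRecordTypes wraps `err` but drops gcc's own diagnostics: `exec.Cmd.Output()` returns an `*exec.ExitError` whose `Stderr` field holds the captured stderr, and `%w` alone does not surface it, so a failed preprocess of audit-records.h is reported as little more than `exit status 1`. Consider `var ee *exec.ExitError; if errors.As(err, &ee) { return nil, fmt.Errorf("running gcc on audit-records.h: %w: %s", err, ee.Stderr) }` ahead of the generic return (importing `errors` if the file does not already), and dropping the `failed to` prefix per Go error-string convention. The two new `s.Err()` returns (readMessageTypeTable here and readRecordTypes in the third hunk) hand back a partially filled map together with a non-nil error, so a caller that overlooks the error would silently use a truncated table; returning `nil` alongside `s.Err()` avoids that. Both enclosing functions begin outside the hunk. The generator also preprocesses headers fetched from tag-pinned URLs in the first hunk and presumably commits the resulting Go source; tags are mutable, so pinning to a commit hash or verifying a digest after DownloadFile would make the generated code reproducible and tamper-evident.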

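--- a/auparse/mk_audit_syscalls.pl
+++ b/auparse/mk_audit_syscalls.pl
@@ -22,7 +22,7 @@ sub fmt {
 print "\t\t$num: \"$name\",\n";
 }
 
-my $base_url = "https://raw.githubusercontent.com/linux-audit/audit-userspace/v3.1.2/lib";
+my $base_url = "https://raw.githubusercontent.com/linux-audit/audit-userspace/v4.0.2/lib";
 my @tables = (
 "aarch64",
 "arm",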

auparse/zaudit_syscalls.go

Lines changed: 77 additions & 0 deletions

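--- a/cmd/audit/audit.go
+++ b/cmd/audit/audit.go
@@ -138,7 +138,7 @@ func receive(r *libaudit.AuditClient) error {
 return fmt.Errorf("receive failed: %w", err)
 }
 
-// Messages from 1300-2999 are valid audit messages.
+// Messages from 1100-2999 are valid audit messages.
 if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
 rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
 continue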
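Review bot: The rewritten comment at line 141 of receive restates the numeric values of `auparse.AUDIT_USER_AUTH` and `auparse.AUDIT_LAST_USER_MSG2` that the condition directly below already encodes, which is exactly how it drifted from 1300 to 1100 in the first place. A comment tied to the constants rather than their values will not go stale again, e.g. `// Only message types in [AUDIT_USER_AUTH, AUDIT_LAST_USER_MSG2] are processed; everything outside that range is skipped.` receive begins outside the hunk.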

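--- a/netlink.go
+++ b/netlink.go
@@ -77,7 +77,7 @@ type NetlinkClient struct {
 //
 // The returned NetlinkClient must be closed with Close() when finished.
 func NewNetlinkClient(proto int, groups uint32, readBuf []byte, resp io.Writer) (*NetlinkClient, error) {
-s, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, proto)
+s, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW|syscall.SOCK_CLOEXEC, proto)
 if err != nil {
 return nil, err
 }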
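Review bot: A `syscall.Socket` failure at line 80 is returned bare, so callers see only the raw errno text (e.g. `operation not permitted`) with no indication it came from opening the AF_NETLINK socket; `return nil, fmt.Errorf("creating netlink socket: %w", err)` keeps the cause for `errors.Is` while adding context, assuming `fmt` is already imported in netlink.go. The new SOCK_CLOEXEC flag is also worth recording in the doc comment above the function so the close-on-exec guarantee becomes part of the documented contract, e.g. `// The socket is created with SOCK_CLOEXEC so it is not inherited by child processes.` NewNetlinkClient continues past the end of the hunk.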
