Add ingress/egress and configuration categorization (#80)

* Add ingress/egress/internal and configuration categorization * Add changelog entry * Fix up ingress/egress * Update changelog * remove internal
elastic · Dec 8, 2020 · a2ae67c · a2ae67c
1 parent 8bcb06e
commit a2ae67c
Show file tree

Hide file tree

Showing 7 changed files with 56 additions and 22 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,8 +7,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Added
 
+- ECS 1.7 `configuration` categorization. [#80](https://github.com/elastic/go-libaudit/pull/80)
+
 ### Changed
 
+- Use ingress/egress instead of inbound/outbound for ECS 1.7. [#80](https://github.com/elastic/go-libaudit/pull/80)
+
 ### Removed
 
 ### Deprecated

diff --git a/aucoalesce/coalesce.go b/aucoalesce/coalesce.go
@@ -123,9 +123,9 @@ const (
 func (d Direction) String() string {
 	switch d {
 	case IncomingDir:
-		return "inbound"
+		return "ingress"
 	case OutgoingDir:
-		return "outbound"
+		return "egress"
 	}
 	return "unknown"
 }

diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
@@ -1179,7 +1179,7 @@ normalizations:
         [op, key, audit_enabled, audit_pid, audit_backlog_limit, audit_failure]
       what: audit-config
     ecs:
-      <<: *ecs-process
+      category: [process, configuration]
       type: change
   # AUDIT_DAEMON_ABORT - Daemon error stop record
   - record_types: DAEMON_ABORT
@@ -1215,8 +1215,8 @@ normalizations:
     object:
       what: service
     ecs:
-      <<: *ecs-process
-      type: stop
+      category: [process, configuration]
+      type: change
   # AUDIT_DAEMON_END - Daemon normal stop record
   - record_types: DAEMON_END
     action: shutdown-audit
@@ -1237,8 +1237,8 @@ normalizations:
     object:
       what: service
     ecs:
-      <<: *ecs-process
-      type: change
+      category: [process, configuration]
+      type: info
   # AUDIT_DAEMON_RESUME - Auditd should resume logging
   - record_types: DAEMON_RESUME
     action: resumed-audit-logging
@@ -1276,18 +1276,27 @@ normalizations:
     object:
       primary: op
       what: system
+    ecs:
+      category: configuration
+      type: change
   # AUDIT_NETFILTER_CFG - Netfilter chain modifications
   - record_types: NETFILTER_CFG
     action: loaded-firewall-rule-to
     object:
       primary: table
       what: firewall
+    ecs:
+      category: configuration
+      type: change
   # AUDIT_FEATURE_CHANGE - audit log listing feature changes
   - record_types: FEATURE_CHANGE
     action: changed-audit-feature
     object:
       primary: feature
       what: system
+    ecs:
+      category: configuration
+      type: change
   # AUDIT_REPLACE - Replace auditd if this packet unanswerd
 
   # TTY events
@@ -1349,17 +1358,26 @@ normalizations:
     object:
       primary: bool
       what: mac-config
+    ecs:
+      category: configuration
+      type: change
   # AUDIT_MAC_POLICY_LOAD - Policy file load
   - record_types: MAC_POLICY_LOAD
     action: loaded-selinux-policy
     object:
       what: mac-config
+    ecs:
+      category: configuration
+      type: access
   # AUDIT_MAC_STATUS - Changed enforcing,permissive,off
   - record_types: MAC_STATUS
     action: changed-selinux-enforcement
     object:
       primary: enforcing
       what: mac-config
+    ecs:
+      category: configuration
+      type: change
   # AUDIT_USER_AVC - User space avc message
   - record_types: USER_AVC
     action: access-permission
@@ -1368,11 +1386,17 @@ normalizations:
     action: changed-mac-configuration
     object:
       what: mac-config
+    ecs:
+      category: configuration
+      type: change
   # AUDIT_USER_MAC_POLICY_LOAD - Userspc daemon loaded polic
   - record_types: USER_MAC_POLICY_LOAD
     action: loaded-mac-policy
     object:
       what: mac-config
+    ecs:
+      category: configuration
+      type: access
   # AUDIT_USER_SELINUX_ERR - SE Linux user space error
   - record_types: USER_SELINUX_ERR
     action: access-error

diff --git a/aucoalesce/testdata/rhel-7-linux-3.10.0.json.golden b/aucoalesce/testdata/rhel-7-linux-3.10.0.json.golden
@@ -40,7 +40,8 @@
       "ecs": {
         "event": {
           "category": [
-            "process"
+            "process",
+            "configuration"
           ],
           "type": [
             "change"
@@ -87,7 +88,8 @@
       "ecs": {
         "event": {
           "category": [
-            "process"
+            "process",
+            "configuration"
           ],
           "type": [
             "change"
@@ -140,7 +142,7 @@
         "ip": "96.241.146.97"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "fp": "6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3",
@@ -204,7 +206,7 @@
         "ip": "96.241.146.97"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "cipher": "[email protected]",
@@ -324,7 +326,7 @@
         "ip": "46.160.144.250"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "acct": "root",

diff --git a/aucoalesce/testdata/ubuntu-16.10-linux-4.8.0.json.golden b/aucoalesce/testdata/ubuntu-16.10-linux-4.8.0.json.golden
@@ -104,7 +104,8 @@
       "ecs": {
         "event": {
           "category": [
-            "process"
+            "process",
+            "configuration"
           ],
           "type": [
             "change"
@@ -149,7 +150,8 @@
       "ecs": {
         "event": {
           "category": [
-            "process"
+            "process",
+            "configuration"
           ],
           "type": [
             "change"
@@ -319,9 +321,11 @@
       "ecs": {
         "event": {
           "category": [
+            "configuration",
             "process"
           ],
           "type": [
+            "change",
             "info"
           ]
         }
@@ -462,7 +466,7 @@
         "ip": "179.38.151.221"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "acct": "(invalid user)",
@@ -517,7 +521,7 @@
         "ip": "72.83.230.100"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "hostname": "72.83.230.100",
@@ -573,7 +577,7 @@
         "ip": "72.83.230.100"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "acct": "andrew_kroh",
@@ -643,7 +647,7 @@
         "port": "58140"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "a0": "3",
@@ -786,7 +790,7 @@
         "port": "80"
       },
       "network": {
-        "direction": "outbound"
+        "direction": "egress"
       },
       "data": {
         "a0": "5",

diff --git a/aucoalesce/testdata/ubuntu-17.04-linux-4.10.0.json.golden b/aucoalesce/testdata/ubuntu-17.04-linux-4.10.0.json.golden
@@ -494,7 +494,7 @@
         "ip": "185.56.82.22"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "hostname": "185.56.82.22",
@@ -549,7 +549,7 @@
         "ip": "31.207.47.36"
       },
       "network": {
-        "direction": "inbound"
+        "direction": "ingress"
       },
       "data": {
         "acct": "(invalid user)",

diff --git a/aucoalesce/znormalize_data.go b/aucoalesce/znormalize_data.go