diff --git a/aucoalesce/coalesce_test.go b/aucoalesce/coalesce_test.go
index 76a4c8b..6963b78 100644
--- a/aucoalesce/coalesce_test.go
+++ b/aucoalesce/coalesce_test.go
@@ -29,7 +29,7 @@ import (
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 "github.com/elastic/go-libaudit/v2/auparse"
 )
@@ -124,7 +124,7 @@ func readEventsFromYAML(t testing.TB, name string) []testEvent {
 t.Fatal("failed to find 'tests' in yaml")
 }
- cases, ok := tests.(map[interface{}]interface{})
+ cases, ok := tests.(map[string]interface{})
 if !ok {
 t.Fatalf("unexpected type %T for 'tests'", tests)
 }
@@ -146,7 +146,7 @@ func readEventsFromYAML(t testing.TB, name string) []testEvent {
 }
 testEvents = append(testEvents, testEvent{
- name: name.(string),
+ name: name,
 messages: msgs,
 })
 }
diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
index db3b273..ee6acbe 100644
--- a/aucoalesce/normalizations.yaml
+++ b/aucoalesce/normalizations.yaml
@@ -2,12 +2,6 @@ # Macros declares some YAML anchors that can be referenced for some common # object type normalizations like user-session, socket, or process. macros: - - &defaults subject: primary: auid secondary: uid how: [exe, comm] - ¯o-user-session subject: primary: auid
@@ -18,21 +12,6 @@ macros: what: user-session how: [exe, terminal] - - ¯o-socket <<: *defaults object: primary: [addr, path] secondary: port what: socket - - ¯o-process <<: *defaults object: primary: [cmd, exe, comm] secondary: pid what: process how: terminal - &ecs-iam category: iam type: info
@@ -1539,6 +1518,7 @@ normalizations:
 object:
 primary: addr
 secondary: [rport]
+ what: user-session
 record_types: CRYPTO_SESSION
 source_ip: [addr]
 ecs: *ecs-process
diff --git a/aucoalesce/normalize.go b/aucoalesce/normalize.go
index d03332b..774e7c7 100644
--- a/aucoalesce/normalize.go
+++ b/aucoalesce/normalize.go
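Review bot: The new assertion `tests.(map[string]interface{})` in the @@ -124 hunk only holds when every key under `tests` is a string; yaml.v3 decodes a mapping that has any non-string key (an unquoted numeric or boolean test name) into `map[interface{}]interface{}`, and the existing fatal message `unexpected type %T for 'tests'` then gives no hint that the test name rather than the file layout is at fault. A slightly more specific message would save the next author a detour, e.g. `t.Fatalf("unexpected type %T for 'tests' (yaml.v3 requires all test names to be string keys)", tests)`. The @@ -146 hunk's `name: name` is correct only because the `range cases` that binds `name` now iterates a string-keyed map; that line and the rest of readEventsFromYAML are outside both hunks, so this is inferred. The other test files whose import changes in this commit (rule/gen_testdata_test.go, rule/rule_integ_test.go) need the same `map[interface{}]interface{}` to `map[string]interface{}` adjustment wherever they decode into interface{}; their bodies are not in the diff, so please confirm.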
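Review bot: The @@ -2,12 +2,6 hunk removes the `&defaults` anchor and the @@ -18,21 +12,6 hunk removes its only visible consumers (the `<<: *defaults` lines under macro-socket and macro-process); any `<<: *defaults` that remains elsewhere in normalizations.yaml would now be an unknown-anchor parse error for the whole file, so please confirm nothing else references it and that TestNormInit loads the complete embedded file under yaml.v3. The `¯o-` prefixes in these hunks look like a rendering artefact of `&macro-` rather than part of the change. In the @@ -1539 hunk the new `what: user-session` sits on the CRYPTO_SESSION entry whose `ecs:` alias stays `*ecs-process`; if that pairing is intended, a one-line `# CRYPTO_SESSION: ...` comment on the entry explaining why would keep a later reader from "correcting" it.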
@@ -22,7 +22,7 @@ import (
 "fmt"
 "strings"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 )
 var (
diff --git a/aucoalesce/normalize_test.go b/aucoalesce/normalize_test.go
index f9a9323..c5633ac 100644
--- a/aucoalesce/normalize_test.go
+++ b/aucoalesce/normalize_test.go
@@ -22,7 +22,7 @@ import (
 "testing"
 "github.com/stretchr/testify/assert"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 )
 func TestNormInit(t *testing.T) {
diff --git a/cmd/auparse/auparse.go b/cmd/auparse/auparse.go
index 227e1d9..a4f903c 100644
--- a/cmd/auparse/auparse.go
+++ b/cmd/auparse/auparse.go
@@ -27,7 +27,7 @@ import (
 "os"
 "time"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 "github.com/elastic/go-libaudit/v2"
 "github.com/elastic/go-libaudit/v2/aucoalesce"
diff --git a/go.mod b/go.mod
index cc91306..a9bba37 100644
--- a/go.mod
+++ b/go.mod
@@ -7,11 +7,10 @@ require (
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
 github.com/stretchr/testify v1.7.0
 golang.org/x/sys v0.11.0
- gopkg.in/yaml.v2 v2.4.0
+ gopkg.in/yaml.v3 v3.0.1
 )
 require (
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/pmezard/go-difflib v1.0.0 // indirect
- gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
diff --git a/go.sum b/go.sum
index a263c32..cb11e7c 100644
--- a/go.sum
+++ b/go.sum
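Review bot: normalize.go is the only non-test caller switching to yaml.v3 and the hunk shows nothing but the import, so the behavioural differences are not visible here: when decoding into interface{}, v3 yields `map[string]interface{}` instead of `map[interface{}]interface{}` and leaves YAML 1.1 scalars such as `yes`/`no`/`on`/`off` as strings unless the target field is a typed bool, so a type assertion written for v2 (as coalesce_test.go had) fails at runtime rather than at compile time. Please confirm the decode path in normalize.go, which lies outside this hunk, and note that a v2 `yaml.UnmarshalStrict` call has no v3 equivalent. Since normalizations.yaml decides how audit records are categorised, this is also the moment to make the loader strict so a misspelled key fails at init instead of silently dropping a normalization: `dec := yaml.NewDecoder(bytes.NewReader(data)); dec.KnownFields(true); err := dec.Decode(&norms)` (with a `bytes` import, or `strings.NewReader` since `strings` is already imported).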
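Review bot: cmd/auparse/auparse.go only swaps the import here, but if it emits YAML to the user via `yaml.Marshal` (the call site is outside the hunk), the output format changes with this commit: yaml.v3 indents nested mappings and sequences by four spaces where v2 used two. If downstream tooling consumes that output, write through an encoder to keep the previous layout, `enc := yaml.NewEncoder(os.Stdout); enc.SetIndent(2)`, and mention the change in the release notes either way.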
@@ -42,8 +42,6 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/rule/gen_testdata_test.go b/rule/gen_testdata_test.go
index 5b0dfdc..d680555 100644
--- a/rule/gen_testdata_test.go
+++ b/rule/gen_testdata_test.go
@@ -33,7 +33,7 @@ import (
 "testing"
 "github.com/kballard/go-shellquote"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 "github.com/elastic/go-libaudit/v2"
 "github.com/elastic/go-libaudit/v2/sys"
diff --git a/rule/rule_integ_test.go b/rule/rule_integ_test.go
index 89732ab..7bc6540 100644
--- a/rule/rule_integ_test.go
+++ b/rule/rule_integ_test.go
@@ -29,7 +29,7 @@ import (
 "testing"
 "github.com/stretchr/testify/assert"
- "gopkg.in/yaml.v2"
+ "gopkg.in/yaml.v3"
 "github.com/elastic/go-libaudit/v2/rule"
 "github.com/elastic/go-libaudit/v2/rule/flags"