Skip to content

Releases: elastic/go-libaudit

v2.0.0

18 Jun 20:28
@andrewkroh andrewkroh
v2.0.0
05fbb4e
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
v2.0.0

Added

  • Added SetImmutable to the audit client for marking the audit settings as immutable within the kernel. #55 #68
  • Added Vagrantfile for development ease. #61
  • Added enrichment of arch, syscall, and sig to type=SECCOMP messages. #64
  • Added support for big endian. #48

Changed

  • Added semantic versioning support via go modules. #61
  • Added ECS categorization support for events by record type and syscall. #62
  • Fixed a typo in the action value associated with ROLE_REMOVE messages. #65
  • Fixed a typo in the action value associated with ANOM_LINK messages. #66
  • Fixed spelling of anomaly in aucoalesce package. #67
Assets 2
Loading

v0.4.0

18 Jun 20:10
@andrewkroh andrewkroh
v0.4.0
39073a2
Compare
Choose a tag to compare
v0.4.0

Added

  • Added method to convert kernel rules to text format in order to display them.

Changed

  • aucoalesce - Made the user/group ID cache thread-safe. #42 #45
Assets 2
Loading

v0.3.0

25 May 13:53
@andrewkroh andrewkroh
v0.3.0
c18782e
Compare
Choose a tag to compare
v0.3.0

Added

  • Added support for setting the kernel's backlog wait time via the new
    SetBacklogWaitTime function. #34
  • New method GetStatusAsync to perform asynchronous status checks. #37

Changed

  • AuditClient Close() is now safe to call more than once. #35
Assets 2
Loading

v0.2.1

03 May 13:40
@andrewkroh andrewkroh
v0.2.1
55225d0
Compare
Choose a tag to compare
v0.2.1

Added

  • Added better error messages for when NewAuditClient fails due to the
    Linux kernel not supporting auditing (CONFIG_AUDIT=n). #32
Assets 2
Loading

v0.2.0

30 Apr 14:09
@andrewkroh andrewkroh
v0.2.0
7839a62
Compare
Choose a tag to compare
v0.2.0

Changed

  • auparse - Fixed parsing of apparmor AVC messages. #25
  • auparse - Update syscall and audit message type tables for Linux 4.16. #30
  • aucoalesce - Cache UID/GID values for one minute. #24
Assets 2
Loading

v0.1.1

05 Apr 19:22
@andrewkroh andrewkroh
v0.1.1
bc9f53e
Compare
Choose a tag to compare
v0.1.1

Added

  • rules - Detect s390 or s390x as the runtime architecture (GOOS) and
    automatically use the appropriate syscall name to number table without
    requiring the rule to explicitly specify an arch (-F arch=s390x). #23
Assets 2
Loading

v0.1.0

28 Mar 14:52
@andrewkroh andrewkroh
v0.1.0
4a806ed
Compare
Choose a tag to compare
v0.1.0

Changed

  • auparse - Fixed an issue where the name value was not being hex decoded from
    PATH records. #20
Assets 2
Loading

v0.0.7

18 Jan 14:34
@andrewkroh andrewkroh
v0.0.7
c139147
Compare
Choose a tag to compare
v0.0.7

Added

  • Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14
  • The AuditClient will unregister with the kernel if SetPID has been called. #19

Changed

  • auparse - Fixed an issue where the proctitle value was being truncated. #15
  • auparse - Fixed an issue where values were incorrectly interpretted as hex
    data. #13
  • auparse - Fixed parsing of the key value when multiple keys are present. #16
  • auparse - The cmdline key is no longer created for EXECVE records. #17
  • aucoalesce - Changed the event format to have objects for user, process, file,
    and network data. #17
  • Fixed an issue when an audit notification is received while waiting for the
    response to a control command.
Assets 2
Loading

v0.0.6

18 Jan 14:33
@andrewkroh andrewkroh
v0.0.6
df0d498
Compare
Choose a tag to compare
v0.0.6

Added

  • Add support for listening for audit messages using a multicast group. #9
Assets 2
Loading

v0.0.5

24 Jul 13:14
@andrewkroh andrewkroh
v0.0.5
3a005d3
Compare
Choose a tag to compare
v0.0.5

Changed

  • auparse - Apply hex decoding to CWD field. #10
Assets 4
Loading