Add ingress/egress and configuration categorization #80

Merged
merged 5 commits into from
Dec 8, 2020
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -7,8 +7,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).

### Added

- ECS 1.7 `configuration` categorization. [#80](https://github.com/elastic/go-libaudit/pull/80)

### Changed

- Use ingress/egress instead of inbound/outbound for ECS 1.7. [#80](https://github.com/elastic/go-libaudit/pull/80)

### Removed

### Deprecated
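Review bot: the `### Changed` entry understates the impact. Switching the emitted strings from `inbound`/`outbound` to `ingress`/`egress` breaks every saved search, dashboard or detection rule that matches on the old values, so it is a breaking change for consumers and not just an ECS alignment. State that in the entry, name the affected field (`network.direction`), and decide whether the Semantic Versioning policy the file cites calls for a major bump here.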
4 changes: 2 additions & 2 deletions aucoalesce/coalesce.go
@@ -123,9 +123,9 @@ const (
func (d Direction) String() string {
switch d {
case IncomingDir:
return "inbound"
return "ingress"
case OutgoingDir:
return "outbound"
return "egress"
}
return "unknown"
}
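Review bot: `Direction.String()` is the single source of the wire strings, and the goldens show the value landing in the coalesced event's own top-level `network.direction` (outside the `ecs` object), so this rename reaches every consumer of aucoalesce, not only those that map to ECS 1.7. If backward compatibility for the non-ECS output matters, keep the existing strings on `IncomingDir`/`OutgoingDir` and emit the ECS spelling only when the `ecs` block is built; if not, the changelog should say plainly that the legacy field changes too. Either way, a unit test pinning `IncomingDir.String() == "ingress"` and `OutgoingDir.String() == "egress"` would stop a future edit from silently drifting again.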
34 changes: 29 additions & 5 deletions aucoalesce/normalizations.yaml
@@ -1179,7 +1179,7 @@ normalizations:
[op, key, audit_enabled, audit_pid, audit_backlog_limit, audit_failure]
what: audit-config
ecs:
<<: *ecs-process
category: [process, configuration]
type: change
# AUDIT_DAEMON_ABORT - Daemon error stop record
- record_types: DAEMON_ABORT
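Review bot: dropping the `<<: *ecs-process` merge key replaces everything the anchor supplied, not only `category`. The anchor's definition is outside this hunk, so confirm it carried nothing beyond `category` and `type` (the rhel-7 golden at -40 and -87 renders only those two keys, which is reassuring but not proof). Also note the style split introduced in this PR: this entry and the two daemon entries use the list form `category: [process, configuration]`, while every later entry uses the scalar `category: configuration`; both only work if the loader normalizes scalars to lists, so pick one form to keep the file greppable.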
@@ -1215,8 +1215,8 @@ normalizations:
object:
what: service
ecs:
<<: *ecs-process
type: stop
category: [process, configuration]
type: change
# AUDIT_DAEMON_END - Daemon normal stop record
- record_types: DAEMON_END
action: shutdown-audit
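Review bot: replacing `type: stop` is correct because `stop` is not an ECS event.type value (ECS uses `end` for that), but `change` alone drops the fact that this record marks the audit daemon going down, which is exactly the signal a detection for "auditing was turned off" keys on. `type: [change, end]` keeps both the configuration semantics and the lifecycle one and mirrors the two-value `category: [process, configuration]` chosen on the line above it.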
@@ -1237,8 +1237,8 @@ normalizations:
object:
what: service
ecs:
<<: *ecs-process
type: change
category: [process, configuration]
type: info
# AUDIT_DAEMON_RESUME - Auditd should resume logging
- record_types: DAEMON_RESUME
action: resumed-audit-logging
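Review bot: this entry becomes `category: [process, configuration]` with `type: info`, but in ECS `info` means the event reports state without modifying anything, which sits oddly with a `configuration` category on a record that previously carried `type: change`. If the record genuinely only reports status, fine, but the reason is not obvious from the hunk (it starts inside the entry, so the record type is not visible here); a one-line comment above the `ecs:` block explaining why `info` rather than `change` would save the next reader the same question.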
@@ -1276,18 +1276,27 @@ normalizations:
object:
primary: op
what: system
ecs:
category: configuration
type: change
# AUDIT_NETFILTER_CFG - Netfilter chain modifications
- record_types: NETFILTER_CFG
action: loaded-firewall-rule-to
object:
primary: table
what: firewall
ecs:
category: configuration
type: change
# AUDIT_FEATURE_CHANGE - audit log listing feature changes
- record_types: FEATURE_CHANGE
action: changed-audit-feature
object:
primary: feature
what: system
ecs:
category: configuration
type: change
# AUDIT_REPLACE - Replace auditd if this packet unanswerd

# TTY events
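Review bot: `configuration`/`change` is the right pairing for NETFILTER_CFG and FEATURE_CHANGE, and for the `what: system` entry at the top of the hunk. One small thing to pick up while in this region: the untouched comment two lines below FEATURE_CHANGE reads `Replace auditd if this packet unanswerd` and should be `unanswered`. Nothing else to flag in this hunk.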
@@ -1349,17 +1358,26 @@ normalizations:
object:
primary: bool
what: mac-config
ecs:
category: configuration
type: change
# AUDIT_MAC_POLICY_LOAD - Policy file load
- record_types: MAC_POLICY_LOAD
action: loaded-selinux-policy
object:
what: mac-config
ecs:
category: configuration
type: access
# AUDIT_MAC_STATUS - Changed enforcing,permissive,off
- record_types: MAC_STATUS
action: changed-selinux-enforcement
object:
primary: enforcing
what: mac-config
ecs:
category: configuration
type: change
# AUDIT_USER_AVC - User space avc message
- record_types: USER_AVC
action: access-permission
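Review bot: MAC_POLICY_LOAD (`loaded-selinux-policy`) is given `type: access`, but loading a policy replaces the MAC configuration the kernel enforces; that is a modification, whereas ECS reserves `access` for reading or accessing a resource. `type: change`, as used for MAC_STATUS and for the `primary: bool` MAC config entry at the top of this hunk, fits better and keeps all three mac-config records answerable with one query. The same reasoning applies to USER_MAC_POLICY_LOAD in the next hunk, which should follow whatever is decided here so kernel- and user-space policy loads stay consistent.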
@@ -1368,11 +1386,17 @@ normalizations:
action: changed-mac-configuration
object:
what: mac-config
ecs:
category: configuration
type: change
# AUDIT_USER_MAC_POLICY_LOAD - Userspc daemon loaded polic
- record_types: USER_MAC_POLICY_LOAD
action: loaded-mac-policy
object:
what: mac-config
ecs:
category: configuration
type: access
# AUDIT_USER_SELINUX_ERR - SE Linux user space error
- record_types: USER_SELINUX_ERR
action: access-error
12 changes: 7 additions & 5 deletions aucoalesce/testdata/rhel-7-linux-3.10.0.json.golden
@@ -40,7 +40,8 @@
"ecs": {
"event": {
"category": [
"process"
"process",
"configuration"
],
"type": [
"change"
@@ -87,7 +88,8 @@
"ecs": {
"event": {
"category": [
"process"
"process",
"configuration"
],
"type": [
"change"
@@ -140,7 +142,7 @@
"ip": "96.241.146.97"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"fp": "6d:a3:7f:ed:de:4a:79:f2:aa:49:ec:d1:75:36:97:a3",
@@ -204,7 +206,7 @@
"ip": "96.241.146.97"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"cipher": "chacha20-poly1305@openssh.com",
@@ -324,7 +326,7 @@
"ip": "46.160.144.250"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"acct": "root",
18 changes: 11 additions & 7 deletions aucoalesce/testdata/ubuntu-16.10-linux-4.8.0.json.golden
@@ -104,7 +104,8 @@
"ecs": {
"event": {
"category": [
"process"
"process",
"configuration"
],
"type": [
"change"
@@ -149,7 +150,8 @@
"ecs": {
"event": {
"category": [
"process"
"process",
"configuration"
],
"type": [
"change"
@@ -319,9 +321,11 @@
"ecs": {
"event": {
"category": [
"configuration",
"process"
],
"type": [
"change",
"info"
]
}
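Review bot: the array order here is `[configuration, process]` and `[change, info]`, while the rhel-7 golden at -40 and -87 renders the same yaml value as `[process, configuration]`. Together with the second `type` value, that looks like the union of two records' `ecs` blocks inside one coalesced event rather than a single entry's value (no entry in this PR sets `change` and `info` together). If a merge produces these arrays, make sure its ordering is deterministic (sorted or strict insertion order), otherwise this golden comparison will be flaky; if it is not a merge, it is worth a comment stating where the extra `info` comes from.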
@@ -462,7 +466,7 @@
"ip": "179.38.151.221"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"acct": "(invalid user)",
@@ -517,7 +521,7 @@
"ip": "72.83.230.100"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"hostname": "72.83.230.100",
@@ -573,7 +577,7 @@
"ip": "72.83.230.100"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"acct": "andrew_kroh",
@@ -643,7 +647,7 @@
"port": "58140"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"a0": "3",
@@ -786,7 +790,7 @@
"port": "80"
},
"network": {
"direction": "outbound"
"direction": "egress"
},
"data": {
"a0": "5",
4 changes: 2 additions & 2 deletions aucoalesce/testdata/ubuntu-17.04-linux-4.10.0.json.golden
@@ -494,7 +494,7 @@
"ip": "185.56.82.22"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"hostname": "185.56.82.22",
@@ -549,7 +549,7 @@
"ip": "31.207.47.36"
},
"network": {
"direction": "inbound"
"direction": "ingress"
},
"data": {
"acct": "(invalid user)",
2 changes: 1 addition & 1 deletion aucoalesce/znormalize_data.go

Large diffs are not rendered by default.