
[Auditbeat] Add syscall names to violated-seccomp-policy events #14055

Closed
jordansissel opened this issue Oct 15, 2019 · 3 comments · Fixed by #19300

Comments

@jordansissel (Contributor)

Describe the enhancement:

(Tested on Auditbeat 6.5.4)

When event.action is violated-seccomp-policy, there's auditd.data.syscall, which is a number, but I want a name.

Describe a specific use case for the enhancement or feature:

When trying to understand what kinds of syscalls are causing seccomp violations, it would be more useful to have these syscalls available by name.

Here's a sample chart, which isn't really useful unless you have memorized the syscall -> name mappings, and I don't have these memorized ;)

[screenshot: chart of seccomp violations broken down by numeric syscall]

cc @stiltz who may be interested in this

@andrewkroh (Member)

I believe this stems from elastic/go-libaudit not enriching the seccomp events with the syscall name. It's only happening on the audit events triggered by rules to watch a syscall.

https://github.com/elastic/go-libaudit/blob/db7d4996da54bed87ecf047e6c19d7656d237082/auparse/auparse.go#L407

andrewkroh changed the title from "Add syscall names to violated-seccomp-policy events" to "[Auditbeat] Add syscall names to violated-seccomp-policy events" on Feb 11, 2020
@andrewkroh (Member)

I opened elastic/go-libaudit#64 to add enrichment of arch, syscall, and signal name.

FYI @spinscale
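The enrichment this thread asks for (issue body above) and the scope andrewkroh describes in his comment (arch, syscall and signal names) can be illustrated with a small standalone parser. This is an added example and not code from go-libaudit, Auditbeat or the linked PR; the SECCOMP record is constructed, the syscall tables are a hand-picked subset of the real per-ABI tables, and `EnrichSeccomp`, `SeccompEvent` and `ChartLabel` are names invented here. The point a defender needs is that syscall numbers are only meaningful together with `arch`: execve is 59 on x86_64 but 11 on i386, so a chart keyed on the bare number mixes ABIs, and an unknown number or architecture should keep its numeric value rather than be mislabelled.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SeccompEvent is the enriched view of one audit SECCOMP record. Numeric
// fields are always kept; the *Name fields stay empty when no mapping exists,
// so a consumer can distinguish "unknown" from "not enriched".
type SeccompEvent struct {
	PID         int
	Comm        string
	Exe         string
	Arch        uint32
	ArchName    string
	Syscall     int
	SyscallName string
	Signal      int
	SignalName  string
	Code        uint64 // seccomp action that fired, e.g. 0x80000000 = SECCOMP_RET_KILL_PROCESS
}

// AUDIT_ARCH_* values from the kernel UAPI (linux/audit.h).
const (
	auditArchI386    uint32 = 0x40000003
	auditArchX86_64  uint32 = 0xc000003e
	auditArchAArch64 uint32 = 0xc00000b7
)

var archNames = map[uint32]string{
	auditArchI386:    "i386",
	auditArchX86_64:  "x86_64",
	auditArchAArch64: "aarch64",
}

// Constructed subset of each ABI's syscall table (a real enrichment layer
// carries the full generated table per architecture). Note that the same
// number means different things on different ABIs.
var syscallNames = map[uint32]map[int]string{
	auditArchX86_64: {0: "read", 1: "write", 2: "open", 41: "socket", 42: "connect",
		56: "clone", 57: "fork", 59: "execve", 60: "exit", 101: "ptrace", 231: "exit_group", 257: "openat"},
	auditArchI386:   {1: "exit", 3: "read", 4: "write", 5: "open", 11: "execve"},
	auditArchAArch64: {56: "openat", 63: "read", 64: "write", 93: "exit", 221: "execve"},
}

// Signal numbers shared by the architectures above; SIGSYS is what seccomp
// delivers for SECCOMP_RET_TRAP and kill actions.
var signalNames = map[int]string{9: "SIGKILL", 11: "SIGSEGV", 31: "SIGSYS"}

// parseKV splits the key=value body of an audit record. Double-quoted values
// are unquoted and the "msg=audit(...)" timestamp token is skipped.
func parseKV(record string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(record) {
		parts := strings.SplitN(tok, "=", 2)
		if len(parts) != 2 || parts[0] == "msg" {
			continue
		}
		fields[parts[0]] = strings.Trim(parts[1], `"`)
	}
	return fields
}

// EnrichSeccomp parses one SECCOMP audit record and attaches arch, syscall and
// signal names. An unknown arch or syscall is not an error: the numbers are
// preserved and the name fields are left empty.
func EnrichSeccomp(record string) (SeccompEvent, error) {
	kv := parseKV(record)
	if kv["type"] != "SECCOMP" {
		return SeccompEvent{}, fmt.Errorf("not a SECCOMP record: type=%q", kv["type"])
	}
	arch, err := strconv.ParseUint(kv["arch"], 16, 32) // arch is printed as bare hex
	if err != nil {
		return SeccompEvent{}, fmt.Errorf("bad arch %q: %w", kv["arch"], err)
	}
	sysno, err := strconv.Atoi(kv["syscall"])
	if err != nil {
		return SeccompEvent{}, fmt.Errorf("bad syscall %q: %w", kv["syscall"], err)
	}
	sig, _ := strconv.Atoi(kv["sig"])
	pid, _ := strconv.Atoi(kv["pid"])
	code, _ := strconv.ParseUint(strings.TrimPrefix(kv["code"], "0x"), 16, 64)

	ev := SeccompEvent{PID: pid, Comm: kv["comm"], Exe: kv["exe"],
		Arch: uint32(arch), Syscall: sysno, Signal: sig, Code: code}
	ev.ArchName = archNames[ev.Arch]
	ev.SyscallName = syscallNames[ev.Arch][sysno] // indexing a missing (nil) inner map yields ""
	ev.SignalName = signalNames[sig]
	return ev, nil
}

// ChartLabel is the per-ABI label a dashboard should group on: the syscall
// name when known, otherwise the number qualified by the architecture so that
// x86_64/59 and i386/59 never collapse into one bucket.
func ChartLabel(ev SeccompEvent) string {
	if ev.SyscallName != "" {
		return ev.SyscallName
	}
	if ev.ArchName != "" {
		return fmt.Sprintf("%s/%d", ev.ArchName, ev.Syscall)
	}
	return fmt.Sprintf("arch_0x%x/%d", ev.Arch, ev.Syscall)
}

// SampleRecord is a constructed SECCOMP record in auditd's wire format.
const SampleRecord = `type=SECCOMP msg=audit(1571152123.456:789): auid=1000 uid=1000 gid=1000 ses=3 pid=4242 comm="sandboxed" exe="/usr/bin/sandboxed" sig=31 arch=c000003e syscall=59 compat=0 ip=0x7f1c2a3b4c5d code=0x80000000`

func main() {
	ev, err := EnrichSeccomp(SampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s pid=%d %s syscall=%d(%s) sig=%d(%s) label=%s\n",
		ev.Comm, ev.PID, ev.ArchName, ev.Syscall, ev.SyscallName, ev.Signal, ev.SignalName, ChartLabel(ev))
}
```

Run it as-is and the constructed record resolves to x86_64 / execve / SIGSYS; change `arch=c000003e` to `arch=40000003` and the same `syscall=59` no longer resolves to execve, which is exactly why the arch field has to travel with the number.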

@andrewkroh (Member)

PR to update Beats with new go-libaudit release: #19300

andrewkroh added a commit to andrewkroh/beats that referenced this issue Jul 14, 2020
This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes elastic#14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.
andrewkroh added a commit that referenced this issue Jul 14, 2020
* Update to go-libaudit v2.0.0

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes #14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

* Only import go-libaudit on linux
andrewkroh added a commit to andrewkroh/beats that referenced this issue Jul 15, 2020
* Update to go-libaudit v2.0.0

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes elastic#14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

* Only import go-libaudit on linux

(cherry picked from commit 4f3d950)
andrewkroh added a commit that referenced this issue Jul 16, 2020
* Update to go-libaudit v2.0.0

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes #14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

* Only import go-libaudit on linux

(cherry picked from commit 4f3d950)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020
* Update to go-libaudit v2.0.0

This updates the go-libaudit library to v2.0.0. Some of the updates since the last release were already
incorporated into Beats.

https://github.com/elastic/go-libaudit/releases/tag/v2.0.0

Fixes elastic#14055 (seccomp field enrichments)
Fixes a few minor typos and spelling issues in auditd event.category and event.action values.

* Only import go-libaudit on linux