From c687bf38493fc5043f448035993769ee9c432fb2 Mon Sep 17 00:00:00 2001 
From: Andrew Stucki Date: Fri, 15 May 2020 21:28:37 -0400 Subject: [PATCH] [Auditbeat] Update auditbeat ECS mappings (#18596) * Update auditbeat ECS mappings * Add changelog entry * Rev go-libaudit with build tag fix (cherry picked from commit bd7414d09b9589f9843193a53f8bfef9f9eca0a4) --- CHANGELOG.next.asciidoc | 1 + NOTICE.txt | 11 +- auditbeat/module/auditd/audit_linux.go | 54 +- auditbeat/module/auditd/audit_linux_test.go | 15 +- auditbeat/module/auditd/config.go | 4 +- auditbeat/module/auditd/mock_linux_test.go | 4 +- auditbeat/module/auditd/show_linux.go | 4 +- go.mod | 4 +- go.sum | 10 +- .../aucoalesce/normalizations.yaml | 752 -------- .../go-libaudit/aucoalesce/znormalize_data.go | 42 - .../elastic/go-libaudit/{ => v2}/.gitignore | 0 .../elastic/go-libaudit/v2/.go-version | 1 + .../elastic/go-libaudit/{ => v2}/.travis.yml | 31 +- .../elastic/go-libaudit/{ => v2}/CHANGELOG.md | 19 +- .../elastic/go-libaudit/{ => v2}/LICENSE.txt | 0 .../elastic/go-libaudit/{ => v2}/NOTICE.txt | 0 .../elastic/go-libaudit/{ => v2}/README.md | 23 +- .../elastic/go-libaudit/v2/Vagrantfile | 30 + .../{ => v2}/aucoalesce/coalesce.go | 41 +- .../{ => v2}/aucoalesce/event_type.go | 2 +- .../{ => v2}/aucoalesce/id_lookup.go | 0 .../v2/aucoalesce/normalizations.yaml | 1566 +++++++++++++++++ .../{ => v2}/aucoalesce/normalize.go | 8 +- .../v2/aucoalesce/znormalize_data.go | 42 + .../elastic/go-libaudit/{ => v2}/audit.go | 13 +- .../go-libaudit/{ => v2}/auparse/auparse.go | 0 .../go-libaudit/{ => v2}/auparse/doc.go | 0 .../go-libaudit/{ => v2}/auparse/hex.go | 0 .../{ => v2}/auparse/mk_audit_arches.pl | 0 .../{ => v2}/auparse/mk_audit_syscalls.pl | 0 .../go-libaudit/{ => v2}/auparse/sockaddr.go | 0 .../{ => v2}/auparse/zaudit_arches.go | 0 .../{ => v2}/auparse/zaudit_exit_codes.go | 0 .../{ => v2}/auparse/zaudit_msg_types.go | 0 .../{ => v2}/auparse/zaudit_syscalls.go | 0 .../elastic/go-libaudit/{ => v2}/doc.go | 0 .../github.com/elastic/go-libaudit/v2/go.mod | 13 + 
.../github.com/elastic/go-libaudit/v2/go.sum | 16 + .../elastic/go-libaudit/{ => v2}/netlink.go | 15 +- .../go-libaudit/{ => v2}/reassembler.go | 2 +- .../go-libaudit/{ => v2}/rule/binary.go | 4 +- .../go-libaudit/{ => v2}/rule/flags/flags.go | 2 +- .../elastic/go-libaudit/{ => v2}/rule/rule.go | 2 +- .../go-libaudit/{ => v2}/rule/tables.go | 2 +- .../go-libaudit/{ => v2}/rule/types.go | 0 .../{ => v2}/rule/zkernel_types.go | 0 .../elastic/go-libaudit/v2/sys/endian.go | 33 + vendor/gopkg.in/yaml.v2/apic.go | 1 + vendor/modules.txt | 15 +- .../auditbeat/module/system/socket/state.go | 2 +- 51 files changed, 1901 insertions(+), 883 deletions(-) delete mode 100644 vendor/github.com/elastic/go-libaudit/aucoalesce/normalizations.yaml delete mode 100644 vendor/github.com/elastic/go-libaudit/aucoalesce/znormalize_data.go rename vendor/github.com/elastic/go-libaudit/{ => v2}/.gitignore (100%) create mode 100644 vendor/github.com/elastic/go-libaudit/v2/.go-version rename vendor/github.com/elastic/go-libaudit/{ => v2}/.travis.yml (55%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/CHANGELOG.md (95%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/LICENSE.txt (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/NOTICE.txt (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/README.md (95%) create mode 100644 vendor/github.com/elastic/go-libaudit/v2/Vagrantfile rename vendor/github.com/elastic/go-libaudit/{ => v2}/aucoalesce/coalesce.go (93%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/aucoalesce/event_type.go (99%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/aucoalesce/id_lookup.go (100%) create mode 100644 vendor/github.com/elastic/go-libaudit/v2/aucoalesce/normalizations.yaml rename vendor/github.com/elastic/go-libaudit/{ => v2}/aucoalesce/normalize.go (95%) create mode 100644 vendor/github.com/elastic/go-libaudit/v2/aucoalesce/znormalize_data.go rename vendor/github.com/elastic/go-libaudit/{ => v2}/audit.go (98%) rename 
vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/auparse.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/doc.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/hex.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/mk_audit_arches.pl (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/mk_audit_syscalls.pl (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/sockaddr.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/zaudit_arches.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/zaudit_exit_codes.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/zaudit_msg_types.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/auparse/zaudit_syscalls.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/doc.go (100%) create mode 100644 vendor/github.com/elastic/go-libaudit/v2/go.mod create mode 100644 vendor/github.com/elastic/go-libaudit/v2/go.sum rename vendor/github.com/elastic/go-libaudit/{ => v2}/netlink.go (94%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/reassembler.go (99%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/rule/binary.go (97%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/rule/flags/flags.go (99%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/rule/rule.go (99%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/rule/tables.go (99%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/rule/types.go (100%) rename vendor/github.com/elastic/go-libaudit/{ => v2}/rule/zkernel_types.go (100%) create mode 100644 vendor/github.com/elastic/go-libaudit/v2/sys/endian.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e156ee239be..5eb868b21d0 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc 
@@ -317,6 +317,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add system module socket dataset ECS categorization fields. {pull}18036[18036] - Add file integrity module ECS categorization fields. {pull}18012[18012] - Add `file.mime_type`, `file.extension`, and `file.drive_letter` for file integrity module. {pull}18012[18012] +- Add ECS categorization info for auditd module {pull}18596[18596] *Filebeat* diff --git a/NOTICE.txt b/NOTICE.txt index f3da3bf0cc3..c621b3a2e92 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1681,10 +1681,11 @@ See the License for the specific language governing permissions and limitations under the License. -------------------------------------------------------------------- -Dependency: github.com/elastic/go-libaudit -Version: v0.4.0 +Dependency: github.com/elastic/go-libaudit/v2 +Version: v2.0.0 +Revision: 92371bef3fb8 License type (autodetected): Apache-2.0 -./vendor/github.com/elastic/go-libaudit/LICENSE.txt: +./vendor/github.com/elastic/go-libaudit/v2/LICENSE.txt: -------------------------------------------------------------------- Apache License 2.0 @@ -8430,7 +8431,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------- Dependency: gopkg.in/yaml.v2 -Version: v2.2.8 +Version: v2.3.0 License type (autodetected): Apache-2.0 ./vendor/gopkg.in/yaml.v2/LICENSE: -------------------------------------------------------------------- @@ -8453,7 +8454,7 @@ limitations under the License. -------------------------------------------------------------------- Dependency: gopkg.in/yaml.v2 -Version: v2.2.8 +Version: v2.3.0 License type (autodetected): MIT ./vendor/gopkg.in/yaml.v2/LICENSE.libyaml: -------------------------------------------------------------------- diff --git a/auditbeat/module/auditd/audit_linux.go b/auditbeat/module/auditd/audit_linux.go index 1cf0236d7f7..1586eaeaffa 100644 
--- a/auditbeat/module/auditd/audit_linux.go
+++ b/auditbeat/module/auditd/audit_linux.go
@@ -35,10 +35,10 @@ import (
 "github.com/elastic/beats/v7/libbeat/monitoring"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/mb/parse"
- "github.com/elastic/go-libaudit"
- "github.com/elastic/go-libaudit/aucoalesce"
- "github.com/elastic/go-libaudit/auparse"
- "github.com/elastic/go-libaudit/rule"
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/aucoalesce"
+ "github.com/elastic/go-libaudit/v2/auparse"
+ "github.com/elastic/go-libaudit/v2/rule"
 )
 
 const (
@@ -539,10 +539,10 @@ func buildMetricbeatEvent(msgs []*auparse.AuditMessage, config Config) mb.Event
 m.Put("paths", auditEvent.Paths)
 }
 
+ normalizeEventFields(auditEvent, out.RootFields)
+
 switch auditEvent.Category {
 case aucoalesce.EventTypeUserLogin:
- // Customize event.type / event.category to match unified values.
- normalizeEventFields(out.RootFields)
 // Set ECS user fields from the attempted login account.
 if usernameOrID := auditEvent.Summary.Actor.Secondary; usernameOrID != "" {
 if usr, err := resolveUsernameOrID(usernameOrID); err == nil {
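Review bot: The relocated `normalizeEventFields(auditEvent, out.RootFields)` call is order-sensitive in a way this call site does not show: the function reads the legacy `event.category`, `event.action` and `event.outcome` keys back out of `out.RootFields` and then writes `event.kind`/`event.category`/`event.type`/`event.outcome`, so it must run after the legacy keys are populated and before any later code, if any, that sets those keys itself. Since it now runs for every `auditEvent.Category` rather than only `EventTypeUserLogin`, a call-site comment such as `// Normalize ECS event.* fields for all categories; relies on the legacy event.action/category/outcome keys already being in out.RootFields.` would make that dependency explicit. buildMetricbeatEvent starts and ends outside this hunk.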
@@ -572,25 +572,39 @@ func resolveUsernameOrID(userOrID string) (usr *user.User, err error) { return user.LookupId(userOrID) } -func normalizeEventFields(m common.MapStr) { - getFieldAsStr := func(key string) (s string, found bool) { - iface, err := m.GetValue(key) - if err != nil { +func normalizeEventFields(event *aucoalesce.Event, m common.MapStr) { + // we need to merge types for backwards compatibility + types := event.ECS.Event.Type + + // Remove this block in 8.x + { + getFieldAsStr := func(key string) (s string, found bool) { + iface, err := m.GetValue(key) + if err != nil { + return + } + s, found = iface.(string) return } - s, found = iface.(string) - return + oldCategory, ok1 := getFieldAsStr("event.category") + oldAction, ok2 := getFieldAsStr("event.action") + oldOutcome, ok3 := getFieldAsStr("event.outcome") + if ok1 && ok2 && ok3 { + if oldCategory == "user-login" && oldAction == "logged-in" { // USER_LOGIN + types = append(types, fmt.Sprintf("authentication_%s", oldOutcome)) + } + } } - category, ok1 := getFieldAsStr("event.category") - action, ok2 := getFieldAsStr("event.action") - outcome, ok3 := getFieldAsStr("event.outcome") - if !ok1 || !ok2 || !ok3 { - return + m.Put("event.kind", "event") + if len(event.ECS.Event.Category) > 0 { + m.Put("event.category", event.ECS.Event.Category) + } + if len(types) > 0 { + m.Put("event.type", types) } - if category == "user-login" && action == "logged-in" { // USER_LOGIN - m.Put("event.category", "authentication") - m.Put("event.type", fmt.Sprintf("authentication_%s", outcome)) + if event.ECS.Event.Outcome != "" { + m.Put("event.outcome", event.ECS.Event.Outcome) } } diff --git a/auditbeat/module/auditd/audit_linux_test.go b/auditbeat/module/auditd/audit_linux_test.go index c8da4f06965..ec0997ef340 100644 --- a/auditbeat/module/auditd/audit_linux_test.go +++ b/auditbeat/module/auditd/audit_linux_test.go 
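Review bot: `types := event.ECS.Event.Type` followed by `types = append(types, fmt.Sprintf("authentication_%s", oldOutcome))` in the "Remove this block in 8.x" section aliases the slice owned by the event; if that slice has spare capacity the append writes into its backing array, so the caller's `event.ECS.Event.Type` can be mutated and the value stored under `event.type` shares storage with it. Copy before appending, `types := append([]string(nil), event.ECS.Event.Type...)`, which leaves the later `len(types) > 0` check unchanged. `m.Put("event.category", event.ECS.Event.Category)` likewise stores the event's own slice rather than a copy; whether that sharing is acceptable is not stated anywhere. A doc comment on normalizeEventFields saying that it reads the legacy `event.category`/`event.action`/`event.outcome` keys back out of `m` and therefore must be called only after those are written would make the ordering contract explicit for callers.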
@@ -40,8 +40,8 @@ import ( "github.com/elastic/beats/v7/libbeat/mapping" "github.com/elastic/beats/v7/metricbeat/mb" mbtest "github.com/elastic/beats/v7/metricbeat/mb/testing" - "github.com/elastic/go-libaudit" - "github.com/elastic/go-libaudit/auparse" + "github.com/elastic/go-libaudit/v2" + "github.com/elastic/go-libaudit/v2/auparse" ) // Specify the -audit flag when running these tests to interact with the real @@ -141,23 +141,24 @@ func TestLoginType(t *testing.T) { for idx, expected := range []common.MapStr{ { - "event.category": "authentication", - "event.type": "authentication_failure", + "event.category": []string{"authentication"}, + "event.type": []string{"start", "authentication_failure"}, "event.outcome": "failure", "user.name": "(invalid user)", "user.id": nil, "session": nil, }, { - "event.category": "authentication", - "event.type": "authentication_success", + "event.category": []string{"authentication"}, + "event.type": []string{"start", "authentication_success"}, "event.outcome": "success", "user.name": "adrian", "user.audit.id": nil, "auditd.session": nil, }, { - "event.category": "user-login", + "event.category": []string{"authentication"}, + "event.type": []string{"info"}, "event.outcome": "success", "user.name": "root", "user.id": "0", diff --git a/auditbeat/module/auditd/config.go b/auditbeat/module/auditd/config.go index 3048e80c047..149af7a08a0 100644 --- a/auditbeat/module/auditd/config.go +++ b/auditbeat/module/auditd/config.go @@ -31,8 +31,8 @@ import ( "github.com/joeshaw/multierror" "github.com/pkg/errors" - "github.com/elastic/go-libaudit/rule" - "github.com/elastic/go-libaudit/rule/flags" + "github.com/elastic/go-libaudit/v2/rule" + "github.com/elastic/go-libaudit/v2/rule/flags" ) const ( diff --git a/auditbeat/module/auditd/mock_linux_test.go b/auditbeat/module/auditd/mock_linux_test.go index db1a4cc4e25..13239eb9455 100644 --- a/auditbeat/module/auditd/mock_linux_test.go +++ b/auditbeat/module/auditd/mock_linux_test.go 
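Review bot: None of the updated expectations assert `event.kind`, which normalizeEventFields now sets to `"event"` unconditionally, so a regression there would pass this test; adding `"event.kind": "event",` to each expected map would pin it. All three cases also carry non-empty `event.category` and `event.type`, so the `len(...) > 0` guards that leave those keys absent for an event without ECS categorization are unexercised; one such case is worth adding if a suitable fixture exists. TestLoginType starts and ends outside this hunk.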
@@ -23,8 +23,8 @@ import (
 "errors"
 "syscall"
 
- "github.com/elastic/go-libaudit"
- "github.com/elastic/go-libaudit/auparse"
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/auparse"
 )
 
 type MockNetlinkSendReceiver struct {
diff --git a/auditbeat/module/auditd/show_linux.go b/auditbeat/module/auditd/show_linux.go
index bcd332eaa7b..856697086ab 100644
--- a/auditbeat/module/auditd/show_linux.go
+++ b/auditbeat/module/auditd/show_linux.go
@@ -24,8 +24,8 @@ import (
 "github.com/pkg/errors"
 "github.com/spf13/cobra"
 
- "github.com/elastic/go-libaudit"
- "github.com/elastic/go-libaudit/rule"
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/rule"
 
 "github.com/elastic/beats/v7/auditbeat/cmd"
 )
diff --git a/go.mod b/go.mod
index 20c1392cc48..88548a85750 100644
--- a/go.mod
+++ b/go.mod
@@ -57,7 +57,7 @@ require (
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4
 github.com/eclipse/paho.mqtt.golang v1.2.1-0.20200121105743-0d940dd29fd2
 github.com/elastic/ecs v1.5.0
- github.com/elastic/go-libaudit v0.4.0
+ github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8
 github.com/elastic/go-licenser v0.2.1
 github.com/elastic/go-lookslike v0.3.0
 github.com/elastic/go-lumber v0.1.0
@@ -164,7 +164,7 @@ require (
 gopkg.in/inf.v0 v0.9.0
 gopkg.in/jcmturner/gokrb5.v7 v7.3.0
 gopkg.in/mgo.v2 v2.0.0-20160818020120-3f83fa500528
- gopkg.in/yaml.v2 v2.2.8
+ gopkg.in/yaml.v2 v2.3.0
 howett.net/plist v0.0.0-20181124034731-591f970eefbb
 k8s.io/api v0.0.0-20190722141453-b90922c02518
 k8s.io/apimachinery v0.0.0-20190719140911-bfcf53abc9f8
diff --git a/go.sum b/go.sum
index 0c5430c0db3..f94a1ef851b 100644
--- a/go.sum
+++ b/go.sum
@@ -89,6 +89,7 @@ github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/toxiproxy v2.1.4+incompatible h1:TKdv8HiTLgE5wdJuEML90aBgNWsokNbMijUGhmcoBJc= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= +github.com/Sirupsen/logrus v1.0.1-0.20170608221441-85b1699d5056/go.mod h1:rmk17hk6i8ZSAJkSDa7nOxamrG+SP4P0mm+DAvExv4U= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6 h1:2Gl9Tray0NEjP9KC0FjdGWlszbmTIsBP3JYzgyFdL4E= github.com/StackExchange/wmi v0.0.0-20170221213301-9f32b5905fd6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= github.com/adriansr/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d h1:g0M6kedfjDpyAAuxqBvJzMNjFzlrQ7Av6LCDFqWierk= @@ -227,8 +228,8 @@ github.com/elastic/ecs v1.5.0 h1:/VEIBsRU4ecq2+U3RPfKNc6bFyomP6qnthYEcQZu8GU= github.com/elastic/ecs v1.5.0/go.mod h1:pgiLbQsijLOJvFR8OTILLu0Ni/R/foUNg0L+T6mU9b4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270 h1:cWPqxlPtir4RoQVCpGSRXmLqjEHpJKbR60rxh1nQZY4= github.com/elastic/fsevents v0.0.0-20181029231046-e1d381a4d270/go.mod h1:Msl1pdboCbArMF/nSCDUXgQuWTeoMmE/z8607X+k7ng= -github.com/elastic/go-libaudit v0.4.0 h1:pxLCycMJKW91W8ZmZT74DQmryTZuXryKESo6sXdu1XY= -github.com/elastic/go-libaudit v0.4.0/go.mod h1:lNJ7gX+arohEQTwqinAc8xycVuFNqsaunba1mwcBdvE= +github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8 h1:Jcnojiuok7Ea5hitJK9VWmBigganE2MMETOH0VZasEA= +github.com/elastic/go-libaudit/v2 v2.0.0-20200515221334-92371bef3fb8/go.mod h1:j2CZcVcluWDGhQTnq1SOPy1NKEIa74FtQ39Nnz87Jxk= github.com/elastic/go-licenser v0.2.1 h1:K76YI6XR2LRpewLGwhrTqasXZcNJG2yHY4/jit/IXGY= github.com/elastic/go-licenser v0.2.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ= github.com/elastic/go-lookslike v0.3.0 h1:HDI/DQ65V85ZqM7D/sbxcK2wFFnh3+7iFvBk2v2FTHs= 
@@ -555,6 +556,7 @@ github.com/pierrec/lz4 v2.2.6+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338 h1:/VAZ3an4jHXs+61iNHugNR1mG25MSpaxtMnwOJVEAQM= github.com/pierrre/gotestcover v0.0.0-20160113212533-7b94f124d338/go.mod h1:4xpMLz7RBWyB+ElzHu8Llua96TRCB3YwX+l5EP1wmHk= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -631,6 +633,7 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= 
@@ -778,6 +781,7 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170608164803-0b25a408a500/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -920,6 +924,8 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/vendor/github.com/elastic/go-libaudit/aucoalesce/normalizations.yaml b/vendor/github.com/elastic/go-libaudit/aucoalesce/normalizations.yaml deleted file mode 100644 index 622cf51217b..00000000000 --- a/vendor/github.com/elastic/go-libaudit/aucoalesce/normalizations.yaml +++ /dev/null 
@@ -1,752 +0,0 @@ ---- -# Macros declares some YAML anchors that can be referenced for some common -# object type normalizations like user-session, socket, or process. -macros: -- &defaults - subject: - primary: auid - secondary: uid - how: [exe, comm] - -- ¯o-user-session - subject: - primary: auid - secondary: [acct, id, uid] - object: - primary: terminal - secondary: [addr, hostname] - what: user-session - how: [exe, terminal] - -- ¯o-socket - <<: *defaults - object: - primary: [addr, path] - secondary: port - what: socket - -- ¯o-process - <<: *defaults - object: - primary: [cmd, exe, comm] - secondary: pid - what: process - how: terminal - -# Normalizations is a list of declarations specifying how to normalize the data -# contained in an event. The normalization can be applied based on the syscall -# name (e.g. connect, open) or based on the record type (e.g. USER_LOGIN). -# No two normalizations can apply to the same syscall or record type. This -# will result in a failure at load time. -# -# Each normalization should specify: -# action - what happened -# actor - who did this or who triggered the event -# object - what was the "thing" involved in the action (e.g. process, socket) -# how - how was the action performed (e.g. 
exe or terminal) -normalizations: -- - action: opened-file - object: - what: file - syscalls: - - creat - - fallocate - - truncate - - ftruncate - - open - - openat - - readlink - - readlinkat -- - action: changed-file-attributes-of - object: - what: file - syscalls: - - setxattr - - fsetxattr - - lsetxattr - - removexattr - - fremovexattr - - lremovexattr -- - action: changed-file-permissions-of - object: - what: file - syscalls: - - chmod - - fchmod - - fchmodat -- - action: changed-file-ownership-of - object: - what: file - syscalls: - - chown - - fchown - - fchownat - - lchown -- - action: loaded-kernel-module - object: - what: file - primary: name - record_types: - - KERN_MODULE - syscalls: - - finit_module - - init_module -- - action: unloaded-kernel-module - object: - what: file - syscalls: - - delete_module -- - action: created-directory - object: - what: file - path_index: 1 - syscalls: - - mkdir - - mkdirat -- - action: mounted - object: - what: filesystem - path_index: 1 - syscalls: - - mount -- - action: renamed - object: - what: file - path_index: 2 - syscalls: - - rename - - renameat - - renameat2 -- - action: checked-metadata-of - object: - what: file - syscalls: - - access - - faccessat - - newfstatat - - stat - - fstat - - lstat - - stat64 - - getxattr - - lgetxattr - - fgetxattr -- - action: checked-filesystem-metadata-of - object: - what: filesystem - syscalls: - - statfs - - fstatfs -- - action: symlinked - object: - what: file - syscalls: - - symlink - - symlinkat -- - action: unmounted - object: - what: filesystem - syscalls: - - umount2 -- - action: deleted - object: - what: file - syscalls: - - rmdir - - unlink - - unlinkat -- - action: changed-timestamp-of - object: - what: file - syscalls: - - utime - - utimes - - futimesat - - futimens - - utimensat -- - action: executed - object: - what: file - syscalls: - - execve - - execveat -- - action: listen-for-connections - object: - what: socket - syscalls: - - listen -- - action: 
accepted-connection-from - object: - what: socket - syscalls: - - accept - - accept4 -- - action: bound-socket - object: - what: socket - syscalls: - - bind -- - action: connected-to - object: - what: socket - syscalls: - - connect -- - action: received-from - object: - what: socket - syscalls: - - recvfrom - - recvmsg -- - action: sent-to - object: - what: socket - syscalls: - - sendto - - sendmsg -- - action: killed-pid - object: - what: process - syscalls: - - kill - - tkill - - tgkill -- - action: changed-identity-of - object: - what: process - how: syscall - syscalls: - - setuid - - seteuid - - setfsuid - - setreuid - - setresuid - - setgid - - setegid - - setfsgid - - setregid - - setresgid -- - action: changed-system-time - object: - what: system - syscalls: - - settimeofday - - clock_settime - - stime - - adjtimex -- - action: make-device - object: - what: file - syscalls: - - mknod - - mknodat -- - action: changed-system-name - object: - what: system - syscalls: - - sethostname - - setdomainname -- - action: allocated-memory - object: - what: memory - syscalls: - - mmap - - brk -- - action: adjusted-scheduling-policy-of - object: - what: process - how: syscall - syscalls: - - sched_setparam - - sched_setscheduler - - sched_setattr -- - action: caused-mac-policy-error - object: - what: system - record_types: SELINUX_ERR -- - action: loaded-firewall-rule-to - object: - primary: table - what: firewall - record_types: NETFILTER_CFG -- - # Could be entered or exited based on prom field. 
- action: changed-promiscuous-mode-on-device - object: - primary: dev - what: network-device - record_types: ANOM_PROMISCUOUS -- - action: locked-account - record_types: ACCT_LOCK -- - action: unlocked-account - record_types: ACCT_UNLOCK -- - action: added-group-account-to - object: - primary: [id, acct] - what: account - record_types: ADD_GROUP -- - action: added-user-account - object: - primary: [id, acct] - what: account - record_types: ADD_USER -- - action: crashed-program - object: - primary: [comm, exe] - secondary: pid - what: process - how: sig - record_types: ANOM_ABEND -- - action: attempted-execution-of-forbidden-program - object: - primary: cmd - what: process - how: terminal - record_types: ANOM_EXEC -- - action: used-suspcious-link - record_types: ANOM_LINK -- - <<: *macro-user-session - action: failed-log-in-too-many-times-to - record_types: ANOM_LOGIN_FAILURES -- - <<: *macro-user-session - action: attempted-log-in-from-unusual-place-to - record_types: ANOM_LOGIN_LOCATION -- - <<: *macro-user-session - action: opened-too-many-sessions-to - record_types: ANOM_LOGIN_SESSIONS -- - <<: *macro-user-session - action: attempted-log-in-during-unusual-hour-to - record_types: ANOM_LOGIN_TIME -- - action: tested-file-system-integrity-of - object: - primary: hostname - what: filesystem - record_types: ANOM_RBAC_INTEGRITY_FAIL -- - action: violated-selinux-policy - subject: - primary: scontext - object: - primary: tcontext - secondary: tclass - record_types: AVC - has_fields: - - seresult -- - action: violated-apparmor-policy - object: - primary: operation - secondary: [requested_mask, denied_mask, capname] - what: policy - record_types: AVC - has_fields: - - apparmor -- - action: changed-group - record_types: CHGRP_ID -- - action: changed-user-id - record_types: CHUSER_ID -- - action: changed-audit-configuration - object: - primary: [op, key, audit_enabled, audit_pid, audit_backlog_limit, audit_failure] - what: audit-config - record_types: CONFIG_CHANGE -- - 
<<: *macro-user-session - action: acquired-credentials - record_types: CRED_ACQ -- - <<: *macro-user-session - action: disposed-credentials - record_types: CRED_DISP -- - <<: *macro-user-session - action: refreshed-credentials - record_types: CRED_REFR -- - <<: *macro-user-session - action: negotiated-crypto-key - object: - primary: fp - secondary: [addr, hostname] - what: user-session - record_types: CRYPTO_KEY_USER - source_ip: [addr] -- - action: crypto-officer-logged-in - record_types: CRYPTO_LOGIN -- - action: crypto-officer-logged-out - record_types: CRYPTO_LOGOUT -- - <<: *macro-user-session - action: started-crypto-session - object: - primary: addr - secondary: [rport] - record_types: CRYPTO_SESSION - source_ip: [addr] -- - action: access-result - record_types: DAC_CHECK -- - action: aborted-auditd-startup - object: - what: service - record_types: DAEMON_ABORT -- - action: remote-audit-connected - object: - what: service - record_types: DAEMON_ACCEPT -- - action: remote-audit-disconnected - object: - what: service - record_types: DAEMON_CLOSE -- - action: changed-auditd-configuration - object: - what: service - record_types: DAEMON_CONFIG -- - action: shutdown-audit - object: - what: service - record_types: DAEMON_END -- - action: audit-error - object: - what: service - record_types: DAEMON_ERR -- - action: reconfigured-auditd - object: - what: service - record_types: DAEMON_RECONFIG -- - action: resumed-audit-logging - object: - what: service - record_types: DAEMON_RESUME -- - action: rotated-audit-logs - object: - what: service - record_types: DAEMON_ROTATE -- - action: started-audit - object: - what: service - record_types: DAEMON_START -- - action: deleted-group-account-from - object: - primary: [id, acct] - what: account - record_types: DEL_GROUP -- - action: deleted-user-account - object: - primary: [id, acct] - what: account - record_types: DEL_USER -- - action: changed-audit-feature - object: - primary: feature - what: system - record_types: 
FEATURE_CHANGE -- - action: relabeled-filesystem - record_types: FS_RELABEL -- - action: authenticated-to-group - record_types: GRP_AUTH -- - <<: *macro-user-session - action: changed-group-password - object: - primary: acct - what: user-session - record_types: GRP_CHAUTHTOK -- - action: modified-group-account - object: - primary: [id, acct] - what: account - record_types: GRP_MGMT -- - action: initialized-audit-subsystem - record_types: KERNEL -- - action: modified-level-of - object: - primary: printer - what: printer - record_types: LABEL_LEVEL_CHANGE -- - action: overrode-label-of - object: - what: mac-config - record_types: LABEL_OVERRIDE -- - object: - what: mac-config - record_types: - - AUDIT_DEV_ALLOC - - AUDIT_DEV_DEALLOC - - AUDIT_FS_RELABEL - - AUDIT_USER_MAC_POLICY_LOAD - - AUDIT_USER_MAC_CONFIG_CHANGE -- - action: changed-login-id-to - subject: - primary: [old_auid, old-auid] - secondary: uid - object: - primary: auid - what: user-session - record_types: LOGIN -- - action: mac-permission - record_types: MAC_CHECK -- - action: changed-selinux-boolean - object: - primary: bool - what: mac-config - record_types: MAC_CONFIG_CHANGE -- - action: loaded-selinux-policy - object: - what: mac-config - record_types: MAC_POLICY_LOAD -- - action: changed-selinux-enforcement - object: - primary: enforcing - what: mac-config - record_types: MAC_STATUS -- - action: assigned-user-role-to - object: - primary: [id, acct] - what: account - record_types: ROLE_ASSIGN -- - action: modified-role - record_types: ROLE_MODIFY -- - action: removed-use-role-from - object: - primary: [id, acct] - what: account - record_types: ROLE_REMOVE -- - action: violated-seccomp-policy - object: - primary: syscall - what: process - record_types: SECCOMP -- - action: started-service - object: - primary: unit - what: service - record_types: SERVICE_START -- - action: stopped-service - object: - primary: unit - what: service - record_types: SERVICE_STOP -- - action: booted-system - object: - 
what: system - record_types: SYSTEM_BOOT -- - action: changed-to-runlevel - object: - primary: new-level - what: system - record_types: SYSTEM_RUNLEVEL -- - action: shutdown-system - object: - what: system - record_types: SYSTEM_SHUTDOWN -- - action: sent-test - record_types: TEST -- - action: unknown - record_types: TRUSTED_APP -- - action: sent-message - object: - primary: addr - record_types: USER -- - <<: *macro-user-session - action: was-authorized - record_types: USER_ACCT -- - <<: *macro-user-session - action: authenticated - record_types: USER_AUTH -- - action: access-permission - record_types: USER_AVC -- - <<: *macro-user-session - action: changed-password - record_types: USER_CHAUTHTOK -- - action: ran-command - object: - primary: cmd - what: process - record_types: USER_CMD - description: > - These messages are from user-space apps, like sudo, that log commands - being run by a user. The uid contained in these messages is user's UID at - the time the command was run. It is not the "target" UID used to run the - command, which is normally root. 
-- - <<: *macro-user-session - action: ended-session - record_types: USER_END -- - <<: *macro-user-session - action: error - record_types: USER_ERR - source_ip: [addr] -- - <<: *macro-user-session - action: logged-in - record_types: USER_LOGIN - source_ip: [addr] -- - <<: *macro-user-session - action: logged-out - record_types: USER_LOGOUT -- - action: changed-mac-configuration - record_types: USER_MAC_CONFIG_CHANGE -- - action: loaded-mac-policy - record_types: USER_MAC_POLICY_LOAD -- - <<: *macro-user-session - action: modified-user-account - record_types: USER_MGMT -- - <<: *macro-user-session - action: changed-role-to - object: - primary: selected-context - what: user-session - record_types: USER_ROLE_CHANGE -- - action: access-error - record_types: USER_SELINUX_ERR -- - <<: *macro-user-session - action: started-session - record_types: USER_START - source_ip: [addr] -- - action: changed-configuration - object: - primary: op - what: system - record_types: USYS_CONFIG -- - action: issued-vm-control - object: - primary: op - secondary: vm - what: virtual-machine - record_types: VIRT_CONTROL -- - action: created-vm-image - record_types: VIRT_CREATE -- - action: deleted-vm-image - record_types: VIRT_DESTROY -- - action: checked-integrity-of - record_types: VIRT_INTEGRITY_CHECK -- - action: assigned-vm-id - object: - primary: vm - what: virtual-machine - record_types: VIRT_MACHINE_ID -- - action: migrated-vm-from - record_types: VIRT_MIGRATE_IN -- - action: migrated-vm-to - record_types: VIRT_MIGRATE_OUT -- - action: assigned-vm-resource - object: - primary: resrc - secondary: vm - what: virtual-machine - record_types: VIRT_RESOURCE -- action: typed - object: - primary: data - what: keystrokes - how: [comm, exe] - record_types: - - TTY - - USER_TTY diff --git a/vendor/github.com/elastic/go-libaudit/aucoalesce/znormalize_data.go b/vendor/github.com/elastic/go-libaudit/aucoalesce/znormalize_data.go deleted file mode 100644 index 5f6c14bebdf..00000000000 
--- a/vendor/github.com/elastic/go-libaudit/aucoalesce/znormalize_data.go +++ /dev/null @@ -1,42 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -// Code generated by mknormalize_data.go - DO NOT EDIT. - -package aucoalesce - -import ( - "encoding/base64" - "fmt" -) - -var assets map[string][]byte - -func asset(key string) ([]byte, error) { - if assets == nil { - assets = map[string][]byte{} - - var value []byte - value, _ = base64.StdEncoding.DecodeString("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") - assets["normalizationData"] = value - } - - if value, found := assets[key]; found { - return value, nil - } - return nil, fmt.Errorf("asset not found for key=%v", key) -} diff --git a/vendor/github.com/elastic/go-libaudit/.gitignore b/vendor/github.com/elastic/go-libaudit/v2/.gitignore similarity index 100% rename from vendor/github.com/elastic/go-libaudit/.gitignore rename to vendor/github.com/elastic/go-libaudit/v2/.gitignore diff --git a/vendor/github.com/elastic/go-libaudit/v2/.go-version b/vendor/github.com/elastic/go-libaudit/v2/.go-version new file mode 100644 index 00000000000..a4cc55716f5 --- /dev/null +++ b/vendor/github.com/elastic/go-libaudit/v2/.go-version @@ -0,0 +1 @@ +1.14.2 
diff --git a/vendor/github.com/elastic/go-libaudit/.travis.yml b/vendor/github.com/elastic/go-libaudit/v2/.travis.yml
similarity index 55%
rename from vendor/github.com/elastic/go-libaudit/.travis.yml
rename to vendor/github.com/elastic/go-libaudit/v2/.travis.yml
index 61b197b5c13..72f7219d7ff 100644
--- a/vendor/github.com/elastic/go-libaudit/.travis.yml
+++ b/vendor/github.com/elastic/go-libaudit/v2/.travis.yml
@@ -2,31 +2,34 @@ sudo: false
 language: go
 go:
-- 1.10.x
+ - 1.14.x
 go_import_path: github.com/elastic/go-libaudit
 install:
-- go get -u github.com/elastic/go-licenser
-- go get -d -t ./...
+ - GO111MODULE=off go get -u github.com/elastic/go-licenser
+ - go get -d -t ./...
 script:
-- go-licenser -d
-- >
- find . -name '*.go' | grep -v vendor | xargs gofmt -s -l | read &&
- echo "Code differs from gofmt's style. Run 'gofmt -s -w .'" 1>&2 && exit 1 || true
-- go test -v $(go list ./... | grep -v /vendor/)
-- GOARCH=386 go test -v $(go list ./... | grep -v /vendor/)
-- mkdir -p build/bin
-- go build -o build/bin/audit ./cmd/audit/
-- go build -o build/bin/auparse ./cmd/auparse/
+ - go mod download
+ - go mod verify
+ - go mod tidy && [ -z "$(git status --porcelain go.mod go.sum)" ] || (echo "Go module manifest changed. Run 'go mod tidy'" 1>&2 && exit 1)
+ - go-licenser -d
+ - >
+ find . -name '*.go' | grep -v vendor | xargs gofmt -s -l | read &&
+ echo "Code differs from gofmt's style. Run 'gofmt -s -w .'" 1>&2 && exit 1 || true
+ - go test -v $(go list ./... | grep -v /vendor/)
+ - GOARCH=386 go test -v $(go list ./...
| grep -v /vendor/) + - mkdir -p build/bin + - go build -o build/bin/audit ./cmd/audit/ + - go build -o build/bin/auparse ./cmd/auparse/ deploy: provider: releases api_key: secure: IpZfb/x2tZy21LLsAWDv45A8nHxaSlMHOOLzAr+LJUQf4vh/mGxlUeXzbm6VsRPBXkNFRQEoc/+Lo/1xEPFJ293GsJecZz15PGPkSgJ5fpODR/8U7x/ZXeV3PEFcREebllMkvuE0f4op8YkLG+8UrP4telOkJANYCI5GCE7ASEpisC/1xEyddpOTAwinHpoT0BITMwIC+VzZ2I8ZvKP/4rUBM1D9i278uNrAd0rn+X3pM6ssRrQELgURlCudbjN/Gi4lETg7ibj5cTFCTeLyALPu2elPeAt62Dtu7Dp6XSbkmfQhnGqqzxvAbkPRmfnEJS46zoMkHnSPiovLcYpoJLV8jF80FXiGtT70VvkEDpGHiNufp5VFO8RosqYnTwAHkx5WcrWvYdXu83jRFmZ20BiV91MoafnuAMD4YkPj/B5VmCP0rY06vA+V02w71/s6D8HscPWOuvKTRUMhCVVuQnd0gbBAGrznwwtcqobkhjJGQkzSoDaafmxky1yNKLfWN5ttgpSfPiSDchkBtkxgW9Z0Bp2n9nL8X12xgQKGIXbl446/g1AEkFEeTmEdqFvKrmz3PQAkprrOoRfB57lB+GYgrDd3aEGg9Hb2CPRbORTMdPdSJ7ZFE00H1TCG0F6y8nK9o6cfK3yKbsuy0/U4q7daixu4XRFLyEFyjkeD434= file: - - build/bin/audit - - build/bin/auparse + - build/bin/audit + - build/bin/auparse on: tags: true repo: elastic/go-libaudit diff --git a/vendor/github.com/elastic/go-libaudit/CHANGELOG.md b/vendor/github.com/elastic/go-libaudit/v2/CHANGELOG.md similarity index 95% rename from vendor/github.com/elastic/go-libaudit/CHANGELOG.md rename to vendor/github.com/elastic/go-libaudit/v2/CHANGELOG.md index b82a06e9bbe..84da0b0110a 100644 --- a/vendor/github.com/elastic/go-libaudit/CHANGELOG.md +++ b/vendor/github.com/elastic/go-libaudit/v2/CHANGELOG.md @@ -1,4 +1,5 @@ # Change Log + All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](http://semver.org/). @@ -6,8 +7,14 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Added +- Vagrantfile for development ease. #61 + ### Changed +- Added support for big endian. #48 +- Added semantic versioning support via go modules. #61 +- Add ECS categorization support for events by record type and syscall. #62 + ### Removed ## [0.4.0] 
@@ -24,7 +31,6 @@ This project adheres to [Semantic Versioning](http://semver.org/). ### Removed - ## [0.3.0] ### Added @@ -70,12 +76,12 @@ This project adheres to [Semantic Versioning](http://semver.org/). PATH records. #20 ## [0.0.7] - + ### Added - Added WaitForPendingACKs to receive pending ACK messages from the kernel. #14 - The AuditClient will unregister with the kernel if `SetPID` has been called. #19 - + ### Changed - auparse - Fixed an issue where the proctitle value was being truncated. #15 @@ -97,11 +103,13 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [0.0.5] ### Changed + - auparse - Apply hex decoding to CWD field. #10 ## [0.0.4] ### Added + - Add a package for building audit rules that can be added to the kernel. - Add GetRules, DeleteRules, DeleteRule, and AddRule methods to AuditClient. - auparse - Add conversion of POSIX exit code values to their name. @@ -110,12 +118,14 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [0.0.3] ### Added + - auparse - Convert auid and session values of `4294967295` or `-1` to "unset". #5 - auparse - Added `MarshallText` method to AuditMessageType to enable the value to be marshaled as a string in JSON. faabfa94ec9479bdc1ad6c0334ff178b8193fce5 - aucoalesce - Enhanced aucoalesce to normalize events. 666ff1c30fe624e9fcd9a108b20fceb82331f5fa ### Changed + - Rename RawAuditMessage fields `MessageType` and `RawData` to `Type` and `Data` respectively. 8622833714fccd7810669b1265df1c1f918ec0c4 - Make Reassembler concurrency-safe. c57b59c20a684e2a6298a1a5929a79192d76d61b @@ -129,6 +139,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [0.0.2] ### Added + - Added `libaudit.Reassembler` for reassembling out of order or interleaved messages and providing notification for lost events based on gaps in sequence numbers. a60bdd3b1b642cc80a3872d999114ae675456768 
@@ -143,6 +154,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). event. #1 ### Changed + - auparse - Changed the behavior of `ParseLogLine()` and `Parse()` to only parse the message header. To parse the message body, call `Data()` on the returned `AuditMessage`. @@ -154,6 +166,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). ## [0.0.1] ### Added + - Added AuditClient for communicating with the Linux Audit Framework in the Linux kernel. - Added auparse package for parsing audit logs. diff --git a/vendor/github.com/elastic/go-libaudit/LICENSE.txt b/vendor/github.com/elastic/go-libaudit/v2/LICENSE.txt similarity index 100% rename from vendor/github.com/elastic/go-libaudit/LICENSE.txt rename to vendor/github.com/elastic/go-libaudit/v2/LICENSE.txt diff --git a/vendor/github.com/elastic/go-libaudit/NOTICE.txt b/vendor/github.com/elastic/go-libaudit/v2/NOTICE.txt similarity index 100% rename from vendor/github.com/elastic/go-libaudit/NOTICE.txt rename to vendor/github.com/elastic/go-libaudit/v2/NOTICE.txt diff --git a/vendor/github.com/elastic/go-libaudit/README.md b/vendor/github.com/elastic/go-libaudit/v2/README.md similarity index 95% rename from vendor/github.com/elastic/go-libaudit/README.md rename to vendor/github.com/elastic/go-libaudit/v2/README.md index 502fbddfd27..5c105c714ca 100644 --- a/vendor/github.com/elastic/go-libaudit/README.md +++ b/vendor/github.com/elastic/go-libaudit/v2/README.md @@ -35,7 +35,6 @@ The second is _auparse_ which parses the log files from the Linux auditd process or the output of the _audit_ example command. It combines related log messages that are a part of the same event. - ``` $ go install github.com/elastic/go-libaudit/cmd/auparse $ sudo cat /var/log/audit/audit.log | auparse @@ -111,6 +110,12 @@ data: grantors: pam_env,pam_unix op: PAM:setcred terminal: /dev/pts/1 +ecs: + event: + category: + - authentication + type: + - info --- timestamp: 2016-12-07T02:22:14.303Z 
@@ -148,6 +153,12 @@ data: grantors: pam_keyinit,pam_limits op: PAM:session_open terminal: /dev/pts/1 +ecs: + event: + category: + - authentication + type: + - info --- timestamp: 2016-12-07T02:22:14.304Z @@ -250,4 +261,14 @@ paths: ogid: "0" ouid: "0" rdev: "00:00" +ecs: + event: + category: + - process + type: + - start ``` + +## ECS compatibility + +This currently provides [Elastic Common Schema (ECS) 1.5](https://www.elastic.co/guide/en/ecs/current/index.html) categorization support for some of the more prominent or meaningful auditd events and syscalls. diff --git a/vendor/github.com/elastic/go-libaudit/v2/Vagrantfile b/vendor/github.com/elastic/go-libaudit/v2/Vagrantfile new file mode 100644 index 00000000000..a681dbb069d --- /dev/null +++ b/vendor/github.com/elastic/go-libaudit/v2/Vagrantfile @@ -0,0 +1,30 @@ +# Read the branch's Go version from the .go-version file. +GO_VERSION = File.read(File.join(File.dirname(__FILE__), ".go-version")).strip + +create_symlink = <