aucoalesce: add link / linkat syscalls to normalizations (#177)

Add ECS enrichment to normalizations.yaml for the 'link' and 'linkat' syscalls.

Co-authored-by: Andrew Kroh <[email protected]>

Author: rafiyr

CHANGELOG.md

@@ -7,6 +7,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Added
 
+- aucoalesce: Add ECS enrichments for `link` and `linkat` syscalls. [#177](https://github.com/elastic/go-libaudit/pull/177)
+
 ### Changed
 
 ### Removed

aucoalesce/normalizations.yaml

@@ -269,6 +269,18 @@ normalizations:
       # fstatfs - get filesystem statistics
       - fstatfs
     ecs: *ecs-file
+  - action: linked
+    object_what: file
+    syscalls:
+      # link - make a new name for a file
+      - link
+      # linkat - make a new name for a file
+      - linkat
+    ecs:
+      <<: *ecs-file
+      # "creation" since we're creating a new file system
+      # entry for the link
+      type: creation
   - action: symlinked
     object_what: file
     syscalls:

aucoalesce/testdata/ubuntu-24.04-linux-6.8.0.json.golden

@@ -0,0 +1,76 @@
+[
+  {
+    "test_name": "linkat_syscall",
+    "event": {
+      "@timestamp": "2025-03-14T20:13:15.885Z",
+      "sequence": 240,
+      "category": "audit-rule",
+      "record_type": "syscall",
+      "result": "fail",
+      "session": "3",
+      "tags": [
+        "syscalls_link_operations"
+      ],
+      "summary": {
+        "actor": {
+          "primary": "1000",
+          "secondary": "0"
+        },
+        "action": "linked",
+        "object": {
+          "type": "file"
+        },
+        "how": "/home/ubuntu/link"
+      },
+      "user": {
+        "ids": {
+          "auid": "1000",
+          "egid": "0",
+          "euid": "0",
+          "fsgid": "0",
+          "fsuid": "0",
+          "gid": "0",
+          "sgid": "0",
+          "suid": "0",
+          "uid": "0"
+        },
+        "selinux": {
+          "user": "unconfined"
+        }
+      },
+      "process": {
+        "pid": "15200",
+        "ppid": "6099",
+        "name": "link",
+        "exe": "/home/ubuntu/link"
+      },
+      "data": {
+        "a0": "ffffffffffffff9c",
+        "a1": "0",
+        "a2": "ffffffffffffff9c",
+        "a3": "fffffa0ba75f",
+        "arch": "aarch64",
+        "exit": "EFAULT",
+        "items": "1",
+        "syscall": "linkat",
+        "tty": "pts1"
+      },
+      "ecs": {
+        "event": {
+          "category": [
+            "file"
+          ],
+          "type": [
+            "creation"
+          ]
+        },
+        "user": {
+          "effective": {},
+          "target": {},
+          "changes": {}
+        },
+        "group": {}
+      }
+    }
+  }
+]

aucoalesce/testdata/ubuntu-24.04-linux-6.8.0.yaml

@@ -0,0 +1,5 @@
+---
+tests:
+  # -a always,exit -F arch=b64  -S linkat -k syscalls_link_operations
+  linkat_syscall: >
+    type=SYSCALL msg=audit(1741983195.885:240): arch=c00000b7 syscall=37 success=no exit=-14 a0=ffffffffffffff9c a1=0 a2=ffffffffffffff9c a3=fffffa0ba75f items=1 ppid=6099 pid=15200 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="link" exe="/home/ubuntu/link" subj=unconfined key="syscalls_link_operations"