go.mod - update to go-libaudit v2.6.1

[andrewkroh]

Proposed commit message

Update to go-libaudit v2.6.1.

This release updates the syscall tables for Linux 6.11. And it corrects the ECS `event.type`
value used for SERVICE_STOP, DAEMON_ABORT, and DAEMON_END messages.

https://github.com/elastic/go-libaudit/releases/tag/v2.6.1

https://github.com/elastic/go-libaudit/compare/v2.5.0..v2.6.1

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @andrewkroh? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

[andrewkroh]

Nothing changed in the definition of the USER_ROLE_CHANGE¹ normalization, but the tests are failing. I suspect that the change from yaml.v2 -> yaml.v3 in go-libaudit had an effect on the YAML anchor and alias evaluation. I think we need to diff the result of unmarshaling the normalizations.yaml between 2.4.0 and 2.5.0 or yaml.v2 and yaml.v3.

beats/auditbeat/module/auditd/testdata/sudo.log-expected.json

Lines 925 to 931 in 048c3cc

	"how": "/bin/su",
	"object": {
	"primary": "1234",
	"secondary": "127.0.0.1",
	"type": "user-session"
	}
	}

        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -925,5 +925,4 @@
        	            	     (string) (len=3) "how": (string) (len=7) "/bin/su",
        	            	-    (string) (len=6) "object": (map[string]interface {}) (len=3) {
        	            	+    (string) (len=6) "object": (map[string]interface {}) (len=2) {
        	            	      (string) (len=7) "primary": (string) (len=4) "1234",
        	            	-     (string) (len=9) "secondary": (string) (len=9) "127.0.0.1",
        	            	      (string) (len=4) "type": (string) (len=12) "user-session"
        	Test:       	TestGoldenFiles/sudo
=== FAIL: auditbeat/module/auditd TestGoldenFiles (0.14s)

Footnotes

1. https://github.com/elastic/go-libaudit/blame/7d76d1d23187e2a3e2dcfabc4d15c8872448af86/aucoalesce/normalizations.yaml#L1087-L1093 ↩

[andrewkroh]

The problem is now tracked in elastic/go-libaudit#169.

[andrewkroh]

The problem was fixed upstream in go-libaudit v2.6.1, and the PR has be updated to use that version.