[auditd]: set event.outcome value as per ECS specification

[r00tu53r]

What does this PR do?

The PR sets/fixes event.outcome value as per ECS specification.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

elastic-package test pipeline -v -g

Related issues

• Closes auditd using invalid field values according to ECS #3043

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-04-13T05:50:47.861+0000

• Duration: 14 min 46 sec

Test stats 🧪

Test	Results
Failed	0
Passed	14
Skipped	0
Total	14

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[efd6]

Do we know that 0 is always failed and 1 is always success? This post suggests that it is just not valid to have a value that is not success or failed. Given the tone of the post and the author, it probably means that a value that is not one of the valid values is unknown (pondering that 0=false in C, but success in unix and 1 is true and failed).

[r00tu53r]

Do we know that 0 is always failed and 1 is always success? This post suggests that it is just not valid to have a value that is not success or failed. Given the tone of the post and the author, it probably means that a value that is not one of the valid values is unknown (pondering that 0=false in C, but success in unix and 1 is true and failed).

Yes I came upon that link too. It does go by how C treats 0 as false. I confirmed that from the code here and other locations across other functions.