libaudit

package module
v0.0.0-...-f4523b4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 30, 2018 License: MPL-2.0 Imports: 19 Imported by: 0

README

Libaudit in Golang

Golang package (lib) for Linux Audit

Libaudit-go is a pure Go client library for dealing directly with linux audit framework. The idea is provide a replacement to the existing auditd daemon and its libraries. Originally developed for Audit Go Heka Plugin

To get started see package documentation at godoc.

See main.go for an example implementation of the client using libaudit-go.

Supported Methods (API)

General
NewNetlinkConnection

Open a audit netlink socket connection Similar to audit_open, NewNetlinkConnection creates a NETLINK_AUDIT socket for communication with the kernel part of the Linux Audit Subsystem.

It provide three methods

  • Close
  • Send
  • Receive

Example :

s, err := libaudit.NewNetlinkConnection()

if err != nil {
    log.Println(err)
    log.Fatalln("Error while availing socket! Exiting!")
} 

defer s.Close()

Definations of Send and Receive are :

Send

func (s *NetlinkConnection) Send(request *NetlinkMessage) error

Receive

func (s *NetlinkConnection) Receive(bytesize int, block int) ([]NetlinkMessage, error)
GetAuditEvents

Starts an Audit event monitor in a go-routine.

func AuditGetEvents(s *NetlinkConnection, cb EventCallback, ec chan error, args ...interface{})

This function start a audit event monitor and accept a callback that is called on each audit event received from the Audit Subsysten.

Example:


func EventCallback(msg *libaudit.AuditEvent, ce chan error, args ...interface{}) {
	// print the info map
	log.Println(msg.Data)
	// print the raw event
	log.Println(msg.Raw)
}

// Go rutine to monitor events and call callback for each event fired
libaudit.GetAuditEvents(s, EventCallback, errchan)

The callback accept AuditEvent type variable as an argument. AuditEvent is defined as

type AuditEvent struct {
	Serial				int
	Timestamp			float64
	Type 				string
	Data 				map[string]string
	Raw 				string
}
AuditGetRawEvents

Starts an Audit event monitor which emits raw events in a go-routine

func GetRawAuditEvents(s *NetlinkConnection, cb RawEventCallback, ec chan error, args ...interface{})

Same as GetAuditEvents but accept a string type in callback instead of AuditEvent type.

Example -

func RawEventCallback(msg string, ce chan error, args ...interface{}) {
	log.Println(msg)
}

// Go rutine to monitor events and feed raw events to the callback
libaudit.GetRawAuditEvents(s, RawEventCallback, errchan)
AuditIsEnabled

This function will return 0 if audit is not enabled and 1 if enabled, and -1 on error.

func AuditIsEnabled(s *NetlinkConnection) (state int, err error)

Example :

status, err := libaudit.AuditIsEnabled(s)
AuditRequestStatus

Not yet implemented

Audit Set
AuditSetEnabled

Enable or disable auditing, 1 to enable and 0 to disable.

func AuditSetEnabled(s *NetlinkConnection) error

Example :

err := libaudit.AuditSetEnabled(s, 1)
AuditSetRateLimit

Sets rate limit for audit messages from kernel

func AuditSetRateLimit(s *NetlinkConnection, limit int) error

This function set the maximum number of messages that the kernel will send per second.

Example:

err = libaudit.AuditSetRateLimit(s, 600)
AuditSetBacklogLimit

Sets backlog limit for audit messages from kernel

func AuditSetBacklogLimit(s *NetlinkConnection, limit int) error

This function sets the queue length for audit events awaiting transfer to the audit daemon

Example :

err = libaudit.AuditSetBacklogLimit(s, 420)
AuditSetPid

Set audit daemon process ID

func AuditSetPid(s *NetlinkConnection, pid uint32 ) error

This function registers the given PID with kernel as the program for receiving audit messages.

Example :

err = libaudit.AuditSetPid(s, uint32(syscall.Getpid()))
AuditSetFailure

Not yet implemented

Audit Rules
SetRules

Set audit rules from a configuration file

func SetRules(s *NetlinkConnection, content []byte) error

This function accept the json rules file as byte array and register rules with audit. See audit.rules.json for example

Example:

// Load all rules
content, err := ioutil.ReadFile("audit.rules.json")
if err != nil {
	log.Print("Error:", err)
	os.Exit(0)
}

// Set audit rules
err = libaudit.SetRules(s, content)
DeleteAllRules

Delete all audit rules.

func DeleteAllRules(s *NetlinkConnection) error

Example:

err := DeleteAllRules(s)
ListAllRules

ListAllRules lists all audit rules currently loaded in audit kernel in the same format as shown by auditctl utility.

func ListAllRules(s *NetlinkConnection) ([]string, error)

Example:

	rulesArray, err := libaudit.ListAllRules(s)

Documentation

Overview

Package libaudit is a client library in pure Go for talking with audit framework in the linux kernel. It provides API for dealing with audit related tasks like setting audit rules, deleting audit rules etc. The idea is to provide the same set of API as auditd (linux audit daemon).

NOTE: Currently the library is only applicable for x64 architecture.

Example usage of the library: 

package main

import (
	"fmt"
	"ioutil"
	"syscall"
	"time"
	"github.com/mozilla/libaudit-go"
)

func main() {
	s, err := libaudit.NewNetlinkConnection()
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	defer s.Close()
	// enable audit in kernel
	err = libaudit.AuditSetEnabled(s, 1)
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	// check if audit is enabled
	status, err := libaudit.AuditIsEnabled(s)
	if err == nil && status == 1 {
		fmt.Printf("Enabled Audit\n")
	} else if err == nil && status == 0 {
		fmt.Prinft("Audit Not Enabled\n")
		return
	} else {
		fmt.Printf("%v\n", err)
		return
	}
	// set the maximum number of messages
	// that the kernel will send per second
	err = libaudit.AuditSetRateLimit(s, 450)
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	// set max limit audit message queue
	err = libaudit.AuditSetBacklogLimit(s, 16438)
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	// register current pid with audit
	err = libaudit.AuditSetPID(s, syscall.Getpid())
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	// delete all rules that are previously present in kernel
	err = libaudit.DeleteAllRules(s)
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	// set audit rules
	// specify rules in JSON format (for example see: https://github.com/arunk-s/gsoc16/blob/master/audit.rules.json)
	out, _ := ioutil.ReadFile("audit.rules.json")
	err = libaudit.SetRules(s, out)
	if err != nil {
		fmt.Printf("%v\n", err)
		return
	}
	// create a channel to indicate libaudit to stop collecting messages
	done := make(chan, bool)
	// spawn a go routine that will stop the collection after 5 seconds
	go func(){
		time.Sleep(time.Second*5)
		done <- true
	}()
	// collect messages and handle them in a function
	libaudit.GetAuditMessages(s, callback, &done)
}

// provide a function to handle the messages
func callback(msg *libaudit.AuditEvent, ce error, args ...interface{}) {
	if ce != nil {
		fmt.Printf("%v\n", ce)
	} else if msg != nil {
		// AuditEvent struct holds all message details including a map of audit fields => values
		fmt.Println(msg.Raw)
	}
}

Index

Constants

View Source 
const (
	MAX_AUDIT_MESSAGE_LENGTH = 8970
	AUDIT_MAX_FIELDS         = 64
	AUDIT_BITMASK_SIZE       = 64
	//Rule Flags
	AUDIT_FILTER_USER  = 0x00 /* Apply rule to user-generated messages */
	AUDIT_FILTER_TASK  = 0x01 /* Apply rule at task creation (not syscall) */
	AUDIT_FILTER_ENTRY = 0x02 /* Apply rule at syscall entry */
	AUDIT_FILTER_WATCH = 0x03 /* Apply rule to file system watches */
	AUDIT_FILTER_EXIT  = 0x04 /* Apply rule at syscall exit */
	AUDIT_FILTER_TYPE  = 0x05 /* Apply rule at audit_log_start */
	/* These are used in filter control */
	AUDIT_FILTER_MASK  = 0x07 /* Mask to get actual filter */
	AUDIT_FILTER_UNSET = 0x80 /* This value means filter is unset */

	/* Rule actions */
	AUDIT_NEVER    = 0 /* Do not build context if rule matches */
	AUDIT_POSSIBLE = 1 /* Build context if rule matches  */
	AUDIT_ALWAYS   = 2 /* Generate audit record if rule matches */

	/* Rule fields */
	/* These are useful when checking the
	 * task structure at task creation time
	 * (AUDIT_PER_TASK).  */
	AUDIT_PID                   = 0
	AUDIT_UID                   = 1
	AUDIT_EUID                  = 2
	AUDIT_SUID                  = 3
	AUDIT_FSUID                 = 4
	AUDIT_GID                   = 5
	AUDIT_EGID                  = 6
	AUDIT_SGID                  = 7
	AUDIT_FSGID                 = 8
	AUDIT_LOGINUID              = 9
	AUDIT_OBJ_GID               = 110
	AUDIT_OBJ_UID               = 109
	AUDIT_EXIT                  = 103
	AUDIT_PERS                  = 10
	AUDIT_FILTER_EXCLUDE        = 0x05
	AUDIT_ARCH                  = 11
	PATH_MAX                    = 4096
	AUDIT_MSGTYPE               = 12
	AUDIT_MAX_KEY_LEN           = 256
	AUDIT_PERM                  = 106
	AUDIT_FILTERKEY             = 210
	AUDIT_SUBJ_USER             = 13 /* security label user */
	AUDIT_SUBJ_ROLE             = 14 /* security label role */
	AUDIT_SUBJ_TYPE             = 15 /* security label type */
	AUDIT_SUBJ_SEN              = 16 /* security label sensitivity label */
	AUDIT_SUBJ_CLR              = 17 /* security label clearance label */
	AUDIT_PPID                  = 18
	AUDIT_OBJ_USER              = 19
	AUDIT_OBJ_ROLE              = 20
	AUDIT_OBJ_TYPE              = 21
	AUDIT_WATCH                 = 105
	AUDIT_DIR                   = 107
	AUDIT_OBJ_LEV_LOW           = 22
	AUDIT_OBJ_LEV_HIGH          = 23
	AUDIT_LOGINUID_SET          = 24
	AUDIT_DEVMAJOR              = 100
	AUDIT_DEVMINOR              = 101
	AUDIT_INODE                 = 102
	AUDIT_SUCCESS               = 104
	AUDIT_FIELD_COMPARE         = 111
	AUDIT_EXE                   = 112
	AUDIT_PERM_EXEC             = 1
	AUDIT_PERM_WRITE            = 2
	AUDIT_PERM_READ             = 4
	AUDIT_PERM_ATTR             = 8
	AUDIT_FILETYPE              = 108
	AUDIT_ARG0                  = 200
	AUDIT_ARG1                  = (AUDIT_ARG0 + 1)
	AUDIT_ARG2                  = (AUDIT_ARG0 + 2)
	AUDIT_ARG3                  = (AUDIT_ARG0 + 3)
	AUDIT_BIT_MASK              = 0x08000000
	AUDIT_LESS_THAN             = 0x10000000
	AUDIT_GREATER_THAN          = 0x20000000
	AUDIT_NOT_EQUAL             = 0x30000000
	AUDIT_EQUAL                 = 0x40000000
	AUDIT_BIT_TEST              = (AUDIT_BIT_MASK | AUDIT_EQUAL)
	AUDIT_LESS_THAN_OR_EQUAL    = (AUDIT_LESS_THAN | AUDIT_EQUAL)
	AUDIT_GREATER_THAN_OR_EQUAL = (AUDIT_GREATER_THAN | AUDIT_EQUAL)
	AUDIT_OPERATORS             = (AUDIT_EQUAL | AUDIT_NOT_EQUAL | AUDIT_BIT_MASK)
	/* Status symbols */
	/* Mask values */
	AUDIT_STATUS_ENABLED       = 0x0001
	AUDIT_STATUS_FAILURE       = 0x0002
	AUDIT_STATUS_PID           = 0x0004
	AUDIT_STATUS_RATE_LIMIT    = 0x0008
	AUDIT_STATUS_BACKLOG_LIMIT = 0x0010
	/* Failure-to-log actions */
	AUDIT_FAIL_SILENT = 0
	AUDIT_FAIL_PRINTK = 1
	AUDIT_FAIL_PANIC  = 2

	AUDIT_ARCH_ALPHA    = (EM_ALPHA | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	AUDIT_ARCH_ARM      = (EM_ARM | __AUDIT_ARCH_LE)
	AUDIT_ARCH_ARMEB    = (EM_ARM)
	AUDIT_ARCH_CRIS     = (EM_CRIS | __AUDIT_ARCH_LE)
	AUDIT_ARCH_FRV      = (EM_FRV)
	AUDIT_ARCH_I386     = (EM_386 | __AUDIT_ARCH_LE)
	AUDIT_ARCH_IA64     = (EM_IA_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	AUDIT_ARCH_M32R     = (EM_M32R)
	AUDIT_ARCH_M68K     = (EM_68K)
	AUDIT_ARCH_MIPS     = (EM_MIPS)
	AUDIT_ARCH_MIPSEL   = (EM_MIPS | __AUDIT_ARCH_LE)
	AUDIT_ARCH_MIPS64   = (EM_MIPS | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_MIPSEL64 = (EM_MIPS | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	//	AUDIT_ARCH_OPENRISC = (EM_OPENRISC)
	//	AUDIT_ARCH_PARISC   = (EM_PARISC)
	//	AUDIT_ARCH_PARISC64 = (EM_PARISC | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_PPC     = (EM_PPC)
	AUDIT_ARCH_PPC64   = (EM_PPC64 | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_S390    = (EM_S390)
	AUDIT_ARCH_S390X   = (EM_S390 | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_SH      = (EM_SH)
	AUDIT_ARCH_SHEL    = (EM_SH | __AUDIT_ARCH_LE)
	AUDIT_ARCH_SH64    = (EM_SH | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_SHEL64  = (EM_SH | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	AUDIT_ARCH_SPARC   = (EM_SPARC)
	AUDIT_ARCH_SPARC64 = (EM_SPARCV9 | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_X86_64  = (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	///Temporary Solution need to add linux/elf-em.h
	EM_NONE  = 0
	EM_M32   = 1
	EM_SPARC = 2
	EM_386   = 3
	EM_68K   = 4
	EM_88K   = 5
	EM_486   = 6 /* Perhaps disused */
	EM_860   = 7
	EM_MIPS  = 8 /* MIPS R3000 (officially, big-endian only) */
	/* Next two are historical and binaries and
	   modules of these types will be rejected by
	   Linux.  */
	EM_MIPS_RS3_LE = 10 /* MIPS R3000 little-endian */
	EM_MIPS_RS4_BE = 10 /* MIPS R4000 big-endian */

	EM_PARISC      = 15     /* HPPA */
	EM_SPARC32PLUS = 18     /* Sun's "v8plus" */
	EM_PPC         = 20     /* PowerPC */
	EM_PPC64       = 21     /* PowerPC64 */
	EM_SPU         = 23     /* Cell BE SPU */
	EM_ARM         = 40     /* ARM 32 bit */
	EM_SH          = 42     /* SuperH */
	EM_SPARCV9     = 43     /* SPARC v9 64-bit */
	EM_IA_64       = 50     /* HP/Intel IA-64 */
	EM_X86_64      = 62     /* AMD x86-64 */
	EM_S390        = 22     /* IBM S/390 */
	EM_CRIS        = 76     /* Axis Communications 32-bit embedded processor */
	EM_V850        = 87     /* NEC v850 */
	EM_M32R        = 88     /* Renesas M32R */
	EM_MN10300     = 89     /* Panasonic/MEI MN10300, AM33 */
	EM_BLACKFIN    = 106    /* ADI Blackfin Processor */
	EM_TI_C6000    = 140    /* TI C6X DSPs */
	EM_AARCH64     = 183    /* ARM 64 bit */
	EM_FRV         = 0x5441 /* Fujitsu FR-V */
	EM_AVR32       = 0x18ad /* Atmel AVR32 */

	/*
	 * This is an interim value that we will use until the committee comes
	 * up with a final number.
	 */
	EM_ALPHA = 0x9026

	/* Bogus old v850 magic number, used by old tools. */
	EM_CYGNUS_V850 = 0x9080
	/* Bogus old m32r magic number, used by old tools. */
	EM_CYGNUS_M32R = 0x9041
	/* This is the old interim value for S/390 architecture */
	EM_S390_OLD = 0xA390
	/* Also Panasonic/MEI MN10300, AM33 */
	EM_CYGNUS_MN10300 = 0xbeef
)
View Source 
const (
	AUDIT_GET         auditConstant = 1000 /* Get status */
	AUDIT_SET         auditConstant = 1001 /* Set status (enable/disable/auditd) */
	AUDIT_LIST        auditConstant = 1002 /* List syscall rules -- deprecated */
	AUDIT_ADD         auditConstant = 1003 /* Add syscall rule -- deprecated */
	AUDIT_DEL         auditConstant = 1004 /* Delete syscall rule -- deprecated */
	AUDIT_USER        auditConstant = 1005 /* Message from userspace -- deprecated */
	AUDIT_LOGIN       auditConstant = 1006 /* Define the login id and information */
	AUDIT_WATCH_INS   auditConstant = 1007 /* Insert file/dir watch entry */
	AUDIT_WATCH_REM   auditConstant = 1008 /* Remove file/dir watch entry */
	AUDIT_WATCH_LIST  auditConstant = 1009 /* List all file/dir watches */
	AUDIT_SIGNAL_INFO auditConstant = 1010 /* Get info about sender of signal to auditd */
	AUDIT_ADD_RULE    auditConstant = 1011 /* Add syscall filtering rule */
	AUDIT_DEL_RULE    auditConstant = 1012 /* Delete syscall filtering rule */
	AUDIT_LIST_RULES  auditConstant = 1013 /* List syscall filtering rules */
	AUDIT_TRIM        auditConstant = 1014 /* Trim junk from watched tree */
	AUDIT_MAKE_EQUIV  auditConstant = 1015 /* Append to watched tree */
	AUDIT_TTY_GET     auditConstant = 1016 /* Get TTY auditing status */
	AUDIT_TTY_SET     auditConstant = 1017 /* Set TTY auditing status */
	AUDIT_SET_FEATURE auditConstant = 1018 /* Turn an audit feature on or off */
	AUDIT_GET_FEATURE auditConstant = 1019 /* Get which features are enabled */

	AUDIT_FIRST_USER_MSG   auditConstant = 1100 /* First user space message */
	AUDIT_LAST_USER_MSG    auditConstant = 1199 /* Last user space message */
	AUDIT_USER_AUTH        auditConstant = 1100 /* User space authentication */
	AUDIT_USER_ACCT        auditConstant = 1101 /* User space acct change */
	AUDIT_USER_MGMT        auditConstant = 1102 /* User space acct management */
	AUDIT_CRED_ACQ         auditConstant = 1103 /* User space credential acquired */
	AUDIT_CRED_DISP        auditConstant = 1104 /* User space credential disposed */
	AUDIT_USER_START       auditConstant = 1105 /* User space session start */
	AUDIT_USER_END         auditConstant = 1106 /* User space session end */
	AUDIT_USER_AVC         auditConstant = 1107 /* User space avc message */
	AUDIT_USER_CHAUTHTOK   auditConstant = 1108 /* User space acct attr changed */
	AUDIT_USER_ERR         auditConstant = 1109 /* User space acct state err */
	AUDIT_CRED_REFR        auditConstant = 1110 /* User space credential refreshed */
	AUDIT_USYS_CONFIG      auditConstant = 1111 /* User space system config change */
	AUDIT_USER_LOGIN       auditConstant = 1112 /* User space user has logged in */
	AUDIT_USER_LOGOUT      auditConstant = 1113 /* User space user has logged out */
	AUDIT_ADD_USER         auditConstant = 1114 /* User space user account added */
	AUDIT_DEL_USER         auditConstant = 1115 /* User space user account deleted */
	AUDIT_ADD_GROUP        auditConstant = 1116 /* User space group added */
	AUDIT_DEL_GROUP        auditConstant = 1117 /* User space group deleted */
	AUDIT_DAC_CHECK        auditConstant = 1118 /* User space DAC check results */
	AUDIT_CHGRP_ID         auditConstant = 1119 /* User space group ID changed */
	AUDIT_TEST             auditConstant = 1120 /* Used for test success messages */
	AUDIT_TRUSTED_APP      auditConstant = 1121 /* Trusted app msg - freestyle text */
	AUDIT_USER_SELINUX_ERR auditConstant = 1122 /* SE Linux user space error */
	AUDIT_USER_CMD         auditConstant = 1123 /* User shell command and args */
	AUDIT_USER_TTY         auditConstant = 1124 /* Non-ICANON TTY input meaning */
	AUDIT_CHUSER_ID        auditConstant = 1125 /* Changed user ID supplemental data */
	AUDIT_GRP_AUTH         auditConstant = 1126 /* Authentication for group password */
	AUDIT_SYSTEM_BOOT      auditConstant = 1127 /* System boot */
	AUDIT_SYSTEM_SHUTDOWN  auditConstant = 1128 /* System shutdown */
	AUDIT_SYSTEM_RUNLEVEL  auditConstant = 1129 /* System runlevel change */
	AUDIT_SERVICE_START    auditConstant = 1130 /* Service (daemon) start */
	AUDIT_SERVICE_STOP     auditConstant = 1131 /* Service (daemon) stop */
	AUDIT_GRP_MGMT         auditConstant = 1132 /* Group account attr was modified */
	AUDIT_GRP_CHAUTHTOK    auditConstant = 1133 /* Group acct password or pin changed */
	AUDIT_MAC_CHECK        auditConstant = 1134 /* User space MAC decision results */
	AUDIT_ACCT_LOCK        auditConstant = 1135 /* User's account locked by admin */
	AUDIT_ACCT_UNLOCK      auditConstant = 1136 /* User's account unlocked by admin */

	AUDIT_FIRST_DAEMON    auditConstant = 1200
	AUDIT_LAST_DAEMON     auditConstant = 1299
	AUDIT_DAEMON_CONFIG   auditConstant = 1203 /* Daemon config change */
	AUDIT_DAEMON_RECONFIG auditConstant = 1204 /* Auditd should reconfigure */
	AUDIT_DAEMON_ROTATE   auditConstant = 1205 /* Auditd should rotate logs */
	AUDIT_DAEMON_RESUME   auditConstant = 1206 /* Auditd should resume logging */
	AUDIT_DAEMON_ACCEPT   auditConstant = 1207 /* Auditd accepted remote connection */
	AUDIT_DAEMON_CLOSE    auditConstant = 1208 /* Auditd closed remote connection */

	AUDIT_SYSCALL auditConstant = 1300 /* Syscall event */
	/* AUDIT_FS_WATCH     auditConstant       =   1301     * Deprecated */
	AUDIT_PATH           auditConstant = 1302 /* Filename path information */
	AUDIT_IPC            auditConstant = 1303 /* IPC record */
	AUDIT_SOCKETCALL     auditConstant = 1304 /* sys_socketcall arguments */
	AUDIT_CONFIG_CHANGE  auditConstant = 1305 /* Audit system configuration change */
	AUDIT_SOCKADDR       auditConstant = 1306 /* sockaddr copied as syscall arg */
	AUDIT_CWD            auditConstant = 1307 /* Current working directory */
	AUDIT_EXECVE         auditConstant = 1309 /* execve arguments */
	AUDIT_IPC_SET_PERM   auditConstant = 1311 /* IPC new permissions record type */
	AUDIT_MQ_OPEN        auditConstant = 1312 /* POSIX MQ open record type */
	AUDIT_MQ_SENDRECV    auditConstant = 1313 /* POSIX MQ send/receive record type */
	AUDIT_MQ_NOTIFY      auditConstant = 1314 /* POSIX MQ notify record type */
	AUDIT_MQ_GETSETATTR  auditConstant = 1315 /* POSIX MQ get/set attribute record type */
	AUDIT_KERNEL_OTHER   auditConstant = 1316 /* For use by 3rd party modules */
	AUDIT_FD_PAIR        auditConstant = 1317 /* audit record for pipe/socketpair */
	AUDIT_OBJ_PID        auditConstant = 1318 /* ptrace target */
	AUDIT_TTY            auditConstant = 1319 /* Input on an administrative TTY */
	AUDIT_EOE            auditConstant = 1320 /* End of multi-record event */
	AUDIT_BPRM_FCAPS     auditConstant = 1321 /* Information about fcaps increasing perms */
	AUDIT_CAPSET         auditConstant = 1322 /* Record showing argument to sys_capset */
	AUDIT_MMAP           auditConstant = 1323 /* Record showing descriptor and flags in mmap */
	AUDIT_NETFILTER_PKT  auditConstant = 1324 /* Packets traversing netfilter chains */
	AUDIT_NETFILTER_CFG  auditConstant = 1325 /* Netfilter chain modifications */
	AUDIT_SECCOMP        auditConstant = 1326 /* Secure Computing event */
	AUDIT_PROCTITLE      auditConstant = 1327 /* Proctitle emit event */
	AUDIT_FEATURE_CHANGE auditConstant = 1328 /* audit log listing feature changes */

	/* AUDIT_FIRST_EVENT       1300 */ //TODO: libaudit define this as AUDIT_FIRST_EVENT but audit.h differently.
	AUDIT_LAST_EVENT                   auditConstant = 1399

	/* AUDIT_FIRST_SELINUX     1400 */ // TODO: libaudit define this as AUDIT_FIRST_SELINUX but audit.h as AUDIT_AVC
	AUDIT_AVC                          auditConstant = 1400 /* SE Linux avc denial or grant */
	AUDIT_SELINUX_ERR                  auditConstant = 1401 /* internal SE Linux Errors */
	AUDIT_AVC_PATH                     auditConstant = 1402 /* dentry, vfsmount pair from avc */
	AUDIT_MAC_POLICY_LOAD              auditConstant = 1403 /* Policy file load */
	AUDIT_MAC_STATUS                   auditConstant = 1404 /* Changed enforcing,permissive,off */
	AUDIT_MAC_CONFIG_CHANGE            auditConstant = 1405 /* Changes to booleans */
	AUDIT_MAC_UNLBL_ALLOW              auditConstant = 1406 /* NetLabel: allow unlabeled traffic */
	AUDIT_MAC_CIPSOV4_ADD              auditConstant = 1407 /* NetLabel: add CIPSOv4 DOI entry */
	AUDIT_MAC_CIPSOV4_DEL              auditConstant = 1408 /* NetLabel: del CIPSOv4 DOI entry */
	AUDIT_MAC_MAP_ADD                  auditConstant = 1409 /* NetLabel: add LSM domain mapping */
	AUDIT_MAC_MAP_DEL                  auditConstant = 1410 /* NetLabel: del LSM domain mapping */
	AUDIT_MAC_IPSEC_ADDSA              auditConstant = 1411 /* Not used */
	AUDIT_MAC_IPSEC_DELSA              auditConstant = 1412 /* Not used  */
	AUDIT_MAC_IPSEC_ADDSPD             auditConstant = 1413 /* Not used */
	AUDIT_MAC_IPSEC_DELSPD             auditConstant = 1414 /* Not used */
	AUDIT_MAC_IPSEC_EVENT              auditConstant = 1415 /* Audit an IPSec event */
	AUDIT_MAC_UNLBL_STCADD             auditConstant = 1416 /* NetLabel: add a static label */
	AUDIT_MAC_UNLBL_STCDEL             auditConstant = 1417 /* NetLabel: del a static label */
	AUDIT_LAST_SELINUX                 auditConstant = 1499

	AUDIT_FIRST_APPARMOR auditConstant = 1500
	AUDIT_LAST_APPARMOR  auditConstant = 1599

	AUDIT_AA               auditConstant = 1500 /* Not upstream yet*/
	AUDIT_APPARMOR_AUDIT   auditConstant = 1501
	AUDIT_APPARMOR_ALLOWED auditConstant = 1502
	AUDIT_APPARMOR_DENIED  auditConstant = 1503
	AUDIT_APPARMOR_HT      auditConstant = 1504
	AUDIT_APPARMOR_STATUS  auditConstant = 1505
	AUDIT_APPARMOR_ERROR   auditConstant = 1506

	AUDIT_FIRST_KERN_CRYPTO_MSG auditConstant = 1600
	AUDIT_LAST_KERN_CRYPTO_MSG  auditConstant = 1699

	// AUDIT_FIRST_KERN_ANOM_MSG auditConstant = 1700
	AUDIT_LAST_KERN_ANOM_MSG auditConstant = 1799
	AUDIT_ANOM_PROMISCUOUS   auditConstant = 1700 /* Device changed promiscuous mode */
	AUDIT_ANOM_ABEND         auditConstant = 1701 /* Process ended abnormally */
	AUDIT_ANOM_LINK          auditConstant = 1702 /* Suspicious use of file links */

	AUDIT_INTEGRITY_FIRST_MSG auditConstant = 1800
	AUDIT_TINTEGRITY_LAST_MSG auditConstant = 1899

	AUDIT_INTEGRITY_DATA     auditConstant = 1800 /* Data integrity verification */
	AUDIT_INTEGRITY_METADATA auditConstant = 1801 // Metadata integrity verification
	AUDIT_INTEGRITY_STATUS   auditConstant = 1802 /* integrity enable status */
	AUDIT_INTEGRITY_HASH     auditConstant = 1803 /* integrity HASH type */
	AUDIT_INTEGRITY_PCR      auditConstant = 1804 /* PCR invalidation msgs */
	AUDIT_INTEGRITY_RULE     auditConstant = 1805 /* Policy rule */
	AUDIT_KERNEL             auditConstant = 2000 /* Asynchronous audit record. NOT A REQUEST. */

	AUDIT_FIRST_ANOM_MSG           auditConstant = 2100
	AUDIT_LAST_ANOM_MSG            auditConstant = 2199
	AUDIT_ANOM_LOGIN_FAILURES      auditConstant = 2100 // Failed login limit reached
	AUDIT_ANOM_LOGIN_TIME          auditConstant = 2101 // Login attempted at bad time
	AUDIT_ANOM_LOGIN_SESSIONS      auditConstant = 2102 // Max concurrent sessions reached
	AUDIT_ANOM_LOGIN_ACCT          auditConstant = 2103 // Login attempted to watched acct
	AUDIT_ANOM_LOGIN_LOCATION      auditConstant = 2104 // Login from forbidden location
	AUDIT_ANOM_MAX_DAC             auditConstant = 2105 // Max DAC failures reached
	AUDIT_ANOM_MAX_MAC             auditConstant = 2106 // Max MAC failures reached
	AUDIT_ANOM_AMTU_FAIL           auditConstant = 2107 // AMTU failure
	AUDIT_ANOM_RBAC_FAIL           auditConstant = 2108 // RBAC self test failure
	AUDIT_ANOM_RBAC_INTEGRITY_FAIL auditConstant = 2109 // RBAC file Tegrity failure
	AUDIT_ANOM_CRYPTO_FAIL         auditConstant = 2110 // Crypto system test failure
	AUDIT_ANOM_ACCESS_FS           auditConstant = 2111 // Access of file or dir
	AUDIT_ANOM_EXEC                auditConstant = 2112 // Execution of file
	AUDIT_ANOM_MK_EXEC             auditConstant = 2113 // Make an executable
	AUDIT_ANOM_ADD_ACCT            auditConstant = 2114 // Adding an acct
	AUDIT_ANOM_DEL_ACCT            auditConstant = 2115 // Deleting an acct
	AUDIT_ANOM_MOD_ACCT            auditConstant = 2116 // Changing an acct
	AUDIT_ANOM_ROOT_TRANS          auditConstant = 2117 // User became root

	AUDIT_FIRST_ANOM_RESP        auditConstant = 2200
	AUDIT_LAST_ANOM_RESP         auditConstant = 2299
	AUDIT_RESP_ANOMALY           auditConstant = 2200 /* Anomaly not reacted to */
	AUDIT_RESP_ALERT             auditConstant = 2201 /* Alert email was sent */
	AUDIT_RESP_KILL_PROC         auditConstant = 2202 /* Kill program */
	AUDIT_RESP_TERM_ACCESS       auditConstant = 2203 /* Terminate session */
	AUDIT_RESP_ACCT_REMOTE       auditConstant = 2204 /* Acct locked from remote access*/
	AUDIT_RESP_ACCT_LOCK_TIMED   auditConstant = 2205 /* User acct locked for time */
	AUDIT_RESP_ACCT_UNLOCK_TIMED auditConstant = 2206 /* User acct unlocked from time */
	AUDIT_RESP_ACCT_LOCK         auditConstant = 2207 /* User acct was locked */
	AUDIT_RESP_TERM_LOCK         auditConstant = 2208 /* Terminal was locked */
	AUDIT_RESP_SEBOOL            auditConstant = 2209 /* Set an SE Linux boolean */
	AUDIT_RESP_EXEC              auditConstant = 2210 /* Execute a script */
	AUDIT_RESP_SINGLE            auditConstant = 2211 /* Go to single user mode */
	AUDIT_RESP_HALT              auditConstant = 2212 /* take the system down */

	AUDIT_FIRST_USER_LSPP_MSG    auditConstant = 2300
	AUDIT_LAST_USER_LSPP_MSG     auditConstant = 2399
	AUDIT_USER_ROLE_CHANGE       auditConstant = 2300 /* User changed to a new role */
	AUDIT_ROLE_ASSIGN            auditConstant = 2301 /* Admin assigned user to role */
	AUDIT_ROLE_REMOVE            auditConstant = 2302 /* Admin removed user from role */
	AUDIT_LABEL_OVERRIDE         auditConstant = 2303 /* Admin is overriding a label */
	AUDIT_LABEL_LEVEL_CHANGE     auditConstant = 2304 /* Object's level was changed */
	AUDIT_USER_LABELED_EXPORT    auditConstant = 2305 /* Object exported with label */
	AUDIT_USER_UNLABELED_EXPORT  auditConstant = 2306 /* Object exported without label */
	AUDIT_DEV_ALLOC              auditConstant = 2307 /* Device was allocated */
	AUDIT_DEV_DEALLOC            auditConstant = 2308 /* Device was deallocated */
	AUDIT_FS_RELABEL             auditConstant = 2309 /* Filesystem relabeled */
	AUDIT_USER_MAC_POLICY_LOAD   auditConstant = 2310 /* Userspc daemon loaded policy */
	AUDIT_ROLE_MODIFY            auditConstant = 2311 /* Admin modified a role */
	AUDIT_USER_MAC_CONFIG_CHANGE auditConstant = 2312 /* Change made to MAC policy */

	AUDIT_FIRST_CRYPTO_MSG         auditConstant = 2400
	AUDIT_CRYPTO_TEST_USER         auditConstant = 2400 /* Crypto test results */
	AUDIT_CRYPTO_PARAM_CHANGE_USER auditConstant = 2401 /* Crypto attribute change */
	AUDIT_CRYPTO_LOGIN             auditConstant = 2402 /* Logged in as crypto officer */
	AUDIT_CRYPTO_LOGOUT            auditConstant = 2403 /* Logged out from crypto */
	AUDIT_CRYPTO_KEY_USER          auditConstant = 2404 /* Create,delete,negotiate */
	AUDIT_CRYPTO_FAILURE_USER      auditConstant = 2405 /* Fail decrypt,encrypt,randomiz */
	AUDIT_CRYPTO_REPLAY_USER       auditConstant = 2406 /* Crypto replay detected */
	AUDIT_CRYPTO_SESSION           auditConstant = 2407 /* Record parameters set during TLS session establishment */
	AUDIT_CRYPTO_IKE_SA            auditConstant = 2408 /* Record parameters related to IKE SA */
	AUDIT_CRYPTO_IPSEC_SA          auditConstant = 2409 /* Record parameters related to IPSEC SA */

	AUDIT_LAST_CRYPTO_MSG auditConstant = 2499

	AUDIT_FIRST_VIRT_MSG  auditConstant = 2500
	AUDIT_VIRT_CONTROL    auditConstant = 2500 /* Start, Pause, Stop VM */
	AUDIT_VIRT_RESOURCE   auditConstant = 2501 /* Resource assignment */
	AUDIT_VIRT_MACHINE_ID auditConstant = 2502 /* Binding of label to VM */
	AUDIT_LAST_VIRT_MSG   auditConstant = 2599
	AUDIT_LAST_USER_MSG2  auditConstant = 2999
	// Field Comparing Constants
	AUDIT_COMPARE_UID_TO_OBJ_UID   auditConstant = 1
	AUDIT_COMPARE_GID_TO_OBJ_GID   auditConstant = 2
	AUDIT_COMPARE_EUID_TO_OBJ_UID  auditConstant = 3
	AUDIT_COMPARE_EGID_TO_OBJ_GID  auditConstant = 4
	AUDIT_COMPARE_AUID_TO_OBJ_UID  auditConstant = 5
	AUDIT_COMPARE_SUID_TO_OBJ_UID  auditConstant = 6
	AUDIT_COMPARE_SGID_TO_OBJ_GID  auditConstant = 7
	AUDIT_COMPARE_FSUID_TO_OBJ_UID auditConstant = 8
	AUDIT_COMPARE_FSGID_TO_OBJ_GID auditConstant = 9
	AUDIT_COMPARE_UID_TO_AUID      auditConstant = 10
	AUDIT_COMPARE_UID_TO_EUID      auditConstant = 11
	AUDIT_COMPARE_UID_TO_FSUID     auditConstant = 12
	AUDIT_COMPARE_UID_TO_SUID      auditConstant = 13
	AUDIT_COMPARE_AUID_TO_FSUID    auditConstant = 14
	AUDIT_COMPARE_AUID_TO_SUID     auditConstant = 15
	AUDIT_COMPARE_AUID_TO_EUID     auditConstant = 16
	AUDIT_COMPARE_EUID_TO_SUID     auditConstant = 17
	AUDIT_COMPARE_EUID_TO_FSUID    auditConstant = 18
	AUDIT_COMPARE_SUID_TO_FSUID    auditConstant = 19
	AUDIT_COMPARE_GID_TO_EGID      auditConstant = 20
	AUDIT_COMPARE_GID_TO_FSGID     auditConstant = 21
	AUDIT_COMPARE_GID_TO_SGID      auditConstant = 22
	AUDIT_COMPARE_EGID_TO_FSGID    auditConstant = 23
	AUDIT_COMPARE_EGID_TO_SGID     auditConstant = 24
	AUDIT_COMPARE_SGID_TO_FSGID    auditConstant = 25
)
View Source 
const (
	AUDIT_STATUS_SIZE = 36 // Size of auditStatus
)

Variables

View Source 
var MsgTypeTab = map[string]auditConstant{}/* 162 elements not displayed */

MsgTypeTab is for looking audit header type based on string prefixes attached to audit messages

Functions

func AuditIsEnabled 

func AuditIsEnabled(s Netlink) (bool, error)

Returns true if the auditing subsystem is enabled in the kernel

func AuditSetBacklogLimit 

func AuditSetBacklogLimit(s Netlink, limit int) error

AuditSetBacklogLimit sets the backlog limit for audit messages in the kernel

func AuditSetEnabled 

func AuditSetEnabled(s Netlink, enabled bool) (err error)

Enable or disable auditing in the kernel

func AuditSetPID 

func AuditSetPID(s Netlink, pid int) error

Set PID for audit daemon in kernel (audit_set_pid(3))

func AuditSetRateLimit 

func AuditSetRateLimit(s Netlink, limit int) error

AuditSetRateLimit sets the rate limit for audit messages from the kernel

func AuditSyscallToName 

func AuditSyscallToName(syscall string) (name string, err error)

AuditSyscallToName takes syscall number and returns the syscall name. Currently only applicable for x64 arch.

func DeleteAllRules 

func DeleteAllRules(s Netlink) error

Purge all audit rules currently in use in the audit system

func GetAuditEvents 

func GetAuditEvents(s Netlink, cb EventCallback, args ...interface{})

GetAuditEvents receives audit messages from the kernel and parses them to AuditEvent struct. It passes them along the callback function and if any error occurs while receiving the message, the same will be passed in the callback as well. Code that receives the message runs inside a go-routine.

func GetAuditMessages 

func GetAuditMessages(s Netlink, cb EventCallback, done *chan bool, args ...interface{})

GetAuditMessages is a blocking function (runs in forever for loop) that receives audit messages from kernel and parses them to AuditEvent. It passes them along the callback function and if any error occurs while receiving the message, the same will be passed in the callback as well. It will return when a signal is received on the done channel.

func GetRawAuditEvents 

func GetRawAuditEvents(s Netlink, cb RawEventCallback, args ...interface{})

GetRawAuditEvents receives raw audit messages from kernel parses them to AuditEvent struct. It passes them along the callback function and if any error occurs while receiving the message, the same will be passed in the callback as well. Code that receives the message runs inside a go-routine.

func ListAllRules 

func ListAllRules(s Netlink) ([]string, error)

ListAllRules lists all audit rules currently loaded in audit kernel. It displays them in the standard auditd format as done by auditctl utility. It also returns a list of strings that contain the audit rules (in auditctl format)

func ParseAuditEventRegex 

func ParseAuditEventRegex(str string) (serial string, timestamp string, m map[string]string, err error)

ParseAuditEventRegex takes an audit event message and returns the essentials to form an AuditEvent struct regex used in the function should always match for a proper audit event

func SetRules 

func SetRules(s Netlink, content []byte) error

SetRules reads the configuration file for audit rules and sets them in kernel. It expects the config in a json formatted string of following format: 

{
    "delete": true,
    "enable": "1",
    "buffer": "16348",
    "rate": "500",
    "strict_path_check": false,
    "file_rules": [
        {
            "path": "/etc/audit/",
            "key": "audit",
            "permission": "wa"
        }
	],
	"syscall_rules": [
        {
            "key": "bypass",
            "fields": [
                {
                    "name": "arch",
                    "value": 64,
                    "op": "eq"
                }
            ],
            "syscalls": [
                "personality"
            ],
            "actions": [
                "always",
                "exit"
            ]
        },
        {
            "fields": [
                {
                    "name": "dir",
                    "value": "/usr/lib/nagios/plugins",
                    "op": "eq"
                },
                {
                    "name": "perm",
                    "value": "x",
                    "op": "eq"
                }
            ],
            "actions": [
                "exit",
                "never"
            ]
		},
        {
            "syscalls": [
                "clone",
                "fork",
                "vfork"
            ],
            "actions": [
                "entry",
                "always"
            ]
        }
	]
}

Types

type AuditEvent 

type AuditEvent struct {
	Serial    string
	Timestamp string
	Type      string
	Data      map[string]string
	Raw       string
}

AuditEvent holds a parsed audit message. Serial holds the serial number for the message. Timestamp holds the unix timestamp of the message. Type indicates the type of the audit message. Data holds a map of field values of audit messages where keys => field names and values => field values. Raw string holds the original audit message received from kernel.

func NewAuditEvent 

func NewAuditEvent(msg NetlinkMessage) (*AuditEvent, error)

NewAuditEvent takes a NetlinkMessage passed from the netlink connection and parses the data from the message header to return an AuditEvent struct.

func ParseAuditEvent 

func ParseAuditEvent(str string, msgType auditConstant, interpret bool) (*AuditEvent, error)

ParseAuditEvent parses an incoming audit message from kernel and returns an AuditEvent. msgType is supposed to come from the calling function which holds the msg header indicating header type of the messages it uses simple string parsing techniques and provider better performance than the regex parser idea taken from parse_up_record(rnode* r) in ellist.c (libauparse) any intersting looking audit message should be added to parser_test and see how parser performs against it

type EventCallback 

type EventCallback func(*AuditEvent, error, ...interface{})

EventCallback is the function signature for any function that wants to receive an AuditEvent as soon as it is received from the kernel. Error will be set to indicate any error that happens while receiving messages. 

type Netlink interface {
	Send(request *NetlinkMessage) error                 // Send a NetlinkMessage
	Receive(nonblocking bool) ([]NetlinkMessage, error) // Receive netlink message(s) from the kernel
	GetPID() (int, error)                               // Get netlink peer PID
}

Interface abstracting netlink IO functions; generally used with NetlinkConnection

type NetlinkConnection 

type NetlinkConnection struct {
	// contains filtered or unexported fields
}

NetlinkConnection describes a netlink interface with the kernel.

Programs should call NewNetlinkConnection() to create a new instance.

func NewNetlinkConnection 

func NewNetlinkConnection() (ret *NetlinkConnection, err error)

Create a new netlink connection with the kernel audit subsystem and return a NetlinkConnection describing it. The process should ensure it has the required privileges before calling. An error is returned if any error is encountered creating the netlink connection.

func (*NetlinkConnection) Close 

func (s *NetlinkConnection) Close()

Close fd associated with netlink connection

func (*NetlinkConnection) GetPID 

func (s *NetlinkConnection) GetPID() (int, error)

Retrieves port ID of netlink socket peer

func (*NetlinkConnection) Receive 

func (s *NetlinkConnection) Receive(nonblocking bool) ([]NetlinkMessage, error)

Receive any available netlink messages being sent to us by the kernel

func (*NetlinkConnection) Send 

func (s *NetlinkConnection) Send(request *NetlinkMessage) error

Send netlink message using the netlink connection

type NetlinkMessage 

type NetlinkMessage syscall.NetlinkMessage

NetlinkMessage is the struct type that is used for communicating on netlink sockets.

func (*NetlinkMessage) ToWireFormat 

func (rr *NetlinkMessage) ToWireFormat() []byte

Convert a NetlinkMessage to a byte stream suitable to send to the kernel

type RawEventCallback 

type RawEventCallback func(string, error, ...interface{})

RawEventCallback is similar to EventCallback and provides a function signature but the difference is that the function will receive only the message string which contains the audit event and not the parsed AuditEvent struct.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.