audit

package module
v0.0.0-...-39cf20d Latest
Published: Feb 11, 2018 License: MIT Imports: 10 Imported by: 0

README

A/I Audit Suite

This software implements a distributed collection framework for user audit logs, which consist of high-level management events related to specific user accounts. Such logs are generated at a relatively low rate, but they are very important and must not be lost. On the other hand, this data doesn't have to be real-time: some delay in the collection pipeline is acceptable (after all, these logs are primarily useful long-term).

An interface to query the audit database is also provided, with a very simple key = value syntax.

Overview

A single audit message is a schema-less JSON dictionary describing a specific event. The meanings of its attributes are determined by convention, but a message must include at least the user, message and stamp attributes.

The design aims to be as lightweight as possible, since audit functionality has to be added to many diverse applications. It also needs to tolerate failure at any stage of the collection pipeline, so that it does not depend on a highly available network or database. It works as follows:

  • When an audit client application wants to log a message, it tries first to deliver it to the local audit daemon (via a UNIX socket). If this fails, it will store the message in a spool directory on the local filesystem.

  • The local audit daemon, which runs on every machine where audit logs are generated, is a lightweight daemon that implements the store-and-forward retry logic: when it receives an incoming message, it tries to send it to the main audit daemon, and if this fails, it stores the message in the local spool directory. It also periodically scans the spool directory and attempts to deliver messages to the main audit daemon.

  • The main audit daemon receives messages and stores them in the database.
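The client-side step of the pipeline above, as an added illustration that is not the package's own code: a minimal Message type with the README's required-attribute check, a UNIX-socket delivery attempt with a timeout, and the spool fallback. The spool file naming (nanosecond timestamp, write-then-rename) is an assumption rather than a convention the page documents; socket and spool paths are parameters.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"time"
)

// Message mirrors the package's schema-less JSON dictionary type.
type Message map[string]interface{}

// IsValid enforces the README's minimum: user, message and stamp must be present.
func (m Message) IsValid() bool {
	for _, k := range []string{"user", "message", "stamp"} {
		if _, ok := m[k]; !ok {
			return false
		}
	}
	return true
}

// Log is the client-side store-and-forward step: validate, try the local daemon's
// UNIX socket, and on any failure spool to disk. It returns "socket" or "spool".
func Log(sockPath, spoolDir string, m Message) (string, error) {
	if !m.IsValid() {
		return "", fmt.Errorf("audit message lacks user, message or stamp: %v", m)
	}
	data, err := json.Marshal(m)
	if err != nil {
		return "", err
	}
	// Short dial timeout: a hung daemon must not stall the calling application.
	if conn, err := net.DialTimeout("unix", sockPath, 2*time.Second); err == nil {
		defer conn.Close()
		if _, err = conn.Write(data); err == nil {
			return "socket", nil
		}
	}
	// Nanosecond timestamp keeps spool files in arrival order; write to a dot-prefixed
	// temp name, then rename, so a spool scan never sees a half-written file (assumed).
	name := fmt.Sprintf("%d.json", time.Now().UnixNano())
	tmp := filepath.Join(spoolDir, "."+name)
	if err := os.WriteFile(tmp, data, 0o660); err != nil {
		return "", err
	}
	return "spool", os.Rename(tmp, filepath.Join(spoolDir, name))
}
```

With the spool directory group-owned by the audit group as the README describes, mode 0660 keeps spooled messages readable by the local daemon and by nothing else.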

Authentication

The suite is meant to be deployed alongside an X.509-based authentication infrastructure where a trusted Certification Authority assigns a certificate to each machine. The local audit daemons use the machine certificates to authenticate themselves to the main audit daemon, which considers valid any certificate signed by the CA.

Client authorization is managed using UNIX permissions: the local audit socket and spool directories are owned by the audit group, so in order to allow an application to log audit events one should simply add the user it's running as to the audit group.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewUniqueId

func NewUniqueId(t time.Time) []byte

Generate a new time-based unique ID for use as a primary key. The resulting IDs can be sorted lexicographically, preserving their time ordering.

func TLSClientAuthConfig

func TLSClientAuthConfig(caFile string) *tls.Config

Create a tls.Config enforcing CA-based client authentication. The resulting Config can be used by clients and servers alike. It forces some strict connection parameters since we control both endpoints and don't have to worry about wide compatibility.

func TLSClientAuthConfigWithCerts

func TLSClientAuthConfigWithCerts(caFile, certFile, keyFile string) *tls.Config

Same as TLSClientAuthConfig, but also loads the client certificate and key.

Types

type Message

type Message map[string]interface{}

A message is a map of strings to arbitrary types.

func MessageFromJSON

func MessageFromJSON(data []byte) (Message, error)

func MessageFromJSONReader

func MessageFromJSONReader(r io.Reader) (Message, error)

func (Message) GetString

func (m Message) GetString(key string) string

func (Message) IsValid

func (m Message) IsValid() bool

func (Message) Stamp

func (m Message) Stamp() time.Time

func (Message) ToJSON

func (m Message) ToJSON() []byte

Directories

Path Synopsis
Godeps
_workspace/src/github.com/golang/snappy
Package snappy implements the snappy block-based compression format.
_workspace/src/github.com/syndtr/goleveldb/leveldb
Package leveldb provides implementation of LevelDB key/value database.
_workspace/src/github.com/syndtr/goleveldb/leveldb/cache
Package cache provides interface and implementation of a cache algorithms.
_workspace/src/github.com/syndtr/goleveldb/leveldb/comparer
Package comparer provides interface and implementation for ordering sets of data.
_workspace/src/github.com/syndtr/goleveldb/leveldb/errors
Package errors provides common error types used throughout leveldb.
_workspace/src/github.com/syndtr/goleveldb/leveldb/filter
Package filter provides interface and implementation of probabilistic data structure.
_workspace/src/github.com/syndtr/goleveldb/leveldb/iterator
Package iterator provides interface and implementation to traverse over contents of a database.
_workspace/src/github.com/syndtr/goleveldb/leveldb/journal
Package journal reads and writes sequences of journals.
_workspace/src/github.com/syndtr/goleveldb/leveldb/memdb
Package memdb provides in-memory key/value database implementation.
_workspace/src/github.com/syndtr/goleveldb/leveldb/opt
Package opt provides sets of options used by LevelDB.
_workspace/src/github.com/syndtr/goleveldb/leveldb/storage
Package storage provides storage abstraction for LevelDB.
_workspace/src/github.com/syndtr/goleveldb/leveldb/table
Package table allows read and write sorted key/value.
_workspace/src/github.com/syndtr/goleveldb/leveldb/util
Package util provides utilities used throughout leveldb.
cmd
auditc
Command-line client for the audit log collection suite.
