Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func ToCommandLine (added in v0.4.0)
func ToCommandLine(wf WireFormat, resolveIds bool) (rule string, err error)
ToCommandLine decodes a WireFormat into a command-line rule. When resolveIds is set, it tries to resolve the arguments of UID, GID and file_type fields to their symbolic names. `auditctl -l` always prints the numeric (non-resolved) representation of these fields, so when the flag is false the output matches auditctl. There is one exception to this rule when decoding the `arch` field: auditctl always prints "b64" or "b32", even for architectures other than the current machine's. Because that is misleading, this code prints the actual architecture instead.
Types
type AccessType
type AccessType uint8
AccessType specifies the type of file access to audit.
const (
	ReadAccessType AccessType = iota + 1
	WriteAccessType
	ExecuteAccessType
	AttributeChangeAccessType
)
The access types that can be audited for file watches.
func (AccessType) String
func (t AccessType) String() string
type DeleteAllRule
DeleteAllRule deletes all existing rules.
func (*DeleteAllRule) TypeOf
func (r *DeleteAllRule) TypeOf() Type
TypeOf returns DeleteAllRuleType.
type FileWatchRule
type FileWatchRule struct {
	Type        Type
	Path        string
	Permissions []AccessType
	Keys        []string
}
FileWatchRule is used to audit access to particular files or directories that you may be interested in.
func (*FileWatchRule) TypeOf
func (r *FileWatchRule) TypeOf() Type
TypeOf returns FileWatchRuleType.
type FilterSpec
type FilterSpec struct {
	Type       FilterType
	LHS        string
	Comparator string
	RHS        string
}
FilterSpec defines a filter to apply to a syscall rule.
func (*FilterSpec) String
func (f *FilterSpec) String() string
type FilterType
type FilterType uint8
FilterType specifies a type of filter to apply to a syscall rule.
const (
	InterFieldFilterType FilterType = iota + 1 // Inter-field comparison filtering (-C).
	ValueFilterType                            // Filtering based on values (-F).
)
The types of filter that can be applied.
type Rule
type Rule interface {
	TypeOf() Type // TypeOf returns the type of rule.
}
Rule is the generic interface that all rule types implement.
type SyscallRule
type SyscallRule struct {
	Type     Type
	List     string
	Action   string
	Filters  []FilterSpec
	Syscalls []string
	Keys     []string
}
SyscallRule is used to audit invocations of specific syscalls.
func (*SyscallRule) TypeOf
func (r *SyscallRule) TypeOf() Type
TypeOf returns either AppendSyscallRuleType or PrependSyscallRuleType.
type WireFormat
type WireFormat []byte
WireFormat is the binary representation of a rule as used to exchange rules (commands) with the kernel.
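The following is an added example, not code from the page or from the package it documents. It shows how the struct fields above map onto the auditctl flag syntax that ToCommandLine produces: a FileWatchRule becomes `-w PATH -p PERMS -k KEY` and a SyscallRule becomes `-a ACTION,LIST` followed by `-F`/`-C` filters, `-S` syscalls and `-k` keys. To run without the module it carries local copies of AccessType, FilterType, FilterSpec, FileWatchRule and SyscallRule (the `Type` field is omitted because the page does not define the Type enum); the rendering functions `FileWatchCommandLine` and `SyscallCommandLine`, the single-letter permission codes returned by `String`, and the sample rules are all this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Local mirror of the page's AccessType (assumption: same iota + 1 numbering).
type AccessType uint8

const (
	ReadAccessType AccessType = iota + 1
	WriteAccessType
	ExecuteAccessType
	AttributeChangeAccessType
)

// String returns the one-letter permission code auditctl accepts after -p.
func (t AccessType) String() string {
	switch t {
	case ReadAccessType:
		return "r"
	case WriteAccessType:
		return "w"
	case ExecuteAccessType:
		return "x"
	case AttributeChangeAccessType:
		return "a"
	}
	return fmt.Sprintf("?(%d)", uint8(t))
}

// Local mirror of the page's FilterType: -C for inter-field, -F for value filters.
type FilterType uint8

const (
	InterFieldFilterType FilterType = iota + 1
	ValueFilterType
)

type FilterSpec struct {
	Type       FilterType
	LHS        string
	Comparator string
	RHS        string
}

type FileWatchRule struct {
	Path        string
	Permissions []AccessType
	Keys        []string
}

type SyscallRule struct {
	List     string
	Action   string
	Filters  []FilterSpec
	Syscalls []string
	Keys     []string
}

// FileWatchCommandLine renders a file watch as "-w PATH -p PERMS -k KEY ...".
func FileWatchCommandLine(r FileWatchRule) (string, error) {
	if r.Path == "" {
		return "", errors.New("file watch rule has no path")
	}
	parts := []string{"-w", r.Path}
	if len(r.Permissions) > 0 {
		var perms strings.Builder
		for _, p := range r.Permissions {
			perms.WriteString(p.String())
		}
		parts = append(parts, "-p", perms.String())
	}
	for _, k := range r.Keys {
		parts = append(parts, "-k", k)
	}
	return strings.Join(parts, " "), nil
}

// SyscallCommandLine renders "-a ACTION,LIST [-F|-C FILTER]... -S SYSCALLS -k KEY ...".
// Filters are emitted before -S because auditctl requires an arch filter to precede the syscall list.
func SyscallCommandLine(r SyscallRule) (string, error) {
	if r.Action == "" || r.List == "" {
		return "", errors.New("syscall rule needs both an action and a list")
	}
	parts := []string{"-a", r.Action + "," + r.List}
	for _, f := range r.Filters {
		flag := "-F"
		if f.Type == InterFieldFilterType {
			flag = "-C"
		}
		parts = append(parts, flag, f.LHS+f.Comparator+f.RHS)
	}
	if len(r.Syscalls) > 0 {
		parts = append(parts, "-S", strings.Join(r.Syscalls, ","))
	}
	for _, k := range r.Keys {
		parts = append(parts, "-k", k)
	}
	return strings.Join(parts, " "), nil
}

func main() {
	// Constructed sample rules: watch writes/attribute changes on /etc/passwd and audit 64-bit execve calls.
	watch := FileWatchRule{Path: "/etc/passwd", Permissions: []AccessType{WriteAccessType, AttributeChangeAccessType}, Keys: []string{"identity"}}
	exec := SyscallRule{List: "exit", Action: "always", Syscalls: []string{"execve"}, Keys: []string{"exec"},
		Filters: []FilterSpec{{Type: ValueFilterType, LHS: "arch", Comparator: "=", RHS: "b64"}}}
	w, _ := FileWatchCommandLine(watch)
	s, _ := SyscallCommandLine(exec)
	fmt.Println("auditctl", w)
	fmt.Println("auditctl", s)
}
```

Rendering the FilterSpec as `LHS Comparator RHS` with no spaces is what keeps the filter a single shell word; the permission letters are concatenated the same way because auditctl expects `-p wa`, not two `-p` flags.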
Directories
Path | Synopsis
---|---
flags | Package flags provides parsing of audit rules as specified using CLI flags, in accordance with the man page for auditctl (from the auditd userspace tools).