rule

package
v2.2.3
Warning

This package is not in the latest version of its module.

Published: Nov 5, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ToCommandLine

func ToCommandLine(wf WireFormat, resolveIds bool) (rule string, err error)

ToCommandLine decodes a WireFormat into a command-line rule. When resolveIds is set, it tries to resolve UID, GID and file_type arguments to their symbolic names. `auditctl -l` always prints the numeric (non-resolved) representation of these fields, so when the flag is false the output matches auditctl. There is one exception to this rule when parsing the `arch` field: auditctl always prints "b64" or "b32", even for architectures other than the current machine's. This is misleading, so this code prints the actual architecture.

Types

type AccessType

type AccessType uint8

AccessType specifies the type of file access to audit.

const (
	ReadAccessType AccessType = iota + 1
	WriteAccessType
	ExecuteAccessType
	AttributeChangeAccessType
)

The access types that can be audited for file watches.

func (AccessType) String

func (t AccessType) String() string

type DeleteAllRule

type DeleteAllRule struct {
	Type Type
	Keys []string // Delete rules that have these keys.
}

DeleteAllRule deletes all existing rules.

func (*DeleteAllRule) TypeOf

func (r *DeleteAllRule) TypeOf() Type

TypeOf returns DeleteAllRuleType.

type FileWatchRule

type FileWatchRule struct {
	Type        Type
	Path        string
	Permissions []AccessType
	Keys        []string
}

FileWatchRule is used to audit access to particular files or directories that you may be interested in.

func (*FileWatchRule) TypeOf

func (r *FileWatchRule) TypeOf() Type

TypeOf returns FileWatchRuleType.

type FilterSpec

type FilterSpec struct {
	Type       FilterType
	LHS        string
	Comparator string
	RHS        string
}

FilterSpec defines a filter to apply to a syscall rule.

func (*FilterSpec) String

func (f *FilterSpec) String() string

type FilterType

type FilterType uint8

FilterType specifies a type of filter to apply to a syscall rule.

const (
	InterFieldFilterType FilterType = iota + 1 // Inter-field comparison filtering (-C).
	ValueFilterType                            // Filtering based on values (-F).
)

The types of filter that can be applied.

type Rule

type Rule interface {
	TypeOf() Type // TypeOf returns the type of rule.
}

Rule is the generic interface that all rule types implement.

type SyscallRule

type SyscallRule struct {
	Type     Type
	List     string
	Action   string
	Filters  []FilterSpec
	Syscalls []string
	Keys     []string
}

SyscallRule is used to audit invocations of specific syscalls.

func (*SyscallRule) TypeOf

func (r *SyscallRule) TypeOf() Type

TypeOf returns either AppendSyscallRuleType or PrependSyscallRuleType.

type Type

type Type int

Type specifies the audit rule type.

const (
	DeleteAllRuleType      Type = iota + 1 // DeleteAllRule
	FileWatchRuleType                      // FileWatchRule
	AppendSyscallRuleType                  // SyscallRule
	PrependSyscallRuleType                 // SyscallRule
)

The rule types supported by this package.

type WireFormat

type WireFormat []byte

WireFormat is the binary representation of a rule as used to exchange rules (commands) with the kernel.

func Build

func Build(rule Rule) (WireFormat, error)

Build encodes a Rule into its WireFormat.
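As an added example (not the package's own code), the following renders a SyscallRule in the auditctl command-line form that ToCommandLine produces from a WireFormat, using stand-in declarations of FilterType, FilterSpec and SyscallRule copied from this page; the sample rule is constructed.

```go
package main

import "strings"

// Stand-ins for this package's FilterType, FilterSpec and SyscallRule, re-declared
// here (not the library's code) so the example runs without importing the module.
type FilterType uint8

const (
	InterFieldFilterType FilterType = iota + 1 // rendered as -C
	ValueFilterType                            // rendered as -F
)

type FilterSpec struct {
	Type                 FilterType
	LHS, Comparator, RHS string
}

type SyscallRule struct {
	List, Action   string
	Filters        []FilterSpec
	Syscalls, Keys []string
}

// SyscallCommandLine renders a SyscallRule as an equivalent auditctl command line:
// -a action,list, then -F/-C filters (arch before -S so syscall names resolve), -S, -k.
func SyscallCommandLine(r SyscallRule) string {
	parts := []string{"-a", r.Action + "," + r.List}
	for _, f := range r.Filters {
		flag := "-F" // value filter, e.g. euid=0
		if f.Type == InterFieldFilterType {
			flag = "-C" // inter-field comparison, e.g. uid!=euid
		}
		parts = append(parts, flag, f.LHS+f.Comparator+f.RHS)
	}
	for _, s := range r.Syscalls {
		parts = append(parts, "-S", s)
	}
	for _, k := range r.Keys {
		parts = append(parts, "-k", k)
	}
	return strings.Join(parts, " ")
}

// RootExecRule is a constructed sample: log every execve by euid 0 on 64-bit, tagged "root-exec".
var RootExecRule = SyscallRule{List: "exit", Action: "always", Syscalls: []string{"execve"},
	Filters: []FilterSpec{{ValueFilterType, "arch", "=", "b64"}, {ValueFilterType, "euid", "=", "0"}},
	Keys:    []string{"root-exec"}}
```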

Directories

Path Synopsis
flags: Package flags provides parsing of audit rules as specified using CLI flags, in accordance with the man page for auditctl (from the auditd userspace tools).
