Overview ¶
Package aucoalesce provides functions to coalesce compound audit messages into a single event and normalize all message types with some common fields.
Functions ¶
func LoadNormalizationConfig ¶ added in v0.0.3
func LoadNormalizationConfig(b []byte) (syscalls map[string]*Normalization, recordTypes map[string][]*Normalization, err error)
func ResolveIDs ¶ added in v0.0.3
func ResolveIDs(event *Event)
ResolveIDs translates all uid and gid values to their associated names. Prior to Go 1.9 this requires cgo on Linux. UID and GID values are cached for 60 seconds from the time they are read.
func ResolveIDsFromCaches ¶ added in v0.2.0
func ResolveIDsFromCaches(event *Event, users UserCache, groups GroupCache)
ResolveIDsFromCaches translates all uid and gid values to their associated names using the provided caches. Prior to Go 1.9 this requires cgo on Linux.
Types ¶
type Address ¶ added in v0.0.7
// Address is one endpoint of a socket recorded in an audit event; it is
// used for Event.Source and Event.Dest. Every field is kept as the string
// found in the record (Port included) and is omitted from JSON/YAML
// output when empty.
type Address struct {
	Hostname string `json:"hostname,omitempty" yaml:"hostname,omitempty"` // Hostname.
	IP       string `json:"ip,omitempty" yaml:"ip,omitempty"`             // IPv4 or IPv6 address.
	Port     string `json:"port,omitempty" yaml:"port,omitempty"`         // Port number.
	Path     string `json:"path,omitempty" yaml:"path,omitempty"`         // Unix socket path.
}
type AuditEventType ¶ added in v0.0.3
// AuditEventType is a categorization of a simple or compound audit event.
// Its values are the EventType* constants below; String and MarshalText
// render a value as text, so JSON/YAML output carries the name rather
// than the number.
type AuditEventType uint16
AuditEventType is a categorization of a simple or compound audit event.
// Categories of an audit event. EventTypeUnknown is the zero value, so an
// Event whose Category was never assigned reports as unknown. The numeric
// values are positional (iota): append new constants at the end if any
// consumer depends on the numbers rather than on the text form.
const (
	EventTypeUnknown AuditEventType = iota
	EventTypeUserspace
	EventTypeSystemServices
	EventTypeConfig
	EventTypeTTY
	EventTypeUserAccount
	EventTypeUserLogin
	EventTypeAuditDaemon
	EventTypeMACDecision
	// EventTypeAnomoly keeps its historical spelling ("Anomoly", not
	// "Anomaly"); it is exported API and renaming it would break callers.
	EventTypeAnomoly
	EventTypeIntegrity
	EventTypeAnomolyResponse // Same historical spelling as EventTypeAnomoly.
	EventTypeMAC
	EventTypeCrypto
	EventTypeVirt
	EventTypeAuditRule
	EventTypeDACDecision
	EventTypeGroupChange
)
func GetAuditEventType ¶ added in v0.0.3
func GetAuditEventType(t AuditMessageType) AuditEventType
func (AuditEventType) MarshalText ¶ added in v0.0.3
func (t AuditEventType) MarshalText() (text []byte, err error)
func (AuditEventType) String ¶ added in v0.0.3
func (t AuditEventType) String() string
type Direction ¶ added in v0.0.7
// Direction is the network direction of an event, carried in
// Network.Direction. Its constants are not listed on this page;
// MarshalText renders a value as text for JSON/YAML output.
type Direction uint8
func (Direction) MarshalText ¶ added in v0.0.7
type Event ¶ added in v0.0.3
// Event is the normalized form of one audit event: a single record, or a
// set of compound records coalesced by CoalesceMessages. The JSON and
// YAML field names are given by the struct tags.
type Event struct {
	// Timestamp and Sequence are shared by every record coalesced into
	// this event; CoalesceMessages assumes all messages it is given carry
	// the same timestamp and sequence number.
	Timestamp time.Time `json:"@timestamp" yaml:"timestamp"`
	Sequence  uint32    `json:"sequence" yaml:"sequence"`

	Category AuditEventType           `json:"category" yaml:"category"`       // Coarse category of the event.
	Type     auparse.AuditMessageType `json:"record_type" yaml:"record_type"` // Audit record type.
	Result   string                   `json:"result,omitempty" yaml:"result,omitempty"`
	Session  string                   `json:"session" yaml:"session"`
	Tags     []string                 `json:"tags,omitempty" yaml:"tags,omitempty"`

	Summary Summary `json:"summary" yaml:"summary"`
	User    User    `json:"user" yaml:"user"`
	// NOTE(review): omitempty has no effect on a struct value with
	// encoding/json, so Process is always emitted even when every field
	// in it is empty.
	Process Process `json:"process,omitempty" yaml:"process,omitempty"`

	// Optional sections. Each is nil when the event carries no such data
	// and is then omitted from the serialized output.
	File   *File    `json:"file,omitempty" yaml:"file,omitempty"`
	Source *Address `json:"source,omitempty" yaml:"source,omitempty"`
	Dest   *Address `json:"destination,omitempty" yaml:"destination,omitempty"`
	Net    *Network `json:"network,omitempty" yaml:"network,omitempty"`

	// Data holds record key/value pairs not represented by the typed
	// fields above — presumably as recorded in the log and not validated
	// here; confirm against CoalesceMessages.
	Data map[string]string `json:"data,omitempty" yaml:"data,omitempty"`
	// Paths holds one map per path-related record — presumably one per
	// PATH record of a compound event; confirm against CoalesceMessages.
	Paths []map[string]string `json:"paths,omitempty" yaml:"paths,omitempty"`

	// Warnings presumably collects non-fatal problems met while building
	// the event. The "-" tags exclude it from both JSON and YAML output,
	// so a consumer that wants to surface them must read the field
	// directly.
	Warnings []error `json:"-" yaml:"-"`
}
func CoalesceMessages ¶
func CoalesceMessages(msgs []*auparse.AuditMessage) (*Event, error)
CoalesceMessages combines the given messages into a single event. It assumes that all the messages in the slice have the same timestamp and sequence number. An error is returned if msgs is empty or nil, or if it only contains an EOE (end-of-event) message.
type File ¶ added in v0.0.7
// File describes the file object of an Event (Event.File). Every field is
// kept as the string found in the audit record. UID and GID are the
// numeric owner ids; Owner and Group are presumably the corresponding
// resolved names (ResolveIDs translates uid and gid values to names) —
// confirm.
type File struct {
	Path    string            `json:"path,omitempty" yaml:"path,omitempty"`
	Device  string            `json:"device,omitempty" yaml:"device,omitempty"`
	Inode   string            `json:"inode,omitempty" yaml:"inode,omitempty"`
	Mode    string            `json:"mode,omitempty" yaml:"mode,omitempty"` // Permissions
	UID     string            `json:"uid,omitempty" yaml:"uid,omitempty"`
	GID     string            `json:"gid,omitempty" yaml:"gid,omitempty"`
	Owner   string            `json:"owner,omitempty" yaml:"owner,omitempty"`
	Group   string            `json:"group,omitempty" yaml:"group,omitempty"`
	SELinux map[string]string `json:"selinux,omitempty" yaml:"selinux,omitempty"` // SELinux labels.
}
type GroupCache ¶ added in v0.0.3
// GroupCache is a cache of GID to group name, created with NewGroupCache.
// It is not thread-safe: a caller that looks up GIDs from several
// goroutines must serialize access with its own lock.
type GroupCache struct {
	// contains filtered or unexported fields
}
GroupCache is a cache of GID to group name.
func NewGroupCache ¶ added in v0.0.3
func NewGroupCache(expiration time.Duration) GroupCache
NewGroupCache returns a new GroupCache. GroupCache is not thread-safe.
func (GroupCache) LookupGID ¶ added in v0.0.3
func (c GroupCache) LookupGID(gid string) string
LookupGID looks up a GID and returns the group associated with it. If no group could be found, an empty string is returned. The value will be cached for a minute. This requires cgo on Linux.
type Network ¶ added in v0.0.7
// Network holds the network-related fields of an Event (Event.Net).
type Network struct {
	Direction Direction `json:"direction" yaml:"direction"` // Direction of the traffic; rendered as text via Direction.MarshalText.
}
type Normalization ¶ added in v0.0.3
// Normalization is one rule of the normalization config. It selects a
// class of audit records (by record type and/or syscall, plus any extra
// criteria) and supplies the normalized subject, action, object and how
// for matching events. Fields of type Strings accept either a single
// string or a list of strings in YAML.
type Normalization struct {
	Subject SubjectMapping `yaml:"subject"`
	Action  string         `yaml:"action"`
	Object  ObjectMapping  `yaml:"object"`
	How     Strings        `yaml:"how"`
	// RecordTypes and Syscalls are the keys under which
	// LoadNormalizationConfig indexes the rule (its recordTypes and
	// syscalls results).
	RecordTypes Strings `yaml:"record_types"`
	Syscalls    Strings `yaml:"syscalls"`
	// SourceIP and HasFields are presumably additional match conditions on
	// the record's source address and on the presence of named fields —
	// confirm against the matching code.
	SourceIP  Strings `yaml:"source_ip"`
	HasFields Strings `yaml:"has_fields"`
}
type NormalizationConfig ¶ added in v0.0.3
// NormalizationConfig is the top-level YAML document of normalization
// rules — presumably what LoadNormalizationConfig decodes: a Default rule
// plus the list of specific Normalizations.
type NormalizationConfig struct {
	Default Normalization `yaml:"default"`
	// Normalizations has no yaml tag, so the decoder's default key applies
	// (the lower-cased field name with gopkg.in/yaml.v2) — confirm against
	// the shipped config file.
	Normalizations []Normalization
}
type ObjectMapping ¶ added in v0.0.3
type Process ¶ added in v0.0.7
// Process describes the process that produced an Event (Event.Process).
// Identifiers are kept as strings, as found in the audit record.
//
// NOTE(review): in Linux audit records the comm and proctitle values are
// reported by the audited process itself, whereas exe is resolved by the
// kernel; consumers matching on a binary should prefer Exe — confirm how
// this package sources each field.
type Process struct {
	PID   string   `json:"pid,omitempty" yaml:"pid,omitempty"`
	PPID  string   `json:"ppid,omitempty" yaml:"ppid,omitempty"`
	Title string   `json:"title,omitempty" yaml:"title,omitempty"`
	Name  string   `json:"name,omitempty" yaml:"name,omitempty"` // Comm
	Exe   string   `json:"exe,omitempty" yaml:"exe,omitempty"`
	CWD   string   `json:"cwd,omitempty" yaml:"cwd,omitempty"`
	Args  []string `json:"args,omitempty" yaml:"args,omitempty"`
}
type Strings ¶ added in v0.0.3
// Strings is a custom type to enable YAML values that can be either a
// single string or a list of strings; UnmarshalYAML accepts both forms.
type Strings struct {
	Values []string // The decoded value(s), one element per string.
}
Strings is a custom type to enable YAML values that can be either a string or a list of strings.
func (*Strings) UnmarshalYAML ¶ added in v0.0.3
type SubjectMapping ¶ added in v0.0.3
type User ¶ added in v0.0.7
// User holds the identity fields of the subject of an Event (Event.User).
// IDs keeps the raw id strings from the audit record; Names is presumably
// populated by ResolveIDs/ResolveIDsFromCaches, which translate uid and
// gid values to their associated names — confirm.
type User struct {
	IDs     map[string]string `json:"ids,omitempty" yaml:"ids,omitempty"`         // Identifying data like auid, uid, euid, suid, fsuid, gid, egid, sgid, fsgid.
	Names   map[string]string `json:"names,omitempty" yaml:"names,omitempty"`     // Mappings of ID to name (auid -> "root").
	SELinux map[string]string `json:"selinux,omitempty" yaml:"selinux,omitempty"` // SELinux labels.
}
type UserCache ¶ added in v0.0.3
// UserCache is a cache of UID to username, created with NewUserCache.
// It is not thread-safe: a caller that resolves UIDs from several
// goroutines must serialize access with its own lock.
type UserCache struct {
	// contains filtered or unexported fields
}
UserCache is a cache of UID to username.
func NewUserCache ¶ added in v0.0.3
NewUserCache returns a new UserCache. UserCache is not thread-safe.