Documentation ¶
Overview ¶
Package libaudit is a client library used for interfacing with the Linux kernel auditing framework. It provides an API for executing audit related tasks such as setting audit rules, changing the auditing configuration, and processing incoming audit events.
The intent of this package is to provide a means for an application to take the role of auditd, so that audit events can be consumed and analysed directly in your Go program. Note that the kernel delivers audit events to a single registered daemon PID (see AuditSetPID), so a program acting in that role conflicts with a running auditd, and the functions that change audit status or rules require the corresponding kernel privileges (in practice root or the audit capabilities such as CAP_AUDIT_CONTROL).
Index ¶
- Constants
- func AuditIsEnabled(s Netlink) (bool, error)
- func AuditSetBacklogLimit(s Netlink, limit int) error
- func AuditSetEnabled(s Netlink, enabled bool) (err error)
- func AuditSetPID(s Netlink, pid int) error
- func AuditSetRateLimit(s Netlink, limit int) error
- func DeleteAllRules(s Netlink) error
- func GetAuditEvents(s Netlink, cb EventCallback)
- func GetAuditMessages(s Netlink, cb EventCallback, done *chan bool)
- func GetRawAuditEvents(s Netlink, cb RawEventCallback)
- func ListAllRules(s Netlink) (ret []string, err error)
- func SetRules(s Netlink, content []byte) (warnings []string, err error)
- type AuditEvent
- type AuditFileRule
- type AuditRule
- type AuditRules
- type AuditSyscallRule
- type ErrorAuditParse
- type EventCallback
- type Netlink
- type NetlinkConnection
- type NetlinkMessage
- type RawEventCallback
Constants ¶
// Constants mirrored by hand from the kernel's linux/audit.h and linux/elf-em.h.
//
// NOTE(review): because these are a manual copy, they only match the header
// versions they were copied from. The __AUDIT_ARCH_64BIT / __AUDIT_ARCH_LE
// flags used by the AUDIT_ARCH_* values are unexported and not shown here.
// EM_AARCH64 is defined below but no AUDIT_ARCH_AARCH64 is derived from it,
// so arm64 syscall rules cannot be expressed with the AUDIT_ARCH_* constants in
// this block alone.
const (
	MAX_AUDIT_MESSAGE_LENGTH = 8970
	AUDIT_MAX_FIELDS         = 64
	AUDIT_BITMASK_SIZE       = 64

	// Rule flags: which filter list a rule is attached to.
	AUDIT_FILTER_USER  = 0x00 /* Apply rule to user-generated messages */
	AUDIT_FILTER_TASK  = 0x01 /* Apply rule at task creation (not syscall) */
	AUDIT_FILTER_ENTRY = 0x02 /* Apply rule at syscall entry */
	AUDIT_FILTER_WATCH = 0x03 /* Apply rule to file system watches */
	AUDIT_FILTER_EXIT  = 0x04 /* Apply rule at syscall exit */
	AUDIT_FILTER_TYPE  = 0x05 /* Apply rule at audit_log_start */
	/* These are used in filter control */
	AUDIT_FILTER_MASK  = 0x07 /* Mask to get actual filter */
	AUDIT_FILTER_UNSET = 0x80 /* This value means filter is unset */

	/* Rule actions */
	AUDIT_NEVER    = 0 /* Do not build context if rule matches */
	AUDIT_POSSIBLE = 1 /* Build context if rule matches */
	AUDIT_ALWAYS   = 2 /* Generate audit record if rule matches */

	/* Rule fields */
	/* These are useful when checking the
	 * task structure at task creation time
	 * (AUDIT_PER_TASK). */
	AUDIT_PID            = 0
	AUDIT_UID            = 1
	AUDIT_EUID           = 2
	AUDIT_SUID           = 3
	AUDIT_FSUID          = 4
	AUDIT_GID            = 5
	AUDIT_EGID           = 6
	AUDIT_SGID           = 7
	AUDIT_FSGID          = 8
	AUDIT_LOGINUID       = 9
	AUDIT_OBJ_GID        = 110
	AUDIT_OBJ_UID        = 109
	AUDIT_EXIT           = 103
	AUDIT_PERS           = 10
	AUDIT_FILTER_EXCLUDE = 0x05 /* same value as AUDIT_FILTER_TYPE: audit.h defines it as an alias */
	AUDIT_ARCH           = 11
	PATH_MAX             = 4096
	AUDIT_MSGTYPE        = 12
	AUDIT_MAX_KEY_LEN    = 256
	AUDIT_PERM           = 106
	AUDIT_FILTERKEY      = 210
	AUDIT_SUBJ_USER      = 13 /* security label user */
	AUDIT_SUBJ_ROLE      = 14 /* security label role */
	AUDIT_SUBJ_TYPE      = 15 /* security label type */
	AUDIT_SUBJ_SEN       = 16 /* security label sensitivity label */
	AUDIT_SUBJ_CLR       = 17 /* security label clearance label */
	AUDIT_PPID           = 18
	AUDIT_OBJ_USER       = 19
	AUDIT_OBJ_ROLE       = 20
	AUDIT_OBJ_TYPE       = 21
	AUDIT_WATCH          = 105
	AUDIT_DIR            = 107
	AUDIT_OBJ_LEV_LOW    = 22
	AUDIT_OBJ_LEV_HIGH   = 23
	AUDIT_LOGINUID_SET   = 24
	AUDIT_DEVMAJOR       = 100
	AUDIT_DEVMINOR       = 101
	AUDIT_INODE          = 102
	AUDIT_SUCCESS        = 104
	AUDIT_FIELD_COMPARE  = 111
	AUDIT_EXE            = 112

	// Permission bits for AUDIT_PERM (file watch access types).
	AUDIT_PERM_EXEC  = 1
	AUDIT_PERM_WRITE = 2
	AUDIT_PERM_READ  = 4
	AUDIT_PERM_ATTR  = 8
	AUDIT_FILETYPE   = 108

	// Syscall argument fields.
	AUDIT_ARG0 = 200
	AUDIT_ARG1 = (AUDIT_ARG0 + 1)
	AUDIT_ARG2 = (AUDIT_ARG0 + 2)
	AUDIT_ARG3 = (AUDIT_ARG0 + 3)

	// Field comparison operators, OR'ed into the field id.
	AUDIT_BIT_MASK              = 0x08000000
	AUDIT_LESS_THAN             = 0x10000000
	AUDIT_GREATER_THAN          = 0x20000000
	AUDIT_NOT_EQUAL             = 0x30000000
	AUDIT_EQUAL                 = 0x40000000
	AUDIT_BIT_TEST              = (AUDIT_BIT_MASK | AUDIT_EQUAL)
	AUDIT_LESS_THAN_OR_EQUAL    = (AUDIT_LESS_THAN | AUDIT_EQUAL)
	AUDIT_GREATER_THAN_OR_EQUAL = (AUDIT_GREATER_THAN | AUDIT_EQUAL)
	AUDIT_OPERATORS             = (AUDIT_EQUAL | AUDIT_NOT_EQUAL | AUDIT_BIT_MASK)

	/* Status symbols */
	/* Mask values: which fields of an AUDIT_SET request are being changed */
	AUDIT_STATUS_ENABLED       = 0x0001
	AUDIT_STATUS_FAILURE       = 0x0002
	AUDIT_STATUS_PID           = 0x0004
	AUDIT_STATUS_RATE_LIMIT    = 0x0008
	AUDIT_STATUS_BACKLOG_LIMIT = 0x0010

	/* Failure-to-log actions */
	AUDIT_FAIL_SILENT = 0
	AUDIT_FAIL_PRINTK = 1
	AUDIT_FAIL_PANIC  = 2

	// Architecture identifiers for AUDIT_ARCH fields. The __AUDIT_ARCH_*
	// flags are unexported package constants.
	AUDIT_ARCH_ALPHA    = (EM_ALPHA | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	AUDIT_ARCH_ARM      = (EM_ARM | __AUDIT_ARCH_LE)
	AUDIT_ARCH_ARMEB    = (EM_ARM)
	AUDIT_ARCH_CRIS     = (EM_CRIS | __AUDIT_ARCH_LE)
	AUDIT_ARCH_FRV      = (EM_FRV)
	AUDIT_ARCH_I386     = (EM_386 | __AUDIT_ARCH_LE)
	AUDIT_ARCH_IA64     = (EM_IA_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	AUDIT_ARCH_M32R     = (EM_M32R)
	AUDIT_ARCH_M68K     = (EM_68K)
	AUDIT_ARCH_MIPS     = (EM_MIPS)
	AUDIT_ARCH_MIPSEL   = (EM_MIPS | __AUDIT_ARCH_LE)
	AUDIT_ARCH_MIPS64   = (EM_MIPS | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_MIPSEL64 = (EM_MIPS | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	// AUDIT_ARCH_OPENRISC = (EM_OPENRISC)
	// AUDIT_ARCH_PARISC = (EM_PARISC)
	// AUDIT_ARCH_PARISC64 = (EM_PARISC | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_PPC     = (EM_PPC)
	AUDIT_ARCH_PPC64   = (EM_PPC64 | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_S390    = (EM_S390)
	AUDIT_ARCH_S390X   = (EM_S390 | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_SH      = (EM_SH)
	AUDIT_ARCH_SHEL    = (EM_SH | __AUDIT_ARCH_LE)
	AUDIT_ARCH_SH64    = (EM_SH | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_SHEL64  = (EM_SH | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
	AUDIT_ARCH_SPARC   = (EM_SPARC)
	AUDIT_ARCH_SPARC64 = (EM_SPARCV9 | __AUDIT_ARCH_64BIT)
	AUDIT_ARCH_X86_64  = (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)

	// Temporary solution: ELF machine numbers copied from linux/elf-em.h
	// until that header is pulled in properly.
	EM_NONE  = 0
	EM_M32   = 1
	EM_SPARC = 2
	EM_386   = 3
	EM_68K   = 4
	EM_88K   = 5
	EM_486   = 6 /* Perhaps disused */
	EM_860   = 7
	EM_MIPS  = 8 /* MIPS R3000 (officially, big-endian only) */
	/* Next two are historical and binaries and modules of these types will be rejected by Linux. */
	EM_MIPS_RS3_LE = 10 /* MIPS R3000 little-endian */
	EM_MIPS_RS4_BE = 10 /* MIPS R4000 big-endian */
	EM_PARISC      = 15 /* HPPA */
	EM_SPARC32PLUS = 18 /* Sun's "v8plus" */
	EM_PPC         = 20 /* PowerPC */
	EM_PPC64       = 21 /* PowerPC64 */
	EM_SPU         = 23 /* Cell BE SPU */
	EM_ARM         = 40 /* ARM 32 bit */
	EM_SH          = 42 /* SuperH */
	EM_SPARCV9     = 43 /* SPARC v9 64-bit */
	EM_IA_64       = 50 /* HP/Intel IA-64 */
	EM_X86_64      = 62 /* AMD x86-64 */
	EM_S390        = 22 /* IBM S/390 */
	EM_CRIS        = 76 /* Axis Communications 32-bit embedded processor */
	EM_V850        = 87 /* NEC v850 */
	EM_M32R        = 88 /* Renesas M32R */
	EM_MN10300     = 89 /* Panasonic/MEI MN10300, AM33 */
	EM_BLACKFIN    = 106 /* ADI Blackfin Processor */
	EM_TI_C6000    = 140 /* TI C6X DSPs */
	EM_AARCH64     = 183 /* ARM 64 bit; no AUDIT_ARCH_AARCH64 is derived from it above */
	EM_FRV         = 0x5441 /* Fujitsu FR-V */
	EM_AVR32       = 0x18ad /* Atmel AVR32 */
	/*
	 * This is an interim value that we will use until the committee comes
	 * up with a final number.
	 */
	EM_ALPHA = 0x9026
	/* Bogus old v850 magic number, used by old tools. */
	EM_CYGNUS_V850 = 0x9080
	/* Bogus old m32r magic number, used by old tools. */
	EM_CYGNUS_M32R = 0x9041
	/* This is the old interim value for S/390 architecture */
	EM_S390_OLD = 0xA390
	/* Also Panasonic/MEI MN10300, AM33 */
	EM_CYGNUS_MN10300 = 0xbeef
)
// Netlink message types and audit record types, mirrored from the kernel's
// linux/audit.h and the userspace libaudit header. The 1000-1099 values are
// control requests sent to the kernel; everything from 1100 upwards is a
// record type that appears in the header of received events.
//
// NOTE(review): AUDIT_TINTEGRITY_LAST_MSG is a misspelling of the libaudit name
// AUDIT_INTEGRITY_LAST_MSG; it is exported, so renaming it is an API change.
// Newer kernels define record types beyond those listed here; a consumer must
// tolerate unknown types rather than reject them.
const (
	AUDIT_GET         auditConstant = 1000 /* Get status */
	AUDIT_SET         auditConstant = 1001 /* Set status (enable/disable/auditd) */
	AUDIT_LIST        auditConstant = 1002 /* List syscall rules -- deprecated */
	AUDIT_ADD         auditConstant = 1003 /* Add syscall rule -- deprecated */
	AUDIT_DEL         auditConstant = 1004 /* Delete syscall rule -- deprecated */
	AUDIT_USER        auditConstant = 1005 /* Message from userspace -- deprecated */
	AUDIT_LOGIN       auditConstant = 1006 /* Define the login id and information */
	AUDIT_WATCH_INS   auditConstant = 1007 /* Insert file/dir watch entry */
	AUDIT_WATCH_REM   auditConstant = 1008 /* Remove file/dir watch entry */
	AUDIT_WATCH_LIST  auditConstant = 1009 /* List all file/dir watches */
	AUDIT_SIGNAL_INFO auditConstant = 1010 /* Get info about sender of signal to auditd */
	AUDIT_ADD_RULE    auditConstant = 1011 /* Add syscall filtering rule */
	AUDIT_DEL_RULE    auditConstant = 1012 /* Delete syscall filtering rule */
	AUDIT_LIST_RULES  auditConstant = 1013 /* List syscall filtering rules */
	AUDIT_TRIM        auditConstant = 1014 /* Trim junk from watched tree */
	AUDIT_MAKE_EQUIV  auditConstant = 1015 /* Append to watched tree */
	AUDIT_TTY_GET     auditConstant = 1016 /* Get TTY auditing status */
	AUDIT_TTY_SET     auditConstant = 1017 /* Set TTY auditing status */
	AUDIT_SET_FEATURE auditConstant = 1018 /* Turn an audit feature on or off */
	AUDIT_GET_FEATURE auditConstant = 1019 /* Get which features are enabled */

	// User space messages (1100-1199): generated by userspace programs such
	// as PAM and login, not by the kernel.
	AUDIT_FIRST_USER_MSG   auditConstant = 1100 /* First user space message */
	AUDIT_LAST_USER_MSG    auditConstant = 1199 /* Last user space message */
	AUDIT_USER_AUTH        auditConstant = 1100 /* User space authentication */
	AUDIT_USER_ACCT        auditConstant = 1101 /* User space acct change */
	AUDIT_USER_MGMT        auditConstant = 1102 /* User space acct management */
	AUDIT_CRED_ACQ         auditConstant = 1103 /* User space credential acquired */
	AUDIT_CRED_DISP        auditConstant = 1104 /* User space credential disposed */
	AUDIT_USER_START       auditConstant = 1105 /* User space session start */
	AUDIT_USER_END         auditConstant = 1106 /* User space session end */
	AUDIT_USER_AVC         auditConstant = 1107 /* User space avc message */
	AUDIT_USER_CHAUTHTOK   auditConstant = 1108 /* User space acct attr changed */
	AUDIT_USER_ERR         auditConstant = 1109 /* User space acct state err */
	AUDIT_CRED_REFR        auditConstant = 1110 /* User space credential refreshed */
	AUDIT_USYS_CONFIG      auditConstant = 1111 /* User space system config change */
	AUDIT_USER_LOGIN       auditConstant = 1112 /* User space user has logged in */
	AUDIT_USER_LOGOUT      auditConstant = 1113 /* User space user has logged out */
	AUDIT_ADD_USER         auditConstant = 1114 /* User space user account added */
	AUDIT_DEL_USER         auditConstant = 1115 /* User space user account deleted */
	AUDIT_ADD_GROUP        auditConstant = 1116 /* User space group added */
	AUDIT_DEL_GROUP        auditConstant = 1117 /* User space group deleted */
	AUDIT_DAC_CHECK        auditConstant = 1118 /* User space DAC check results */
	AUDIT_CHGRP_ID         auditConstant = 1119 /* User space group ID changed */
	AUDIT_TEST             auditConstant = 1120 /* Used for test success messages */
	AUDIT_TRUSTED_APP      auditConstant = 1121 /* Trusted app msg - freestyle text */
	AUDIT_USER_SELINUX_ERR auditConstant = 1122 /* SE Linux user space error */
	AUDIT_USER_CMD         auditConstant = 1123 /* User shell command and args */
	AUDIT_USER_TTY         auditConstant = 1124 /* Non-ICANON TTY input meaning */
	AUDIT_CHUSER_ID        auditConstant = 1125 /* Changed user ID supplemental data */
	AUDIT_GRP_AUTH         auditConstant = 1126 /* Authentication for group password */
	AUDIT_SYSTEM_BOOT      auditConstant = 1127 /* System boot */
	AUDIT_SYSTEM_SHUTDOWN  auditConstant = 1128 /* System shutdown */
	AUDIT_SYSTEM_RUNLEVEL  auditConstant = 1129 /* System runlevel change */
	AUDIT_SERVICE_START    auditConstant = 1130 /* Service (daemon) start */
	AUDIT_SERVICE_STOP     auditConstant = 1131 /* Service (daemon) stop */
	AUDIT_GRP_MGMT         auditConstant = 1132 /* Group account attr was modified */
	AUDIT_GRP_CHAUTHTOK    auditConstant = 1133 /* Group acct password or pin changed */
	AUDIT_MAC_CHECK        auditConstant = 1134 /* User space MAC decision results */
	AUDIT_ACCT_LOCK        auditConstant = 1135 /* User's account locked by admin */
	AUDIT_ACCT_UNLOCK      auditConstant = 1136 /* User's account unlocked by admin */

	// Audit daemon internal messages (1200-1299).
	AUDIT_FIRST_DAEMON    auditConstant = 1200
	AUDIT_LAST_DAEMON     auditConstant = 1299
	AUDIT_DAEMON_CONFIG   auditConstant = 1203 /* Daemon config change */
	AUDIT_DAEMON_RECONFIG auditConstant = 1204 /* Auditd should reconfigure */
	AUDIT_DAEMON_ROTATE   auditConstant = 1205 /* Auditd should rotate logs */
	AUDIT_DAEMON_RESUME   auditConstant = 1206 /* Auditd should resume logging */
	AUDIT_DAEMON_ACCEPT   auditConstant = 1207 /* Auditd accepted remote connection */
	AUDIT_DAEMON_CLOSE    auditConstant = 1208 /* Auditd closed remote connection */

	// Kernel-generated event records (1300-1399).
	AUDIT_SYSCALL auditConstant = 1300 /* Syscall event */
	/* AUDIT_FS_WATCH auditConstant = 1301 * Deprecated */
	AUDIT_PATH           auditConstant = 1302 /* Filename path information */
	AUDIT_IPC            auditConstant = 1303 /* IPC record */
	AUDIT_SOCKETCALL     auditConstant = 1304 /* sys_socketcall arguments */
	AUDIT_CONFIG_CHANGE  auditConstant = 1305 /* Audit system configuration change */
	AUDIT_SOCKADDR       auditConstant = 1306 /* sockaddr copied as syscall arg */
	AUDIT_CWD            auditConstant = 1307 /* Current working directory */
	AUDIT_EXECVE         auditConstant = 1309 /* execve arguments */
	AUDIT_IPC_SET_PERM   auditConstant = 1311 /* IPC new permissions record type */
	AUDIT_MQ_OPEN        auditConstant = 1312 /* POSIX MQ open record type */
	AUDIT_MQ_SENDRECV    auditConstant = 1313 /* POSIX MQ send/receive record type */
	AUDIT_MQ_NOTIFY      auditConstant = 1314 /* POSIX MQ notify record type */
	AUDIT_MQ_GETSETATTR  auditConstant = 1315 /* POSIX MQ get/set attribute record type */
	AUDIT_KERNEL_OTHER   auditConstant = 1316 /* For use by 3rd party modules */
	AUDIT_FD_PAIR        auditConstant = 1317 /* audit record for pipe/socketpair */
	AUDIT_OBJ_PID        auditConstant = 1318 /* ptrace target */
	AUDIT_TTY            auditConstant = 1319 /* Input on an administrative TTY */
	AUDIT_EOE            auditConstant = 1320 /* End of multi-record event; see NewAuditEvent, which buffers until this arrives */
	AUDIT_BPRM_FCAPS     auditConstant = 1321 /* Information about fcaps increasing perms */
	AUDIT_CAPSET         auditConstant = 1322 /* Record showing argument to sys_capset */
	AUDIT_MMAP           auditConstant = 1323 /* Record showing descriptor and flags in mmap */
	AUDIT_NETFILTER_PKT  auditConstant = 1324 /* Packets traversing netfilter chains */
	AUDIT_NETFILTER_CFG  auditConstant = 1325 /* Netfilter chain modifications */
	AUDIT_SECCOMP        auditConstant = 1326 /* Secure Computing event */
	AUDIT_PROCTITLE      auditConstant = 1327 /* Proctitle emit event */
	AUDIT_FEATURE_CHANGE auditConstant = 1328 /* audit log listing feature changes */
	/* AUDIT_FIRST_EVENT 1300 */ // TODO: libaudit defines this as AUDIT_FIRST_EVENT but audit.h differently.
	AUDIT_LAST_EVENT auditConstant = 1399

	// SELinux / LSM records (1400-1499).
	/* AUDIT_FIRST_SELINUX 1400 */ // TODO: libaudit defines this as AUDIT_FIRST_SELINUX but audit.h as AUDIT_AVC
	AUDIT_AVC               auditConstant = 1400 /* SE Linux avc denial or grant */
	AUDIT_SELINUX_ERR       auditConstant = 1401 /* internal SE Linux Errors */
	AUDIT_AVC_PATH          auditConstant = 1402 /* dentry, vfsmount pair from avc */
	AUDIT_MAC_POLICY_LOAD   auditConstant = 1403 /* Policy file load */
	AUDIT_MAC_STATUS        auditConstant = 1404 /* Changed enforcing,permissive,off */
	AUDIT_MAC_CONFIG_CHANGE auditConstant = 1405 /* Changes to booleans */
	AUDIT_MAC_UNLBL_ALLOW   auditConstant = 1406 /* NetLabel: allow unlabeled traffic */
	AUDIT_MAC_CIPSOV4_ADD   auditConstant = 1407 /* NetLabel: add CIPSOv4 DOI entry */
	AUDIT_MAC_CIPSOV4_DEL   auditConstant = 1408 /* NetLabel: del CIPSOv4 DOI entry */
	AUDIT_MAC_MAP_ADD       auditConstant = 1409 /* NetLabel: add LSM domain mapping */
	AUDIT_MAC_MAP_DEL       auditConstant = 1410 /* NetLabel: del LSM domain mapping */
	AUDIT_MAC_IPSEC_ADDSA   auditConstant = 1411 /* Not used */
	AUDIT_MAC_IPSEC_DELSA   auditConstant = 1412 /* Not used */
	AUDIT_MAC_IPSEC_ADDSPD  auditConstant = 1413 /* Not used */
	AUDIT_MAC_IPSEC_DELSPD  auditConstant = 1414 /* Not used */
	AUDIT_MAC_IPSEC_EVENT   auditConstant = 1415 /* Audit an IPSec event */
	AUDIT_MAC_UNLBL_STCADD  auditConstant = 1416 /* NetLabel: add a static label */
	AUDIT_MAC_UNLBL_STCDEL  auditConstant = 1417 /* NetLabel: del a static label */
	AUDIT_LAST_SELINUX      auditConstant = 1499

	// AppArmor records (1500-1599).
	AUDIT_FIRST_APPARMOR   auditConstant = 1500
	AUDIT_LAST_APPARMOR    auditConstant = 1599
	AUDIT_AA               auditConstant = 1500 /* Not upstream yet*/
	AUDIT_APPARMOR_AUDIT   auditConstant = 1501
	AUDIT_APPARMOR_ALLOWED auditConstant = 1502
	AUDIT_APPARMOR_DENIED  auditConstant = 1503
	AUDIT_APPARMOR_HT      auditConstant = 1504
	AUDIT_APPARMOR_STATUS  auditConstant = 1505
	AUDIT_APPARMOR_ERROR   auditConstant = 1506

	// Kernel crypto records (1600-1699).
	AUDIT_FIRST_KERN_CRYPTO_MSG auditConstant = 1600
	AUDIT_LAST_KERN_CRYPTO_MSG  auditConstant = 1699

	// Kernel anomaly records (1700-1799). The FIRST_ bound is commented out
	// in this copy; only the LAST_ bound is defined.
	// AUDIT_FIRST_KERN_ANOM_MSG auditConstant = 1700
	AUDIT_LAST_KERN_ANOM_MSG auditConstant = 1799
	AUDIT_ANOM_PROMISCUOUS   auditConstant = 1700 /* Device changed promiscuous mode */
	AUDIT_ANOM_ABEND         auditConstant = 1701 /* Process ended abnormally */
	AUDIT_ANOM_LINK          auditConstant = 1702 /* Suspicious use of file links */

	// Integrity (IMA/EVM) records (1800-1899).
	AUDIT_INTEGRITY_FIRST_MSG auditConstant = 1800
	AUDIT_TINTEGRITY_LAST_MSG auditConstant = 1899 // sic: misspelling of libaudit's AUDIT_INTEGRITY_LAST_MSG, kept for API compatibility
	AUDIT_INTEGRITY_DATA      auditConstant = 1800 /* Data integrity verification */
	AUDIT_INTEGRITY_METADATA  auditConstant = 1801 // Metadata integrity verification
	AUDIT_INTEGRITY_STATUS    auditConstant = 1802 /* integrity enable status */
	AUDIT_INTEGRITY_HASH      auditConstant = 1803 /* integrity HASH type */
	AUDIT_INTEGRITY_PCR       auditConstant = 1804 /* PCR invalidation msgs */
	AUDIT_INTEGRITY_RULE      auditConstant = 1805 /* Policy rule */

	AUDIT_KERNEL auditConstant = 2000 /* Asynchronous audit record. NOT A REQUEST. */

	// User space anomaly records (2100-2199).
	AUDIT_FIRST_ANOM_MSG           auditConstant = 2100
	AUDIT_LAST_ANOM_MSG            auditConstant = 2199
	AUDIT_ANOM_LOGIN_FAILURES      auditConstant = 2100 // Failed login limit reached
	AUDIT_ANOM_LOGIN_TIME          auditConstant = 2101 // Login attempted at bad time
	AUDIT_ANOM_LOGIN_SESSIONS      auditConstant = 2102 // Max concurrent sessions reached
	AUDIT_ANOM_LOGIN_ACCT          auditConstant = 2103 // Login attempted to watched acct
	AUDIT_ANOM_LOGIN_LOCATION      auditConstant = 2104 // Login from forbidden location
	AUDIT_ANOM_MAX_DAC             auditConstant = 2105 // Max DAC failures reached
	AUDIT_ANOM_MAX_MAC             auditConstant = 2106 // Max MAC failures reached
	AUDIT_ANOM_AMTU_FAIL           auditConstant = 2107 // AMTU failure
	AUDIT_ANOM_RBAC_FAIL           auditConstant = 2108 // RBAC self test failure
	AUDIT_ANOM_RBAC_INTEGRITY_FAIL auditConstant = 2109 // RBAC file integrity failure
	AUDIT_ANOM_CRYPTO_FAIL         auditConstant = 2110 // Crypto system test failure
	AUDIT_ANOM_ACCESS_FS           auditConstant = 2111 // Access of file or dir
	AUDIT_ANOM_EXEC                auditConstant = 2112 // Execution of file
	AUDIT_ANOM_MK_EXEC             auditConstant = 2113 // Make an executable
	AUDIT_ANOM_ADD_ACCT            auditConstant = 2114 // Adding an acct
	AUDIT_ANOM_DEL_ACCT            auditConstant = 2115 // Deleting an acct
	AUDIT_ANOM_MOD_ACCT            auditConstant = 2116 // Changing an acct
	AUDIT_ANOM_ROOT_TRANS          auditConstant = 2117 // User became root

	// User space anomaly responses (2200-2299).
	AUDIT_FIRST_ANOM_RESP        auditConstant = 2200
	AUDIT_LAST_ANOM_RESP         auditConstant = 2299
	AUDIT_RESP_ANOMALY           auditConstant = 2200 /* Anomaly not reacted to */
	AUDIT_RESP_ALERT             auditConstant = 2201 /* Alert email was sent */
	AUDIT_RESP_KILL_PROC         auditConstant = 2202 /* Kill program */
	AUDIT_RESP_TERM_ACCESS       auditConstant = 2203 /* Terminate session */
	AUDIT_RESP_ACCT_REMOTE       auditConstant = 2204 /* Acct locked from remote access*/
	AUDIT_RESP_ACCT_LOCK_TIMED   auditConstant = 2205 /* User acct locked for time */
	AUDIT_RESP_ACCT_UNLOCK_TIMED auditConstant = 2206 /* User acct unlocked from time */
	AUDIT_RESP_ACCT_LOCK         auditConstant = 2207 /* User acct was locked */
	AUDIT_RESP_TERM_LOCK         auditConstant = 2208 /* Terminal was locked */
	AUDIT_RESP_SEBOOL            auditConstant = 2209 /* Set an SE Linux boolean */
	AUDIT_RESP_EXEC              auditConstant = 2210 /* Execute a script */
	AUDIT_RESP_SINGLE            auditConstant = 2211 /* Go to single user mode */
	AUDIT_RESP_HALT              auditConstant = 2212 /* take the system down */

	// User space LSPP (labelled security) records (2300-2399).
	AUDIT_FIRST_USER_LSPP_MSG    auditConstant = 2300
	AUDIT_LAST_USER_LSPP_MSG     auditConstant = 2399
	AUDIT_USER_ROLE_CHANGE       auditConstant = 2300 /* User changed to a new role */
	AUDIT_ROLE_ASSIGN            auditConstant = 2301 /* Admin assigned user to role */
	AUDIT_ROLE_REMOVE            auditConstant = 2302 /* Admin removed user from role */
	AUDIT_LABEL_OVERRIDE         auditConstant = 2303 /* Admin is overriding a label */
	AUDIT_LABEL_LEVEL_CHANGE     auditConstant = 2304 /* Object's level was changed */
	AUDIT_USER_LABELED_EXPORT    auditConstant = 2305 /* Object exported with label */
	AUDIT_USER_UNLABELED_EXPORT  auditConstant = 2306 /* Object exported without label */
	AUDIT_DEV_ALLOC              auditConstant = 2307 /* Device was allocated */
	AUDIT_DEV_DEALLOC            auditConstant = 2308 /* Device was deallocated */
	AUDIT_FS_RELABEL             auditConstant = 2309 /* Filesystem relabeled */
	AUDIT_USER_MAC_POLICY_LOAD   auditConstant = 2310 /* Userspc daemon loaded policy */
	AUDIT_ROLE_MODIFY            auditConstant = 2311 /* Admin modified a role */
	AUDIT_USER_MAC_CONFIG_CHANGE auditConstant = 2312 /* Change made to MAC policy */

	// User space crypto records (2400-2499).
	AUDIT_FIRST_CRYPTO_MSG         auditConstant = 2400
	AUDIT_CRYPTO_TEST_USER         auditConstant = 2400 /* Crypto test results */
	AUDIT_CRYPTO_PARAM_CHANGE_USER auditConstant = 2401 /* Crypto attribute change */
	AUDIT_CRYPTO_LOGIN             auditConstant = 2402 /* Logged in as crypto officer */
	AUDIT_CRYPTO_LOGOUT            auditConstant = 2403 /* Logged out from crypto */
	AUDIT_CRYPTO_KEY_USER          auditConstant = 2404 /* Create,delete,negotiate */
	AUDIT_CRYPTO_FAILURE_USER      auditConstant = 2405 /* Fail decrypt,encrypt,randomiz */
	AUDIT_CRYPTO_REPLAY_USER       auditConstant = 2406 /* Crypto replay detected */
	AUDIT_CRYPTO_SESSION           auditConstant = 2407 /* Record parameters set during TLS session establishment */
	AUDIT_CRYPTO_IKE_SA            auditConstant = 2408 /* Record parameters related to IKE SA */
	AUDIT_CRYPTO_IPSEC_SA          auditConstant = 2409 /* Record parameters related to IPSEC SA */
	AUDIT_LAST_CRYPTO_MSG          auditConstant = 2499

	// Virtualization records (2500-2599).
	AUDIT_FIRST_VIRT_MSG  auditConstant = 2500
	AUDIT_VIRT_CONTROL    auditConstant = 2500 /* Start, Pause, Stop VM */
	AUDIT_VIRT_RESOURCE   auditConstant = 2501 /* Resource assignment */
	AUDIT_VIRT_MACHINE_ID auditConstant = 2502 /* Binding of label to VM */
	AUDIT_LAST_VIRT_MSG   auditConstant = 2599

	AUDIT_LAST_USER_MSG2 auditConstant = 2999

	// Field comparing constants: values for an AUDIT_FIELD_COMPARE rule field.
	// Note they share the auditConstant type with the message types above
	// even though they live in a different value space.
	AUDIT_COMPARE_UID_TO_OBJ_UID   auditConstant = 1
	AUDIT_COMPARE_GID_TO_OBJ_GID   auditConstant = 2
	AUDIT_COMPARE_EUID_TO_OBJ_UID  auditConstant = 3
	AUDIT_COMPARE_EGID_TO_OBJ_GID  auditConstant = 4
	AUDIT_COMPARE_AUID_TO_OBJ_UID  auditConstant = 5
	AUDIT_COMPARE_SUID_TO_OBJ_UID  auditConstant = 6
	AUDIT_COMPARE_SGID_TO_OBJ_GID  auditConstant = 7
	AUDIT_COMPARE_FSUID_TO_OBJ_UID auditConstant = 8
	AUDIT_COMPARE_FSGID_TO_OBJ_GID auditConstant = 9
	AUDIT_COMPARE_UID_TO_AUID      auditConstant = 10
	AUDIT_COMPARE_UID_TO_EUID      auditConstant = 11
	AUDIT_COMPARE_UID_TO_FSUID     auditConstant = 12
	AUDIT_COMPARE_UID_TO_SUID      auditConstant = 13
	AUDIT_COMPARE_AUID_TO_FSUID    auditConstant = 14
	AUDIT_COMPARE_AUID_TO_SUID     auditConstant = 15
	AUDIT_COMPARE_AUID_TO_EUID     auditConstant = 16
	AUDIT_COMPARE_EUID_TO_SUID     auditConstant = 17
	AUDIT_COMPARE_EUID_TO_FSUID    auditConstant = 18
	AUDIT_COMPARE_SUID_TO_FSUID    auditConstant = 19
	AUDIT_COMPARE_GID_TO_EGID      auditConstant = 20
	AUDIT_COMPARE_GID_TO_FSGID     auditConstant = 21
	AUDIT_COMPARE_GID_TO_SGID      auditConstant = 22
	AUDIT_COMPARE_EGID_TO_FSGID    auditConstant = 23
	AUDIT_COMPARE_EGID_TO_SGID     auditConstant = 24
	AUDIT_COMPARE_SGID_TO_FSGID    auditConstant = 25
)
const (
	// AUDIT_STATUS_SIZE is the number of bytes this package expects in the
	// kernel's audit_status payload (the unexported auditStatus type).
	// NOTE(review): the kernel's struct audit_status has been extended in
	// newer kernels, so an AUDIT_GET reply may be longer than this; a parser
	// should accept a longer payload and reject a shorter one rather than
	// assume an exact size -- confirm against the status-handling code.
	AUDIT_STATUS_SIZE = 40 // Size of auditStatus
)
Variables ¶
This section is empty.
Functions ¶
func AuditIsEnabled ¶
AuditIsEnabled returns true if auditing is enabled in the kernel.
func AuditSetBacklogLimit ¶
AuditSetBacklogLimit sets the backlog limit for audit messages in the kernel
func AuditSetEnabled ¶
AuditSetEnabled enables or disables auditing in the kernel.
func AuditSetPID ¶
AuditSetPID registers pid with the kernel as the audit daemon (audit_set_pid(3)), i.e. the process to which the kernel delivers audit events. Only one daemon PID is registered at a time, so calling this while auditd is running conflicts with it.
func AuditSetRateLimit ¶
AuditSetRateLimit sets the rate limit for audit messages from the kernel
func DeleteAllRules ¶
DeleteAllRules removes all audit rules currently in use in the audit system
func GetAuditEvents ¶
func GetAuditEvents(s Netlink, cb EventCallback)
GetAuditEvents receives audit messages from the kernel and parses them into AuditEvent values. It passes each event to the callback function; if an error occurs while receiving or parsing a message, the error is passed to the callback as well.
This function starts a goroutine (which never returns) and itself returns immediately. There is no way to stop that goroutine; use GetAuditMessages, which takes a done channel, if the receiver needs to be stopped.
func GetAuditMessages ¶
func GetAuditMessages(s Netlink, cb EventCallback, done *chan bool)
GetAuditMessages is a blocking function (it runs an infinite receive loop) that receives audit messages from the kernel and parses them into AuditEvent values. It passes each event to the callback function; if an error occurs while receiving a message, the error is passed to the callback as well.
It will return when a signal is received on the done channel.
func GetRawAuditEvents ¶
func GetRawAuditEvents(s Netlink, cb RawEventCallback)
GetRawAuditEvents is similar to GetAuditEvents, however it returns raw messages and does not parse incoming audit data.
func ListAllRules ¶
ListAllRules returns a list of audit rules from the kernel. Note that the list is returned as a slice of strings, formatted in the way auditctl would display the audit rules.
XXX Conversion back to an AuditRules type is not currently supported. This function should likely instead return an AuditRules type, which can then be translated into an auditctl style output if desired.
func SetRules ¶
SetRules sets the audit rule set in the kernel, based on the JSON audit rule data in content. Because an AuditRules document carries delete/enable/buffer/rate settings as well as the rules themselves, treat rule content as privileged configuration and do not load it from untrusted sources.
Any warnings which are non-fatal (e.g., attempting to set a watch rule on a nonexistent file) are included in the warnings slice which is returned. If a fatal error occurs, err will be non-nil.
Types ¶
type AuditEvent ¶
// AuditEvent is a parsed audit message.
//
// Serial and Timestamp are kept as strings; callers that need ordering or
// numeric comparison must convert them. Data holds the record's fields keyed
// by field name. Values such as paths, command lines and exe names originate
// from the audited process and are attacker-influenced, so do not treat them
// as sanitised when logging or rendering them. Whether hex-encoded fields are
// decoded presumably depends on the interpret flag of ParseAuditEvent -- confirm.
type AuditEvent struct {
	Serial    string            // Message serial
	Timestamp string            // Timestamp
	Type      string            // Audit event type
	Data      map[string]string // Map of field values in the audit message
	Raw       string            // Raw audit message from kernel
}
AuditEvent is a parsed audit message.
func NewAuditEvent ¶
func NewAuditEvent(msg NetlinkMessage) (*AuditEvent, error)
NewAuditEvent takes a NetlinkMessage passed from the netlink connection and parses the data from the message header to return an AuditEvent type.
Note that it is possible here that we don't have a full event to return. In some cases a single audit event is represented by multiple records from the kernel. This function buffers partial fragments of such an event and may only return the complete event once an AUDIT_EOE record has been received for it.
See https://www.redhat.com/archives/linux-audit/2016-January/msg00019.html for additional information on the behavior of this function.
func ParseAuditEvent ¶
func ParseAuditEvent(str string, msgType auditConstant, interpret bool) (*AuditEvent, error)
ParseAuditEvent parses an incoming audit message from kernel and returns an AuditEvent.
msgType is supposed to come from the calling function, which holds the message header indicating the type of the message. The parser uses simple string parsing techniques and provides better performance than the regex parser; the idea is taken from parse_up_record(rnode* r) in ellist.c (libauparse).
type AuditFileRule ¶
// AuditFileRule describes the JSON format for a file type audit rule.
//
// If StrictPathCheck is true and Path does not exist when the watch is added,
// SetRules returns an error. If false (the default) the rule is skipped and
// only reported in SetRules' warnings, which means the path is not watched at
// all; set it for watches you rely on.
type AuditFileRule struct {
	Path            string `json:"path"`              // path of the file or directory to watch
	Key             string `json:"key"`               // rule key used to tag records produced by this rule
	Permission      string `json:"permission"`        // access types to watch; presumably auditctl-style letters mapped onto AUDIT_PERM_* -- confirm
	StrictPathCheck bool   `json:"strict_path_check"` // fail SetRules (instead of warning) when Path does not exist
}
AuditFileRule describes the JSON format for a file type audit rule
If StrictPathCheck is true and the path the watch is being added for does not exist, this causes SetRules to return an error. If false (the default), the rule is skipped and only reported in the warnings returned by SetRules — meaning the path is not watched at all. Enable StrictPathCheck for watches whose absence you need to detect.
type AuditRule ¶
// AuditRule is an interface abstraction for file system and system call type
// audit rules (AuditFileRule and AuditSyscallRule). Its methods are
// unexported, so the interface cannot be implemented outside this package.
type AuditRule interface {
	// contains filtered or unexported methods
}
AuditRule is an interface abstraction for file system and system call type audit rules
type AuditRules ¶
// AuditRules describes a set of audit rules in JSON format.
//
// NOTE(review): this is control-plane configuration, not just a rule list:
// judging by the field names, a document can remove the existing rule set and
// change the kernel's enabled/backlog/rate settings. Treat rule documents as
// privileged input. Confirm the exact handling of each field against SetRules.
type AuditRules struct {
	RawRules interface{} `json:"audit_rules"` // rule list as decoded from JSON; presumably turned into AuditRules by SetRules -- confirm
	Delete   bool        `json:"delete"`      // presumably: remove existing rules before loading (cf. DeleteAllRules) -- confirm
	Enable   string      `json:"enable"`      // presumably mapped onto AuditSetEnabled; carried as a string, so validate before use -- confirm
	Buffer   string      `json:"buffer"`      // presumably the backlog limit for AuditSetBacklogLimit -- confirm
	Rate     string      `json:"rate"`        // presumably the rate limit for AuditSetRateLimit -- confirm
	// Decoded, typed rules. This field has no json tag: encoding/json matches
	// untagged exported fields by name (case-insensitively), so a document
	// containing an "AuditRules" key is matched to this field rather than
	// ignored. Consider `json:"-"` if it is meant to be library-populated only.
	AuditRules []AuditRule
}
AuditRules describes a set of audit rules in JSON format
type AuditSyscallRule ¶
// AuditSyscallRule describes the JSON format for a syscall type audit rule.
//
// Fields holds the rule's field comparisons (name, operator, value; cf. the
// AUDIT_* field ids and the AUDIT_EQUAL etc. operator constants), Syscalls the
// syscall names the rule applies to, and Actions the filter list and action
// (presumably auditctl-style, e.g. "always" and "exit" -- confirm in SetRules).
type AuditSyscallRule struct {
	Key    string `json:"key"` // rule key used to tag records produced by this rule
	Fields []struct {
		Name  string      `json:"name"`  // field name
		Value interface{} `json:"value"` // Can be a string or int; note encoding/json decodes JSON numbers into float64, not int
		Op    string      `json:"op"`    // comparison operator
	} `json:"fields"`
	Syscalls []string `json:"syscalls"` // syscall names; how the architecture is chosen for name resolution is not visible here -- confirm
	Actions  []string `json:"actions"`  // filter list and action for the rule
}
AuditSyscallRule describes the JSON format for a syscall type audit rule
type ErrorAuditParse ¶
ErrorAuditParse is an implementation of the error interface that is returned by ParseAuditEvent. msg will contain a description of the error, and the raw audit event which failed parsing is returned in raw for inspection by the calling program.
func (ErrorAuditParse) Error ¶
func (e ErrorAuditParse) Error() string
Error returns a string representation of ErrorAuditParse e
type EventCallback ¶
// EventCallback is the function definition for any function that wants to
// receive an AuditEvent as soon as it is received from the kernel. The error
// argument is set to indicate any error that occurred while receiving or
// parsing messages; in that case the *AuditEvent is presumably nil, so check
// the error before dereferencing the event. With GetAuditEvents the callback
// is presumably invoked from the receiving goroutine, so anything it shares
// with other goroutines must be synchronised -- confirm.
type EventCallback func(*AuditEvent, error)
EventCallback is the function definition for any function that wants to receive an AuditEvent as soon as it is received from the kernel. Error will be set to indicate any error that occurs while receiving messages.
type Netlink ¶
// Netlink abstracts the netlink I/O functions used to talk to the kernel audit
// subsystem; it is generally implemented by NetlinkConnection, and exists so
// the package functions can be exercised against a fake connection.
//
// NOTE(review): unicast netlink messages can be sent by other processes, not
// only the kernel. Confirm that the Receive implementation verifies the sender
// (the kernel's portid is 0) before messages are trusted as audit records.
type Netlink interface {
	Send(request *NetlinkMessage) error                  // Send a NetlinkMessage
	Receive(nonblocking bool) ([]NetlinkMessage, error) // Receive netlink message(s) from the kernel
	GetPID() (int, error)                                // Get netlink peer PID
}
Netlink is an interface abstracting netlink I/O functions; it is generally implemented by NetlinkConnection.
type NetlinkConnection ¶
// NetlinkConnection describes a netlink interface with the kernel and
// implements the Netlink interface. Programs should obtain one from
// NewNetlinkConnection() (the zero value is presumably not usable) and call
// Close() when finished so the socket is released.
type NetlinkConnection struct {
	// contains filtered or unexported fields
}
NetlinkConnection describes a netlink interface with the kernel.
Programs should call NewNetlinkConnection() to create a new instance.
func NewNetlinkConnection ¶
func NewNetlinkConnection() (ret *NetlinkConnection, err error)
NewNetlinkConnection creates a new netlink connection with the kernel audit subsystem and returns a NetlinkConnection describing it. The process should ensure it has the required privileges before calling (in practice root, or the audit capabilities such as CAP_AUDIT_CONTROL for changing status and rules). An error is returned if any error is encountered creating the netlink connection.
func (*NetlinkConnection) Close ¶
func (s *NetlinkConnection) Close()
Close closes the Netlink connection.
func (*NetlinkConnection) GetPID ¶
func (s *NetlinkConnection) GetPID() (int, error)
GetPID returns the netlink port ID of the netlink socket peer.
func (*NetlinkConnection) Receive ¶
func (s *NetlinkConnection) Receive(nonblocking bool) ([]NetlinkMessage, error)
Receive returns any available netlink messages being sent to us by the kernel.
func (*NetlinkConnection) Send ¶
func (s *NetlinkConnection) Send(request *NetlinkMessage) error
Send sends NetlinkMessage request using an allocated NetlinkConnection.
type NetlinkMessage ¶
// NetlinkMessage is the struct type that is used for communicating on netlink
// sockets. It is a defined type over syscall.NetlinkMessage (a Header of type
// syscall.NlMsghdr plus a Data []byte payload), not an alias, so values must
// be converted explicitly when passed to or from syscall APIs.
type NetlinkMessage syscall.NetlinkMessage
NetlinkMessage is the struct type that is used for communicating on netlink sockets.
func (*NetlinkMessage) ToWireFormat ¶
func (rr *NetlinkMessage) ToWireFormat() []byte
ToWireFormat converts a given NetlinkMessage to a byte stream suitable to be sent to the kernel.
type RawEventCallback ¶
RawEventCallback is similar to EventCallback but the difference is that the function will receive only the message string which contains the audit event and not the parsed AuditEvent struct.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
auditprint is a simple command line tool that loads an audit rule set from a JSON file, applies it to the current kernel and begins printing any audit event the kernel sends in JSON format.
auditprint is a simple command line tool that loads an audit rule set from a JSON file, applies it to the current kernel and begins printing any audit event the kernel sends in JSON format. |