auditd

package
v6.2.3+incompatible
Published: Mar 12, 2018 License: Apache-2.0 Imports: 20 Imported by: 263

Documentation

Overview

Package auditd is a metricset that subscribes to the Linux Audit Framework to receive audit events from the kernel.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func New

func New(base mb.BaseMetricSet) (mb.MetricSet, error)

New constructs a new MetricSet.

Types

type Config

type Config struct {
	ResolveIDs   bool   `config:"resolve_ids"`         // Resolve UID/GIDs to names.
	FailureMode  string `config:"failure_mode"`        // Failure mode for the kernel (silent, log, panic).
	BacklogLimit uint32 `config:"backlog_limit"`       // Max number of messages to buffer in auditd.
	RateLimit    uint32 `config:"rate_limit"`          // Rate limit in messages/sec of messages from auditd.
	RawMessage   bool   `config:"include_raw_message"` // Include the list of raw audit messages in the event.
	Warnings     bool   `config:"include_warnings"`    // Include warnings in the event (for dev/debug purposes only).
	RulesBlob    string `config:"audit_rules"`         // Audit rules. One rule per line.
	SocketType   string `config:"socket_type"`         // Socket type to use with the kernel (unicast or multicast).

	// Tuning options (advanced, use with care)
	ReassemblerMaxInFlight uint32        `config:"reassembler.max_in_flight"`
	ReassemblerTimeout     time.Duration `config:"reassembler.timeout"`
	StreamBufferQueueSize  uint32        `config:"reassembler.queue_size"`
}

Config defines the kernel metricset's possible configuration options.

func (*Config) Validate

func (c *Config) Validate() error

Validate validates the rules specified in the config.
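As an added illustration of the audit_rules blob format (one rule per line) and the kind of check Validate could perform on it, the following is hypothetical code, not the package's own: Rules, validRule and CheckRules are assumed names, and the check accepts only the two common auditctl forms, -w <path> watch rules and -a action,list syscall rules.

```go
package main

import (
	"fmt"
	"strings"
)

// Rules splits an audit_rules blob into one rule per line, skipping blank lines and '#' comments.
func Rules(blob string) []string {
	var out []string
	for _, line := range strings.Split(blob, "\n") {
		if line = strings.TrimSpace(line); line != "" && line[0] != '#' {
			out = append(out, line)
		}
	}
	return out
}

// validRule accepts a watch rule ("-w /path ...") or a syscall rule ("-a action,list ...").
// Other auditctl forms (e.g. "-D") are rejected here; that is this example's simplification.
func validRule(r string) bool {
	f := strings.Fields(r)
	if len(f) < 2 {
		return false
	}
	switch f[0] {
	case "-w": // watch rules take an absolute path
		return strings.HasPrefix(f[1], "/")
	case "-a": // auditctl accepts both action,list and list,action
		act := map[string]bool{"always": true, "never": true}
		list := map[string]bool{"task": true, "exit": true, "user": true, "exclude": true}
		p := strings.SplitN(f[1], ",", 2)
		return len(p) == 2 && ((act[p[0]] && list[p[1]]) || (act[p[1]] && list[p[0]]))
	}
	return false
}

// CheckRules is a hypothetical stand-in for the rules part of (*Config).Validate,
// whose real checks the page does not show; it reports the first malformed rule.
func CheckRules(blob string) error {
	for i, r := range Rules(blob) {
		if !validRule(r) {
			return fmt.Errorf("audit_rules rule %d: unsupported rule %q", i+1, r)
		}
	}
	return nil
}
```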

type MetricSet

type MetricSet struct {
	mb.BaseMetricSet
	// contains filtered or unexported fields
}

MetricSet listens for audit messages from the Linux kernel using a netlink socket. It buffers the messages to ensure ordering and then streams the output. MetricSet implements the mb.PushMetricSet interface, and therefore does not rely on polling.

func (*MetricSet) Run

func (ms *MetricSet) Run(reporter mb.PushReporterV2)

Run initializes the audit client and receives audit messages from the kernel until the reporter's done channel is closed.
