libaudit

package module
v2.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 6, 2024 License: Apache-2.0 Imports: 11 Imported by: 19

README

go-libaudit

Go Documentation

go-libaudit is a library for Go (golang) for communicating with the Linux Audit Framework. The Linux Audit Framework provides system call auditing in the kernel and logs the events to user-space using netlink sockets. This library facilitates user-space applications that want to receive audit events.

Installation and Usage

Package documentation can be found on GoDoc.

Installation can be done with a normal go get:

$ go get github.com/elastic/go-libaudit
audit example

go-libaudit has two example applications that you can use to try the library. The first is audit which registers to receive audit events from the kernel and outputs the data it receives to stdout. The system's auditd process should be stopped first.

$ go install github.com/elastic/go-libaudit/cmd/audit@main
$ sudo $GOPATH/bin/audit -d
auparse example

The second is auparse which parses the log files from the Linux auditd process or the output of the audit example command. It combines related log messages that are a part of the same event.

$ go install github.com/elastic/go-libaudit/cmd/auparse@main
$ sudo cat /var/log/audit/audit.log | auparse
---
type=CRED_ACQ msg=audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
---
type=USER_START msg=audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
---
type=SYSCALL msg=audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1481077334.304:547): argc=1 a0="su"
type=CWD msg=audit(1481077334.304:547):  cwd="/home/andrew_kroh"
type=PATH msg=audit(1481077334.304:547): item=0 name="/bin/su" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL
type=PATH msg=audit(1481077334.304:547): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL

It supports outputting the messages as plain text (default), JSON, or YAML by using -format=yaml for example.

$ sudo cat /var/log/audit/audit.log | auparse -format=json
---
{"@timestamp":"2016-12-07 02:22:14.302 +0000 UTC","acct":"root","auid":"1000","exe":"/usr/bin/sudo","grantors":"pam_env,pam_unix","op":"PAM:setcred","pid":"1444","raw_msg":"audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'","record_type":"CRED_ACQ","result":"success","sequence":"545","ses":"4","subj_category":"c0.c1023","subj_domain":"unconfined_t","subj_level":"s0-s0","subj_role":"unconfined_r","subj_user":"unconfined_u","terminal":"/dev/pts/1","uid":"0"}
---
{"@timestamp":"2016-12-07 02:22:14.303 +0000 UTC","acct":"root","auid":"1000","exe":"/usr/bin/sudo","grantors":"pam_keyinit,pam_limits","op":"PAM:session_open","pid":"1444","raw_msg":"audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'","record_type":"USER_START","result":"success","sequence":"546","ses":"4","subj_category":"c0.c1023","subj_domain":"unconfined_t","subj_level":"s0-s0","subj_role":"unconfined_r","subj_user":"unconfined_u","terminal":"/dev/pts/1","uid":"0"}
---
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","a0":"7f683953a5d8","a1":"7f683953fd38","a2":"7f6839543a90","a3":"6","arch":"x86_64","auid":"1000","comm":"su","egid":"0","euid":"0","exe":"/usr/bin/su","exit":"0","fsgid":"0","fsuid":"0","gid":"0","items":"2","pid":"1445","ppid":"1444","raw_msg":"audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm=\"su\" exe=\"/usr/bin/su\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)","record_type":"SYSCALL","result":"success","sequence":"547","ses":"4","sgid":"0","subj_category":"c0.c1023","subj_domain":"unconfined_t","subj_level":"s0-s0","subj_role":"unconfined_r","subj_user":"unconfined_u","suid":"0","syscall":"execve","tty":"pts1","uid":"0"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","a0":"su","argc":"1","raw_msg":"audit(1481077334.304:547): argc=1 a0=\"su\"","record_type":"EXECVE","sequence":"547"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","cwd":"/home/andrew_kroh","raw_msg":"audit(1481077334.304:547):  cwd=\"/home/andrew_kroh\"","record_type":"CWD","sequence":"547"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","dev":"08:01","inode":"5026","item":"0","mode":"0104755","name":"/bin/su","obj_domain":"su_exec_t","obj_level":"s0","obj_role":"object_r","obj_user":"system_u","objtype":"NORMAL","ogid":"0","ouid":"0","raw_msg":"audit(1481077334.304:547): item=0 name=\"/bin/su\" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL","rdev":"00:00","record_type":"PATH","sequence":"547"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","dev":"08:01","inode":"16778495","item":"1","mode":"0100755","name":"/lib64/ld-linux-x86-64.so.2","obj_domain":"ld_so_t","obj_level":"s0","obj_role":"object_r","obj_user":"system_u","objtype":"NORMAL","ogid":"0","ouid":"0","raw_msg":"audit(1481077334.304:547): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL","rdev":"00:00","record_type":"PATH","sequence":"547"}

To normalize and interpret the messages, use the -i flag for "interpret". This adds a category to the event and creates the actor, action, thing, and how fields based on data from the event. By default it will resolve UID and GID values to their names (use -id=false to disable this).

$ sudo cat /var/log/audit/audit.log | auparse -format=yaml -i
---
timestamp: 2016-12-07T02:22:14.302Z
sequence: 545
category: user-login
record_type: cred_acq
result: success
session: "4"
summary:
  actor:
    primary: vagrant
    secondary: root
  action: acquired-credentials
  object:
    type: user-session
    primary: /dev/pts/1
  how: /usr/bin/sudo
user:
  ids:
    auid: "1000"
    uid: "0"
  names:
    auid: vagrant
    uid: root
  selinux:
    category: c0.c1023
    domain: unconfined_t
    level: s0-s0
    role: unconfined_r
    user: unconfined_u
process:
  pid: "1444"
  exe: /usr/bin/sudo
data:
  acct: root
  grantors: pam_env,pam_unix
  op: PAM:setcred
  terminal: /dev/pts/1
ecs:
  event:
    category:
    - authentication
    type:
    - info
  user:
    name: vagrant
    id: "1000"
    effective:
      name: root
      id: "0"
    target: {}
    changes: {}
  group: {}

---
timestamp: 2016-12-07T02:22:14.303Z
sequence: 546
category: user-login
record_type: user_start
result: success
session: "4"
summary:
  actor:
    primary: vagrant
    secondary: root
  action: started-session
  object:
    type: user-session
    primary: /dev/pts/1
  how: /usr/bin/sudo
user:
  ids:
    auid: "1000"
    uid: "0"
  names:
    auid: vagrant
    uid: root
  selinux:
    category: c0.c1023
    domain: unconfined_t
    level: s0-s0
    role: unconfined_r
    user: unconfined_u
process:
  pid: "1444"
  exe: /usr/bin/sudo
data:
  acct: root
  grantors: pam_keyinit,pam_limits
  op: PAM:session_open
  terminal: /dev/pts/1
ecs:
  event:
    category:
    - authentication
    type:
    - info
  user:
    name: vagrant
    id: "1000"
    effective:
      name: root
      id: "0"
    target: {}
    changes: {}
  group: {}

---
timestamp: 2016-12-07T02:22:14.304Z
sequence: 547
category: audit-rule
record_type: syscall
result: success
session: "4"
summary:
  actor:
    primary: vagrant
    secondary: root
  action: executed
  object:
    type: file
    primary: /bin/su
  how: /usr/bin/su
user:
  ids:
    auid: "1000"
    egid: "0"
    euid: "0"
    fsgid: "0"
    fsuid: "0"
    gid: "0"
    sgid: "0"
    suid: "0"
    uid: "0"
  names:
    auid: vagrant
    egid: root
    euid: root
    fsgid: root
    fsuid: root
    gid: root
    sgid: root
    suid: root
    uid: root
  selinux:
    category: c0.c1023
    domain: unconfined_t
    level: s0-s0
    role: unconfined_r
    user: unconfined_u
process:
  pid: "1445"
  ppid: "1444"
  name: su
  exe: /usr/bin/su
  cwd: /home/andrew_kroh
  args:
  - su
file:
  path: /bin/su
  device: "00:00"
  inode: "5026"
  mode: "0755"
  uid: "0"
  gid: "0"
  owner: root
  group: root
  selinux:
    domain: su_exec_t
    level: s0
    role: object_r
    user: system_u
data:
  a0: 7f683953a5d8
  a1: 7f683953fd38
  a2: 7f6839543a90
  a3: "6"
  arch: x86_64
  argc: "1"
  exit: "0"
  syscall: execve
  tty: pts1
paths:
- dev: "08:01"
  inode: "5026"
  item: "0"
  mode: "0104755"
  name: /bin/su
  obj_domain: su_exec_t
  obj_level: s0
  obj_role: object_r
  obj_user: system_u
  objtype: NORMAL
  ogid: "0"
  ouid: "0"
  rdev: "00:00"
- dev: "08:01"
  inode: "16778495"
  item: "1"
  mode: "0100755"
  name: /lib64/ld-linux-x86-64.so.2
  obj_domain: ld_so_t
  obj_level: s0
  obj_role: object_r
  obj_user: system_u
  objtype: NORMAL
  ogid: "0"
  ouid: "0"
  rdev: "00:00"
ecs:
  event:
    category:
    - process
    type:
    - start
  user:
    effective: {}
    target: {}
    changes: {}
  group: {}

ECS compatibility

This currently provides Elastic Common Schema (ECS) 1.8 categorization support for some of the more prominent or meaningful auditd events and syscalls.

Documentation

Overview

Package libaudit is a library for Go (golang) for communicating with the Linux Audit Framework. The Linux Audit Framework provides system call auditing in the kernel and logs the events to user-space using netlink sockets. This library facilitates user-space applications that want to receive audit events.

Index

Constants

View Source
const (
	AuditGet uint16 = iota + 1000
	AuditSet
)

Audit command and control message types.

View Source
const (
	NetlinkGroupNone    = iota // Group 0 not used
	NetlinkGroupReadLog        // "best effort" read only socket
)

Netlink groups.

View Source
const (
	AuditFeatureBitmapBacklogLimit = 1 << iota
	AuditFeatureBitmapBacklogWaitTime
	AuditFeatureBitmapExecutablePath
	AuditFeatureBitmapExcludeExtend
	AuditFeatureBitmapSessionIDFilter
	AuditFeatureBitmapLostReset
)
View Source
const (
	// AuditMessageMaxLength is the maximum length of an audit message (data
	// portion of a NetlinkMessage).
	// https://github.com/linux-audit/audit-userspace/blob/990aa27ccd02f9743c4f4049887ab89678ab362a/lib/libaudit.h#L435
	AuditMessageMaxLength = 8970
)
View Source
const (

	// MinSizeofAuditStatus is the minimum usable message size for
	// the earliest 2.6.32 kernel supported by Go.
	// https://elixir.bootlin.com/linux/v2.6.32/source/include/linux/audit.h#L317
	// Messages this size do not report features after the Backlog field.
	// Users should consult the feature bitmap to determine which
	// features are valid.
	MinSizeofAuditStatus = int(unsafe.Offsetof(AuditStatus{}.Backlog) + unsafe.Sizeof(AuditStatus{}.Backlog))
)

Variables

This section is empty.

Functions

func ParseNetlinkError

func ParseNetlinkError(netlinkData []byte) error

ParseNetlinkError parses the errno from the data section of a syscall.NetlinkMessage. If netlinkData is less than 4 bytes an error describing the problem will be returned.

Types

type AuditClient

type AuditClient struct {
	Netlink NetlinkSendReceiver
	// contains filtered or unexported fields
}

AuditClient is a client for communicating with the Linux kernels audit interface over netlink.

func NewAuditClient

func NewAuditClient(resp io.Writer) (*AuditClient, error)

NewAuditClient creates a new AuditClient. The resp parameter is optional. If provided resp will receive a copy of all data read from the netlink socket. This is useful for debugging purposes.

func NewMulticastAuditClient

func NewMulticastAuditClient(resp io.Writer) (*AuditClient, error)

NewMulticastAuditClient creates a new AuditClient that binds to the multicast socket subscribes to the audit group. The process should have the CAP_AUDIT_READ capability to use this. This audit client should not be used for command and control. The resp parameter is optional. If provided resp will receive a copy of all data read from the netlink socket. This is useful for debugging purposes.

func (*AuditClient) AddRule

func (c *AuditClient) AddRule(rule []byte) error

AddRule adds the given rule to the kernel's audit rule list.

func (*AuditClient) Close

func (c *AuditClient) Close() error

Close closes the AuditClient and frees any associated resources. If the audit PID was set it will be cleared (set 0). Any invocations beyond the first become no-ops.

func (*AuditClient) DeleteRule

func (c *AuditClient) DeleteRule(rule []byte) error

DeleteRule deletes the given rule (specified in binary format).

func (*AuditClient) DeleteRules

func (c *AuditClient) DeleteRules() (int, error)

DeleteRules deletes all rules.

func (*AuditClient) GetRules

func (c *AuditClient) GetRules() ([][]byte, error)

GetRules returns a list of audit rules (in binary format).

func (*AuditClient) GetStatus

func (c *AuditClient) GetStatus() (*AuditStatus, error)

GetStatus returns the current status of the kernel's audit subsystem.

func (*AuditClient) GetStatusAsync

func (c *AuditClient) GetStatusAsync(requireACK bool) (seq uint32, err error)

GetStatusAsync sends a request for the status of the kernel's audit subsystem and returns without waiting for a response.

func (*AuditClient) Receive

func (c *AuditClient) Receive(nonBlocking bool) (*RawAuditMessage, error)

Receive reads an audit message from the netlink socket. If you are going to use the returned message then you should make a copy of the raw data before calling receive again because the raw data is backed by the read buffer.

func (*AuditClient) SetBacklogLimit

func (c *AuditClient) SetBacklogLimit(limit uint32, wm WaitMode) error

SetBacklogLimit sets the queue length for audit events awaiting transfer to the audit daemon. The default value is 64 which can potentially be overrun by bursts of activity. When the backlog limit is reached, the kernel consults the failure_flag to see what action to take.

func (*AuditClient) SetBacklogWaitTime

func (c *AuditClient) SetBacklogWaitTime(waitTime int32, wm WaitMode) error

SetBacklogWaitTime sets the time that the kernel will wait for a buffer in the backlog queue to become available before dropping the event. This has the side effect of blocking the thread that was invoking the syscall being audited. waitTime is measured in jiffies, default in kernel is 60*HZ (60 seconds). A value of 0 disables the wait time completely, causing the failure mode to be invoked immediately when the backlog queue is full. Attempting to set a negative value or a value 10x larger than the default will fail with EINVAL.

func (*AuditClient) SetEnabled

func (c *AuditClient) SetEnabled(enabled bool, wm WaitMode) error

SetEnabled is used to control whether or not the audit system is active. When the audit system is enabled (enabled set to 1), every syscall will pass through the audit system to collect information and potentially trigger an event.

func (*AuditClient) SetFailure

func (c *AuditClient) SetFailure(fm FailureMode, wm WaitMode) error

SetFailure sets the action that the kernel will perform when the backlog limit is reached or when it encounters an error and cannot proceed.

func (*AuditClient) SetImmutable

func (c *AuditClient) SetImmutable(wm WaitMode) error

SetImmutable is used to lock the audit configuration so that it can't be changed. Locking the configuration is intended to be the last command you issue. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.

func (*AuditClient) SetPID

func (c *AuditClient) SetPID(wm WaitMode) error

SetPID sends a netlink message to the kernel telling it the PID of the client that should receive audit messages. https://github.com/linux-audit/audit-userspace/blob/990aa27ccd02f9743c4f4049887ab89678ab362a/lib/libaudit.c#L432-L464

func (*AuditClient) SetRateLimit

func (c *AuditClient) SetRateLimit(perSecondLimit uint32, wm WaitMode) error

SetRateLimit will set the maximum number of messages that the kernel will send per second. This can be used to throttle the rate if systems become unresponsive. Of course the trade off is that events will be dropped. The default value is 0, meaning no limit.

func (*AuditClient) WaitForPendingACKs

func (c *AuditClient) WaitForPendingACKs() error

WaitForPendingACKs waits for acknowledgements messages for operations executed with a WaitMode of NoWait. Such ACK messages are expected in the same order as the operations have been performed. If it receives an error, it is returned and no further ACKs are processed.

type AuditFeatureBitmap

type AuditFeatureBitmap uint32

AuditFeatureBitmap is a mask used to indicate which features are currently supported by the audit subsystem.

type AuditStatus

type AuditStatus struct {
	Mask                  AuditStatusMask // Bit mask for valid entries.
	Enabled               uint32          // 1 = enabled, 0 = disabled, 2 = immutable
	Failure               uint32          // Failure-to-log action.
	PID                   uint32          // PID of auditd process.
	RateLimit             uint32          // Messages rate limit (per second).
	BacklogLimit          uint32          // Waiting messages limit.
	Lost                  uint32          // Messages lost.
	Backlog               uint32          // Messages waiting in queue.
	FeatureBitmap         uint32          // Bitmap of kernel audit features (previously to 3.19 it was the audit api version number).
	BacklogWaitTime       uint32          // Message queue wait timeout.
	BacklogWaitTimeActual uint32          // Time the kernel has spent waiting while the backlog limit is exceeded.
}

AuditStatus is a status message and command and control message exchanged between the kernel and user-space. https://github.com/linux-audit/audit-kernel/blob/v5.9/include/uapi/linux/audit.h#L457-L474

func (*AuditStatus) FromWireFormat

func (s *AuditStatus) FromWireFormat(buf []byte) error

FromWireFormat unmarshals the given buffer to an AuditStatus object. It returns io.ErrUnexpectedEOF if len(buf) is less than MinSizeofAuditStatus.

type AuditStatusMask

type AuditStatusMask uint32

AuditStatusMask is a bitmask used to convey the fields used in AuditStatus. https://github.com/linux-audit/audit-kernel/blob/v4.7/include/uapi/linux/audit.h#L318-L325

const (
	AuditStatusEnabled AuditStatusMask = 1 << iota
	AuditStatusFailure
	AuditStatusPID
	AuditStatusRateLimit
	AuditStatusBacklogLimit
	AuditStatusBacklogWaitTime
	AuditStatusLost
)

Mask types for AuditStatus.

type FailureMode

type FailureMode uint32

FailureMode defines the kernel's behavior on critical errors.

const (
	// SilentOnFailure ignores errors.
	SilentOnFailure FailureMode = 0
	// LogOnFailure logs errors using printk.
	LogOnFailure
	// PanicOnFailure causes a kernel panic on error.
	PanicOnFailure
)

type NetlinkClient

type NetlinkClient struct {
	// contains filtered or unexported fields
}

NetlinkClient is a generic client for sending and receiving netlink messages.

func NewNetlinkClient

func NewNetlinkClient(proto int, groups uint32, readBuf []byte, resp io.Writer) (*NetlinkClient, error)

NewNetlinkClient creates a new NetlinkClient. It creates a socket and binds it. readBuf is an optional byte buffer used for reading data from the socket. The size of the buffer limits the maximum message size the can be read. If no buffer is provided one will be allocated using the OS page size. resp is optional and can be used to receive a copy of all bytes read from the socket (this is useful for debugging).

The returned NetlinkClient must be closed with Close() when finished.

func (*NetlinkClient) Close

func (c *NetlinkClient) Close() error

Close closes the netlink client's raw socket.

func (*NetlinkClient) Receive

func (c *NetlinkClient) Receive(nonBlocking bool, p NetlinkParser) ([]syscall.NetlinkMessage, error)

Receive receives data from the netlink socket and uses the provided parser to convert the raw bytes to NetlinkMessages. See NetlinkReceiver docs.

func (*NetlinkClient) Send

Send sends a netlink message and returns the sequence number used in the message and an error if it occurred. If the PID is not set then the value will be populated automatically (recommended).

type NetlinkParser

type NetlinkParser func([]byte) ([]syscall.NetlinkMessage, error)

NetlinkParser parses the raw bytes read from the netlink socket into netlink messages.

type NetlinkReceiver

type NetlinkReceiver interface {
	Receive(nonBlocking bool, p NetlinkParser) ([]syscall.NetlinkMessage, error)
}

NetlinkReceiver receives data from the netlink socket and uses the provided parser to convert the raw bytes to NetlinkMessages. For most uses cases syscall.ParseNetlinkMessage should be used. If nonBlocking is true then instead of blocking when no data is available, EWOULDBLOCK is returned.

type NetlinkSendReceiver

type NetlinkSendReceiver interface {
	io.Closer
	NetlinkSender
	NetlinkReceiver
}

NetlinkSendReceiver combines the Send and Receive into one interface.

type NetlinkSender

type NetlinkSender interface {
	Send(msg syscall.NetlinkMessage) (uint32, error)
}

NetlinkSender sends a netlink message and returns the sequence number used in the message and an error if it occurred.

type RawAuditMessage

type RawAuditMessage struct {
	Type auparse.AuditMessageType
	Data []byte // RawData is backed by the read buffer so make a copy.
}

RawAuditMessage is a raw audit message received from the kernel.

type Reassembler

type Reassembler struct {
	// contains filtered or unexported fields
}

Reassembler combines related messages in to an event based on their timestamp and sequence number. It handles messages that may be have been received out of order or are interleaved. Reassembler is concurrency-safe.

The Reassembler uses callbacks (see Stream interface) to notify the user of completed messages. Callbacks for reassembled events will occur in order of sequence number unless a late message is received that falls outside of the sequences held in memory.

func NewReassembler

func NewReassembler(maxInFlight int, timeout time.Duration, stream Stream) (*Reassembler, error)

NewReassembler returns a new Reassembler. maxInFlight controls the maximum number of events (based on timestamp + sequence) that are buffered. timeout controls how long the Reassembler waits for an EOE message (end-of-event) before evicting the event. And stream receives the callbacks for completed events and lost events.

func (*Reassembler) Close

func (r *Reassembler) Close() error

Close flushes any cached events and closes the Reassembler.

func (*Reassembler) Maintain

func (r *Reassembler) Maintain() error

Maintain performs maintenance on the cached message. It can be called periodically to evict timed-out events. It returns a non-nil error if the Reassembler has been closed.

func (*Reassembler) Push

func (r *Reassembler) Push(typ auparse.AuditMessageType, rawData []byte) error

Push pushes a new audit message into the Reassembler. This is a convenience function that handles calling auparse.Parse() to extract the message's timestamp and sequence number. It copies the rawData contents. If parsing fails then an error will be returned. See PushMessage.

func (*Reassembler) PushMessage

func (r *Reassembler) PushMessage(msg *auparse.AuditMessage)

PushMessage pushes a new AuditMessage message into the Reassembler. Callbacks may be triggered as a result.

type Stream

type Stream interface {
	// ReassemblyComplete notifies that a complete group of events has been
	// received and provides those events.
	ReassemblyComplete(msgs []*auparse.AuditMessage)

	// EventsLost notifies that some events were lost. This is based on gaps
	// in the sequence numbers of received messages. Lost events can be caused
	// by a slow receiver or because the kernel is configured to rate limit
	// events.
	EventsLost(count int)
}

Stream is implemented by the user of the Reassembler to handle reassembled audit data.

type WaitMode

type WaitMode uint8

WaitMode is a flag to control the behavior of methods that abstract asynchronous communication for the caller.

const (
	// WaitForReply mode causes a call to wait for a reply message.
	WaitForReply WaitMode = iota + 1
	// NoWait mode causes a call to return without waiting for a reply message.
	NoWait
)

Directories

Path Synopsis
Package aucoalesce provides functions to coalesce compound audit messages into a single event and normalize all message types with some common fields.
Package aucoalesce provides functions to coalesce compound audit messages into a single event and normalize all message types with some common fields.
Package auparse is a pure Go audit log parsing library.
Package auparse is a pure Go audit log parsing library.
cmd
audit
audit is an example that receives audit messages from the kernel and outputs them to stdout.
audit is an example that receives audit messages from the kernel and outputs them to stdout.
flags
Package flags provides parsing of audit rules as specified using CLI flags in accordance to the man page for auditctl (from the auditd userspace tools).
Package flags provides parsing of audit rules as specified using CLI flags in accordance to the man page for auditctl (from the auditd userspace tools).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL