aucoalesce

package
v0.4.0
Published: Aug 30, 2018 License: Apache-2.0 Imports: 12 Imported by: 192

Documentation

Overview

Package aucoalesce provides functions to coalesce compound audit messages into a single event and normalize all message types with some common fields.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadNormalizationConfig added in v0.0.3

func LoadNormalizationConfig(b []byte) (syscalls map[string]*Normalization, recordTypes map[string][]*Normalization, err error)

func ResolveIDs added in v0.0.3

func ResolveIDs(event *Event)

ResolveIDs translates all uid and gid values to their associated names. Prior to Go 1.9 this requires cgo on Linux. UID and GID values are cached for 60 seconds from the time they are read.

func ResolveIDsFromCaches added in v0.2.0

func ResolveIDsFromCaches(event *Event, users *UserCache, groups *GroupCache)

ResolveIDsFromCaches translates all uid and gid values to their associated names using the provided caches. Prior to Go 1.9 this requires cgo on Linux.

Types

type Actor added in v0.0.7

// Actor identifies the subject of an event (Summary.Actor) by a primary and
// an optional secondary value; both are omitted from JSON and YAML output
// when empty. Presumably filled from the record fields named by
// SubjectMapping.PrimaryFieldName / SecondaryFieldName — confirm against the
// normalization code.
type Actor struct {
	Primary   string `json:"primary,omitempty"   yaml:"primary,omitempty"`   // Main identifier of the actor.
	Secondary string `json:"secondary,omitempty" yaml:"secondary,omitempty"` // Optional additional identifier.
}

type Address added in v0.0.7

// Address describes one endpoint of an event, either a network address or a
// Unix socket (see Event.Source and Event.Dest). Every field is omitted from
// JSON and YAML output when empty.
type Address struct {
	Hostname string `json:"hostname,omitempty" yaml:"hostname,omitempty"` // Hostname.
	IP       string `json:"ip,omitempty"       yaml:"ip,omitempty"`       // IPv4 or IPv6 address.
	Port     string `json:"port,omitempty"     yaml:"port,omitempty"`     // Port number, kept as a string rather than parsed to an integer.
	Path     string `json:"path,omitempty"     yaml:"path,omitempty"`     // Unix socket path.
}

type AuditEventType added in v0.0.3

// AuditEventType is a categorization of a simple or compound audit event.
// The valid values are the EventType* constants; GetAuditEventType derives
// one from a message type. Because the type implements MarshalText, it is
// encoded as its String() form rather than as a number in JSON.
type AuditEventType uint16

AuditEventType is a categorization of a simple or compound audit event.

// Event categories. EventTypeUnknown is the zero value, so an Event whose
// Category was never set reports as unknown. EventTypeAnomoly and
// EventTypeAnomolyResponse keep their original (misspelled) names: they are
// exported, and renaming them would break importers of this package.
const (
	EventTypeUnknown AuditEventType = iota
	EventTypeUserspace
	EventTypeSystemServices
	EventTypeConfig
	EventTypeTTY
	EventTypeUserAccount
	EventTypeUserLogin
	EventTypeAuditDaemon
	EventTypeMACDecision
	EventTypeAnomoly
	EventTypeIntegrity
	EventTypeAnomolyResponse
	EventTypeMAC
	EventTypeCrypto
	EventTypeVirt
	EventTypeAuditRule
	EventTypeDACDecision
	EventTypeGroupChange
)

func GetAuditEventType added in v0.0.3

func GetAuditEventType(t AuditMessageType) AuditEventType

func (AuditEventType) MarshalText added in v0.0.3

func (t AuditEventType) MarshalText() (text []byte, err error)

func (AuditEventType) String added in v0.0.3

func (t AuditEventType) String() string

type Direction added in v0.0.7

// Direction says whether the traffic described by a Network was incoming or
// outgoing. The constants start at iota + 1, which leaves the zero value
// free so an unset Direction can be told apart from IncomingDir. MarshalText
// encodes the value as text in JSON.
type Direction uint8
const (
	IncomingDir Direction = iota + 1 // Traffic towards this host.
	OutgoingDir                      // Traffic from this host.
)

func (Direction) MarshalText added in v0.0.7

func (d Direction) MarshalText() ([]byte, error)

func (Direction) String added in v0.0.7

func (d Direction) String() string

type Event added in v0.0.3

// Event is a single normalized audit event. CoalesceMessages builds one from
// the auparse messages that share a timestamp and sequence number, and
// ResolveIDs / ResolveIDsFromCaches can then add user and group names.
// File, Source, Dest and Net are pointers so that a nil value is genuinely
// dropped by omitempty. The per-field notes marked "presumably" are
// inferred from names and tags; confirm them against CoalesceMessages.
type Event struct {
	Timestamp time.Time                `json:"@timestamp"       yaml:"timestamp"`       // Event time; written under the "@timestamp" key in JSON.
	Sequence  uint32                   `json:"sequence"         yaml:"sequence"`        // Audit sequence number shared by the coalesced messages.
	Category  AuditEventType           `json:"category"         yaml:"category"`        // Coarse category; serialized as text via AuditEventType.MarshalText.
	Type      auparse.AuditMessageType `json:"record_type"      yaml:"record_type"`     // Record type; which message's type is used for a compound event is not shown here.
	Result    string                   `json:"result,omitempty" yaml:"result,omitempty"` // Outcome; omitted when empty.
	Session   string                   `json:"session"          yaml:"session"`         // presumably the audit session ID — confirm.
	Tags      []string                 `json:"tags,omitempty"   yaml:"tags,omitempty"`   // Omitted when empty.

	Summary Summary  `json:"summary"               yaml:"summary"` // Normalized actor/action/object/how view.
	User    User     `json:"user"                  yaml:"user"`    // Numeric IDs, resolved names and SELinux labels of the user.
	// NOTE: encoding/json ignores omitempty on a non-pointer struct, so the
	// "process" key is always present in JSON even when Process.IsEmpty()
	// reports true; whether the YAML encoder omits it depends on the library.
	Process Process  `json:"process,omitempty"     yaml:"process,omitempty"`
	File    *File    `json:"file,omitempty"        yaml:"file,omitempty"`        // nil when the event has no file object.
	Source  *Address `json:"source,omitempty"      yaml:"source,omitempty"`      // nil when there is no source endpoint.
	Dest    *Address `json:"destination,omitempty" yaml:"destination,omitempty"` // nil when there is no destination endpoint; note the JSON key is "destination".
	Net     *Address `json:"network,omitempty"     yaml:"network,omitempty"`     // nil when there is no network direction.

	Data  map[string]string   `json:"data,omitempty"  yaml:"data,omitempty"`  // presumably the remaining raw record fields keyed by audit field name — confirm.
	Paths []map[string]string `json:"paths,omitempty" yaml:"paths,omitempty"` // presumably one map per PATH record, indexed by ObjectMapping.PathIndex — confirm.

	// Non-fatal problems recorded while building the event. The "-" tags
	// exclude them from JSON and YAML output, so a caller that wants to
	// surface them must read this field directly.
	Warnings []error `json:"-" yaml:"-"`
}

func CoalesceMessages

func CoalesceMessages(msgs []*auparse.AuditMessage) (*Event, error)

CoalesceMessages combines the given messages into a single event. It assumes that all the messages in the slice have the same timestamp and sequence number. An error is returned if msgs is empty or nil or only contains an EOE (end-of-event) message.

type File added in v0.0.7

// File describes the filesystem object of an event (Event.File). Every field
// is omitted from JSON and YAML output when empty. Numeric values (Device,
// Inode, Mode, UID, GID) are kept as strings as they appear in the record.
// Owner and Group presumably hold the names resolved from UID and GID by
// ResolveIDs / ResolveIDsFromCaches — confirm.
type File struct {
	Path    string            `json:"path,omitempty"    yaml:"path,omitempty"`
	Device  string            `json:"device,omitempty"  yaml:"device,omitempty"`
	Inode   string            `json:"inode,omitempty"   yaml:"inode,omitempty"`
	Mode    string            `json:"mode,omitempty"    yaml:"mode,omitempty"` // Permissions
	UID     string            `json:"uid,omitempty"     yaml:"uid,omitempty"`  // Numeric owner ID.
	GID     string            `json:"gid,omitempty"     yaml:"gid,omitempty"`  // Numeric group ID.
	Owner   string            `json:"owner,omitempty"   yaml:"owner,omitempty"` // Owner name.
	Group   string            `json:"group,omitempty"   yaml:"group,omitempty"` // Group name.
	SELinux map[string]string `json:"selinux,omitempty" yaml:"selinux,omitempty"` // SELinux labels.
}

type GroupCache added in v0.0.3

// GroupCache is a cache of GID to group name. Create one with NewGroupCache
// and query it with LookupGID; it is safe for concurrent use (see
// NewGroupCache). The zero value is not documented as usable.
type GroupCache struct {
	// contains filtered or unexported fields
}

GroupCache is a cache of GID to group name.

func NewGroupCache added in v0.0.3

func NewGroupCache(expiration time.Duration) *GroupCache

NewGroupCache returns a new GroupCache. GroupCache is thread-safe.

func (*GroupCache) LookupGID added in v0.0.3

func (c *GroupCache) LookupGID(gid string) string

LookupGID looks up a GID and returns the group associated with it. If no group could be found an empty string is returned. The value will be cached for a minute. This requires cgo on Linux.

type Network added in v0.0.7

// Network holds the network-related attributes of an event (Event.Net).
// Direction has no omitempty tag, so it is always written; an unset value
// is the zero Direction, which no constant uses.
type Network struct {
	Direction Direction `json:"direction" yaml:"direction"` // Incoming or outgoing traffic.
}

type Normalization added in v0.0.3

// Normalization is one rule of the YAML normalization config read by
// LoadNormalizationConfig. It describes how the fields of a matching record
// type or syscall are mapped onto Summary (Actor, Action, Object, How).
// Fields of type Strings accept either a single string or a list in YAML.
// The per-field notes below are inferred from field names and the Summary
// type; confirm them against the normalization code.
type Normalization struct {
	Subject     SubjectMapping `yaml:"subject"`      // Which record fields supply Summary.Actor.
	Action      string         `yaml:"action"`       // Literal value for Summary.Action.
	Object      ObjectMapping  `yaml:"object"`       // Which record fields supply Summary.Object.
	How         Strings        `yaml:"how"`          // Field(s) supplying Summary.How.
	RecordTypes Strings        `yaml:"record_types"` // Record types this rule applies to (keys of the recordTypes map returned by LoadNormalizationConfig).
	Syscalls    Strings        `yaml:"syscalls"`     // Syscalls this rule applies to (keys of the syscalls map returned by LoadNormalizationConfig).
	SourceIP    Strings        `yaml:"source_ip"`    // Field(s) holding the source IP address.
	HasFields   Strings        `yaml:"has_fields"`   // Fields that must be present for the rule to apply.
}

type NormalizationConfig added in v0.0.3

// NormalizationConfig is the top-level shape of the YAML normalization
// config: a Default rule plus the list of specific rules. Normalizations has
// no yaml tag, so the decoder's default key mapping applies (the lowercased
// field name, "normalizations", assuming gopkg.in/yaml.v2 — the
// Strings.UnmarshalYAML signature matches that library).
type NormalizationConfig struct {
	Default        Normalization `yaml:"default"` // Rule applied when no specific rule matches — presumably; confirm.
	Normalizations []Normalization
}

type Object added in v0.0.3

// Object is the thing an event acted upon (Summary.Object). All fields are
// omitted from JSON and YAML output when empty. Presumably filled according
// to an ObjectMapping — confirm against the normalization code.
type Object struct {
	Type      string `json:"type,omitempty"      yaml:"type,omitempty"`      // Kind of object (see ObjectMapping.What).
	Primary   string `json:"primary,omitempty"   yaml:"primary,omitempty"`   // Main identifier of the object.
	Secondary string `json:"secondary,omitempty" yaml:"secondary,omitempty"` // Optional additional identifier.
}

type ObjectMapping added in v0.0.3

// ObjectMapping is the "object" section of a Normalization rule: which record
// fields populate Object.Primary and Object.Secondary, what the object is,
// and which PATH record to use. The per-field notes are inferred from names
// and the Event/Object types; confirm against the normalization code.
type ObjectMapping struct {
	PrimaryFieldName   Strings `yaml:"primary"`    // Candidate field name(s) for Object.Primary.
	SecondaryFieldName Strings `yaml:"secondary"`  // Candidate field name(s) for Object.Secondary.
	What               string  `yaml:"what"`       // Presumably the value placed in Object.Type.
	PathIndex          int     `yaml:"path_index"` // Presumably an index into Event.Paths selecting the PATH record.
}

type Process added in v0.0.7

// Process describes the process involved in an event (Event.Process). All
// fields are omitted from JSON and YAML output when empty (but see the note
// on Event.Process about omitempty on struct values); IsEmpty reports
// whether every field is unset. PID and PPID are kept as strings.
//
// NOTE(review): Title, Name, Exe, CWD and Args appear to be copied from the
// audit record, i.e. they are chosen by the audited process itself, so
// consumers should treat them as untrusted text when rendering or matching
// on them — confirm against CoalesceMessages.
type Process struct {
	PID   string   `json:"pid,omitempty"   yaml:"pid,omitempty"`
	PPID  string   `json:"ppid,omitempty"  yaml:"ppid,omitempty"`
	Title string   `json:"title,omitempty" yaml:"title,omitempty"`
	Name  string   `json:"name,omitempty"  yaml:"name,omitempty"` // Comm
	Exe   string   `json:"exe,omitempty"   yaml:"exe,omitempty"`
	CWD   string   `json:"cwd,omitempty"   yaml:"cwd,omitempty"`
	Args  []string `json:"args,omitempty"  yaml:"args,omitempty"`
}

func (Process) IsEmpty added in v0.0.7

func (p Process) IsEmpty() bool

type Strings added in v0.0.3

// Strings is a custom type that lets a YAML value be either a single string
// or a list of strings; UnmarshalYAML normalizes both forms into Values.
type Strings struct {
	Values []string // Always a list, even when the YAML source was a single scalar.
}

Strings is a custom type to enable YAML values that can be either a string or a list of strings.

func (*Strings) UnmarshalYAML added in v0.0.3

func (s *Strings) UnmarshalYAML(unmarshal func(interface{}) error) error

type SubjectMapping added in v0.0.3

// SubjectMapping is the "subject" section of a Normalization rule: the
// record field name(s) that supply Actor.Primary and Actor.Secondary.
// Each value may be a single string or a list in YAML (see Strings).
type SubjectMapping struct {
	PrimaryFieldName   Strings `yaml:"primary"`   // Candidate field name(s) for Actor.Primary.
	SecondaryFieldName Strings `yaml:"secondary"` // Candidate field name(s) for Actor.Secondary.
}

type Summary added in v0.0.7

// Summary is the normalized "who did what to what, and how" view of an
// event (Event.Summary), produced from a Normalization rule. Actor has no
// omitempty tag and is always emitted; the other fields are omitted when
// empty (for Object note that encoding/json does not apply omitempty to a
// struct value, so "object" is always present in JSON).
type Summary struct {
	Actor  Actor  `json:"actor"             yaml:"actor"`            // Who performed the action.
	Action string `json:"action,omitempty"  yaml:"action,omitempty"` // What was done (Normalization.Action).
	Object Object `json:"object,omitempty"  yaml:"object,omitempty"` // What it was done to.
	How    string `json:"how,omitempty"     yaml:"how,omitempty"`    // By what means.
}

type User added in v0.0.7

// User holds the identity information of an event (Event.User). IDs carries
// the raw numeric values from the record; Names presumably is filled by
// ResolveIDs / ResolveIDsFromCaches, which translate uid and gid values to
// names — confirm. Every map is omitted from JSON and YAML output when nil
// or empty.
type User struct {
	IDs     map[string]string `json:"ids,omitempty"     yaml:"ids,omitempty"`     // Identifying data like auid, uid, euid, suid, fsuid, gid, egid, sgid, fsgid.
	Names   map[string]string `json:"names,omitempty"   yaml:"names,omitempty"`   // Mappings of ID to name (auid -> "root").
	SELinux map[string]string `json:"selinux,omitempty" yaml:"selinux,omitempty"` // SELinux labels.
}

type UserCache added in v0.0.3

// UserCache is a cache of UID to username. Create one with NewUserCache and
// query it with LookupUID; it is safe for concurrent use (see NewUserCache).
// The zero value is not documented as usable.
type UserCache struct {
	// contains filtered or unexported fields
}

UserCache is a cache of UID to username.

func NewUserCache added in v0.0.3

func NewUserCache(expiration time.Duration) *UserCache

NewUserCache returns a new UserCache. UserCache is thread-safe.

func (*UserCache) LookupUID added in v0.0.3

func (c *UserCache) LookupUID(uid string) string

LookupUID looks up a UID and returns the username associated with it. If no username could be found an empty string is returned. The value will be cached for a minute. This requires cgo on Linux.
