sessiontracker

package
v1.0.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 25, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

README

Session Tracking Using Audito Maldito

Auditor Interface

The Auditor interface can be implemented by adding AuditdEvent() method. The AuditdEvent() requires that the input event is validated, against the list of available event sessions.

type Auditor interface {
	AuditdEvent(event *aucoalesce.Event) error
}

Session Tracker

Session Tracker, sessionTracker is an implementation of the Auditor Interface. You may create a new seesion tracker object as

import "sessiontracker"

var tracker = sessiontracker.NewSessionTracker(o.EventW, logger)

It takes an auditevent.EventWriter and a zap.SugaredLogger object as parameters.

It contains active auditd sessions, a map of PIDs and remote user logins, and obviously an auditevent.EventWriter and a zap.SugaredLogger.

It has these methods

  1. RemoteLogin It validates and sets a remote login input

    Usage
    import "github.com/metal-toolbox/audito-maldito/processors/auditd/sessiontracker"

func foo() {
    tracker := sessiontracker.NewSessionTracker(o.EventW, logger)
    err := tracker.RemoteLogin(common.RemoteUserLogin{
        Source:     nil,
        PID:        999,
        CredUserID: "foo",
    })
    if err != nil {
        return fmt.Errorf("failed to handle remote user login - %w", err)
    }
}

  2. AuditdEvent It's the primary method of this type, i.e., sessionTracker. It triggers the audit of the input audit event. A session is bound to it, if it matches a session in the session cache. If a session is bound then it calls auditEventWithSession, else it calls auditEventWithoutSession

    Usage
    import "github.com/metal-toolbox/audito-maldito/processors/auditd/sessiontracker"

func foo() error {
    st := sessiontracker.NewSessionTracker(o.EventW, logger)
    ae := &aucoalesce.Event{
        Session:   sessionID
    }
    err := st.AuditdEvent(ae)
    return err
}

  3. DeleteUsersWithoutLoginsBefore This method, as the name says, deletes the audit session before a given timestamp, if the user doesn't have a remote login.

    Usage
    import "github.com/metal-toolbox/audito-maldito/processors/auditd/sessiontracker"

func foo() error {
    st := sessiontracker.NewSessionTracker(o.EventW, logger)
    st.DeleteUsersWithoutLoginsBefore(time.Now())
}

  4. DeleteRemoteUserLoginsBefore It iterates over remote user logins and checks if a login was before the timestamp, then it deletes that remote user login.

    Usage
    import "github.com/metal-toolbox/audito-maldito/processors/auditd/sessiontracker"

func foo() error {
    st := sessiontracker.NewSessionTracker(o.EventW, logger)

    var staleDataCleanupInterval = 1 * time.Minute
    aMinuteAgo := time.Now().Add(-staleDataCleanupInterval)

	st.DeleteRemoteUserLoginsBefore(aMinuteAgo)
}

Error Definitions

Error Types

  1. SessionTrackerError

    SesstionTrackerError tracks three different kinds of failures.

    1. Remote Login Failure
    2. Parse PID Failure
    3. Audit Write Failure

    Here is the struct for it

    // SessionTrackerError is used to return errors pertaining to session audits
type SessionTrackerError struct {
    remoteLoginFail bool   // set when remote login cannot be validated
    parsePIDFail    bool   // set when PID of the session cannot be parsed
    auditWriteFail  bool   // set when the audit event fails to write to event writer
    message         string // the error message
    inner           error  // the error object
}
    Usage

    You may retun a session tracker error, SessionTrackerError, as below

    return &SessionTrackerError{
    auditWriteFail: true,
    message: fmt.Sprintf(
        "failed to write cached events for user '%s' - %s",
        u.login.CredUserID, 
        err,
    ),
    inner: err,
}

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewSessionTracker 

func NewSessionTracker(eventWriter *auditevent.EventWriter, l *zap.SugaredLogger) *sessionTracker

NewSessionTracker returns a new instance of a sessionTracker.

Types

type Auditor 

type Auditor interface {
	AuditdEvent(event *aucoalesce.Event) error
}

Auditor is the interface that wraps the AuditdEvent method. It allows the session tracker to audit events.

type SessionTrackerError 

type SessionTrackerError struct {
	// contains filtered or unexported fields
}

SessionTrackerError is used to return errors pertaining to session audits.

func (*SessionTrackerError) AuditEventWriteFailed 

func (o *SessionTrackerError) AuditEventWriteFailed() bool

AuditEventWriteFailed returns true when the audit event write fails.

func (*SessionTrackerError) Error 

func (o *SessionTrackerError) Error() string

Error returns the error message.

func (*SessionTrackerError) ParsePIDFailed 

func (o *SessionTrackerError) ParsePIDFailed() bool

ParsePIDFailed returns true if the PID of the session could not be parsed.

func (*SessionTrackerError) RemoteLoginFailed 

func (o *SessionTrackerError) RemoteLoginFailed() bool

RemoteLoginFailed returns true if the remote login validation has failed.

func (*SessionTrackerError) Unwrap 

func (o *SessionTrackerError) Unwrap() error

Unwrap unwraps the error content.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.