Documentation ¶
Index ¶
Constants ¶
// Header framing limits, the message-group flush deadline, and the kernel
// audit record types that this package refers to by name.
const (
	// HEADER_MIN_LENGTH is the minimum length of an audit header.
	HEADER_MIN_LENGTH = 7
	// HEADER_START_POS is the position in the audit header at which the data starts.
	HEADER_START_POS = 6

	// COMPLETE_AFTER: log a message after this time or on EOE.
	// NOTE(review): records that arrive after this deadline presumably miss
	// their group; confirm how late records are handled before relying on
	// group completeness in detections.
	COMPLETE_AFTER = 2 * time.Second

	// MAX_AUDIT_RULE_KEY_LENGTH has no upstream comment; by its name it is an
	// upper bound on the length of an audit rule key. Where it is enforced is
	// not visible on this page.
	MAX_AUDIT_RULE_KEY_LENGTH = 128

	// Audit record type numbers.
	AUDIT_TTY      = 1319 // Input on an administrative TTY
	AUDIT_SYSCALL  = 1300 // Syscall event
	AUDIT_EXECVE   = 1309 // execve arguments
	AUDIT_CWD      = 1307 // Current working directory
	AUDIT_SOCKADDR = 1306 // sockaddr copied as syscall arg

	// TTY_RULE_KEY is the rule key that will be used when TTY messages are detected.
	TTY_RULE_KEY = "tty"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuditMessage ¶
// AuditMessage is a single audit record.
//
// Only Type and Data appear in the JSON encoding; Seq and AuditTime are
// tagged `json:"-"` and are therefore left out of it.
type AuditMessage struct {
	// Type is the numeric audit record type, for example AUDIT_SYSCALL.
	Type uint16 `json:"type"`

	// Data is the record payload.
	// NOTE(review): this presumably holds the raw record text, which can
	// include process-controlled values such as execve arguments; consumers
	// should treat it as untrusted input. Confirm against NewAuditMessage.
	Data string `json:"data"`

	// Seq is the record's sequence number; not serialized.
	Seq int `json:"-"`

	// AuditTime is the record's timestamp as a string; not serialized.
	AuditTime string `json:"-"`
}
func NewAuditMessage ¶
func NewAuditMessage(nlm *syscall.NetlinkMessage) *AuditMessage
NewAuditMessage creates a new pauditd message from a netlink message.
type AuditMessageGroup ¶
// AuditMessageGroup collects the audit messages gathered under one sequence
// number and timestamp, together with the metadata serialized alongside them.
//
// CompleteAfter and Syscall are tagged `json:"-"` and are left out of the
// JSON encoding.
type AuditMessageGroup struct {
	// Seq is serialized as "sequence".
	Seq int `json:"sequence"`

	// AuditTime is serialized as "timestamp".
	AuditTime string `json:"timestamp"`

	// CompleteAfter is a point in time; not serialized.
	// NOTE(review): presumably the deadline derived from COMPLETE_AFTER after
	// which the group is logged. Confirm against NewAuditMessageGroup.
	CompleteAfter time.Time `json:"-"`

	// Msgs holds the messages added to this group; serialized as "messages".
	Msgs []*AuditMessage `json:"messages"`

	// UidMap is serialized as "uid_map".
	// NOTE(review): presumably maps UID strings to resolved usernames. The
	// names are a convenience lookup, so consumers that need the
	// authoritative identity should key on the UID. Confirm.
	UidMap map[string]string `json:"uid_map"`

	// Syscall is not serialized.
	Syscall string `json:"-"`

	// RuleKey is serialized as "rule_key".
	RuleKey string `json:"rule_key"`
}
func NewAuditMessageGroup ¶
func NewAuditMessageGroup(am *AuditMessage) *AuditMessageGroup
NewAuditMessageGroup creates a new message group from the details parsed from the message.
func (*AuditMessageGroup) AddMessage ¶
func (amg *AuditMessageGroup) AddMessage(am *AuditMessage)
AddMessage adds a new message to the current message group.
type CachingUsernameResolver ¶
// CachingUsernameResolver is the caching based resolver.
//
// NOTE(review): the cache fields and any invalidation logic are unexported and
// not visible here. If entries are kept for the life of the process, a UID
// that is reassigned after start-up could be reported under a stale username
// in audit output. Confirm the refresh behaviour.
type CachingUsernameResolver struct {
	// contains filtered or unexported fields
}
CachingUsernameResolver is the caching based resolver
func (*CachingUsernameResolver) Resolve ¶
func (r *CachingUsernameResolver) Resolve(uid string) string
Resolve takes a UID and resolves it to a username
type DefaultUsernameResolver ¶
// DefaultUsernameResolver is the default system resolver. It is declared as
// an empty struct, so it holds no state of its own.
type DefaultUsernameResolver struct{}
DefaultUsernameResolver is the default system resolver
func (*DefaultUsernameResolver) Resolve ¶
func (r *DefaultUsernameResolver) Resolve(uid string) string
Resolve takes a UID and resolves it to a username
type UsernameResolver ¶
UsernameResolver is the abstraction for ways to get usernames from uids
// ActiveUsernameResolver is the package-wide UsernameResolver. The upstream
// comment describes it as set to the default non-caching resolver; the
// assignment itself is not visible on this page.
//
// NOTE(review): this is a mutable package-level variable and no
// synchronization is visible here, so replace it once during start-up,
// before any parsing begins.
var ActiveUsernameResolver UsernameResolver
This global is not ideal, but because parser is a package with no specific construct, it is about the only way to inject dependencies.
func NewCachingUsernameResolver ¶
func NewCachingUsernameResolver(passwdPath string) UsernameResolver
NewCachingUsernameResolver constructs a new username resolver with caching
func NewDefaultUsernameResolver ¶
func NewDefaultUsernameResolver() UsernameResolver