parser package v1.1.20

Warning: this package is not in the latest version of its module.

Published: Jun 8, 2022 License: MIT Imports: 10 Imported by: 0

Documentation

Constants

const (
	HEADER_MIN_LENGTH         = 7               // Minimum length of an audit header
	HEADER_START_POS          = 6               // Position in the audit header that the data starts
	COMPLETE_AFTER            = time.Second * 2 // Log a message after this time or EOE
	MAX_AUDIT_RULE_KEY_LENGTH = 128

	AUDIT_TTY      = 1319 // Input on an administrative TTY
	AUDIT_SYSCALL  = 1300 // Syscall event
	AUDIT_EXECVE   = 1309 // execve arguments
	AUDIT_CWD      = 1307 // Current working directory
	AUDIT_SOCKADDR = 1306 // sockaddr copied as syscall arg

	// TTY_RULE_KEY is the rule key that will be used when TTY messages are detected
	TTY_RULE_KEY = "tty"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AuditMessage

type AuditMessage struct {
	Type      uint16 `json:"type"`
	Data      string `json:"data"`
	Seq       int    `json:"-"`
	AuditTime string `json:"-"`
}

func NewAuditMessage

func NewAuditMessage(nlm *syscall.NetlinkMessage) *AuditMessage

Creates a new pauditd message from a netlink message

type AuditMessageGroup

type AuditMessageGroup struct {
	Seq           int               `json:"sequence"`
	AuditTime     string            `json:"timestamp"`
	CompleteAfter time.Time         `json:"-"`
	Msgs          []*AuditMessage   `json:"messages"`
	UidMap        map[string]string `json:"uid_map"`
	Syscall       string            `json:"-"`
	RuleKey       string            `json:"rule_key"`
}

func NewAuditMessageGroup

func NewAuditMessageGroup(am *AuditMessage) *AuditMessageGroup

Creates a new message group from the details parsed from the message

func (*AuditMessageGroup) AddMessage

func (amg *AuditMessageGroup) AddMessage(am *AuditMessage)

Add a new message to the current message group
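How records end up in one AuditMessageGroup and when that group is released, as an added example that is not the package's own code: it mirrors the AuditMessage and AuditMessageGroup fields above with a hypothetical Grouper type, and assumes AUDIT_EOE (the kernel's end-of-event record type), which is not listed on this page. A group is emitted when its EOE record arrives, or, if no EOE ever comes, once COMPLETE_AFTER has elapsed, in which case it is emitted incomplete.

```go
package main

import "time"

// COMPLETE_AFTER is the value documented for the parser package; AUDIT_EOE
// (the kernel's end-of-event record type) is assumed here, not taken from the page.
const (
	COMPLETE_AFTER = time.Second * 2
	AUDIT_EOE      = 1320
)

type AuditMessage struct {
	Type uint16
	Data string
	Seq  int
}

type AuditMessageGroup struct {
	Seq           int
	CompleteAfter time.Time
	Msgs          []*AuditMessage
}

// Grouper (hypothetical) holds the groups still being assembled, keyed by sequence number.
type Grouper struct{ open map[int]*AuditMessageGroup }
func NewGrouper() *Grouper { return &Grouper{open: map[int]*AuditMessageGroup{}} }

// Add files am under its sequence number and returns every group that is now complete:
// the one whose EOE just arrived, plus any that outlived COMPLETE_AFTER without one.
func (g *Grouper) Add(am *AuditMessage, now time.Time) (done []*AuditMessageGroup) {
	switch grp, ok := g.open[am.Seq]; {
	case am.Type == AUDIT_EOE && ok: // end of event: release the finished group
		delete(g.open, am.Seq)
		done = append(done, grp)
	case am.Type != AUDIT_EOE: // a stray EOE for an unknown sequence is ignored
		if !ok {
			grp = &AuditMessageGroup{Seq: am.Seq, CompleteAfter: now.Add(COMPLETE_AFTER)}
			g.open[am.Seq] = grp
		}
		grp.Msgs = append(grp.Msgs, am)
	}
	for seq, old := range g.open { // timed-out groups are emitted incomplete
		if now.After(old.CompleteAfter) {
			delete(g.open, seq)
			done = append(done, old)
		}
	}
	return done
}
```

A consumer should treat a group released by the timeout path as possibly missing records (for example an EXECVE or CWD record that never arrived) rather than as a fully described event.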

type CachingUsernameResolver

type CachingUsernameResolver struct {
	// contains filtered or unexported fields
}

CachingUsernameResolver is the caching based resolver

func (*CachingUsernameResolver) Resolve

func (r *CachingUsernameResolver) Resolve(uid string) string

Resolve takes a UID and resolves it to a username

type DefaultUsernameResolver

type DefaultUsernameResolver struct{}

DefaultUsernameResolver is the default system resolver

func (*DefaultUsernameResolver) Resolve

func (r *DefaultUsernameResolver) Resolve(uid string) string

Resolve takes a UID and resolves it to a username

type UsernameResolver

type UsernameResolver interface {
	Resolve(uid string) string
}

UsernameResolver is the abstraction for ways to get usernames from uids

var (
	// UsernameResolver set to default non-caching
	ActiveUsernameResolver UsernameResolver
)

This global is not ideal, but since parser is a package with no specific construct, it is about the only way to inject dependencies.

func NewCachingUsernameResolver

func NewCachingUsernameResolver(passwdPath string) UsernameResolver

NewCachingUsernameResolver constructs a new username resolver with caching

func NewDefaultUsernameResolver

func NewDefaultUsernameResolver() UsernameResolver
