Documentation ¶
Overview ¶
Package aucoalesce provides functions to coalesce compound audit messages into a single event and normalize all message types with some common fields.
Index ¶
- func LoadNormalizationConfig(b []byte) (syscalls map[string]*Normalization, recordTypes map[string]*Normalization, ...)
- func ResolveIDs(event *Event)
- type AuditEventType
- type Event
- type GroupCache
- type HowMapping
- type Normalization
- type NormalizationConfig
- type Object
- type ObjectMapping
- type Strings
- type Subject
- type SubjectMapping
- type UserCache
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func LoadNormalizationConfig ¶ added in v0.0.3
func LoadNormalizationConfig(b []byte) (syscalls map[string]*Normalization, recordTypes map[string]*Normalization, err error)
func ResolveIDs ¶ added in v0.0.3
func ResolveIDs(event *Event)
ResolveIDs translates all uid and gid values to their associated names. This requires cgo on Linux.
Types ¶
type AuditEventType ¶ added in v0.0.3
type AuditEventType uint16
AuditEventType is a categorization of a simple or compound audit event.
const (
	EventTypeUnknown AuditEventType = iota
	EventTypeUserspace
	EventTypeSystemServices
	EventTypeConfig
	EventTypeTTY
	EventTypeUserAccount
	EventTypeUserLogin
	EventTypeAuditDaemon
	EventTypeMACDecision
	EventTypeAnomoly
	EventTypeIntegrity
	EventTypeAnomolyResponse
	EventTypeMAC
	EventTypeCrypto
	EventTypeVirt
	EventTypeAuditRule
	EventTypeDACDecision
	EventTypeGroupChange
)
func GetAuditEventType ¶ added in v0.0.3
func GetAuditEventType(t AuditMessageType) AuditEventType
func (AuditEventType) MarshalText ¶ added in v0.0.3
func (t AuditEventType) MarshalText() (text []byte, err error)
func (AuditEventType) String ¶ added in v0.0.3
func (t AuditEventType) String() string
type Event ¶ added in v0.0.3
type Event struct {
	Timestamp time.Time                `json:"@timestamp" yaml:"timestamp"`
	Sequence  uint32                   `json:"sequence" yaml:"sequence"`
	Category  AuditEventType           `json:"category" yaml:"category"`
	Type      auparse.AuditMessageType `json:"record_type" yaml:"type"`
	Result    string                   `json:"result,omitempty" yaml:"result,omitempty"`
	Session   string                   `json:"session" yaml:"session"`
	Subject   Subject                  `json:"actor" yaml:"actor"`
	Action    string                   `json:"action,omitempty" yaml:"action,omitempty"`
	Object    Object                   `json:"thing,omitempty" yaml:"thing,omitempty"`
	How       string                   `json:"how,omitempty" yaml:"how,omitempty"`
	Key       string                   `json:"key,omitempty" yaml:"key,omitempty"`
	Data      map[string]string        `json:"data,omitempty" yaml:"data,omitempty"`
	Paths     []map[string]string      `json:"paths,omitempty" yaml:"paths,omitempty"`
	Socket    map[string]string        `json:"socket,omitempty" yaml:"socket,omitempty"`
	Warnings  []error                  `json:"-" yaml:"-"`
}
func CoalesceMessages ¶
func CoalesceMessages(msgs []*auparse.AuditMessage) (*Event, error)
CoalesceMessages combines the given messages into a single event. It assumes that all the messages in the slice have the same timestamp and sequence number. An error is returned if msgs is empty or nil, or if it only contains an EOE (end-of-event) message.
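As an added, self-contained illustration of the contract described above (not the package's own code), the following Go program applies the same rules to a group of raw records: Msg and Event are constructed stand-ins for auparse.AuditMessage and aucoalesce.Event, the header is parsed as audit(seconds.millis:sequence), and the sample records are made up.

```go
package main

import (
	"fmt"
	"time"
)

// Msg and Event are constructed stand-ins for auparse.AuditMessage and aucoalesce.Event.
type Msg struct{ Type, Raw string }
type Event struct {
	Timestamp time.Time
	Sequence  uint32
	Records   []Msg
}

// coalesce follows the contract documented for CoalesceMessages: every record must carry
// the same audit(seconds.millis:sequence) header; an empty slice or one holding only the EOE marker is an error.
func coalesce(msgs []Msg) (*Event, error) {
	ev := &Event{}
	for i, m := range msgs {
		sec, ms, seq := int64(0), int64(0), uint32(0)
		if _, err := fmt.Sscanf(m.Raw, "audit(%d.%d:%d):", &sec, &ms, &seq); err != nil {
			return nil, fmt.Errorf("record %d: malformed audit header: %v", i, err)
		}
		ts := time.Unix(sec, ms*int64(time.Millisecond)).UTC()
		if i == 0 {
			ev.Timestamp, ev.Sequence = ts, seq
		} else if !ts.Equal(ev.Timestamp) || seq != ev.Sequence {
			return nil, fmt.Errorf("record %d has sequence %d, expected %d", i, seq, ev.Sequence)
		}
		if m.Type != "EOE" { // EOE only terminates the compound event; keep the payload records
			ev.Records = append(ev.Records, m)
		}
	}
	if len(ev.Records) == 0 {
		return nil, fmt.Errorf("nothing to coalesce: %d message(s), none carrying data", len(msgs))
	}
	return ev, nil
}

func main() {
	// Constructed sample: SYSCALL and PATH records terminated by EOE, all in sequence 42.
	ev, err := coalesce([]Msg{
		{"SYSCALL", "audit(1609459200.123:42): arch=c000003e syscall=59 success=yes exit=0"},
		{"PATH", "audit(1609459200.123:42): item=0 name=\"/usr/bin/id\""},
		{"EOE", "audit(1609459200.123:42): "},
	})
	fmt.Printf("%+v %v\n", ev, err)
}
```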
type GroupCache ¶ added in v0.0.3
type GroupCache map[string]stringItem
GroupCache is a cache of GID to group name.
func NewGroupCache ¶ added in v0.0.3
func NewGroupCache() GroupCache
NewGroupCache returns a new GroupCache.
func (GroupCache) LookupGID ¶ added in v0.0.3
func (c GroupCache) LookupGID(gid string) string
LookupGID looks up a GID and returns the group associated with it. If no group could be found, an empty string is returned. The value will be cached for a minute. This requires cgo on Linux.
type HowMapping ¶ added in v0.0.3
type HowMapping struct {
FieldName string `yaml:"field"`
}
type Normalization ¶ added in v0.0.3
type Normalization struct {
	Subject     SubjectMapping `yaml:"subject"`
	Action      string         `yaml:"action"`
	Object      ObjectMapping  `yaml:"object"`
	How         Strings        `yaml:"how"`
	RecordTypes Strings        `yaml:"record_types"`
	Syscalls    Strings        `yaml:"syscalls"`
}
type NormalizationConfig ¶ added in v0.0.3
type NormalizationConfig struct {
	Default        Normalization `yaml:"default"`
	Normalizations []Normalization
}
type ObjectMapping ¶ added in v0.0.3
type Strings ¶ added in v0.0.3
type Strings struct {
Values []string
}
Strings is a custom type to enable YAML values that can be either a string or a list of strings.
func (*Strings) UnmarshalYAML ¶ added in v0.0.3
type Subject ¶ added in v0.0.3
type Subject struct {
	Primary    string            `json:"primary,omitempty" yaml:"primary,omitempty"`
	Secondary  string            `json:"secondary,omitempty" yaml:"secondary,omitempty"`
	Attributes map[string]string `json:"attrs,omitempty" yaml:"attrs,omitempty"`     // Other identifying data like euid, suid, fsuid, gid, egid, sgid, fsgid.
	SELinux    map[string]string `json:"selinux,omitempty" yaml:"selinux,omitempty"` // SELinux labels.
}