Module: github.com/lacework/libaudit-go (package)
Version: 0.0.0-20220131231527-e86f3d3d3156
Repository: https://github.com/lacework/libaudit-go.git
Documentation: pkg.go.dev

# README

Libaudit in Golang

Golang package (lib) for Linux Audit

Libaudit-go is a pure Go client library for talking directly to the Linux audit framework. The idea is to provide a replacement for the existing auditd daemon and its libraries. It was originally developed for the Audit Go Heka Plugin.

To get started see package documentation at godoc.

See main.go for an example implementation of the client using libaudit-go.

Supported Methods (API)

General

NewNetlinkConnection

Opens an audit netlink socket connection. Similar to audit_open, NewNetlinkConnection creates a NETLINK_AUDIT socket for communication with the kernel part of the Linux Audit Subsystem.

It provides three methods:

  • Close
  • Send
  • Receive

Example:

s, err := libaudit.NewNetlinkConnection()

if err != nil {
    log.Println(err)
    log.Fatalln("Error while availing socket! Exiting!")
} 

defer s.Close()

Definitions of Send and Receive are:

Send

func (s *NetlinkConnection) Send(request *NetlinkMessage) error

Receive

func (s *NetlinkConnection) Receive(bytesize int, block int) ([]NetlinkMessage, error)
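Send and Receive carry NetlinkMessage values, which on the wire are a 16-byte nlmsghdr (len, type, flags, seq, pid) followed by a payload padded to a 4-byte boundary; a request flagged NLM_F_ACK is answered with an NLMSG_ERROR message whose first four bytes hold 0 (success) or a negative errno. The Go program below is an added example written for this page, not code from libaudit-go: it encodes an AUDIT_GET request, splits a constructed reply buffer into messages with full length checks, and reads the ACK status. The struct field names, the little-endian host byte order and the reply bytes are this example's own assumptions; the numeric constants are the kernel's.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// NetlinkMessage mirrors what Send and Receive exchange: a 16-byte nlmsghdr
// (len, type, flags, seq, pid) and a payload padded to a 4-byte boundary.
// The field names are this example's assumption, not the library's.
type NetlinkMessage struct {
	Len   uint32
	Type  uint16
	Flags uint16
	Seq   uint32
	Pid   uint32
	Data  []byte
}

// Values from linux/netlink.h and linux/audit.h.
const (
	nlmsgHdrLen = 16
	NlmsgError  = 2    // kernel ACK or error reply
	NlmFRequest = 0x01 // message is a request
	NlmFAck     = 0x04 // ask the kernel to acknowledge it
	AuditGet    = 1000 // AUDIT_GET: read the audit status
)

// nlmsgAlign rounds n up to the 4-byte boundary netlink requires.
func nlmsgAlign(n int) int { return (n + 3) &^ 3 }

// Encode serializes one message. Netlink headers use host byte order;
// little-endian (x86-64, arm64) is assumed here.
func Encode(m NetlinkMessage) []byte {
	hdr := struct {
		Len         uint32
		Type, Flags uint16
		Seq, Pid    uint32
	}{uint32(nlmsgHdrLen + len(m.Data)), m.Type, m.Flags, m.Seq, m.Pid}
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, hdr)
	buf.Write(m.Data)
	buf.Write(make([]byte, nlmsgAlign(len(m.Data))-len(m.Data))) // padding, not counted in Len
	return buf.Bytes()
}

// ParseNetlinkStream splits one received buffer into messages, checking each
// length field against the bytes actually present so a short or corrupt
// buffer is rejected instead of being read past its end.
func ParseNetlinkStream(b []byte) ([]NetlinkMessage, error) {
	var msgs []NetlinkMessage
	for len(b) > 0 {
		if len(b) < nlmsgHdrLen {
			return msgs, fmt.Errorf("truncated header: %d bytes left", len(b))
		}
		m := NetlinkMessage{
			Len:   binary.LittleEndian.Uint32(b[0:4]),
			Type:  binary.LittleEndian.Uint16(b[4:6]),
			Flags: binary.LittleEndian.Uint16(b[6:8]),
			Seq:   binary.LittleEndian.Uint32(b[8:12]),
			Pid:   binary.LittleEndian.Uint32(b[12:16]),
		}
		if m.Len < nlmsgHdrLen || int(m.Len) > len(b) {
			return msgs, fmt.Errorf("bad nlmsg_len %d with %d bytes left", m.Len, len(b))
		}
		m.Data = append([]byte(nil), b[nlmsgHdrLen:m.Len]...)
		msgs = append(msgs, m)
		next := nlmsgAlign(int(m.Len))
		if next > len(b) {
			next = len(b) // the final message may omit its trailing padding
		}
		b = b[next:]
	}
	return msgs, nil
}

// AckError reads the status of an NLMSG_ERROR reply: 0 is a plain ACK,
// otherwise a negative errno such as -1 (EPERM) when the caller lacks the
// audit capability the request needs.
func AckError(m NetlinkMessage) (int32, error) {
	if m.Type != NlmsgError {
		return 0, errors.New("not an NLMSG_ERROR message")
	}
	if len(m.Data) < 4 {
		return 0, errors.New("short nlmsgerr payload")
	}
	return int32(binary.LittleEndian.Uint32(m.Data[:4])), nil
}

func main() {
	req := Encode(NetlinkMessage{Type: AuditGet, Flags: NlmFRequest | NlmFAck, Seq: 1})
	// Constructed reply: the kernel's ACK (error 0 plus the echoed request header),
	// then an AUDIT_GET answer carrying a zeroed 40-byte status payload.
	ack := Encode(NetlinkMessage{Type: NlmsgError, Seq: 1, Data: append([]byte{0, 0, 0, 0}, req...)})
	reply := append(ack, Encode(NetlinkMessage{Type: AuditGet, Seq: 1, Data: make([]byte, 40)})...)
	msgs, err := ParseNetlinkStream(reply)
	code, _ := AckError(msgs[0])
	fmt.Printf("request % x\nparsed %d messages, err=%v, ack status %d\n", req, len(msgs), err, code)
}
```

The length checks are the part worth copying: nlmsg_len comes from the kernel and is trusted in practice, but a Receive buffer that was cut short by a too-small bytesize still produces a truncated last message, and checking it here turns a silent misparse into an error. A negative errno in the ACK tells you the socket works but the request itself was refused, which is the usual symptom of a missing capability.
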

GetAuditEvents

Starts an audit event monitor in a goroutine.

func GetAuditEvents(s *NetlinkConnection, cb EventCallback, ec chan error, args ...interface{})

This function starts an audit event monitor and accepts a callback that is called on each audit event received from the Audit Subsystem.

Example:

func EventCallback(msg *libaudit.AuditEvent, ce chan error, args ...interface{}) {
	// print the info map
	log.Println(msg.Data)
	// print the raw event
	log.Println(msg.Raw)
}

// channel on which the monitor reports errors
errchan := make(chan error)

// Goroutine to monitor events and call the callback for each event fired
libaudit.GetAuditEvents(s, EventCallback, errchan)

The callback accepts an AuditEvent value as its argument. AuditEvent is defined as:

type AuditEvent struct {
	Serial    int
	Timestamp float64
	Type      string
	Data      map[string]string
	Raw       string
}
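The parsing that GetAuditEvents performs before invoking the callback can be reproduced without a netlink socket. The Go program below is an added example written for this page, not libaudit-go's own ParseAuditEvent, and it assumes the auditd-style textual record form `type=... msg=audit(seconds:serial): key=value ...`; the sample records are constructed. It fills the AuditEvent fields shown above, handles quoted values and the hex-encoded proctitle field, and hands events to an EventCallback while sending parse failures to the error channel, mirroring the callback/error-channel contract of GetAuditEvents.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AuditEvent has the same fields as the struct documented above.
type AuditEvent struct {
	Serial    int
	Timestamp float64
	Type      string
	Data      map[string]string
	Raw       string
}

// EventCallback has the shape GetAuditEvents expects.
type EventCallback func(msg *AuditEvent, ec chan error, args ...interface{})

// headerRe matches the textual record form assumed by this example:
// type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>
var headerRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)

// parseKeyValues splits the record body into a map. Quoted values may contain
// spaces (a quoted msg='...' is kept verbatim, nested pairs are not expanded).
// The kernel hex-encodes fields holding unsafe bytes, e.g. proctitle where NUL
// separates argv; that field is decoded here with NULs turned into spaces.
func parseKeyValues(body string) map[string]string {
	data := make(map[string]string)
	rest := strings.TrimSpace(body)
	for rest != "" {
		eq := strings.IndexByte(rest, '=')
		if eq < 0 {
			break // trailing token without '=': nothing more to parse
		}
		key, val := rest[:eq], ""
		rest = rest[eq+1:]
		if rest != "" && (rest[0] == '"' || rest[0] == '\'') {
			if end := strings.IndexByte(rest[1:], rest[0]); end >= 0 {
				val, rest = rest[1:1+end], rest[end+2:]
			} else {
				val, rest = rest[1:], "" // unterminated quote: take the remainder
			}
		} else if sp := strings.IndexByte(rest, ' '); sp >= 0 {
			val, rest = rest[:sp], rest[sp+1:]
		} else {
			val, rest = rest, ""
		}
		if key == "proctitle" {
			if raw, err := hex.DecodeString(val); err == nil {
				val = strings.ReplaceAll(string(raw), "\x00", " ")
			}
		}
		data[key] = val
		rest = strings.TrimLeft(rest, " ")
	}
	return data
}

// ParseAuditEvent turns one textual record into an AuditEvent, or says why it is not one.
func ParseAuditEvent(line string) (*AuditEvent, error) {
	m := headerRe.FindStringSubmatch(line)
	if m == nil {
		return nil, fmt.Errorf("not an audit record: %q", line)
	}
	ts, err1 := strconv.ParseFloat(m[2], 64)
	serial, err2 := strconv.Atoi(m[3])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("bad header in %q", line)
	}
	return &AuditEvent{Serial: serial, Timestamp: ts, Type: m[1], Data: parseKeyValues(m[4]), Raw: line}, nil
}

// DispatchEvents plays the role of the GetAuditEvents loop over an in-memory
// source: parse failures go to the error channel, parsed events to the callback.
func DispatchEvents(lines []string, cb EventCallback, ec chan error, args ...interface{}) {
	for _, line := range lines {
		ev, err := ParseAuditEvent(line)
		if err != nil {
			ec <- err
			continue
		}
		cb(ev, ec, args...)
	}
}

// sampleRecords are constructed for this example, not captured from a system.
var sampleRecords = []string{
	`type=SYSCALL msg=audit(1643673600.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="exec-root"`,
	`type=PROCTITLE msg=audit(1643673600.123:4242): proctitle=636174002F6574632F686F737473`,
	`type=USER_AUTH msg=audit(1643673601.456:4243): pid=1300 uid=0 auid=1000 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" res=success'`,
	`garbage that is not an audit record`,
}

func main() {
	ec := make(chan error, len(sampleRecords)) // buffered: no reader runs concurrently here
	DispatchEvents(sampleRecords, func(ev *AuditEvent, _ chan error, _ ...interface{}) {
		fmt.Printf("serial=%d type=%s data=%v\n", ev.Serial, ev.Type, ev.Data)
	}, ec)
	fmt.Println("records skipped:", len(ec))
}
```

Two details matter when consuming these events: records that belong to one syscall share a serial (the SYSCALL and PROCTITLE lines above both carry 4242), so correlation is by Serial rather than by arrival order, and the error channel must be drained or buffered, since an unbuffered channel with no reader stalls the monitor on the first malformed record.
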

GetRawAuditEvents

Starts an audit event monitor which emits raw events, in a goroutine.

func GetRawAuditEvents(s *NetlinkConnection, cb RawEventCallback, ec chan error, args ...interface{})

Same as GetAuditEvents, but the callback accepts a string instead of an AuditEvent.

Example:

func RawEventCallback(msg string, ce chan error, args ...interface{}) {
	log.Println(msg)
}

// Goroutine to monitor events and feed raw events to the callback
libaudit.GetRawAuditEvents(s, RawEventCallback, errchan)

AuditIsEnabled

This function will return 0 if audit is not enabled and 1 if enabled, and -1 on error.

func AuditIsEnabled(s *NetlinkConnection) (state int, err error)

Example:

status, err := libaudit.AuditIsEnabled(s)

AuditRequestStatus

Not yet implemented

Audit Set

AuditSetEnabled

Enables or disables auditing: 1 to enable, 0 to disable.

func AuditSetEnabled(s *NetlinkConnection, enabled int) error

Example:

err := libaudit.AuditSetEnabled(s, 1)

AuditSetRateLimit

Sets the rate limit for audit messages from the kernel.

func AuditSetRateLimit(s *NetlinkConnection, limit int) error

This function sets the maximum number of messages that the kernel will send per second.

Example:

err = libaudit.AuditSetRateLimit(s, 600)

AuditSetBacklogLimit

Sets the backlog limit for audit messages from the kernel.

func AuditSetBacklogLimit(s *NetlinkConnection, limit int) error

This function sets the queue length for audit events awaiting transfer to the audit daemon.

Example:

err = libaudit.AuditSetBacklogLimit(s, 420)

AuditSetPid

Sets the audit daemon process ID.

func AuditSetPid(s *NetlinkConnection, pid uint32) error

This function registers the given PID with the kernel as the program that receives audit messages.

Example:

err = libaudit.AuditSetPid(s, uint32(syscall.Getpid()))
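AuditSetEnabled, AuditSetRateLimit, AuditSetBacklogLimit and AuditSetPid all send an AUDIT_SET request whose payload is the kernel's struct audit_status, where the Mask field says which of the other fields the kernel should apply. The Go program below is an added example written for this page, not the library's implementation: it builds the payload for each of the four setters, decodes it back and reports which settings would take effect. The mask values are the ones from linux/audit.h; the Go type, the function names and the little-endian host byte order are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Mask bits from linux/audit.h; an AUDIT_SET request only applies the
// audit_status fields whose bit is set in Mask.
const (
	AuditStatusEnabled      = 0x0001
	AuditStatusFailure      = 0x0002
	AuditStatusPid          = 0x0004
	AuditStatusRateLimit    = 0x0008
	AuditStatusBacklogLimit = 0x0010
)

// auditStatus mirrors the first eight __u32 fields of struct audit_status;
// the kernel copies at most sizeof(struct audit_status) and zero-fills the rest.
type auditStatus struct {
	Mask, Enabled, Failure, Pid, RateLimit, BacklogLimit, Lost, Backlog uint32
}

// encode produces the request payload in host byte order (little-endian assumed).
func encode(s auditStatus) []byte {
	buf := new(bytes.Buffer)
	binary.Write(buf, binary.LittleEndian, s)
	return buf.Bytes()
}

// One payload builder per setter documented on this page.
func SetEnabledPayload(enabled uint32) []byte {
	return encode(auditStatus{Mask: AuditStatusEnabled, Enabled: enabled})
}
func SetRateLimitPayload(limit uint32) []byte {
	return encode(auditStatus{Mask: AuditStatusRateLimit, RateLimit: limit})
}
func SetBacklogLimitPayload(limit uint32) []byte {
	return encode(auditStatus{Mask: AuditStatusBacklogLimit, BacklogLimit: limit})
}
func SetPidPayload(pid uint32) []byte {
	return encode(auditStatus{Mask: AuditStatusPid, Pid: pid})
}

// AppliedSettings decodes a payload and reports only the settings the kernel
// would actually change: a field without its mask bit is silently ignored,
// which is the classic mistake when hand-building these requests.
func AppliedSettings(payload []byte) (map[string]uint32, error) {
	var s auditStatus
	if len(payload) < binary.Size(s) {
		return nil, errors.New("payload shorter than struct audit_status")
	}
	if err := binary.Read(bytes.NewReader(payload), binary.LittleEndian, &s); err != nil {
		return nil, err
	}
	applied := map[string]uint32{}
	if s.Mask&AuditStatusEnabled != 0 {
		applied["enabled"] = s.Enabled
	}
	if s.Mask&AuditStatusFailure != 0 {
		applied["failure"] = s.Failure
	}
	if s.Mask&AuditStatusPid != 0 {
		applied["pid"] = s.Pid
	}
	if s.Mask&AuditStatusRateLimit != 0 {
		applied["rate_limit"] = s.RateLimit
	}
	if s.Mask&AuditStatusBacklogLimit != 0 {
		applied["backlog_limit"] = s.BacklogLimit
	}
	return applied, nil
}

func main() {
	for name, p := range map[string][]byte{
		"enable":        SetEnabledPayload(1),
		"rate_limit":    SetRateLimitPayload(600),
		"backlog_limit": SetBacklogLimitPayload(420),
		"pid":           SetPidPayload(4321),
		"no_mask":       encode(auditStatus{RateLimit: 600}), // mask bit forgotten
	} {
		applied, _ := AppliedSettings(p)
		fmt.Printf("%-14s -> %v\n", name, applied)
	}
}
```

The "no_mask" case is the one to keep in mind: the kernel answers such a request with a clean ACK and changes nothing, so a rate or backlog limit that appears not to stick is worth checking at this layer before suspecting the netlink transport.
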

AuditSetFailure

Not yet implemented

Audit Rules

SetRules

Sets audit rules from a configuration file.

func SetRules(s *NetlinkConnection, content []byte) error

This function accepts the JSON rules file as a byte slice and registers the rules with audit. See audit.rules.json for an example.

Example:

// Load all rules
content, err := ioutil.ReadFile("audit.rules.json")
if err != nil {
	log.Print("Error:", err)
	os.Exit(1) // non-zero exit: the rules file could not be read
}

// Set audit rules
err = libaudit.SetRules(s, content)

DeleteAllRules

Delete all audit rules.

func DeleteAllRules(s *NetlinkConnection) error

Example:

err := libaudit.DeleteAllRules(s)

ListAllRules

ListAllRules lists all audit rules currently loaded in audit kernel in the same format as shown by auditctl utility.

func ListAllRules(s *NetlinkConnection) ([]string, error)

Example:

rulesArray, err := libaudit.ListAllRules(s)

# Packages

No description provided by the author

# Functions

AuditIsEnabled returns 0 if audit is not enabled and 1 if enabled, and -1 on failure.
AuditSetBacklogLimit sets the backlog limit for audit messages from the kernel.
AuditSetEnabled enables or disables audit in the kernel.
AuditSetBacklogLimit sets the backlog limit for audit messages from the kernel.
AuditSetPID sends a message to the kernel to set the program PID.
AuditSetRateLimit sets the rate limit for audit messages from the kernel.
AuditSyscallToName takes a syscall number and returns the syscall name.
DeleteAllRules deletes all previous audit rules listed in the kernel.
GetAuditEvents receives audit messages from the kernel and parses them into AuditEvent structs.
GetAuditMessages is a blocking function (it runs in an endless for loop) that receives audit messages from the kernel and parses them into AuditEvent.
GetRawAuditEvents receives raw audit messages from the kernel and parses them into AuditEvent structs.
GetRawAuditEvents receives raw audit messages from the kernel and parses them into AuditEvent structs.
ListAllRules lists all audit rules currently loaded in the audit kernel.
NewAuditEvent takes a NetlinkMessage passed from the netlink connection and parses the data from the message header to return an AuditEvent struct.
NewNetlinkConnection creates a fresh netlink connection.
ParseAuditEvent parses an incoming audit message from the kernel and returns an AuditEvent.
ParseAuditEventRegex takes an audit event message and returns the essentials to form an AuditEvent struct; the regex used in the function should always match a proper audit event.
Parse a byte stream into an array of NetlinkMessage structs.
SetRules reads the configuration file for audit rules and sets them in the kernel.

# Constants

Not upstream yet.
User's account locked by admin.
User's account unlocked by admin.
Add syscall rule -- deprecated.
User space group added.
Add syscall filtering rule.
User space user account added.
Generate audit record if rule matches.
Process ended abnormally.
Access of file or dir.
Adding an acct.
AMTU failure.
Crypto system test failure.
Deleting an acct.
Execution of file.
Suspicious use of file links.
Login attempted to watched acct.
Failed login limit reached.
Login from forbidden location.
Max concurrent sessions reached.
Login attempted at bad time.
Max DAC failures reached.
Max MAC failures reached.
Make an executable.
Changing an acct.
Device changed promiscuous mode.
RBAC self test failure.
RBAC file integrity failure.
User became root.
AUDIT_ARCH_OPENRISC = (EM_OPENRISC), AUDIT_ARCH_PARISC = (EM_PARISC), AUDIT_ARCH_PARISC64 = (EM_PARISC | __AUDIT_ARCH_64BIT).
SE Linux avc denial or grant.
dentry, vfsmount pair from avc.
Information about fcaps increasing perms.
Record showing argument to sys_capset.
User space group ID changed.
Changed user ID supplemental data.
Field Comparing Constants.
Audit system configuration change.
User space credential acquired.
User space credential disposed.
User space credential refreshed.
Fail decrypt, encrypt, randomize.
Record parameters related to IKE SA.
Record parameters related to IPSEC SA.
Create, delete, negotiate.
Logged in as crypto officer.
Logged out from crypto.
Crypto attribute change.
Crypto replay detected.
Record parameters set during TLS session establishment.
Crypto test results.
Current working directory.
User space DAC check results.
Auditd accepted remote connection.
Auditd closed remote connection.
Daemon config change.
Auditd should reconfigure.
Auditd should resume logging.
Auditd should rotate logs.
Delete syscall rule -- deprecated.
User space group deleted.
Delete syscall filtering rule.
User space user account deleted.
Device was allocated.
Device was deallocated.
End of multi-record event.
execve arguments.
Failure-to-log actions.
audit record for pipe/socketpair.
audit log listing feature changes.
AUDIT_FILTER_ENTRY
Apply rule at syscall entry.
Apply rule at syscall exit.
Mask to get actual filter.
Mask to prepend actual filter.
Apply rule at task creation (not syscall).
Apply rule at audit_log_start.
This value means filter is unset.
Apply rule to user-generated messages.
Apply rule to file system watches.
First user space message.
Filesystem relabeled.
Get status.
Get which features are enabled.
Authentication for group password.
Group acct password or pin changed.
Group account attr was modified.
Data integrity verification.
integrity HASH type.
Metadata integrity verification.
PCR invalidation msgs.
Policy rule.
integrity enable status.
IPC record.
IPC new permissions record type.
Asynchronous audit record.
For use by 3rd party modules.
Object's level was changed.
Admin is overriding a label.
AUDIT_FIRST_EVENT 1300 (TODO: libaudit defines this as AUDIT_FIRST_EVENT, but audit.h does so differently).
AUDIT_FIRST_KERN_ANOM_MSG auditConstant = 1700.
Last user space message.
List syscall rules -- deprecated.
List syscall filtering rules.
Define the login id and information.
User space MAC decision results.
NetLabel: add CIPSOv4 DOI entry.
NetLabel: del CIPSOv4 DOI entry.
Changes to booleans.
Not used.
Not used.
Not used.
Not used.
Audit an IPSec event.
NetLabel: add LSM domain mapping.
NetLabel: del LSM domain mapping.
Policy file load.
Changed enforcing, permissive, off.
NetLabel: allow unlabeled traffic.
NetLabel: add a static label.
NetLabel: del a static label.
Append to watched tree.
Record showing descriptor and flags in mmap.
POSIX MQ get/set attribute record type.
POSIX MQ notify record type.
POSIX MQ open record type.
POSIX MQ send/receive record type.
Netfilter chain modifications.
Packets traversing netfilter chains.
Do not build context if rule matches.
ptrace target.
Filename path information.
Rule fields. These are useful when checking the task structure at task creation time (AUDIT_PER_TASK).
Build context if rule matches.
Proctitle emit event.
User acct was locked.
User acct locked for time.
Acct locked from remote access.
User acct unlocked from time.
Alert email was sent.
Anomaly not reacted to.
Execute a script.
Take the system down.
Kill program.
Set an SE Linux boolean.
Go to single user mode.
Terminate session.
Terminal was locked.
Admin assigned user to role.
Admin modified a role.
Admin removed user from role.
Secure Computing event.
Internal SE Linux errors.
Service (daemon) start.
Service (daemon) stop.
Set status (enable/disable/auditd).
Turn an audit feature on or off.
Get info about sender of signal to auditd.
sockaddr copied as syscall arg.
sys_socketcall arguments.
Status symbols. Mask values.
Security label clearance label.
Security label role.
Security label sensitivity label.
Security label type.
Security label user.
Syscall event.
System boot.
System runlevel change.
System shutdown.
Used for test success messages.
Trim junk from watched tree.
Trusted app msg - freestyle text.
Input on an administrative TTY.
Get TTY auditing status.
Set TTY auditing status.
Message from userspace -- deprecated.
User space acct change.
User space authentication.
User space avc message.
User space acct attr changed.
User shell command and args.
User space session end.
User space acct state err.
Object exported with label.
User space user has logged in.
User space user has logged out.
Change made to MAC policy.
Userspace daemon loaded policy.
User space acct management.
User changed to a new role.
SE Linux user space error.
User space session start.
Non-ICANON TTY input meaning.
Object exported without label.
User space system config change.
Start, Pause, Stop VM.
Binding of label to VM.
Resource assignment.
Insert file/dir watch entry.
List all file/dir watches.
Remove file/dir watch entry.
Perhaps disused.
ARM 64 bit.
This is an interim value that we will use until the committee comes up with a final number.
ARM 32 bit.
Atmel AVR32.
ADI Blackfin Processor.
Axis Communications 32-bit embedded processor.
Bogus old m32r magic number, used by old tools.
Also Panasonic/MEI MN10300, AM33.
Bogus old v850 magic number, used by old tools.
Fujitsu FR-V.
HP/Intel IA-64.
Renesas M32R.
MIPS R3000 (officially, big-endian only).
MIPS R3000 little-endian.
MIPS R4000 big-endian.
Panasonic/MEI MN10300, AM33.
Temporary solution; need to add linux/elf-em.h.
HPPA.
PowerPC.
PowerPC64.
IBM S/390.
This is the old interim value for S/390 architecture.
SuperH.
Sun's "v8plus".
SPARC v9 64-bit.
Cell BE SPU.
TI C6X DSPs.
NEC v850.
AMD x86-64.

# Variables

MsgTypeTab is for looking up the audit header type based on string prefixes attached to audit messages.

# Structs

AuditEvent holds a parsed audit message.
auditRuleData stores rule information; it is a replication of the C struct audit_rule_data.
NetlinkConnection holds the file descriptor and address for an opened netlink connection. It implements the Netlink interface.

# Interfaces

Netlink is used for specifying the netlink connection types.

# Type aliases

EventCallback is the function signature for any function that wants to receive an AuditEvent as soon as it is received from the kernel.
NetlinkMessage is the struct type that is used for communicating on netlink sockets.
RawEventCallback is similar to EventCallback and provides a function signature, but the difference is that the function receives only the message string containing the audit event, not the parsed AuditEvent struct.