Fix bug in setting of raw msg in AuditEvent [earlier the raw message was
stripped off]
Reason for stripping: it leads to bugs while parsing AUDIT_EXECVE argc
fields, where quotes are used as an indication to leave the field as is;
otherwise the fields are treated as hex encoded.
Update parser tests to reflect the same. (Note: tests avoid interpretation
of fields, as different systems will lead to different names, e.g. uid=>1000
will translate differently on different systems.)
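The quoting rule the message above depends on, written out as an added example in Go (this is illustrative code, not the project's own parser): an EXECVE argument that still carries its double quotes is taken verbatim, and an unquoted one is hex-decoded, so stripping the quotes before parsing would make a literal argument such as "cafe" indistinguishable from the hex encoding of the bytes 0xca 0xfe. The record line, the `ExecveArgs` type and the function names are constructed for this example; whitespace splitting assumes the kernel hex-encodes any argument that contains spaces, quotes or control characters, so a quoted value never contains whitespace.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// ExecveArgs is the decoded argv of one EXECVE record.
type ExecveArgs struct {
	Argc int
	Args []string
}

// decodeArg applies the convention described in the commit message: a value
// still wrapped in double quotes is taken verbatim, anything else is treated
// as hex-encoded and decoded. If the quotes had already been stripped, a
// literal argument "cafe" could not be told apart from hex "cafe".
func decodeArg(v string) (string, error) {
	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
		return v[1 : len(v)-1], nil
	}
	b, err := hex.DecodeString(v)
	if err != nil {
		return "", fmt.Errorf("argument %q is neither quoted nor valid hex: %w", v, err)
	}
	return string(b), nil
}

// ParseExecve parses a raw EXECVE line such as
//
//	type=EXECVE msg=audit(1526878980.123:42): argc=3 a0="ls" a1="-l" a2=2F746D70
//
// Splitting on whitespace assumes (as the kernel's encoding guarantees) that
// a quoted argument never contains whitespace; such values are hex-encoded.
func ParseExecve(line string) (ExecveArgs, error) {
	kv := make(map[string]string)
	for _, tok := range strings.Fields(line) {
		if i := strings.IndexByte(tok, '='); i > 0 {
			kv[tok[:i]] = tok[i+1:]
		}
	}
	argcStr, ok := kv["argc"]
	if !ok {
		return ExecveArgs{}, fmt.Errorf("no argc field in EXECVE record")
	}
	argc, err := strconv.Atoi(argcStr)
	if err != nil || argc < 0 {
		return ExecveArgs{}, fmt.Errorf("bad argc %q", argcStr)
	}
	out := ExecveArgs{Argc: argc, Args: make([]string, 0, argc)}
	for i := 0; i < argc; i++ {
		raw, ok := kv["a"+strconv.Itoa(i)]
		if !ok {
			return ExecveArgs{}, fmt.Errorf("argc=%d but a%d is missing", argc, i)
		}
		arg, err := decodeArg(raw)
		if err != nil {
			return ExecveArgs{}, err
		}
		out.Args = append(out.Args, arg)
	}
	return out, nil
}

func main() {
	// Constructed sample record, not captured from a real system.
	line := `type=EXECVE msg=audit(1526878980.123:42): argc=3 a0="ls" a1="-l" a2=2F746D70`
	args, err := ParseExecve(line)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("argc=%d argv=%q\n", args.Argc, args.Args)
}
```

The hex branch is only reached for unquoted values, which is exactly why the raw message (quotes included) has to survive into the parser: the same eight characters mean different things depending on whether the quotes are still there.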
Reason: We had a lot of exported functions that are used for internal
purposes and would not make sense directly on the client side. One such
example is auditRuleFieldPairData, where we are setting the fields
of the rule struct according to the passed operator, flags and field values.
It is unnecessary to expose such a complex API to users, as they would
hardly use it.
Things that have been unexported:
fieldType => denoting the integer values of audit rule fields
type* => particular field types such as typeA0.
interpretField() => translates the encoded field values to simple strings
auditStatus => C-compatible struct used for sending status messages to the audit framework
auditGetReply() => used for receiving acks/replies from kernel
auditRuleData => C-compatible struct used for storing audit rules
fieldArray => internal type to hold array of field values
fmap => internal type denoting a particular field
auditDeleteRuleData() => used for deleting rules: marks auditRuleData and sends it to the kernel
auditRuleSyscallData() => makes changes in auditRuleData according to syscall number
auditNameToFtype() => converts string fieldtypes to integer counterparts
auditRuleFieldPairData()
auditAddRuleData() => used for adding rules: marks auditRuleData and sends it to the kernel
auditSetupAndAddWatchDir() => marks auditRuleData to include watch params
auditAddWatchDir() => internal function for auditSetupAndAddWatchDir()
auditSetupAndUpdatePerms() => marks auditRuleData to include perms string
auditUpdateWatchPerms() => internal function for auditSetupAndUpdatePerms()
Add native parser for audit messages and test cases for parser, for performance benefits
Add interpretation support for audit message fields (further support can be added as needed)
Remove json files and include the tables directly as Go variables
Change package name to libaudit