// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
package libaudit
// fieldLookupMap maps the field names that occur in audit records to the
// fieldType used to interpret their raw values. Entries are grouped by the
// interpretation they share; because this is a map literal, the grouping has
// no effect on lookups.
//
// Several of the string-typed fields (comm, cmd, proctitle, key, ...) carry
// values that originate from the audited process rather than from the kernel,
// so whatever decodes a typeEscaped value should treat it as untrusted input.
var fieldLookupMap = map[string]fieldType{
	// Numeric user identifiers.
	"auid": typeUID, "uid": typeUID, "euid": typeUID, "suid": typeUID,
	"fsuid": typeUID, "ouid": typeUID, "oauid": typeUID, "iuid": typeUID,
	"id": typeUID, "inode_uid": typeUID, "sauid": typeUID, "obj_uid": typeUID,

	// Numeric group identifiers.
	"obj_gid": typeGID, "gid": typeGID, "egid": typeGID, "sgid": typeGID,
	"fsgid": typeGID, "ogid": typeGID, "igid": typeGID, "inode_gid": typeGID,
	"new_gid": typeGID,

	// Syscall metadata and the first four syscall arguments.
	"syscall": typeSyscall,
	"arch":    typeArch,
	"exit":    typeExit,
	"a0":      typeA0,
	"a1":      typeA1,
	"a2":      typeA2,
	"a3":      typeA3,

	// String fields interpreted through the escaped-string decoder.
	"path": typeEscaped, "comm": typeEscaped, "exe": typeEscaped, "file": typeEscaped,
	"name": typeEscaped, "watch": typeEscaped, "cwd": typeEscaped, "cmd": typeEscaped,
	"acct": typeEscaped, "dir": typeEscaped, "key": typeEscaped, "vm": typeEscaped,
	"old-disk": typeEscaped, "new-disk": typeEscaped, "old-fs": typeEscaped, "new-fs": typeEscaped,
	"device": typeEscaped, "cgroup": typeEscaped, "apparmor": typeEscaped, "operation": typeEscaped,
	"denied_mask": typeEscaped, "info": typeEscaped, "profile": typeEscaped, "requested_mask": typeEscaped,
	"old-rng": typeEscaped, "new-rng": typeEscaped, "ocomm": typeEscaped, "sigev_signo": typeEscaped,
	"grp": typeEscaped, "new_group": typeEscaped,

	// Permission bits, file modes and socket addresses.
	"perm": typePerm, "perm_mask": typePerm,
	"mode":  typeMode,
	"saddr": typeSockaddr,

	// Promiscuous-mode flags and capabilities (single value or bitmap).
	"prom": typePromisc, "old_prom": typePromisc,
	"capability": typeCapability,
	"cap_pi": typeCapBitmap, "cap_pe": typeCapBitmap, "cap_pp": typeCapBitmap,
	"cap_fi": typeCapBitmap, "cap_fp": typeCapBitmap,
	"fp": typeCapBitmap, "fi": typeCapBitmap, "fe": typeCapBitmap,
	"old_pp": typeCapBitmap, "old_pi": typeCapBitmap, "old_pe": typeCapBitmap,
	"new_pp": typeCapBitmap, "new_pi": typeCapBitmap, "new_pe": typeCapBitmap,

	// Outcome, signal, list, tty data and session fields.
	"res": typeSuccess, "result": typeSuccess,
	"sig":  typeSignal,
	"list": typeList,
	"data": typeTTYData,
	"ses":  typeSession,

	// Network-related fields.
	"family":   typeNFProto,
	"icmptype": typeICMP,
	"proto":    typeProtocol,
	"addr":     typeAddr,

	// Process attributes.
	"per":       typePersonality,
	"code":      typeSeccomp,
	"oflag":     typeOFlag,
	"flags":     typeMmap,
	"proctitle": typeProctile,

	// MAC security labels (subject/object contexts).
	"subj": typeMacLabel, "obj": typeMacLabel, "scontext": typeMacLabel,
	"tcontext": typeMacLabel, "vm-ctx": typeMacLabel, "img-ctx": typeMacLabel,
}
// actionLookup gives the textual name of each rule action value carried in
// auditRuleData, as it is written in audit rule syntax.
var actionLookup = map[int]string{
	AUDIT_ALWAYS:   "always",
	AUDIT_NEVER:    "never",
	AUDIT_POSSIBLE: "possible",
}
// flagLookup gives the textual name of each filter-list flag value carried in
// auditRuleData, as it is written in audit rule syntax.
var flagLookup = map[int]string{
	AUDIT_FILTER_ENTRY:   "entry",
	AUDIT_FILTER_EXCLUDE: "exclude",
	AUDIT_FILTER_EXIT:    "exit",
	AUDIT_FILTER_TASK:    "task",
	AUDIT_FILTER_USER:    "user",
}
// opLookup gives the textual operator for each comparison constant carried in
// auditRuleData, in the notation used by audit rule syntax.
var opLookup = map[int]string{
	// Equality and ordering comparisons.
	AUDIT_EQUAL:                 "=",
	AUDIT_NOT_EQUAL:             "!=",
	AUDIT_LESS_THAN:             "<",
	AUDIT_LESS_THAN_OR_EQUAL:    "<=",
	AUDIT_GREATER_THAN:          ">",
	AUDIT_GREATER_THAN_OR_EQUAL: ">=",

	// Bitwise comparisons.
	AUDIT_BIT_MASK: "&",
	AUDIT_BIT_TEST: "&=",
}
// fieldLookup gives the textual name of each rule field constant carried in
// auditRuleData. It is used both when rendering rules and when interpreting
// the fields set in an auditRuleData struct. Note that AUDIT_WATCH is spelled
// "path" and AUDIT_FILTERKEY is spelled "key".
var fieldLookup = map[int]string{
	// Process identifiers.
	AUDIT_PID:  "pid",
	AUDIT_PPID: "ppid",

	// User and group identifiers. "loginuid" is not listed as a second
	// spelling for AUDIT_LOGINUID: a map literal cannot repeat a key.
	AUDIT_UID:      "uid",
	AUDIT_EUID:     "euid",
	AUDIT_SUID:     "suid",
	AUDIT_FSUID:    "fsuid",
	AUDIT_GID:      "gid",
	AUDIT_EGID:     "egid",
	AUDIT_SGID:     "sgid",
	AUDIT_FSGID:    "fsgid",
	AUDIT_LOGINUID: "auid",
	AUDIT_OBJ_UID:  "obj_uid",
	AUDIT_OBJ_GID:  "obj_gid",

	// Subject (process) security label components.
	AUDIT_SUBJ_USER: "subj_user",
	AUDIT_SUBJ_ROLE: "subj_role",
	AUDIT_SUBJ_TYPE: "subj_type",
	AUDIT_SUBJ_SEN:  "subj_sen",
	AUDIT_SUBJ_CLR:  "subj_clr",

	// Object security label components.
	AUDIT_OBJ_USER:     "obj_user",
	AUDIT_OBJ_ROLE:     "obj_role",
	AUDIT_OBJ_TYPE:     "obj_type",
	AUDIT_OBJ_LEV_LOW:  "obj_lev_low",
	AUDIT_OBJ_LEV_HIGH: "obj_lev_high",

	// File and device attributes.
	AUDIT_DEVMAJOR: "devmajor",
	AUDIT_DEVMINOR: "devminor",
	AUDIT_INODE:    "inode",
	AUDIT_WATCH:    "path",
	AUDIT_PERM:     "perm",
	AUDIT_DIR:      "dir",
	AUDIT_FILETYPE: "filetype",
	AUDIT_EXE:      "exe",

	// Syscall result, arguments and miscellaneous selectors.
	AUDIT_PERS:          "pers",
	AUDIT_ARCH:          "arch",
	AUDIT_MSGTYPE:       "msgtype",
	AUDIT_EXIT:          "exit",
	AUDIT_SUCCESS:       "success",
	AUDIT_FIELD_COMPARE: "field_compare",
	AUDIT_ARG0:          "a0",
	AUDIT_ARG1:          "a1",
	AUDIT_ARG2:          "a2",
	AUDIT_ARG3:          "a3",
	AUDIT_FILTERKEY:     "key",
}
// msgTypeTab resolves the record type name that prefixes an audit message to
// its numeric auditConstant. Entries are grouped by the part of the audit
// subsystem that produces them; a handful of names that were commented out of
// the original table are mentioned in the group comments and do not resolve.
// Note that the "APPARMOR" name maps to AUDIT_AA rather than a same-named
// constant.
var msgTypeTab = map[string]auditConstant{
	// User-space events: login, authentication, credentials, account and
	// group management, system and service lifecycle.
	"USER": AUDIT_USER, "LOGIN": AUDIT_LOGIN,
	"USER_AUTH": AUDIT_USER_AUTH, "USER_ACCT": AUDIT_USER_ACCT, "USER_MGMT": AUDIT_USER_MGMT,
	"CRED_ACQ": AUDIT_CRED_ACQ, "CRED_DISP": AUDIT_CRED_DISP, "CRED_REFR": AUDIT_CRED_REFR,
	"USER_START": AUDIT_USER_START, "USER_END": AUDIT_USER_END, "USER_AVC": AUDIT_USER_AVC,
	"USER_CHAUTHTOK": AUDIT_USER_CHAUTHTOK, "USER_ERR": AUDIT_USER_ERR, "USYS_CONFIG": AUDIT_USYS_CONFIG,
	"USER_LOGIN": AUDIT_USER_LOGIN, "USER_LOGOUT": AUDIT_USER_LOGOUT,
	"ADD_USER": AUDIT_ADD_USER, "DEL_USER": AUDIT_DEL_USER,
	"ADD_GROUP": AUDIT_ADD_GROUP, "DEL_GROUP": AUDIT_DEL_GROUP,
	"DAC_CHECK": AUDIT_DAC_CHECK, "CHGRP_ID": AUDIT_CHGRP_ID,
	"TEST": AUDIT_TEST, "TRUSTED_APP": AUDIT_TRUSTED_APP,
	"USER_SELINUX_ERR": AUDIT_USER_SELINUX_ERR, "USER_CMD": AUDIT_USER_CMD, "USER_TTY": AUDIT_USER_TTY,
	"CHUSER_ID": AUDIT_CHUSER_ID, "GRP_AUTH": AUDIT_GRP_AUTH, "MAC_CHECK": AUDIT_MAC_CHECK,
	"ACCT_LOCK": AUDIT_ACCT_LOCK, "ACCT_UNLOCK": AUDIT_ACCT_UNLOCK,
	"SYSTEM_BOOT": AUDIT_SYSTEM_BOOT, "SYSTEM_SHUTDOWN": AUDIT_SYSTEM_SHUTDOWN, "SYSTEM_RUNLEVEL": AUDIT_SYSTEM_RUNLEVEL,
	"SERVICE_START": AUDIT_SERVICE_START, "SERVICE_STOP": AUDIT_SERVICE_STOP,
	"GRP_MGMT": AUDIT_GRP_MGMT, "GRP_CHAUTHTOK": AUDIT_GRP_CHAUTHTOK,

	// Audit daemon lifecycle events. DAEMON_START, DAEMON_END, DAEMON_ABORT
	// and DAEMON_ERR are left out and do not resolve.
	"DAEMON_CONFIG": AUDIT_DAEMON_CONFIG, "DAEMON_RECONFIG": AUDIT_DAEMON_RECONFIG,
	"DAEMON_ROTATE": AUDIT_DAEMON_ROTATE, "DAEMON_RESUME": AUDIT_DAEMON_RESUME,
	"DAEMON_ACCEPT": AUDIT_DAEMON_ACCEPT, "DAEMON_CLOSE": AUDIT_DAEMON_CLOSE,

	// Kernel-generated records for syscalls and their context. FS_WATCH and
	// FS_INODE are left out and do not resolve.
	"SYSCALL": AUDIT_SYSCALL, "PATH": AUDIT_PATH, "IPC": AUDIT_IPC, "SOCKETCALL": AUDIT_SOCKETCALL,
	"CONFIG_CHANGE": AUDIT_CONFIG_CHANGE, "SOCKADDR": AUDIT_SOCKADDR, "CWD": AUDIT_CWD,
	"EXECVE": AUDIT_EXECVE, "IPC_SET_PERM": AUDIT_IPC_SET_PERM,
	"MQ_OPEN": AUDIT_MQ_OPEN, "MQ_SENDRECV": AUDIT_MQ_SENDRECV, "MQ_NOTIFY": AUDIT_MQ_NOTIFY, "MQ_GETSETATTR": AUDIT_MQ_GETSETATTR,
	"KERNEL_OTHER": AUDIT_KERNEL_OTHER, "FD_PAIR": AUDIT_FD_PAIR, "OBJ_PID": AUDIT_OBJ_PID, "TTY": AUDIT_TTY,
	"EOE": AUDIT_EOE, "BPRM_FCAPS": AUDIT_BPRM_FCAPS, "CAPSET": AUDIT_CAPSET, "MMAP": AUDIT_MMAP,
	"NETFILTER_PKT": AUDIT_NETFILTER_PKT, "NETFILTER_CFG": AUDIT_NETFILTER_CFG,
	"SECCOMP": AUDIT_SECCOMP, "PROCTITLE": AUDIT_PROCTITLE, "FEATURE_CHANGE": AUDIT_FEATURE_CHANGE,
	"KERNEL": AUDIT_KERNEL,

	// SELinux / MAC policy and labelling events.
	"AVC": AUDIT_AVC, "SELINUX_ERR": AUDIT_SELINUX_ERR, "AVC_PATH": AUDIT_AVC_PATH,
	"MAC_POLICY_LOAD": AUDIT_MAC_POLICY_LOAD, "MAC_STATUS": AUDIT_MAC_STATUS, "MAC_CONFIG_CHANGE": AUDIT_MAC_CONFIG_CHANGE,
	"MAC_UNLBL_ALLOW": AUDIT_MAC_UNLBL_ALLOW, "MAC_CIPSOV4_ADD": AUDIT_MAC_CIPSOV4_ADD, "MAC_CIPSOV4_DEL": AUDIT_MAC_CIPSOV4_DEL,
	"MAC_MAP_ADD": AUDIT_MAC_MAP_ADD, "MAC_MAP_DEL": AUDIT_MAC_MAP_DEL,
	"MAC_IPSEC_ADDSA": AUDIT_MAC_IPSEC_ADDSA, "MAC_IPSEC_DELSA": AUDIT_MAC_IPSEC_DELSA,
	"MAC_IPSEC_ADDSPD": AUDIT_MAC_IPSEC_ADDSPD, "MAC_IPSEC_DELSPD": AUDIT_MAC_IPSEC_DELSPD, "MAC_IPSEC_EVENT": AUDIT_MAC_IPSEC_EVENT,
	"MAC_UNLBL_STCADD": AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCDEL": AUDIT_MAC_UNLBL_STCDEL,

	// Kernel-detected anomalies.
	"ANOM_PROMISCUOUS": AUDIT_ANOM_PROMISCUOUS, "ANOM_ABEND": AUDIT_ANOM_ABEND, "ANOM_LINK": AUDIT_ANOM_LINK,

	// Integrity subsystem events.
	"INTEGRITY_DATA": AUDIT_INTEGRITY_DATA, "INTEGRITY_METADATA": AUDIT_INTEGRITY_METADATA,
	"INTEGRITY_STATUS": AUDIT_INTEGRITY_STATUS, "INTEGRITY_HASH": AUDIT_INTEGRITY_HASH,
	"INTEGRITY_PCR": AUDIT_INTEGRITY_PCR, "INTEGRITY_RULE": AUDIT_INTEGRITY_RULE,

	// AppArmor events. APPARMOR_HINT is left out and does not resolve.
	"APPARMOR": AUDIT_AA,
	"APPARMOR_AUDIT": AUDIT_APPARMOR_AUDIT, "APPARMOR_ALLOWED": AUDIT_APPARMOR_ALLOWED,
	"APPARMOR_DENIED": AUDIT_APPARMOR_DENIED, "APPARMOR_STATUS": AUDIT_APPARMOR_STATUS,
	"APPARMOR_ERROR": AUDIT_APPARMOR_ERROR,

	// User-space-detected anomalies.
	"ANOM_LOGIN_FAILURES": AUDIT_ANOM_LOGIN_FAILURES, "ANOM_LOGIN_TIME": AUDIT_ANOM_LOGIN_TIME,
	"ANOM_LOGIN_SESSIONS": AUDIT_ANOM_LOGIN_SESSIONS, "ANOM_LOGIN_ACCT": AUDIT_ANOM_LOGIN_ACCT,
	"ANOM_LOGIN_LOCATION": AUDIT_ANOM_LOGIN_LOCATION,
	"ANOM_MAX_DAC": AUDIT_ANOM_MAX_DAC, "ANOM_MAX_MAC": AUDIT_ANOM_MAX_MAC, "ANOM_AMTU_FAIL": AUDIT_ANOM_AMTU_FAIL,
	"ANOM_RBAC_FAIL": AUDIT_ANOM_RBAC_FAIL, "ANOM_RBAC_INTEGRITY_FAIL": AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
	"ANOM_CRYPTO_FAIL": AUDIT_ANOM_CRYPTO_FAIL, "ANOM_ACCESS_FS": AUDIT_ANOM_ACCESS_FS,
	"ANOM_EXEC": AUDIT_ANOM_EXEC, "ANOM_MK_EXEC": AUDIT_ANOM_MK_EXEC,
	"ANOM_ADD_ACCT": AUDIT_ANOM_ADD_ACCT, "ANOM_DEL_ACCT": AUDIT_ANOM_DEL_ACCT, "ANOM_MOD_ACCT": AUDIT_ANOM_MOD_ACCT,
	"ANOM_ROOT_TRANS": AUDIT_ANOM_ROOT_TRANS,

	// Responses taken to anomalies.
	"RESP_ANOMALY": AUDIT_RESP_ANOMALY, "RESP_ALERT": AUDIT_RESP_ALERT, "RESP_KILL_PROC": AUDIT_RESP_KILL_PROC,
	"RESP_TERM_ACCESS": AUDIT_RESP_TERM_ACCESS, "RESP_ACCT_REMOTE": AUDIT_RESP_ACCT_REMOTE,
	"RESP_ACCT_LOCK_TIMED": AUDIT_RESP_ACCT_LOCK_TIMED, "RESP_ACCT_UNLOCK_TIMED": AUDIT_RESP_ACCT_UNLOCK_TIMED,
	"RESP_ACCT_LOCK": AUDIT_RESP_ACCT_LOCK, "RESP_TERM_LOCK": AUDIT_RESP_TERM_LOCK,
	"RESP_SEBOOL": AUDIT_RESP_SEBOOL, "RESP_EXEC": AUDIT_RESP_EXEC,
	"RESP_SINGLE": AUDIT_RESP_SINGLE, "RESP_HALT": AUDIT_RESP_HALT,

	// User-space role, label and device management events.
	"USER_ROLE_CHANGE": AUDIT_USER_ROLE_CHANGE, "ROLE_ASSIGN": AUDIT_ROLE_ASSIGN,
	"ROLE_REMOVE": AUDIT_ROLE_REMOVE, "ROLE_MODIFY": AUDIT_ROLE_MODIFY,
	"LABEL_OVERRIDE": AUDIT_LABEL_OVERRIDE, "LABEL_LEVEL_CHANGE": AUDIT_LABEL_LEVEL_CHANGE,
	"USER_LABELED_EXPORT": AUDIT_USER_LABELED_EXPORT, "USER_UNLABELED_EXPORT": AUDIT_USER_UNLABELED_EXPORT,
	"DEV_ALLOC": AUDIT_DEV_ALLOC, "DEV_DEALLOC": AUDIT_DEV_DEALLOC, "FS_RELABEL": AUDIT_FS_RELABEL,
	"USER_MAC_POLICY_LOAD": AUDIT_USER_MAC_POLICY_LOAD, "USER_MAC_CONFIG_CHANGE": AUDIT_USER_MAC_CONFIG_CHANGE,

	// Cryptographic subsystem events.
	"CRYPTO_TEST_USER": AUDIT_CRYPTO_TEST_USER, "CRYPTO_PARAM_CHANGE_USER": AUDIT_CRYPTO_PARAM_CHANGE_USER,
	"CRYPTO_LOGIN": AUDIT_CRYPTO_LOGIN, "CRYPTO_LOGOUT": AUDIT_CRYPTO_LOGOUT,
	"CRYPTO_KEY_USER": AUDIT_CRYPTO_KEY_USER, "CRYPTO_FAILURE_USER": AUDIT_CRYPTO_FAILURE_USER,
	"CRYPTO_REPLAY_USER": AUDIT_CRYPTO_REPLAY_USER, "CRYPTO_SESSION": AUDIT_CRYPTO_SESSION,
	"CRYPTO_IKE_SA": AUDIT_CRYPTO_IKE_SA, "CRYPTO_IPSEC_SA": AUDIT_CRYPTO_IPSEC_SA,

	// Virtualization events.
	"VIRT_CONTROL": AUDIT_VIRT_CONTROL, "VIRT_RESOURCE": AUDIT_VIRT_RESOURCE, "VIRT_MACHINE_ID": AUDIT_VIRT_MACHINE_ID,
}