go package for interfacing with Linux audit

Перейти к файлу

Aaron Meihm cd5411408f minor cleanup in event processor		2017-08-24 11:07:27 -05:00
headers	Add reverse Mapping for syscall values => names to avoid map assigns	2016-08-16 15:16:44 +05:30
vendor/github.com	Fix vendor directory structure	2016-08-16 22:46:15 +05:30
.gitignore	gitignore	2017-03-02 09:34:22 -06:00
LICENSE	Initial commit	2014-11-06 15:37:37 -05:00
Makefile	run benchmarks in test target	2017-08-24 10:50:19 -05:00
README.md	Update generated string audit constants	2016-07-31 22:01:36 +05:30
audit_constant.go	add license header to source, remove example from package comments	2017-08-23 09:36:27 -05:00
audit_events.go	minor cleanup in event processor	2017-08-24 11:07:27 -05:00
auditconstant_string.go	update generated auditconstant_string.go	2017-08-23 09:37:45 -05:00
interpret.go	minor cleanup in token interpreter	2017-08-24 10:40:09 -05:00
libaudit.go	fix linter warnings in libaudit.go	2017-08-23 11:14:26 -05:00
libaudit_test.go	add license header to source, remove example from package comments	2017-08-23 09:36:27 -05:00
lookup_tables.go	add license header to source, remove example from package comments	2017-08-23 09:36:27 -05:00
parser.go	correct spelling for fixPunctuations	2017-08-24 10:57:48 -05:00
parser_test.go	minor cleanup in parser	2017-08-24 10:55:55 -05:00
rules.go	consistent use of receiver name in rule parser	2017-08-23 17:16:05 -05:00
rules_test.go	additional syscall test with key	2017-08-23 16:48:25 -05:00
s2i_type_conversion.json	removed autid-go components	2015-11-20 02:54:28 +05:30

README.md

Libaudit in Golang

Golang package (lib) for Linux Audit

Libaudit-go is a pure Go client library for dealing directly with linux audit framework. The idea is provide a replacement to the existing auditd daemon and its libraries. Originally developed for Audit Go Heka Plugin

To get started see package documentation at godoc.

See main.go for an example implementation of the client using libaudit-go.

Supported Methods (API)

General

NewNetlinkConnection

Open a audit netlink socket connection Similar to audit_open, NewNetlinkConnection creates a NETLINK_AUDIT socket for communication with the kernel part of the Linux Audit Subsystem.

It provide three methods

Close
Send
Receive

Example :

s, err := libaudit.NewNetlinkConnection()

if err != nil {
    log.Println(err)
    log.Fatalln("Error while availing socket! Exiting!")
} 

defer s.Close()

Definations of Send and Receive are :

Send

func (s *NetlinkConnection) Send(request *NetlinkMessage) error

Receive

func (s *NetlinkConnection) Receive(bytesize int, block int) ([]NetlinkMessage, error)

GetAuditEvents

Starts an Audit event monitor in a go-routine.

func AuditGetEvents(s *NetlinkConnection, cb EventCallback, ec chan error, args ...interface{})

This function start a audit event monitor and accept a callback that is called on each audit event received from the Audit Subsysten.

Example:


func EventCallback(msg *libaudit.AuditEvent, ce chan error, args ...interface{}) {
	// print the info map
	log.Println(msg.Data)
	// print the raw event
	log.Println(msg.Raw)
}

// Go rutine to monitor events and call callback for each event fired
libaudit.GetAuditEvents(s, EventCallback, errchan)

The callback accept AuditEvent type variable as an argument. AuditEvent is defined as

type AuditEvent struct {
	Serial				int
	Timestamp			float64
	Type 				string
	Data 				map[string]string
	Raw 				string
}

AuditGetRawEvents

Starts an Audit event monitor which emits raw events in a go-routine

func GetRawAuditEvents(s *NetlinkConnection, cb RawEventCallback, ec chan error, args ...interface{})

Same as GetAuditEvents but accept a string type in callback instead of AuditEvent type.

Example -

func RawEventCallback(msg string, ce chan error, args ...interface{}) {
	log.Println(msg)
}

// Go rutine to monitor events and feed raw events to the callback
libaudit.GetRawAuditEvents(s, RawEventCallback, errchan)

AuditIsEnabled

This function will return 0 if audit is not enabled and 1 if enabled, and -1 on error.

func AuditIsEnabled(s *NetlinkConnection) (state int, err error)

Example :

status, err := libaudit.AuditIsEnabled(s)

AuditRequestStatus

Not yet implemented

Audit Set

AuditSetEnabled

Enable or disable auditing, 1 to enable and 0 to disable.

func AuditSetEnabled(s *NetlinkConnection) error

Example :

err := libaudit.AuditSetEnabled(s, 1)

AuditSetRateLimit

Sets rate limit for audit messages from kernel

func AuditSetRateLimit(s *NetlinkConnection, limit int) error

This function set the maximum number of messages that the kernel will send per second.

Example:

err = libaudit.AuditSetRateLimit(s, 600)

AuditSetBacklogLimit

Sets backlog limit for audit messages from kernel

func AuditSetBacklogLimit(s *NetlinkConnection, limit int) error

This function sets the queue length for audit events awaiting transfer to the audit daemon

Example :

err = libaudit.AuditSetBacklogLimit(s, 420)

AuditSetPid

Set audit daemon process ID

func AuditSetPid(s *NetlinkConnection, pid uint32 ) error

This function registers the given PID with kernel as the program for receiving audit messages.

Example :

err = libaudit.AuditSetPid(s, uint32(syscall.Getpid()))

AuditSetFailure

Not yet implemented

Audit Rules

SetRules

Set audit rules from a configuration file

func SetRules(s *NetlinkConnection, content []byte) error

This function accept the json rules file as byte array and register rules with audit. See audit.rules.json for example

Example:

// Load all rules
content, err := ioutil.ReadFile("audit.rules.json")
if err != nil {
	log.Print("Error:", err)
	os.Exit(0)
}

// Set audit rules
err = libaudit.SetRules(s, content)

DeleteAllRules

Delete all audit rules.

func DeleteAllRules(s *NetlinkConnection) error

Example:

err := DeleteAllRules(s)

ListAllRules

ListAllRules lists all audit rules currently loaded in audit kernel in the same format as shown by auditctl utility.

func ListAllRules(s *NetlinkConnection) ([]string, error)

Example:

	rulesArray, err := libaudit.ListAllRules(s)