audit: make including raw audit message optional

Aaron Meihm 2017-09-06 15:56:59 -05:00
Родитель 51d17d6494
Коммит c53ddf51c8
3 изменённых файлов: 10 добавлений и 2 удалений


@ -49,10 +49,9 @@ var logChan chan string
var alertChan chan string
var handlerErrChan chan error
var configChan chan modules.ConfigParams
var cfg config
func moduleMain() {
var cfg config
incfg := <-configChan
buf, err := json.Marshal(incfg.Config)
if err != nil {
@ -102,6 +101,7 @@ type config struct {
RulesPath string `json:"rulespath"`
RateLimit int `json:"ratelimit"`
BacklogLimit int `json:"backloglimit"`
IncludeRaw bool `json:"includeraw"`
} `json:"audit"`
}
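Review bot: Hoisting `var cfg config` to package scope (the line added after `var configChan`) turns the module configuration into shared mutable state that `moduleMain` populates and the libaudit `callback` later reads through `cfg.Audit.IncludeRaw`; if the audit loop can invoke the callback on another goroutine before or while `moduleMain` finishes assigning it, that read is a data race that `go test -race` would flag. Because moduleMain's body continues outside the hunk, I cannot see whether `runAudit` is started only after `cfg` is fully assigned; if it is, a comment on the declaration such as `// cfg is assigned once in moduleMain before runAudit starts and is read-only afterwards.` records the invariant the callback relies on. If that ordering is not guaranteed, prefer capturing the flag into a local and handing it to the audit loop rather than reading the package variable from the callback. Also double-check that no `cfg := ...` or `cfg, err := ...` remains further down in moduleMain, since that would now silently shadow the package variable and leave it at its zero value.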


@ -37,6 +37,7 @@ The audit module is configured using ``audit.cfg`` in the agent configuration di
rulespath = /etc/mig/audit.rules.json
ratelimit = 500
backloglimit = 16384
includeraw = no
``rulespath`` indicates the path to load audit rules into the kernel from. Note that this is not a
standard audit configuration, but a JSON based rule set as is used in
@ -44,3 +45,5 @@ standard audit configuration, but a JSON based rule set as is used in
``ratelimit`` and ``backloglimit`` can be used to configure the Linux auditing rate and back log
limits. If respective defaults of 500 and 16384 will be used.
``includeraw`` causes the raw audit message to be included with the parsed audit fields in the output.


@ -86,6 +86,11 @@ func runAudit() error {
func callback(msg *libaudit.AuditEvent, callerr error) {
// In our callback, we want to simply marshal the audit event and write it to the
// modules alert channel
//
// If includeraw is off, remove the raw data from the AuditEvent before we marshal it.
if !cfg.Audit.IncludeRaw {
msg.Raw = ""
}
buf, err := json.Marshal(msg)
if err != nil {
return
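Review bot: The new block starting at `if !cfg.Audit.IncludeRaw` dereferences `msg` before anything in the hunk checks `callerr` or whether `msg` is nil; if libaudit ever delivers a non-nil `callerr` with a nil event, `msg.Raw = ""` now panics inside the callback, whereas the previous code only handed the pointer to `json.Marshal`, which tolerates nil. A one-line change keeps the old tolerance: `if msg != nil && !cfg.Audit.IncludeRaw {`. Clearing `Raw` also mutates the event owned by the caller rather than a copy, so if libaudit reuses or logs the event after the callback returns the raw text is gone for it too; a short comment such as `// Mutates the caller's event in place; the audit library is assumed not to read Raw after the callback returns.` would make that assumption explicit. callback's body continues outside the hunk, so callerr may well be handled further down, in which case the nil guard is still the cheaper safeguard.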