aucoalesce

package

v0.0.5 Latest Latest Go to latest Published: Jul 24, 2017 License: Apache-2.0 Imports: 11 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cloudlinux/go-libaudit

Links

Open Source Insights

Documentation ¶

Overview ¶

Package aucoalesce provides functions to coalesce compound audit messages into a single event and normalize all message types with some common fields.

Index ¶

func LoadNormalizationConfig(b []byte) (syscalls map[string]*Normalization, recordTypes map[string]*Normalization, ...)
func ResolveIDs(event *Event)
type AuditEventType
- func GetAuditEventType(t AuditMessageType) AuditEventType
- func (t AuditEventType) MarshalText() (text []byte, err error)
- func (t AuditEventType) String() string
type Event
- func CoalesceMessages(msgs []*auparse.AuditMessage) (*Event, error)
type GroupCache
- func NewGroupCache() GroupCache
- func (c GroupCache) LookupGID(gid string) string
type HowMapping
type Normalization
type NormalizationConfig
type Object
type ObjectMapping
type Strings
- func (s *Strings) UnmarshalYAML(unmarshal func(interface{}) error) error
type Subject
type SubjectMapping
type UserCache
- func NewUserCache() UserCache
- func (c UserCache) LookupUID(uid string) string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func LoadNormalizationConfig ¶ added in v0.0.3

func LoadNormalizationConfig(b []byte) (syscalls map[string]*Normalization, recordTypes map[string]*Normalization, err error)

func ResolveIDs ¶ added in v0.0.3

func ResolveIDs(event *Event)

ResolveIDs translates all uid and gid values to their associated names. This requires cgo on Linux.

Types ¶

type AuditEventType ¶ added in v0.0.3

type AuditEventType uint16

AuditEventType is a categorization of a simple or compound audit event.

const (
	EventTypeUnknown AuditEventType = iota
	EventTypeUserspace
	EventTypeSystemServices
	EventTypeConfig
	EventTypeTTY
	EventTypeUserAccount
	EventTypeUserLogin
	EventTypeAuditDaemon
	EventTypeMACDecision
	EventTypeAnomoly
	EventTypeIntegrity
	EventTypeAnomolyResponse
	EventTypeMAC
	EventTypeCrypto
	EventTypeVirt
	EventTypeAuditRule
	EventTypeDACDecision
	EventTypeGroupChange
)

func GetAuditEventType ¶ added in v0.0.3

func GetAuditEventType(t AuditMessageType) AuditEventType

func (AuditEventType) MarshalText ¶ added in v0.0.3

func (t AuditEventType) MarshalText() (text []byte, err error)

func (AuditEventType) String ¶ added in v0.0.3

func (t AuditEventType) String() string

type Event ¶ added in v0.0.3

type Event struct {
	Timestamp time.Time                `json:"@timestamp"       yaml:"timestamp"`
	Sequence  uint32                   `json:"sequence"         yaml:"sequence"`
	Category  AuditEventType           `json:"category"         yaml:"category"`
	Type      auparse.AuditMessageType `json:"record_type"      yaml:"type"`
	Result    string                   `json:"result,omitempty" yaml:"result,omitempty"`
	Session   string                   `json:"session"          yaml:"session"`
	Subject   Subject                  `json:"actor"            yaml:"actor"`
	Action    string                   `json:"action,omitempty" yaml:"action,omitempty"`
	Object    Object                   `json:"thing,omitempty"  yaml:"thing,omitempty"`
	How       string                   `json:"how,omitempty"    yaml:"how,omitempty"`
	Key       string                   `json:"key,omitempty"    yaml:"key,omitempty"`

	Data   map[string]string   `json:"data,omitempty"   yaml:"data,omitempty"`
	Paths  []map[string]string `json:"paths,omitempty"  yaml:"paths,omitempty"`
	Socket map[string]string   `json:"socket,omitempty" yaml:"socket,omitempty"`

	Warnings []error `json:"-" yaml:"-"`
}

func CoalesceMessages ¶

func CoalesceMessages(msgs []*auparse.AuditMessage) (*Event, error)

CoalesceMessages combines the given messages into a single event. It assumes that all the messages in the slice have the same timestamp and sequence number. An error is returned is msgs is empty or nil or only contains and EOE (end-of-event) message.

type GroupCache ¶ added in v0.0.3

type GroupCache map[string]stringItem

GroupCache is a cache of GID to group name.

func NewGroupCache ¶ added in v0.0.3

func NewGroupCache() GroupCache

NewGroupCache returns a new GroupCache.

func (GroupCache) LookupGID ¶ added in v0.0.3

func (c GroupCache) LookupGID(gid string) string

LookupGID looks up a GID and returns the group associated with it. If no group could be found an empty string is returned. The value will be cached for a minute. This requires cgo on Linux.

type HowMapping ¶ added in v0.0.3

type HowMapping struct {
	FieldName string `yaml:"field"`
}

type Normalization ¶ added in v0.0.3

type Normalization struct {
	Subject     SubjectMapping `yaml:"subject"`
	Action      string         `yaml:"action"`
	Object      ObjectMapping  `yaml:"object"`
	How         Strings        `yaml:"how"`
	RecordTypes Strings        `yaml:"record_types"`
	Syscalls    Strings        `yaml:"syscalls"`
}

type NormalizationConfig ¶ added in v0.0.3

type NormalizationConfig struct {
	Default        Normalization `yaml:"default"`
	Normalizations []Normalization
}

type Object ¶ added in v0.0.3

type Object struct {
	Primary   string            `json:"primary,omitempty"   yaml:"primary,omitempty"`
	Secondary string            `json:"secondary,omitempty" yaml:"secondary,omitempty"`
	What      string            `json:"what,omitempty"      yaml:"what,omitempty"`
	SELinux   map[string]string `json:"selinux,omitempty"   yaml:"selinux,omitempty"`
}

type ObjectMapping ¶ added in v0.0.3

type ObjectMapping struct {
	PrimaryFieldName   Strings `yaml:"primary"`
	SecondaryFieldName Strings `yaml:"secondary"`
	What               string  `yaml:"what"`
	PathIndex          int     `yaml:"path_index"`
}

type Strings ¶ added in v0.0.3

type Strings struct {
	Values []string
}

Strings is a custom type to enable YAML values that can be either a string or a list of strings.

func (*Strings) UnmarshalYAML ¶ added in v0.0.3

func (s *Strings) UnmarshalYAML(unmarshal func(interface{}) error) error

type Subject ¶ added in v0.0.3

type Subject struct {
	Primary    string            `json:"primary,omitempty"   yaml:"primary,omitempty"`
	Secondary  string            `json:"secondary,omitempty" yaml:"secondary,omitempty"`
	Attributes map[string]string `json:"attrs,omitempty"     yaml:"attrs,omitempty"`   // Other identifying data like euid, suid, fsuid, gid, egid, sgid, fsgid.
	SELinux    map[string]string `json:"selinux,omitempty"   yaml:"selinux,omitempty"` // SELinux labels.
}

type SubjectMapping ¶ added in v0.0.3

type SubjectMapping struct {
	PrimaryFieldName   Strings `yaml:"primary"`
	SecondaryFieldName Strings `yaml:"secondary"`
}

type UserCache ¶ added in v0.0.3

type UserCache map[string]stringItem

UserCache is a cache of UID to username.

func NewUserCache ¶ added in v0.0.3

func NewUserCache() UserCache

NewUserCache returns a new UserCache.

func (UserCache) LookupUID ¶ added in v0.0.3

func (c UserCache) LookupUID(uid string) string

LookupUID looks up a UID and returns the username associated with it. If no username could be found an empty string is returned. The value will be cached for a minute. This requires cgo on Linux.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL