The highest tagged major version is v2.

rule

package

v0.1.1 Latest Latest Go to latest Published: Apr 5, 2018 License: Apache-2.0 Imports: 12 Imported by: 147

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/elastic/go-libaudit

Links

Open Source Insights

Documentation ¶

Rendered for

Index ¶

type AccessType
- func (t AccessType) String() string
type DeleteAllRule
- func (r *DeleteAllRule) TypeOf() Type
type FileWatchRule
- func (r *FileWatchRule) TypeOf() Type
type FilterSpec
- func (f *FilterSpec) String() string
type FilterType
type Rule
type SyscallRule
- func (r *SyscallRule) TypeOf() Type
type Type
type WireFormat
- func Build(rule Rule) (WireFormat, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AccessType ¶

type AccessType uint8

AccessType specifies the type of file access to audit.

const (
	ReadAccessType AccessType = iota + 1
	WriteAccessType
	ExecuteAccessType
	AttributeChangeAccessType
)

The access types that can be audited for file watches.

func (AccessType) String ¶

func (t AccessType) String() string

type DeleteAllRule ¶

type DeleteAllRule struct {
	Type Type
	Keys []string // Delete rules that have these keys.
}

DeleteAllRule deletes all existing rules.

func (*DeleteAllRule) TypeOf ¶

func (r *DeleteAllRule) TypeOf() Type

TypeOf returns DeleteAllRuleType.

type FileWatchRule ¶

type FileWatchRule struct {
	Type        Type
	Path        string
	Permissions []AccessType
	Keys        []string
}

FileWatchRule is used to audit access to particular files or directories that you may be interested in.

func (*FileWatchRule) TypeOf ¶

func (r *FileWatchRule) TypeOf() Type

TypeOf returns FileWatchRuleType.

type FilterSpec ¶

type FilterSpec struct {
	Type       FilterType
	LHS        string
	Comparator string
	RHS        string
}

FilterSpec defines a filter to apply to a syscall rule.

func (*FilterSpec) String ¶

func (f *FilterSpec) String() string

type FilterType ¶

type FilterType uint8

FilterType specifies a type of filter to apply to a syscall rule.

const (
	InterFieldFilterType FilterType = iota + 1 // Inter-field comparison filtering (-C).
	ValueFilterType                            // Filtering based on values (-F).
)

The type of filters that can be applied.

type Rule ¶

type Rule interface {
	TypeOf() Type // TypeOf returns the type of rule.
}

Rule is the generic interface that all rule types implement.

type SyscallRule ¶

type SyscallRule struct {
	Type     Type
	List     string
	Action   string
	Filters  []FilterSpec
	Syscalls []string
	Keys     []string
}

SyscallRule is used to audit invocations of specific syscalls.

func (*SyscallRule) TypeOf ¶

func (r *SyscallRule) TypeOf() Type

TypeOf returns either AppendSyscallRuleType or PrependSyscallRuleType.

type Type ¶

type Type int

Type specifies the audit rule type.

const (
	DeleteAllRuleType      Type = iota + 1 // DeleteAllRule
	FileWatchRuleType                      // FileWatchRule
	AppendSyscallRuleType                  // SyscallRule
	PrependSyscallRuleType                 // SyscallRule
)

The rule types supported by this package.

type WireFormat ¶

type WireFormat []byte

WireFormat is the binary representation of a rule as used to exchange rules (commands) with the kernel.

func Build ¶

func Build(rule Rule) (WireFormat, error)

Build builds an audit rule.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
flags Package flags provides parsing of audit rules as specified using CLI flags in accordance to the man page for auditctl (from the auditd userspace tools).	Package flags provides parsing of audit rules as specified using CLI flags in accordance to the man page for auditctl (from the auditd userspace tools).

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL