Documentation ¶
Overview ¶
Parse BSM files
A simple tool to print BSM audit records
Index ¶
- func RecordGenerator(input io.Reader) chan ParsingResult
- func TokenFromByteInput(input io.Reader) (empty, error)
- type ArbitraryDataToken
- type ArgToken32bit
- type ArgToken64bit
- type AttributeToken32bit
- type AttributeToken64bit
- type BsmRecord
- type ExecArgsToken
- type ExecEnvToken
- type ExitToken
- type ExpandedHeaderToken32bit
- type ExpandedHeaderToken64bit
- type ExpandedInAddrToken
- type ExpandedProcessToken32bit
- type ExpandedProcessToken64bit
- type ExpandedSocketToken
- type ExpandedSubjectToken32bit
- type ExpandedSubjectToken64bit
- type FileToken
- type GroupsToken
- type HeaderToken32bit
- type HeaderToken64bit
- type IPortToken
- type InAddrToken
- type IpToken
- type ParsingResult
- type PathAttrToken
- type PathToken
- type ProcessToken32bit
- type ProcessToken64bit
- type ReturnToken32bit
- type ReturnToken64bit
- type SeqToken
- type SocketToken
- type SubjectToken32bit
- type SubjectToken64bit
- type SystemVIpcPermissionToken
- type SystemVIpcToken
- type TextToken
- type TrailerToken
- type ZonenameToken
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func RecordGenerator ¶
func RecordGenerator(input io.Reader) chan ParsingResult
RecordGenerator yields a continous stream of BSM records until the source is exhausted.
func TokenFromByteInput ¶
TokenFromByteInput converts bytes read from a given input to a BSM token.
Types ¶
type ArbitraryDataToken ¶
type ArbitraryDataToken struct { TokenID byte // token ID (1 byte): 0x21 HowToPrint byte // user-defined printing information (1 byte) BasicUnit uint8 // size of a unit in bytes (1 byte) UnitCount uint8 // number if units of data present (1 byte) DataItems [][]byte // user data }
ArbitraryDataToken (or 'arbitrary data' token) contains a byte stream of opaque (untyped) data. The size of the data is calculated as the size of each unit of data multiplied by the number of units of data. A 'How to print' field is present to specify how to print the data, but interpretation of that field is not currently defined.
type ArgToken32bit ¶
type ArgToken32bit struct { TokenID byte // Token ID (1 byte): 0x2d ArgumentID uint8 // argument ID/number (1 byte) ArgumentValue uint32 // argument value (4 bytes) Length uint16 // length of the text (2 bytes) Text string // the string including nul (Length + 1 NUL bytes) }
ArgToken32bit (or 'arg' token) contains information about arguments of the system call. These arguments are encoded in 32 bit
type ArgToken64bit ¶
type ArgToken64bit struct { TokenID byte // Token ID (1 byte): 0x71 ArgumentID uint8 // argument ID/number (1 byte) ArgumentValue uint64 // argument value (8 bytes) Length uint16 // length of the text (2 bytes) Text string // the string including nul (Length + 1 NUL bytes) }
ArgToken64bit (or 'arg' token) contains information about arguments of the system call. These arguments are encoded in 32 bit
type AttributeToken32bit ¶
type AttributeToken32bit struct { TokenID byte // Token ID (1 byte): 0x3e FileAccessMode uint32 // mode_t associated with file (4 bytes) OwnerUserID uint32 // uid_t associated with file (4 bytes) OwnerGroupID uint32 // gid_t associated with file (4 bytes) FileSystemID uint32 // fsid_t associated with file (4 bytes) FileSystemNodeID uint64 // ino_t associated with file (8 bytes) Device uint32 // Device major/minor number (4 bytes) }
AttributeToken32bit (or 'attribute' token) describes the attributes of a file associated with the audit event. As files may be identified by 0, 1, or many path names, a path name is not included with the attribute block for a file; optional 'path' tokens may also be present in an audit record indicating which path, if any, was used to reach the object. The device number is stored using 32 bit. TODO: check if token ID may be 0x31
type AttributeToken64bit ¶
type AttributeToken64bit struct { TokenID byte // Token ID (1 byte): 0x73 FileAccessMode uint32 // mode_t associated with file (4 bytes) OwnerUserID uint32 // uid_t associated with file (4 bytes) OwnerGroupID uint32 // gid_t associated with file (4 bytes) FileSystemID uint32 // fsid_t associated with file (4 bytes) FileSystemNodeID uint64 // ino_t associated with file (8 bytes) Device uint64 // Device major/minor number (8 bytes) }
AttributeToken64bit (or 'attribute' token) describes the attributes of a file associated with the audit event. As files may be identified by 0, 1, or many path names, a path name is not included with the attribute block for a file; optional 'path' tokens may also be present in an audit record indicating which path, if any, was used to reach the object. The device number is stored using 64 bit.
type BsmRecord ¶
type BsmRecord struct { Seconds uint64 // record time stamp (8 bytes) NanoSeconds uint64 // record time stamp (8 bytes) Tokens []empty // generic list of all tokens }
BsmRecord represents a BSM record.
type ExecArgsToken ¶
type ExecArgsToken struct { TokenID byte // Token ID (1 byte): 0x3c Count uint32 // number of arguments (4 bytes) Text []string // Count NUL-terminated strings }
ExecArgsToken (or 'exec_args' token) contains information about arguments of the exec() system call.
type ExecEnvToken ¶
type ExecEnvToken struct { TokenID byte // Token ID (1 byte): 0x3d Count uint32 // number of variables (4 bytes) Text []string // Count NUL-terminated strings }
ExecEnvToken (or 'exec_env' token) contains current environment variables to an exec() system call.
type ExitToken ¶
type ExitToken struct { TokenID byte // Token ID (1 byte): 0x52 Status uint32 // Process status on exit (4 bytes) ReturnValue int32 // Process return value on exit (4 bytes) }
ExitToken (or 'exit' token) contains process exit/return code information.
type ExpandedHeaderToken32bit ¶
type ExpandedHeaderToken32bit struct { TokenID byte // Token ID (1 byte): 0x15 RecordByteCount uint32 // number of bytes in record (4 bytes) VersionNumber byte // BSM record version number (2 bytes) EventType uint16 // event type (2 bytes) EventModifier uint16 // event sub-type (2 bytes) AddressType uint32 // host address type and length (1 byte in manpage / 4 bytes in Solaris 10) MachineAddress net.IP // IPv4/6 address (4/16 bytes) Seconds uint32 // record time stamp (4 bytes) NanoSeconds uint32 // record time stamp (4 bytes) }
ExpandedHeaderToken32bit (or 'expanded header' token) is an expanded version of the 'header' token, with the addition of a machine IPv4 or IPv6 address. This type uses 32 bits to encode time information.
type ExpandedHeaderToken64bit ¶
type ExpandedHeaderToken64bit struct { TokenID byte // Token ID (1 byte): 0x79 RecordByteCount uint32 // number of bytes in record (4 bytes) VersionNumber byte // BSM record version number (2 bytes) EventType uint16 // event type (2 bytes) EventModifier uint16 // event sub-type (2 bytes) AddressType uint32 // host address type and length (1 byte in manpage / 4 bytes in Solaris 10) MachineAddress net.IP // IPv4/6 address (4/16 bytes) Seconds uint64 // record time stamp (8 bytes) NanoSeconds uint64 // record time stamp (8 bytes) }
ExpandedHeaderToken64bit (or 'expanded header' token) is an expanded version of the 'header' token, with the addition of a machine IPv4 or IPv6 address. This type uses 64 bits to encode time information.
type ExpandedInAddrToken ¶
type ExpandedInAddrToken struct { TokenID byte // Token ID (1 byte): 0x7e IpAddressType byte // type of IP address (libbsm also calls this 'length') IpAddress net.IP // IP address (4/16 bytes) }
ExpandedInAddrToken (or 'expanded in_addr' token) holds a (network byte order) IPv4 or IPv6 address. TODO: determine value indicating address type BUGS: token layout documented in audit.log(5) appears to be in conflict with the libbsm(3) implementation of au_to_in_addr_ex(3).
type ExpandedProcessToken32bit ¶
type ExpandedProcessToken32bit struct { TokenID byte // Token ID (1 byte): 0x7b AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // session ID (4 bytes) TerminalPortID uint32 // terminal port ID (4 byte) TerminalAddressLength uint32 // length of machine address (4 bytes) TerminalMachineAddress net.IP // IP address of machine (4 or 16 bytes) }
ExpandedProcessToken32bit (or 'expanded process' token contains the contents of the 'process' token, with the addition of a machine address type and variable length address storage capable of containing IPv6 addresses. The terminal port ID is encoded using 32 bit. TODO: check length of IP records (4 bytes for IPv6?)
type ExpandedProcessToken64bit ¶
type ExpandedProcessToken64bit struct { TokenID byte // Token ID (1 byte): 0x7d AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // session ID (4 bytes) TerminalPortID uint64 // terminal port ID (8 byte) TerminalAddressLength uint32 // length of machine address (4 bytes) TerminalMachineAddress net.IP // IP address of machine (4 or 16 bytes) }
ExpandedProcessToken64bit (or 'expanded process' token contains the contents of the 'process' token, with the addition of a machine address type and variable length address storage capable of containing IPv6 addresses. The terminal port ID is encoded using 64 bit. TODO: check length of IP records (4 bytes for IPv6?)
type ExpandedSocketToken ¶
type ExpandedSocketToken struct { TokenID byte // Token ID (1 byte): 0x7f SocketDomain uint16 // socket domain (2 bytes) SocketType uint16 // socket type (2 bytes) AddressType uint16 // address type (IPv4/IPv6) (2 bytes) LocalPort uint16 // local port (2 bytes) LocalIpAddress net.IP // local IP address (4/16 bytes) RemotePort uint16 // remote port (2 bytes) RemoteIpAddress net.IP // remote IP address (4/16 bytes) }
ExpandedSocketToken (or 'expanded socket' token) contains information about IPv4 and IPv6 sockets.
type ExpandedSubjectToken32bit ¶
type ExpandedSubjectToken32bit struct { TokenID byte // Token ID (1 byte): 0x7a AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // audit session ID (4 bytes) TerminalPortID uint32 // terminal port ID (4 bytes) TerminalAddressLength uint32 // length of machine address (4 bytes) TerminalMachineAddress net.IP // IP address of machine (4/16 bytes) }
ExpandedSubjectToken32bit (or 'expanded subject' token) token consists of the same elements as the 'subject' token, with the addition of type/length and variable size machine address information in the terminal ID. This type uses 32 bit to encode the terminal port ID.
type ExpandedSubjectToken64bit ¶
type ExpandedSubjectToken64bit struct { TokenID byte // Token ID (1 byte): 0x7c AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // audit session ID (4 bytes) TerminalPortID uint64 // terminal port ID (8 bytes) TerminalAddressLength uint8 // length of machine address (1 byte) TerminalMachineAddress net.IP // IP address of machine (4/16 bytes) }
ExpandedSubjectToken64bit (or 'expanded subject' token) token consists of the same elements as the 'subject' token, with the addition of type/length and variable size machine address information in the terminal ID. This type uses 64 bit to encode the terminal port ID. TODO: check length of machine address field (4 bytes for IPv6?)
type FileToken ¶
type FileToken struct { TokenID byte // Token ID (1 byte): Seconds uint32 // file timestamp (4 bytes) Microseconds uint32 // file timestamp (4 bytes) FileNameLength uint16 // file name of audit trail (2 bytes) PathName string // file name of audit trail (FileNameLength + 1 (NULL)) }
FileToken (or 'file' token) is used at the beginning and end of an audit log file to indicate when the audit log begins and ends. It includes a pathname so that, if concatenated together, original file boundaries are still observable, and gaps in the audit log can be identified. BUG: unable to determine token ID (0x11 vs. 0x78 vs . ?)
type GroupsToken ¶
type GroupsToken struct { TokenID byte // Token ID (1 byte): 0x34 NumberOfGroups uint16 // Number of groups in token (2 bytes) GroupList []uint32 // List of N group IDs (N*4 bytes) }
GroupsToken (or 'groups' token) contains a list of group IDs associated with the audit event.
type HeaderToken32bit ¶
type HeaderToken32bit struct { TokenID byte // Token ID (1 byte): 0x14 RecordByteCount uint32 // number of bytes in record (4 bytes) VersionNumber byte // BSM record version number (1 byte) EventType uint16 // event type (2 bytes) EventModifier uint16 // event sub-type (2 bytes) Seconds uint32 // record time stamp (4 bytes) NanoSeconds uint32 // record time stamp (4 bytes) }
HeaderToken32bit (or 'header' token is used to mark the beginning of a complete audit record, and includes the length of the total record in bytes, a version number for the record layout, the event type and subtype, and the time at which the event occurred. This type uses 32 bits to encode time information.
func ParseHeaderToken32bit ¶
func ParseHeaderToken32bit(input []byte) (HeaderToken32bit, error)
ParseHeaderToken32bit parses a HeaderToken32bit out of the given bytes.
type HeaderToken64bit ¶
type HeaderToken64bit struct { TokenID byte // Token ID (1 byte): 0x74 RecordByteCount uint32 // number of bytes in record (4 bytes) VersionNumber byte // BSM record version number (1 byte) EventType uint16 // event type (2 bytes) EventModifier uint16 // event sub-type (2 bytes) Seconds uint64 // record time stamp (8 bytes) NanoSeconds uint64 // record time stamp (8 bytes) }
HeaderToken64bit (or 'header' token) is used to mark the beginning of a complete audit record, and includes the length of the total record in bytes, a version number for the record layout, the event type and subtype, and the time at which the event occurred. This type uses 64 bits to encode time information.
type IPortToken ¶
type IPortToken struct { TokenID byte // Token ID (1 byte): 0x2c PortNumber uint16 // Port number in network byte order (2 bytes) }
IPortToken (or 'iport' token) stores an IP port number in network byte order.
type InAddrToken ¶
type InAddrToken struct { TokenID byte // Token ID (1 byte): 0x2a IpAddress net.IP // IPv4 address (4 bytes) }
InAddrToken (or 'in_addr' token) holds a (network byte order) IPv4 address. BUGS: token layout documented in audit.log(5) appears to be in conflict with the libbsm(3) implementation of au_to_in_addr_ex(3).
type IpToken ¶
type IpToken struct { TokenID byte // Token ID (1 byte): 0x2b VersionAndIHL uint8 // Version and IP header length (1 byte) TypeOfService byte // IP TOS field (1 byte) Length uint16 // IP packet length in network byte order (2 bytes) ID uint16 // IP header ID for reassembly (2 bytes) Offset uint16 // IP fragment offset and flags, network byte order (2 bytes) TTL uint8 // IP Time-to-Live (1 byte) Protocol uint8 // IP protocol number (1 byte) Checksum uint16 // IP header checksum, network byte order (2 bytes) SourceAddress net.IP // IPv4 source address (4 bytes) DestinationAddress net.IP // IPv4 destination addess (4 bytes) }
IpToken (or 'ip' token) contains an IP(v4) packet header in network byte order.
type ParsingResult ¶
ParsingResult encapsulates the result of the parsing process to be used in conjunction with channels.
type PathAttrToken ¶
type PathAttrToken struct { TokenID byte // Token ID (1 byte): 0x25 ? Count uint16 // Number of NUL-terminated string(s) in token (2 bytes) Path []string // count NUL-terminated string(s) }
PathAttrToken (or 'path_attr' token) contains a set of NUL-terminated path names. TODO: verify Token ID
type PathToken ¶
type PathToken struct { TokenID byte // Token ID (1 byte): 0x23 PathLength uint16 // Length of path in bytes (2 bytes) Path string // Path name (PathLength bytes + 1 NUL) }
PathToken (or 'path' token) contains a pathname.
type ProcessToken32bit ¶
type ProcessToken32bit struct { TokenID byte // Token ID (1 byte): 0x26 AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // session ID (4 bytes) TerminalPortID uint32 // terminal port ID (4 byte) TerminalMachineAddress net.IP // IP(v4) address of machine (4 bytes) }
ProcessToken32bit (or 'process' token) contains a description of the security properties of a process involved as the target of an auditable event, such as the destination for signal delivery. It should not be confused with the 'subject' token, which describes the subject performing an auditable event. This includes both the traditional UNIX security properties, such as user IDs and group IDs, but also audit information such as the audit user ID and session. The terminal port ID is encoded using 32 bit.
type ProcessToken64bit ¶
type ProcessToken64bit struct { TokenID byte // Token ID (1 byte): 0x77 AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // session ID (4 bytes) TerminalPortID uint64 // terminal port ID (8 byte) TerminalMachineAddress net.IP // IP(v4) address of machine (4 bytes) }
ProcessToken64bit (or 'process' token) contains a description of the security properties of a process involved as the target of an auditable event, such as the destination for signal delivery. It should not be confused with the 'subject' token, which describes the subject performing an auditable event. This includes both the traditional UNIX security properties, such as user IDs and group IDs, but also audit information such as the audit user ID and session. The terminal port ID is encoded using 64 bit.
type ReturnToken32bit ¶
type ReturnToken32bit struct { TokenID byte // Token ID (1 byte): 0x27 ErrorNumber uint8 // errno number, or 0 if undefined (1 byte) ReturnValue uint32 // return value (4 bytes) }
ReturnToken32bit (or 'return' token) contains a system call or library function return condition, including return value and error number associated with the global (C) variable errno. This type uses 32 bit to encode the return value.
type ReturnToken64bit ¶
type ReturnToken64bit struct { TokenID byte // Token ID (1 byte): 0x72 ErrorNumber uint8 // errno number, or 0 if undefined (1 byte) ReturnValue uint64 // return value (8 bytes) }
ReturnToken64bit (or 'return' token) contains a system call or library function return condition, including return value and error number associated with the global (C) variable errno. This type uses 64 bit to encode the return value.
type SeqToken ¶
type SeqToken struct { TokenID byte // Token ID (1 byte): 0x2f SequenceNumber uint32 // audit event sequence number }
SeqToken ('seq' token) contains a unique and monotonically increasing audit event sequence ID. Due to the limited range of 32 bits, serial number arithmetic and caution should be used when comparing sequence numbers.
type SocketToken ¶
type SocketToken struct { TokenID byte // Token ID (1 byte): 0x2e (BSM spec), 0x80 (inet32 socket), 0x81 (inet128 token), 0x82 (Unix token) SocketFamily uint16 // socket family (2 bytes) LocalPort uint16 // local port (2 bytes) SocketAddress net.IP // socket address (4 bytes or 8 bytes for inet128 socket) }
SocketToken (or 'socket' token) contains information about UNIX domain and Internet sockets. Each token has four or eight fields. Possible values for token IDs: * BSM specification: 0x2e * inet32 (IPv4) socket: 0x80 * inet128 (IPv6) socket: 0x81 * Unix socket: 0x82 BUG: last sentence is confusing
type SubjectToken32bit ¶
type SubjectToken32bit struct { TokenID byte // Token ID (1 byte): 0x24 AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // audit session ID (4 bytes) TerminalPortID uint32 // terminal port ID (4 bytes) TerminalMachineAddress net.IP // IP address of machine (4 bytes) }
SubjectToken32bit (or 'subject' token) contains information on the subject performing the operation described by an audit record, and includes similar information to that found in the 'process' and 'expanded process' tokens. However, those tokens are used where the process being described is the target of the operation, not the authorizing party. This type uses 32 bit to encode the terminal port ID.
type SubjectToken64bit ¶
type SubjectToken64bit struct { TokenID byte // Token ID (1 byte): 0x75 AuditID uint32 // audit user ID (4 bytes) EffectiveUserID uint32 // effective user ID (4 bytes) EffectiveGroupID uint32 // effective group ID (4 bytes) RealUserID uint32 // real user ID (4 bytes) RealGroupID uint32 // real group ID (4 bytes) ProcessID uint32 // process ID (4 bytes) SessionID uint32 // audit session ID (4 bytes) TerminalPortID uint64 // terminal port ID (8 bytes) TerminalMachineAddress net.IP // IP address of machine (4 bytes) }
SubjectToken64bit (or 'subject' token) contains information on the subject performing the operation described by an audit record, and includes similar information to that found in the 'process' and 'expanded process' tokens. However, those tokens are used where the process being described is the target of the operation, not the authorizing party. This type uses 64 bit to encode the terminal port ID.
type SystemVIpcPermissionToken ¶
type SystemVIpcPermissionToken struct { TokenID byte // Token ID (1 byte): 0x32 OwnerUserID uint32 // User ID of IPC owner (4 bytes) OwnerGroupID uint32 // Group ID of IPC owner (4 bytes) CreatorUserID uint32 // User ID of IPC creator (4 bytes) CreatorGroupID uint32 // Group ID of IPC creator (4 bytes) AccessMode uint32 // Access mode (4 bytes) SequenceNumber uint32 // Sequence number (4 bytes) Key uint32 // IPC key (4 bytes) }
SystemVIpcPermissionToken (or 'System V IPC permission' token) contains a System V IPC access permissions.
type SystemVIpcToken ¶
type SystemVIpcToken struct { TokenID byte // Token ID (1 byte): 0x22 ObjectIdType uint8 // Object ID (1 byte) ObjectID uint32 // Object ID (4 bytes) }
SystemVIpcToken (or 'System V IPC' token) contains the System V IPC message handle, semaphore handle or shared memory handle.
type TextToken ¶
type TextToken struct { TokenID byte // Token ID (1 byte): 0x28 TextLength uint16 // length of text string including NUL (2 bytes) Text string // Text string incl. NUL (TextLength bytes) }
TextToken (or 'text' token) contains a single NUL-terminated text string. TODO: check actual length (documentation looks like off-by-one)
type TrailerToken ¶
type TrailerToken struct { TokenID byte // Token ID (1 byte): 0x13 TrailerMagic uint16 // trailer magic number (2 bytes): 0xb105 RecordByteCount uint32 // number of bytes in record (4 bytes) }
TrailerToken (or 'trailer' terminates) a BSM audit record. This token contains a magic number, and length that can be used to validate that the record was read properly.
type ZonenameToken ¶
type ZonenameToken struct { TokenID byte // Token ID (1 byte): 0x60 ZonenameLength uint16 // length of zonename string including NUL (2 bytes) Zonename string // Zonename string including NUL }
ZonenameToken (or 'zonename' token) holds a NUL-terminated string with the name of the zone or jail from which the record originated.