1 files changed, 127 insertions, 0 deletions
diff --git a/old/audit.go b/old/audit.go
new file mode 100644
index 0000000..2b9faa5
--- /dev/null
+++ b/old/audit.go
@@ -0,0 +1,127 @@
+package main
+import (
+        "errors"
+        "flag"
+        "fmt"
+        "io"
+        "log"
+        "os"
+        "github.com/elastic/go-libaudit/v2"
+        "github.com/elastic/go-libaudit/v2/auparse"
+)
+var (
+        fs          = flag.NewFlagSet("audit", flag.ExitOnError)
+        diag        = fs.String("diag", "", "dump raw information from kernel to file")
+        rate        = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
+        backlog     = fs.Uint("backlog", 8192, "backlog limit")
+        immutable   = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
+        receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
+)
+func main() {
+        if err := fs.Parse(os.Args[1:]); err != nil {
+                log.Fatal(err)
+        }
+        if err := read(); err != nil {
+                log.Fatalf("error: %v", err)
+        }
+}
+func read() error {
+        if os.Geteuid() != 0 {
+                return errors.New("you must be root to receive audit data")
+        }
+        // Write netlink response to a file for further analysis or for writing
+        // tests cases.
+        var diagWriter io.Writer
+        if *diag != "" {
+                f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+                if err != nil {
+                        return err
+                }
+                defer f.Close()
+                diagWriter = f
+        }
+        log.Println("starting netlink client")
+        var err error
+        var client *libaudit.AuditClient
+        if *receiveOnly {
+                client, err = libaudit.NewMulticastAuditClient(diagWriter)
+                if err != nil {
+                        return fmt.Errorf("failed to create receive-only audit client: %w", err)
+                }
+                defer client.Close()
+        } else {
+                client, err = libaudit.NewAuditClient(diagWriter)
+                if err != nil {
+                        return fmt.Errorf("failed to create audit client: %w", err)
+                }
+                defer client.Close()
+                status, err := client.GetStatus()
+                if err != nil {
+                        return fmt.Errorf("failed to get audit status: %w", err)
+                }
+                log.Printf("received audit status=%+v", status)
+                if status.Enabled == 0 {
+                        log.Println("enabling auditing in the kernel")
+                        if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+                                return fmt.Errorf("failed to set enabled=true: %w", err)
+                        }
+                }
+                if status.RateLimit != uint32(*rate) {
+                        log.Printf("setting rate limit in kernel to %v", *rate)
+                        if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+                        }
+                }
+                if status.BacklogLimit != uint32(*backlog) {
+                        log.Printf("setting backlog limit in kernel to %v", *backlog)
+                        if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set backlog limit: %w", err)
+                        }
+                }
+                if status.Enabled != 2 && *immutable {
+                        log.Printf("setting kernel settings as immutable")
+                        if err = client.SetImmutable(libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set kernel as immutable: %w", err)
+                        }
+                }
+                log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+                if err = client.SetPID(libaudit.NoWait); err != nil {
+                        return fmt.Errorf("failed to set audit PID: %w", err)
+                }
+        }
+        return receive(client)
+}
+func receive(r *libaudit.AuditClient) error {
+        for {
+                rawEvent, err := r.Receive(false)
+                if err != nil {
+                        return fmt.Errorf("receive failed: %w", err)
+                }
+                // Messages from 1300-2999 are valid audit messages.
+                if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
+                        rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
+                        continue
+                }
+                fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
+                // fmt.Printf("type=%v\n", rawEvent.Type)
+        }
+}

diff --git a/old/audit.go b/old/audit.go new file mode 100644 index 0000000..2b9faa5 --- /dev/null +++ b/old/audit.go
@@ -0,0 +1,127 @@
	1	package main
	2
	3	import (
	4	"errors"
	5	"flag"
	6	"fmt"
	7	"io"
	8	"log"
	9	"os"
	10
	11	"github.com/elastic/go-libaudit/v2"
	12	"github.com/elastic/go-libaudit/v2/auparse"
	13	)
	14
	15	var (
	16	fs = flag.NewFlagSet("audit", flag.ExitOnError)
	17	diag = fs.String("diag", "", "dump raw information from kernel to file")
	18	rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
	19	backlog = fs.Uint("backlog", 8192, "backlog limit")
	20	immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
	21	receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
	22	)
	23
	24	func main() {
	25	if err := fs.Parse(os.Args[1:]); err != nil {
	26	log.Fatal(err)
	27	}
	28
	29	if err := read(); err != nil {
	30	log.Fatalf("error: %v", err)
	31	}
	32	}
	33
	34	func read() error {
	35	if os.Geteuid() != 0 {
	36	return errors.New("you must be root to receive audit data")
	37	}
	38
	39	// Write netlink response to a file for further analysis or for writing
	40	// tests cases.
	41	var diagWriter io.Writer
	42	if *diag != "" {
	43	f, err := os.OpenFile(*diag, os.O_CREATE\|os.O_RDWR\|os.O_TRUNC, 0o600)
	44	if err != nil {
	45	return err
	46	}
	47	defer f.Close()
	48	diagWriter = f
	49	}
	50
	51	log.Println("starting netlink client")
	52
	53	var err error
	54	var client *libaudit.AuditClient
	55	if *receiveOnly {
	56	client, err = libaudit.NewMulticastAuditClient(diagWriter)
	57	if err != nil {
	58	return fmt.Errorf("failed to create receive-only audit client: %w", err)
	59	}
	60	defer client.Close()
	61	} else {
	62	client, err = libaudit.NewAuditClient(diagWriter)
	63	if err != nil {
	64	return fmt.Errorf("failed to create audit client: %w", err)
	65	}
	66	defer client.Close()
	67
	68	status, err := client.GetStatus()
	69	if err != nil {
	70	return fmt.Errorf("failed to get audit status: %w", err)
	71	}
	72	log.Printf("received audit status=%+v", status)
	73
	74	if status.Enabled == 0 {
	75	log.Println("enabling auditing in the kernel")
	76	if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
	77	return fmt.Errorf("failed to set enabled=true: %w", err)
	78	}
	79	}
	80
	81	if status.RateLimit != uint32(*rate) {
	82	log.Printf("setting rate limit in kernel to %v", *rate)
	83	if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
	84	return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
	85	}
	86	}
	87
	88	if status.BacklogLimit != uint32(*backlog) {
	89	log.Printf("setting backlog limit in kernel to %v", *backlog)
	90	if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
	91	return fmt.Errorf("failed to set backlog limit: %w", err)
	92	}
	93	}
	94
	95	if status.Enabled != 2 && *immutable {
	96	log.Printf("setting kernel settings as immutable")
	97	if err = client.SetImmutable(libaudit.NoWait); err != nil {
	98	return fmt.Errorf("failed to set kernel as immutable: %w", err)
	99	}
	100	}
	101
	102	log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
	103	if err = client.SetPID(libaudit.NoWait); err != nil {
	104	return fmt.Errorf("failed to set audit PID: %w", err)
	105	}
	106	}
	107
	108	return receive(client)
	109	}
	110
	111	func receive(r *libaudit.AuditClient) error {
	112	for {
	113	rawEvent, err := r.Receive(false)
	114	if err != nil {
	115	return fmt.Errorf("receive failed: %w", err)
	116	}
	117
	118	// Messages from 1300-2999 are valid audit messages.
	119	if rawEvent.Type < auparse.AUDIT_USER_AUTH \|\|
	120	rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
	121	continue
	122	}
	123
	124	fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
	125	// fmt.Printf("type=%v\n", rawEvent.Type)
	126	}
	127	}