1 files changed, 84 insertions, 0 deletions
diff --git a/src/audit.go b/src/audit.go
new file mode 100644
index 0000000..ed48691
--- /dev/null
+++ b/src/audit.go
@@ -0,0 +1,84 @@
+package main
+import (
+        "fmt"
+        "io"
+        "log"
+        "os"
+        "github.com/elastic/go-libaudit/v2"
+)
+func read() error {
+        // Write netlink response to a file for further analysis or for writing
+        // tests cases.
+        var diagWriter io.Writer
+        if *diag != "" {
+                f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+                if err != nil {
+                        return err
+                }
+                defer f.Close()
+                diagWriter = f
+        }
+        log.Println("starting netlink client")
+        var err error
+        var client *libaudit.AuditClient
+        if *receiveOnly {
+                client, err = libaudit.NewMulticastAuditClient(diagWriter)
+                if err != nil {
+                        return fmt.Errorf("failed to create receive-only audit client: %w", err)
+                }
+                defer client.Close()
+        } else {
+                client, err = libaudit.NewAuditClient(diagWriter)
+                if err != nil {
+                        return fmt.Errorf("failed to create audit client: %w", err)
+                }
+                defer client.Close()
+                status, err := client.GetStatus()
+                if err != nil {
+                        return fmt.Errorf("failed to get audit status: %w", err)
+                }
+                log.Printf("received audit status=%+v", status)
+                if status.Enabled == 0 {
+                        log.Println("enabling auditing in the kernel")
+                        if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+                                return fmt.Errorf("failed to set enabled=true: %w", err)
+                        }
+                }
+                if status.RateLimit != uint32(*rate) {
+                        log.Printf("setting rate limit in kernel to %v", *rate)
+                        if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+                        }
+                }
+                if status.BacklogLimit != uint32(*backlog) {
+                        log.Printf("setting backlog limit in kernel to %v", *backlog)
+                        if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set backlog limit: %w", err)
+                        }
+                }
+                if status.Enabled != 2 && *immutable {
+                        log.Printf("setting kernel settings as immutable")
+                        if err = client.SetImmutable(libaudit.NoWait); err != nil {
+                                return fmt.Errorf("failed to set kernel as immutable: %w", err)
+                        }
+                }
+                log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+                if err = client.SetPID(libaudit.NoWait); err != nil {
+                        return fmt.Errorf("failed to set audit PID: %w", err)
+                }
+        }
+        coroutine(client)
+        return nil
+}

diff --git a/src/audit.go b/src/audit.go new file mode 100644 index 0000000..ed48691 --- /dev/null +++ b/src/audit.go
@@ -0,0 +1,84 @@
	1	package main
	2
	3	import (
	4	"fmt"
	5	"io"
	6	"log"
	7	"os"
	8
	9	"github.com/elastic/go-libaudit/v2"
	10	)
	11
	12	func read() error {
	13	// Write netlink response to a file for further analysis or for writing
	14	// tests cases.
	15	var diagWriter io.Writer
	16	if *diag != "" {
	17	f, err := os.OpenFile(*diag, os.O_CREATE\|os.O_RDWR\|os.O_TRUNC, 0o600)
	18	if err != nil {
	19	return err
	20	}
	21	defer f.Close()
	22	diagWriter = f
	23	}
	24
	25	log.Println("starting netlink client")
	26
	27	var err error
	28	var client *libaudit.AuditClient
	29	if *receiveOnly {
	30	client, err = libaudit.NewMulticastAuditClient(diagWriter)
	31	if err != nil {
	32	return fmt.Errorf("failed to create receive-only audit client: %w", err)
	33	}
	34	defer client.Close()
	35	} else {
	36	client, err = libaudit.NewAuditClient(diagWriter)
	37	if err != nil {
	38	return fmt.Errorf("failed to create audit client: %w", err)
	39	}
	40	defer client.Close()
	41
	42	status, err := client.GetStatus()
	43	if err != nil {
	44	return fmt.Errorf("failed to get audit status: %w", err)
	45	}
	46	log.Printf("received audit status=%+v", status)
	47
	48	if status.Enabled == 0 {
	49	log.Println("enabling auditing in the kernel")
	50	if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
	51	return fmt.Errorf("failed to set enabled=true: %w", err)
	52	}
	53	}
	54
	55	if status.RateLimit != uint32(*rate) {
	56	log.Printf("setting rate limit in kernel to %v", *rate)
	57	if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
	58	return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
	59	}
	60	}
	61
	62	if status.BacklogLimit != uint32(*backlog) {
	63	log.Printf("setting backlog limit in kernel to %v", *backlog)
	64	if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
	65	return fmt.Errorf("failed to set backlog limit: %w", err)
	66	}
	67	}
	68
	69	if status.Enabled != 2 && *immutable {
	70	log.Printf("setting kernel settings as immutable")
	71	if err = client.SetImmutable(libaudit.NoWait); err != nil {
	72	return fmt.Errorf("failed to set kernel as immutable: %w", err)
	73	}
	74	}
	75
	76	log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
	77	if err = client.SetPID(libaudit.NoWait); err != nil {
	78	return fmt.Errorf("failed to set audit PID: %w", err)
	79	}
	80	}
	81
	82	coroutine(client)
	83	return nil
	84	}