From 7cf8e470471d30fc821a8be350dcb97dc64e5add Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Fri, 19 Jul 2024 17:02:11 +0800
Subject: Depart the whole program into several files. Put all the src code in only one file is to ugly, so devide it! and mv them into src dir to keep the whole repo clear.
---
 src/audit.go | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100644 src/audit.go
(limited to 'src/audit.go')
diff --git a/src/audit.go b/src/audit.go
new file mode 100644
index 0000000..ed48691
--- /dev/null
+++ b/src/audit.go
@@ -0,0 +1,84 @@
+package main
+
+import (
+ "fmt"
+ "io"
+ "log"
+ "os"
+
+ "github.com/elastic/go-libaudit/v2"
+)
+
+func read() error {
+ // Write netlink response to a file for further analysis or for writing
+ // tests cases.
+ var diagWriter io.Writer
+ if *diag != "" {
+ f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
+ if err != nil {
+ return err
+ }
+ defer f.Close()
+ diagWriter = f
+ }
+
+ log.Println("starting netlink client")
+
+ var err error
+ var client *libaudit.AuditClient
+ if *receiveOnly {
+ client, err = libaudit.NewMulticastAuditClient(diagWriter)
+ if err != nil {
+ return fmt.Errorf("failed to create receive-only audit client: %w", err)
+ }
+ defer client.Close()
+ } else {
+ client, err = libaudit.NewAuditClient(diagWriter)
+ if err != nil {
+ return fmt.Errorf("failed to create audit client: %w", err)
+ }
+ defer client.Close()
+
+ status, err := client.GetStatus()
+ if err != nil {
+ return fmt.Errorf("failed to get audit status: %w", err)
+ }
+ log.Printf("received audit status=%+v", status)
+
+ if status.Enabled == 0 {
+ log.Println("enabling auditing in the kernel")
+ if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
+ return fmt.Errorf("failed to set enabled=true: %w", err)
+ }
+ }
+
+ if status.RateLimit != uint32(*rate) {
+ log.Printf("setting rate limit in kernel to %v", *rate)
+ if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
+ }
+ }
+
+ if status.BacklogLimit != uint32(*backlog) {
+ log.Printf("setting backlog limit in kernel to %v", *backlog)
+ if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set backlog limit: %w", err)
+ }
+ }
+
+ if status.Enabled != 2 && *immutable {
+ log.Printf("setting kernel settings as immutable")
+ if err = client.SetImmutable(libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set kernel as immutable: %w", err)
+ }
+ }
+
+ log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
+ if err = client.SetPID(libaudit.NoWait); err != nil {
+ return fmt.Errorf("failed to set audit PID: %w", err)
+ }
+ }
+
+ coroutine(client)
+ return nil
+}
-- cgit v1.2.3-70-g09d2
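Review bot: The error returned from the rate-limit branch is misleading: it says "to unlimited" although the value being written is the configured `*rate`, so an operator reading the log cannot tell what was actually attempted; `return fmt.Errorf("failed to set rate limit to %v: %w", *rate, err)` reports the real request. In the same `else` branch, `status, err := client.GetStatus()` re-declares `err` with `:=` and shadows the outer `var err error`, which is harmless today but is the classic way a later edit silently drops an error, so a predeclared `var status` with `=` is safer. The guards `status.Enabled == 0` and `status.Enabled != 2` rely on raw kernel status values; a comment such as `// Enabled: 0 = auditing off, 2 = configuration locked (immutable) until reboot` would make the immutable check self-explanatory. Finally, `coroutine(client)` runs immediately before `read` returns, at which point the deferred `client.Close()` fires; if coroutine starts goroutines that keep using `client` (the name suggests it may), they would be left with a closed client, so confirm that it blocks until they finish or move ownership of the close into it.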