1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
package main
import (
"errors"
"flag"
"fmt"
"io"
"log"
"os"
"github.com/elastic/go-libaudit/v2"
"github.com/elastic/go-libaudit/v2/auparse"
)
var (
fs = flag.NewFlagSet("audit", flag.ExitOnError)
diag = fs.String("diag", "", "dump raw information from kernel to file")
rate = fs.Uint("rate", 0, "rate limit in kernel (default 0, no rate limit)")
backlog = fs.Uint("backlog", 8192, "backlog limit")
immutable = fs.Bool("immutable", false, "make kernel audit settings immutable (requires reboot to undo)")
receiveOnly = fs.Bool("ro", false, "receive only using multicast, requires kernel 3.16+")
)
func main() {
if err := fs.Parse(os.Args[1:]); err != nil {
log.Fatal(err)
}
if err := read(); err != nil {
log.Fatalf("error: %v", err)
}
}
func read() error {
if os.Geteuid() != 0 {
return errors.New("you must be root to receive audit data")
}
// Write netlink response to a file for further analysis or for writing
// tests cases.
var diagWriter io.Writer
if *diag != "" {
f, err := os.OpenFile(*diag, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0o600)
if err != nil {
return err
}
defer f.Close()
diagWriter = f
}
log.Println("starting netlink client")
var err error
var client *libaudit.AuditClient
if *receiveOnly {
client, err = libaudit.NewMulticastAuditClient(diagWriter)
if err != nil {
return fmt.Errorf("failed to create receive-only audit client: %w", err)
}
defer client.Close()
} else {
client, err = libaudit.NewAuditClient(diagWriter)
if err != nil {
return fmt.Errorf("failed to create audit client: %w", err)
}
defer client.Close()
status, err := client.GetStatus()
if err != nil {
return fmt.Errorf("failed to get audit status: %w", err)
}
log.Printf("received audit status=%+v", status)
if status.Enabled == 0 {
log.Println("enabling auditing in the kernel")
if err = client.SetEnabled(true, libaudit.WaitForReply); err != nil {
return fmt.Errorf("failed to set enabled=true: %w", err)
}
}
if status.RateLimit != uint32(*rate) {
log.Printf("setting rate limit in kernel to %v", *rate)
if err = client.SetRateLimit(uint32(*rate), libaudit.NoWait); err != nil {
return fmt.Errorf("failed to set rate limit to unlimited: %w", err)
}
}
if status.BacklogLimit != uint32(*backlog) {
log.Printf("setting backlog limit in kernel to %v", *backlog)
if err = client.SetBacklogLimit(uint32(*backlog), libaudit.NoWait); err != nil {
return fmt.Errorf("failed to set backlog limit: %w", err)
}
}
if status.Enabled != 2 && *immutable {
log.Printf("setting kernel settings as immutable")
if err = client.SetImmutable(libaudit.NoWait); err != nil {
return fmt.Errorf("failed to set kernel as immutable: %w", err)
}
}
log.Printf("sending message to kernel registering our PID (%v) as the audit daemon", os.Getpid())
if err = client.SetPID(libaudit.NoWait); err != nil {
return fmt.Errorf("failed to set audit PID: %w", err)
}
}
return receive(client)
}
func receive(r *libaudit.AuditClient) error {
for {
rawEvent, err := r.Receive(false)
if err != nil {
return fmt.Errorf("receive failed: %w", err)
}
// Messages from 1300-2999 are valid audit messages.
if rawEvent.Type < auparse.AUDIT_USER_AUTH ||
rawEvent.Type > auparse.AUDIT_LAST_USER_MSG2 {
continue
}
fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
// fmt.Printf("type=%v\n", rawEvent.Type)
}
}
|
