yo/libbsm
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
92ba4e4ca6
libbsm/libbsm.go

1918 lines
53 KiB
Go
Raw Normal View History

Init repo
2022-01-04 09:35:55 +01:00
// This is an implementation of libbsm
// Copyright johan@nosd.in 2021
//
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
// +build freebsd
//
// Use libc to get pw name from uid
Init repo
2022-01-04 09:35:55 +01:00
package main
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
/*
#cgo CFLAGS: -I /usr/lib
#cgo LDFLAGS: -L. -lc
#include <sys/types.h>
#include <stdlib.h>
#include <utmpx.h>
#include <grp.h>
#include <pwd.h>
*/
import "C"
Init repo
2022-01-04 09:35:55 +01:00
import (
"io"
"os"
"fmt"
"time"
Resolve event name
2022-01-06 17:29:16 +01:00
"bufio"
Init repo
2022-01-04 09:35:55 +01:00
"bytes"
Resolve event name
2022-01-06 17:29:16 +01:00
"strings"
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
"strconv"
Init repo
2022-01-04 09:35:55 +01:00
"encoding/binary"
)
const (
// bsm/libbsm.h
Resolve event name
2022-01-06 17:29:16 +01:00
AUDIT_MAX_ARGS = 128
AUDIT_EVENT_FILE = "/etc/security/audit_event"
Init repo
2022-01-04 09:35:55 +01:00
// sys/bsm/audit.h
Resolve event name
2022-01-06 17:29:16 +01:00
MAXAUDITDATA = (0x8000 - 1)
Init repo
2022-01-04 09:35:55 +01:00
MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA
// Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS)
MAX_AUDIT_ARG_LENGTH = 1024
/*
* Token type identifiers.
From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h
*/
AUT_INVALID = 0x00
AUT_OTHER_FILE32 = 0x11
AUT_OHEADER = 0x12
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_HEADER32_EX = 0x15
AUT_DATA = 0x21
AUT_IPC = 0x22
AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24
AUT_XATPATH = 0x25
AUT_PROCESS32 = 0x26
AUT_RETURN32 = 0x27
AUT_TEXT = 0x28
AUT_OPAQUE = 0x29
AUT_IN_ADDR = 0x2a
AUT_IP = 0x2b
AUT_IPORT = 0x2c
AUT_ARG32 = 0x2d
AUT_SOCKET = 0x2e
AUT_SEQ = 0x2f
AUT_ACL = 0x30
AUT_ATTR = 0x31
AUT_IPC_PERM = 0x32
AUT_LABEL = 0x33
AUT_GROUPS = 0x34
AUT_ACE = 0x35
AUT_PRIV = 0x38
AUT_UPRIV = 0x39
AUT_LIAISON = 0x3a
AUT_NEWGROUPS = 0x3b
AUT_EXEC_ARGS = 0x3c
AUT_EXEC_ENV = 0x3d
AUT_ATTR32 = 0x3e
AUT_UNAUTH = 0x3f
AUT_XATOM = 0x40
AUT_XOBJ = 0x41
AUT_XPROTO = 0x42
AUT_XSELECT = 0x43
AUT_XCOLORMAP = 0x44
AUT_XCURSOR = 0x45
AUT_XFONT = 0x46
AUT_XGC = 0x47
AUT_XPIXMAP = 0x48
AUT_XPROPERTY = 0x49
AUT_XWINDOW = 0x4a
AUT_XCLIENT = 0x4b
AUT_CMD = 0x51
AUT_EXIT = 0x52
AUT_ZONENAME = 0x60
AUT_HOST = 0x70
AUT_ARG64 = 0x71
AUT_RETURN64 = 0x72
AUT_ATTR64 = 0x73
AUT_HEADER64 = 0x74
AUT_SUBJECT64 = 0x75
AUT_PROCESS64 = 0x77
AUT_OTHER_FILE64 = 0x78
AUT_HEADER64_EX = 0x79
AUT_SUBJECT32_EX = 0x7a
AUT_PROCESS32_EX = 0x7b
AUT_SUBJECT64_EX = 0x7c
AUT_PROCESS64_EX = 0x7d
AUT_IN_ADDR_EX = 0x7e
AUT_SOCKET_EX = 0x7f
// Display control
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
PRT_ONELINE = 1
PRT_NORESOLVE_USER = 2
)
var (
// A global user/uid cache
gUsers []user
// A global group/gid cache
gGroups []group
Resolve event name
2022-01-06 17:29:16 +01:00
// Cache of audit_event file
gEventDB []event
Init repo
2022-01-04 09:35:55 +01:00
)
Resolve event name
2022-01-06 17:29:16 +01:00
type event struct {
Type int
Name string
Desc string
Class string
}
Init repo
2022-01-04 09:35:55 +01:00
// Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h
// Abstraction of a record
type Record interface {
GetType() uint8
// Length()
LoadFromBinary(file *os.File) error
Print(*os.File, string, int)
}
type Header32 struct {
Size uint32 // Record byte count
Version uint8 // version # (uchar)
E_type uint16 // Event type
E_mod uint16 // Event modifier
S uint32 // Seconds of time
Msec uint32 // Milliseconds of time
}
type Header32Ex struct {
Size uint32 // Record byte count
Version uint8 // version # (uchar)
E_type uint16 // Event type
E_mod uint16 // Event modifier
Ad_type uint32 // Address type/Length
Addr [4]uint32 // Ipv4 or IPv6
S uint32 // Seconds of time
Msec uint32 // Milliseconds of time
}
type Trailer struct {
Magic uint16
Count uint32
}
type Arg32 struct {
No byte // Argument #
Val uint32 // Argument value
Length uint16 // Text length
Text []byte // Text
}
type Arg64 struct {
No byte // Argument #
Val uint64 // Argument value
Length uint16 // Text length
Text []byte // Text
}
type Attribute32 struct {
Mode uint32 // file access mode
Uid uint32 // Owner user ID
Gid uint32 // Owner group ID
Fsid uint32 // File system ID
Nid uint64 // Node ID
Dev uint32 // Device
}
type Attribute64 struct {
Mode uint32 // file access mode
Uid uint32 // Owner user ID
Gid uint32 // Owner group ID
Fsid uint32 // File system ID
Nid uint64 // Node ID
Dev uint64 // Device
}
/*
* count 4 bytes
* text count null-terminated string(s)
*/
type ExecArg struct {
Count uint32
//Text [AUDIT_MAX_ARGS][]byte
Text [][]byte
}
type Path struct {
Length uint16 // path length
Path []byte
}
type Return32 struct {
Status byte // Error status
Ret uint32 // Return code
}
type Return64 struct {
Status byte // Error status
Ret uint64 // Return code
}
type Subject32 struct {
Auid uint32 // Audit ID
Euid uint32 // Effective user ID
Egid uint32 // Effective Group ID
Ruid uint32 // Real User ID
Rgid uint32 // Real Group ID
Pid uint32 // Process ID
Sid uint32 // Session ID
Tid Tid32
}
type Process32 Subject32
type Subject32Ex struct {
Auid uint32 // Audit ID
Euid uint32 // Effective user ID
Egid uint32 // Effective Group ID
Ruid uint32 // Real User ID
Rgid uint32 // Real Group ID
Pid uint32 // Process ID
Sid uint32 // Session ID
Tid Tid32Ex
}
type Process32Ex Subject32Ex
type Tid32 struct {
Port uint32
IpVers uint32 // 0x10 = IPv6
Addr uint32
}
type Tid32Ex struct {
Port uint32
Ttype uint32
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4
Addr4 uint32 // 4 bytes long if IpVers == 0x04
Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10
Init repo
2022-01-04 09:35:55 +01:00
}
type Subject64 struct {
Auid uint32 // Audit ID
Euid uint32 // Effective user ID
Egid uint32 // Effective Group ID
Ruid uint32 // Real User ID
Rgid uint32 // Real Group ID
Pid uint32 // Process ID
Sid uint32 // Session ID
Tid Tid64
}
type Process64 Subject64
type Subject64Ex struct {
Auid uint32 // Audit ID
Euid uint32 // Effective user ID
Egid uint32 // Effective Group ID
Ruid uint32 // Real User ID
Rgid uint32 // Real Group ID
Pid uint32 // Process ID
Sid uint32 // Session ID
Tid Tid64Ex
}
type Process64Ex Subject64Ex
type Tid64 struct {
Port uint64
IpVers uint32
Addr uint32
}
type Tid64Ex struct {
Port uint64
Ttype uint32
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4
Addr4 uint32
Addr6 [4]uint32
Init repo
2022-01-04 09:35:55 +01:00
}
type Exit struct {
Status uint32
Ret uint32
}
AUT_TEXT support
2022-01-04 10:47:10 +01:00
type Text struct {
Length uint16
Text []byte
}
Init repo
2022-01-04 09:35:55 +01:00
/* Utilities */
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
// users ID for resolution
type user struct {
uid uint32
name string
}
// groups ID for resolution
type group struct {
gid uint32
name string
}
/* Utilities */
// Return uid if user not found
func getUserName(uid uint32) (string, error) {
for _, u := range gUsers {
if u.uid == uid {
return u.name, nil
}
}
// Not found in cache, get it from system query
u, err := getUserNameByUid(uid)
if err != nil {
// If not found, return user object with name = uid
if err.Error() == "User ID not found" {
u.uid = uid
u.name = strconv.FormatUint(uint64(uid), 10)
gUsers = append(gUsers, u)
return u.name, err
} else {
return "", err
}
}
gUsers = append(gUsers, u)
return u.name, nil
}
func getUserNameByUid(uid uint32) (user, error) {
var pw *C.struct_passwd
var usr user
pw = C.getpwuid((C.uint32_t)(uid))
if pw == nil {
return usr, fmt.Errorf("User ID not found")
}
usr.uid = uid
usr.name = C.GoString(pw.pw_name)
return usr, nil
}
func getGroupName(gid uint32) (string, error) {
for _, g := range gGroups {
if g.gid == gid {
return g.name, nil
}
}
// Not found in cache, get it from system query
g, err := getGroupNameByGid(gid)
if err != nil {
// If not found, return group object with name = gid
if err.Error() == "Group ID not found" {
g.gid = gid
g.name = strconv.FormatUint(uint64(gid), 10)
gGroups = append(gGroups, g)
return g.name, err
} else {
return "", err
}
}
gGroups = append(gGroups, g)
return g.name, nil
}
func getGroupNameByGid(gid uint32) (group, error) {
var gr *C.struct_group
var grp group
gr = C.getgrgid((C.uint32_t)(gid))
if gr == nil {
return grp, fmt.Errorf("Group ID not found")
}
grp.gid = gid
grp.name = C.GoString(gr.gr_name)
return grp, nil
}
Resolve event name
2022-01-06 17:29:16 +01:00
func getEventName(event uint16) (string,error) {
if len(gEventDB) == 0 {
loadEventDB()
}
for _, ev := range gEventDB {
if ev.Type == int(event) {
return ev.Desc, nil
}
}
return "", fmt.Errorf("Event ID not found: %x\n", event)
}
// We load the entire file in memory
func loadEventDB() error {
file, err := os.Open(AUDIT_EVENT_FILE)
if err != nil {
return err
}
defer file.Close()
fileScan := bufio.NewScanner(file)
fileScan.Split(bufio.ScanLines)
for fileScan.Scan() {
line := fileScan.Text()
if strings.HasPrefix(line, "#") {
continue
}
eventStr := strings.Split(line, ":")
if len(eventStr) != 4 {
continue
}
t, _ := strconv.Atoi(eventStr[0])
gEventDB = append(gEventDB, event{Type: t,
Name: eventStr[1],
Desc: eventStr[2],
Class: eventStr[3],})
}
return nil
}
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
Version bump, fix EOF error, move PrintIPv4FromInt
2022-01-04 11:03:58 +01:00
func PrintIpv4FromInt(ipv4int uint32) string {
return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16,
ipv4int & 0x0000FF00 >> 8, ipv4int & 0x000000FF)
}
Init repo
2022-01-04 09:35:55 +01:00
func PrintIpv6FromInt(ipv6int [4]uint32) string {
//return fmt.Sprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x",
return fmt.Sprintf("%x:%x:%x:%x:%x:%x:%x:%x",
ipv6int[0] & 0xFFFF0000 >> 16, ipv6int[0] & 0x0000FFFF,
ipv6int[1] & 0xFFFF0000 >> 16, ipv6int[1] & 0x0000FFFF,
ipv6int[2] & 0xFFFF0000 >> 16, ipv6int[2] & 0x0000FFFF,
ipv6int[3] & 0xFFFF0000 >> 16, ipv6int[3] & 0x0000FFFF)
}
/* Records structs implementation */
func NewHeader32(h Header32) *Header32 {
return &Header32{
Size: h.Size,
Version: h.Version,
E_type: h.E_type,
E_mod: h.E_mod,
S: h.S,
Msec: h.Msec,
}
}
func (h *Header32) GetType() uint8 {
return AUT_HEADER32
}
// TODO : Take *io.Reader as arg?
func (h *Header32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &h.Size)
if err != nil { return fmt.Errorf("Unable to read Header32.Size from file: %v", err) }
/* Check for recsize sanity: We already read 32 bits + 8 bits */
if h.Size < (4 + 1) {
return fmt.Errorf("Record size is corrupted: %d", h.Size)
}
err = binary.Read(file, binary.BigEndian, &h.Version)
if err != nil { return fmt.Errorf("Unable to read Header32.Version from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.E_type)
if err != nil { return fmt.Errorf("Unable to read Header32.E_type from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.E_mod)
if err != nil { return fmt.Errorf("Unable to read Header32.E_mod from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.S)
if err != nil { return fmt.Errorf("Unable to read Header32.S from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.Msec)
if err != nil { return fmt.Errorf("Unable to read Header32.Msec from file: %v", err) }
return nil
}
/* Implementation of
static void
print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
*/
func (h *Header32) Print(file *os.File, delimiter string, flags int) {
t := time.Unix((int64)(h.S), 0)
Resolve event name
2022-01-06 17:29:16 +01:00
// We dont care for error
evdesc, _ := getEventName(h.E_type)
fmt.Fprintf(file, "header%s%v%s%v%s%s%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter,
//h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec)
evdesc, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewExecArg(e ExecArg) *ExecArg {
return &ExecArg{
Count: e.Count,
Text: e.Text,
}
}
func (e *ExecArg) GetType() uint8 {
return AUT_EXEC_ARGS
}
func (e *ExecArg) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &e.Count)
if err != nil { return fmt.Errorf("Unable to read ExecArg.Count from file: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these alreday read bytes into working flow, to avoir rereading them
chunk := make([]byte, e.Count*MAX_AUDIT_ARG_LENGTH + e.Count)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read %d * MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte, Count times
totLen := int64(0)
buf := bytes.NewBuffer(chunk)
for i := uint32(0) ; i < e.Count ; i++ {
// TODO : Needs a bufio.Reader
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err)
}
// Allocate before reading
totLen += int64(len(arg))
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
//e.Text = append(e.Text, arg) // Discard last 0
e.Text = append(e.Text, arg[:len(arg)-1])
Init repo
2022-01-04 09:35:55 +01:00
}
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
}
return nil
}
func (e *ExecArg) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "exec arg%s", delimiter)
for i := uint32(0) ; i < e.Count ; i++ {
if i < e.Count - 1 {
fmt.Fprintf(file, "%s%s", string(e.Text[i]), delimiter)
} else {
fmt.Fprintf(file, "%s", string(e.Text[i]))
}
}
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewPath(p Path) *Path {
return &Path{
Length: p.Length,
Path: p.Path,
}
}
func (p *Path) GetType() uint8 {
return AUT_PATH
}
func (p *Path) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Length)
if err != nil { return fmt.Errorf("Unable to read Path.Length from file: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// TODO : Needs a bufio.Reader
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
p.Path = arg[:totLen-1]
Init repo
2022-01-04 09:35:55 +01:00
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
}
return nil
}
func (p *Path) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "path%s%s", delimiter, string(p.Path))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewAttribute32(a Attribute32) *Attribute32 {
return &Attribute32{
Mode: a.Mode,
Uid: a.Uid,
Gid: a.Gid,
Fsid: a.Fsid,
Nid: a.Nid,
Dev: a.Dev,
}
}
func (a* Attribute32) GetType() uint8 {
return AUT_ATTR32
}
func (a *Attribute32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev from file: %v", err) }
return nil
}
func (a *Attribute32) Print(file *os.File, delimiter string, flags int) {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var user string
var group string
Init repo
2022-01-04 09:35:55 +01:00
// TODO : resolve Uid and Gid (also support domain accounts)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
user = string(a.Uid)
group = string(a.Gid)
} else {
user, _ = getUserName(a.Uid)
group, _ = getGroupName(a.Gid)
}
fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, user, delimiter,
group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewAttribute64(a Attribute64) *Attribute64 {
return &Attribute64{
Mode: a.Mode,
Uid: a.Uid,
Gid: a.Gid,
Fsid: a.Fsid,
Nid: a.Nid,
Dev: a.Dev,
}
}
func (a* Attribute64) GetType() uint8 {
return AUT_ATTR64
}
func (a *Attribute64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev from file: %v", err) }
return nil
}
func (a *Attribute64) Print(file *os.File, delimiter string, flags int) {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var user string
var group string
Init repo
2022-01-04 09:35:55 +01:00
// TODO : resolve Uid and Gid (also support domain accounts)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
user = string(a.Uid)
group = string(a.Gid)
} else {
user, _ = getUserName(a.Uid)
group, _ = getGroupName(a.Gid)
}
fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, user, delimiter,
group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewSubject32(s Subject32) *Subject32 {
return &Subject32{
Auid: s.Auid,
Euid: s.Euid,
Egid: s.Egid,
Ruid: s.Ruid,
Rgid: s.Rgid,
Pid: s.Pid,
Sid: s.Sid,
Tid: s.Tid,
}
}
func (s *Subject32) GetType() uint8 {
return AUT_SUBJECT32
}
func (s *Subject32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Tid from file: %v", err) }
return nil
}
func (s *Subject32) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "subject%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers,
Init repo
2022-01-04 09:35:55 +01:00
delimiter, PrintIpv4FromInt(s.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewProcess32(s Process32) *Process32 {
return &Process32{
Auid: s.Auid,
Euid: s.Euid,
Egid: s.Egid,
Ruid: s.Ruid,
Rgid: s.Rgid,
Pid: s.Pid,
Sid: s.Sid,
Tid: s.Tid,
}
}
func (p *Process32) GetType() uint8 {
return AUT_PROCESS32
}
func (p *Process32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process32.Tid from file: %v", err) }
return nil
}
func (p *Process32) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "process%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers,
Init repo
2022-01-04 09:35:55 +01:00
delimiter, PrintIpv4FromInt(p.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewSubject32Ex(s Subject32Ex) *Subject32Ex {
return &Subject32Ex{
Auid: s.Auid,
Euid: s.Euid,
Egid: s.Egid,
Ruid: s.Ruid,
Rgid: s.Rgid,
Pid: s.Pid,
Sid: s.Sid,
Tid: s.Tid,
}
}
func (s *Subject32Ex) GetType() uint8 {
return AUT_SUBJECT32_EX
}
func (s *Subject32Ex) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) }
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
err = binary.Read(file, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers from file: %v", err) }
if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6 from file: %v", err) }
} else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4 from file: %v", err) }
}
Init repo
2022-01-04 09:35:55 +01:00
return nil
}
func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
if s.Tid.IpVers == 0x04 {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv4FromInt(s.Tid.Addr4)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
} else {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv6FromInt(s.Tid.Addr6)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
}
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "subject_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter,
s.Tid.Ttype, delimiter, ip)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewProcess32Ex(p Process32Ex) *Process32Ex {
return &Process32Ex{
Auid: p.Auid,
Euid: p.Euid,
Egid: p.Egid,
Ruid: p.Ruid,
Rgid: p.Rgid,
Pid: p.Pid,
Sid: p.Sid,
Tid: p.Tid,
}
}
func (s *Process32Ex) GetType() uint8 {
return AUT_PROCESS32_EX
}
func (p *Process32Ex) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) }
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
err = binary.Read(file, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers from file: %v", err) }
if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6 from file: %v", err) }
} else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4 from file: %v", err) }
}
Init repo
2022-01-04 09:35:55 +01:00
return nil
}
func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
if p.Tid.IpVers == 0x04 {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv4FromInt(p.Tid.Addr4)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
} else {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv6FromInt(p.Tid.Addr6)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
}
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "process_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter,
p.Tid.Ttype, delimiter, ip)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewSubject64(s Subject64) *Subject64 {
return &Subject64{
Auid: s.Auid,
Euid: s.Euid,
Egid: s.Egid,
Ruid: s.Ruid,
Rgid: s.Rgid,
Pid: s.Pid,
Sid: s.Sid,
Tid: s.Tid,
}
}
func (s *Subject64) GetType() uint8 {
return AUT_SUBJECT64
}
func (s *Subject64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Tid from file: %v", err) }
return nil
}
func (s *Subject64) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "subject%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers,
Init repo
2022-01-04 09:35:55 +01:00
delimiter, PrintIpv4FromInt(s.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewProcess64(p Process64) *Process64 {
return &Process64{
Auid: p.Auid,
Euid: p.Euid,
Egid: p.Egid,
Ruid: p.Ruid,
Rgid: p.Rgid,
Pid: p.Pid,
Sid: p.Sid,
Tid: p.Tid,
}
}
func (s *Process64) GetType() uint8 {
return AUT_PROCESS64
}
func (p *Process64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process64.Tid from file: %v", err) }
return nil
}
func (p *Process64) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "process%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers,
Init repo
2022-01-04 09:35:55 +01:00
delimiter, PrintIpv4FromInt(p.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewSubject64Ex(s Subject64Ex) *Subject64Ex {
return &Subject64Ex{
Auid: s.Auid,
Euid: s.Euid,
Egid: s.Egid,
Ruid: s.Ruid,
Rgid: s.Rgid,
Pid: s.Pid,
Sid: s.Sid,
Tid: s.Tid,
}
}
func (s *Subject64Ex) GetType() uint8 {
return AUT_SUBJECT64_EX
}
func (s *Subject64Ex) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) }
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
err = binary.Read(file, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers from file: %v", err) }
if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6 from file: %v", err) }
} else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4 from file: %v", err) }
}
Init repo
2022-01-04 09:35:55 +01:00
return nil
}
func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(s.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
if s.Tid.IpVers == 0x04 {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv4FromInt(s.Tid.Addr4)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
} else {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv6FromInt(s.Tid.Addr6)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
}
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "subject_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter,
s.Tid.Ttype, delimiter, ip)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewProcess64Ex(p Process64Ex) *Process64Ex {
return &Process64Ex{
Auid: p.Auid,
Euid: p.Euid,
Egid: p.Egid,
Ruid: p.Ruid,
Rgid: p.Rgid,
Pid: p.Pid,
Sid: p.Sid,
Tid: p.Tid,
}
}
func (p *Process64Ex) GetType() uint8 {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
return AUT_PROCESS64_EX
Init repo
2022-01-04 09:35:55 +01:00
}
func (p *Process64Ex) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) }
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
err = binary.Read(file, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers from file: %v", err) }
if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6 from file: %v", err) }
} else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4 from file: %v", err) }
}
Init repo
2022-01-04 09:35:55 +01:00
return nil
}
func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) {
Resolve auid
2022-01-04 18:48:18 +01:00
var auser string
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
Resolve auid
2022-01-04 18:48:18 +01:00
auser = string(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
Resolve auid
2022-01-04 18:48:18 +01:00
auser, _ = getUserName(p.Auid)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
if p.Tid.IpVers == 0x04 {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv4FromInt(p.Tid.Addr4)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
} else {
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
ip = PrintIpv6FromInt(p.Tid.Addr6)
Ipv4/v6 distinction fix
2022-01-04 10:22:57 +01:00
}
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
Resolve auid
2022-01-04 18:48:18 +01:00
fmt.Fprintf(file, "process_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser,
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter,
p.Tid.Ttype, delimiter, ip)
Init repo
2022-01-04 09:35:55 +01:00
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewReturn32(r Return32) *Return32 {
return &Return32{
Status: r.Status,
Ret: r.Ret,
}
}
func (r *Return32) GetType() uint8 {
return AUT_RETURN32
}
func (r *Return32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return32.Status from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return32.Ret from file: %v", err) }
return nil
}
func (r *Return32) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewReturn64(r Return64) *Return64 {
return &Return64{
Status: r.Status,
Ret: r.Ret,
}
}
func (r *Return64) GetType() uint8 {
return AUT_RETURN64
}
func (r *Return64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return64.Status from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return64.Ret from file: %v", err) }
return nil
}
func (r *Return64) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewTrailer(t Trailer) *Trailer {
return &Trailer{
Magic: t.Magic,
Count: t.Count,
}
}
func (t *Trailer) GetType() uint8 {
return AUT_TRAILER
}
func (t *Trailer) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &t.Magic)
if err != nil { return fmt.Errorf("Unable to read Trailer.Magic from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &t.Count)
if err != nil { return fmt.Errorf("Unable to read Trailer.Count from file: %v", err) }
return nil
}
func (t *Trailer) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "trailer%s%v", delimiter, t.Count)
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
// The trailer close the record print, whatever the oneLine flag value
fmt.Fprintf(file, "\n")
Init repo
2022-01-04 09:35:55 +01:00
}
func NewArg32(a Arg32) *Arg32 {
return &Arg32{
No: a.No,
Val: a.Val,
Length: a.Length,
Text: a.Text,
}
}
func (a *Arg32) GetType() uint8 {
return AUT_ARG32
}
func (a *Arg32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg32.No from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg32.Val from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg32.Length from file: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
a.Text = arg[:totLen-1]
Init repo
2022-01-04 09:35:55 +01:00
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
}
return nil
}
func (a *Arg32) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewArg64(a Arg64) *Arg64 {
return &Arg64{
No: a.No,
Val: a.Val,
Length: a.Length,
Text: a.Text,
}
}
func (a *Arg64) GetType() uint8 {
return AUT_ARG64
}
func (a *Arg64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg64.No from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg64.Val from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg64.Length from file: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
a.Text = arg[:totLen-1]
Init repo
2022-01-04 09:35:55 +01:00
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
}
return nil
}
func (a *Arg64) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
func NewExit(e Exit) *Exit {
return &Exit{
Status: e.Status,
Ret: e.Ret,
}
}
func (e *Exit) GetType() uint8 {
return AUT_EXIT
}
func (e *Exit) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &e.Status)
if err != nil { return fmt.Errorf("Unable to read Exit.Status from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &e.Ret)
if err != nil { return fmt.Errorf("Unable to read Exit.Ret from file: %v", err) }
return nil
}
func (e *Exit) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "exit%s%v%s%v", delimiter, e.Status, delimiter, e.Ret)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
Init repo
2022-01-04 09:35:55 +01:00
}
}
AUT_TEXT support
2022-01-04 10:47:10 +01:00
func NewText(t Text) *Text {
return &Text{
Length: t.Length,
Text: t.Text,
}
}
func (t *Text) GetType() uint8 {
return AUT_TEXT
}
func (t *Text) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &t.Length)
if err != nil { return fmt.Errorf("Unable to read Text.Length from file: %v", err) }
text := make([]byte, t.Length)
err = binary.Read(file, binary.BigEndian, &text)
if err != nil { return fmt.Errorf("Unable to read Text.Text from file: %v", err) }
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
t.Text = text[:len(text)-1]
AUT_TEXT support
2022-01-04 10:47:10 +01:00
return nil
}
func (t *Text) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "text%s%s", delimiter, t.Text)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
Uid & gid resolution, oneline, noresolve
2022-01-04 17:50:34 +01:00
} else {
fmt.Fprintf(file, "%s", delimiter)
AUT_TEXT support
2022-01-04 10:47:10 +01:00
}
}
Init repo
2022-01-04 09:35:55 +01:00
func readRecordToStruct(file *os.File) (Record, error) {
var rec Record
hdr := make([]byte, 1)
n, err := file.Read(hdr)
if err != nil || n < 1 {
Version bump, fix EOF error, move PrintIPv4FromInt
2022-01-04 11:03:58 +01:00
if err != io.EOF {
return rec, fmt.Errorf("Unable to read header ID in file: %v", err)
}
return rec, err
Init repo
2022-01-04 09:35:55 +01:00
}
// DEBUG
/* startOf, _ := file.Seek(0, io.SeekCurrent)
fmt.Printf("Offset dans le fichier : %x\n", startOf)
*/
switch (int8)(hdr[0]) {
case AUT_HEADER32:
var h Header32
err := h.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewHeader32(h), nil
case AUT_EXEC_ARGS:
var e ExecArg
err := e.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewExecArg(e), nil
case AUT_PATH:
var p Path
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewPath(p), nil
case AUT_ATTR32:
var a Attribute32
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewAttribute32(a), nil
case AUT_ATTR64:
var a Attribute64
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewAttribute64(a), nil
case AUT_SUBJECT32:
var s Subject32
err := s.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewSubject32(s), nil
case AUT_SUBJECT32_EX:
var s Subject32Ex
err := s.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewSubject32Ex(s), nil
case AUT_RETURN32:
var r Return32
err := r.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewReturn32(r), nil
case AUT_TRAILER:
var t Trailer
err := t.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewTrailer(t), nil
case AUT_ARG32:
var a Arg32
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewArg32(a), nil
case AUT_ARG64:
var a Arg64
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewArg64(a), nil
case AUT_EXIT:
var e Exit
err := e.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewExit(e), nil
case AUT_PROCESS32:
var p Process32
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewProcess32(p), nil
case AUT_PROCESS32_EX:
var p Process32Ex
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewProcess32Ex(p), nil
case AUT_PROCESS64:
var p Process64
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewProcess64(p), nil
case AUT_PROCESS64_EX:
var p Process64Ex
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewProcess64Ex(p), nil
AUT_TEXT support
2022-01-04 10:47:10 +01:00
case AUT_TEXT:
var t Text
err := t.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewText(t), nil
Init repo
2022-01-04 09:35:55 +01:00
}
startOf, _ := file.Seek(0, io.SeekCurrent)
return rec, fmt.Errorf("Event type not supported: 0x%x at offset 0x%x", hdr[0], startOf)
}
/* Implementation of
int au_read_rec(FILE *fp, u_char **buf)
source: https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/libbsm/bsm_io.c
*/
func readRecord(file *os.File) ([]byte, error) {
var buf *bytes.Buffer
var recSize int32
hdr := make([]byte, 1)
n, err := file.Read(hdr)
if err != nil || n < 1 {
return hdr, fmt.Errorf("Unable to read file")
}
//switch hdr.(int8) {
switch (int8)(hdr[0]) {
case AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, AUT_HEADER64_EX:
err := binary.Read(file, binary.BigEndian, &recSize)
if err != nil {
return hdr, fmt.Errorf("Unable to read file")
}
/* Check for recsize sanity: We already read 32 bits + 8 bits */
if recSize < (4 + 1) {
return hdr, fmt.Errorf("Record size is corrupted: %d", recSize)
}
/* store the token contents already read, back to the buffer*/
data := make([]byte, 0)
buf = bytes.NewBuffer(data)
err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0]))
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate header to data")
}
err = binary.Write(buf, binary.BigEndian, recSize)
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate recordsize to existing data")
}
/* now read remaining record bytes */
remainSize := recSize - (4 + 1)
remain := make([]byte, remainSize)
n, err = file.Read(remain)
if err != nil || (int32)(n) < remainSize {
return hdr, fmt.Errorf("Unable to read data from file")
}
n, err = buf.Write(remain)
if err != nil {
return hdr, fmt.Errorf("Unable to write data to buffer")
}
case AUT_OTHER_FILE32:
var sec int32
var msec int32
var filenamelen int16
err := binary.Read(file, binary.BigEndian, &sec)
if err != nil {
return hdr, fmt.Errorf("Unable to read file")
}
err = binary.Read(file, binary.BigEndian, &msec)
if err != nil {
return hdr, fmt.Errorf("Unable to read file")
}
err = binary.Read(file, binary.BigEndian, &filenamelen)
if err != nil {
return hdr, fmt.Errorf("Unable to read file")
}
recSize = 1 + 4 + 4 + 2 + int32(filenamelen)
data := make([]byte, 0)
buf = bytes.NewBuffer(data)
/* store the token contents already read, back to the buffer*/
err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0]))
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate header to data")
}
err = binary.Write(buf, binary.BigEndian, sec)
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate sec to data")
}
err = binary.Write(buf, binary.BigEndian, msec)
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate msec to data")
}
err = binary.Write(buf, binary.BigEndian, filenamelen)
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate filenamelen to data")
}
filename := make([]byte, filenamelen)
n, err = file.Read(filename)
if err != nil || n < int(filenamelen) {
return hdr, fmt.Errorf("Unable to read filename from file")
}
n, err = buf.Write(filename)
if err != nil {
return hdr, fmt.Errorf("Unable to concatenate filename to buffer")
}
default:
return hdr, fmt.Errorf("Record type not implemented: %v", hdr)
}
return buf.Bytes(), nil
}
Reference in New Issue Copy Permalink