// Copyright 2021, johan@nosd.in
//go:build freebsd
// +build freebsd
//
// godit is a search tool for BSM audit trails used by FreeBSD auditd
//
/*
% time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w
% time ./godit 20211228134923.20211228151348 > godit.log
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
% ./godit -V
Godit v0.03
% time ./godit 20211228134923.20211228151348 > 20211228134923.20211228151348.godit3
7.183u 19.590s 0:25.98 103.0% 1038+559k 0+2262168io 0pf+0w
% ./godit -V
Godit v0.4.3
*/
package main
import (
	"bufio"
	"fmt"
	"io"
	"os"
	"os/signal"
	"strings"
	"sync"
	"syscall"

	"github.com/spf13/pflag"
)
// version is the string printed by -V/--version.
const version = "0.6.2"

var (
	// randFlag is declared here but not referenced in this file.
	randFlag bool
	// showVersion is bound to -V/--version in main.
	showVersion bool

	// delimiter is the default field delimiter.
	delimiter = ","

	// Writer receives every printed record; NewWriter points it at stdout or
	// at the file given with -o/--out.
	Writer *bufio.Writer
)
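// NewWriter returns a buffered writer for the program's output and also
// stores it in the package-level Writer. With an empty file name the writer
// wraps os.Stdout and the returned *os.File is nil. Otherwise file is
// created, or truncated if it already exists (the "overwrite existing"
// contract of -o/--out), with mode 0640, and the caller owns closing the
// returned *os.File. Errors come straight from os.OpenFile.
//
// Writer is assigned without any locking; a caller that re-opens the output
// while records are being written (SIGUSR1 rotation) must serialise the call
// with its own lock.
func NewWriter(file string) (*bufio.Writer, *os.File, error) {
	if file == "" {
		Writer = bufio.NewWriter(os.Stdout)
		return Writer, nil, nil
	}
	// O_TRUNC matters: without it an existing, longer file keeps its old
	// tail beyond the newly written bytes, leaving a mix of stale and fresh
	// records in what is meant to be an overwritten output file.
	f, err := os.OpenFile(file, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0640)
	if err != nil {
		return nil, nil, err
	}
	Writer = bufio.NewWriter(f)
	return Writer, f, nil
}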
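// main is the godit entry point: it parses the command line, reads BSM audit
// records from the given file (or stdin for "-") and prints each one either
// to stdout or to the file given with -o/--out. With -o, SIGUSR1 makes the
// program close and re-create the output file so an external tool can rotate
// it away. Record parsing (readRecordToStruct) and printing (rec.Print) are
// defined elsewhere in the package.
func main() {
	var (
		flags         int
		oneLine       bool
		noUserResolve bool
		syslog23      bool
		json          bool
		outputFile    string
		// outfMtx guards outFile and the package-level Writer: the SIGUSR1
		// goroutine replaces both while the record loop writes through them.
		outfMtx sync.Mutex
		outFile *os.File
	)

	pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line")
	pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms")
	pflag.BoolVarP(&json, "json", "j", false, "Print compact json")
	pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output")
	pflag.StringVarP(&outputFile, "out", "o", "", "Output to file, overwrite existing. File will be re-opened receiving SIGUSR1.")
	pflag.BoolVarP(&showVersion, "version", "V", false, "Show version and exit")

	pflag.Usage = func() {
		fmt.Fprintf(os.Stderr, "Usage of \"%s [opts] auditfile\":\n", os.Args[0])
		pflag.PrintDefaults()
		fmt.Fprint(os.Stderr, "Set auditfile to \"-\" to read stdin\n")
	}

	pflag.Parse()
	if showVersion {
		fmt.Printf("Godit v%s\n", version)
		return
	}

	// PRT_* are used as bit flags (see PRT_JSON), so combine all of them with
	// OR rather than mixing + and |=.
	if oneLine {
		flags |= PRT_ONELINE
	}
	if noUserResolve {
		flags |= PRT_NORESOLVE_USER
	}
	if syslog23 {
		flags |= PRT_TIMESYSLOG23
	}
	if json {
		flags |= PRT_JSON
	}

	// The audit file is the last positional argument. pflag.Args excludes the
	// options it parsed, so "godit file -l" no longer takes "-l" as the file
	// and "godit -l" alone shows the usage instead of failing to open "-l".
	if pflag.NArg() < 1 {
		pflag.Usage()
		os.Exit(1)
	}
	filename := pflag.Arg(pflag.NArg() - 1)

	// Get a writer, file or stdout. NewWriter also stores it in the
	// package-level Writer, which is what the record loop writes to.
	_, outFile, err := NewWriter(outputFile)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%v\n", err)
		os.Exit(1)
	}
	toFile := len(outputFile) > 0
	if toFile {
		// Re-create the output file on SIGUSR1 so the current one can be
		// rotated away. signal.Notify does not block on send, so the channel
		// needs a buffer of at least one or a signal can be lost.
		sig := make(chan os.Signal, 1)
		signal.Notify(sig, syscall.SIGUSR1)
		go func() {
			for range sig {
				outfMtx.Lock()
				fmt.Println("SIGUSR1 received, recreating output file")
				Writer.Flush() // nothing should be pending here, but never drop it
				outFile.Close()
				// Own error variable: main's err is still in use on its side.
				var rerr error
				_, outFile, rerr = NewWriter(outputFile)
				if rerr != nil {
					outfMtx.Unlock()
					fmt.Fprintf(os.Stderr, "%v\n", rerr)
					os.Exit(1)
				}
				outfMtx.Unlock()
			}
		}()
	}

	var r *bufio.Reader
	if strings.EqualFold(filename, "-") {
		// "-" means read the trail from stdin.
		r = bufio.NewReader(os.Stdin)
	} else {
		in, err := os.Open(filename)
		if err != nil {
			fmt.Fprintf(os.Stderr, "Impossible d'ouvrir le fichier %s\n", filename)
			os.Exit(-1) // kept as is; shells report this as status 255
		}
		defer in.Close()
		r = bufio.NewReader(in)
	}

	for {
		rec, err := readRecordToStruct(r)
		if err != nil {
			if err == io.EOF {
				break
			}
			// Diagnostics go to stderr so they never interleave with the
			// records written to stdout.
			// NOTE(review): rec is still printed after a non-EOF error, as
			// before — confirm readRecordToStruct returns a printable rec then.
			fmt.Fprintf(os.Stderr, "Erreur : %v\n", err)
		}
		if toFile {
			outfMtx.Lock()
			rec.Print(Writer, ",", flags)
			Writer.Flush() // keeps the file current at the cost of a write per record
			outfMtx.Unlock()
		} else {
			// stdout is never rotated, so no lock is needed.
			rec.Print(Writer, ",", flags)
		}
	}

	// Leaving the loop with break (not return) reaches this cleanup: flush
	// whatever is still buffered (the stdout path had no flush at all) and
	// close the output file under the lock so a late SIGUSR1 cannot race it.
	outfMtx.Lock()
	if err := Writer.Flush(); err != nil {
		fmt.Fprintf(os.Stderr, "%v\n", err)
	}
	if outFile != nil {
		outFile.Close()
	}
	outfMtx.Unlock()
}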