From 079361c8cdff712375bfc650c44ad267f624e6fd Mon Sep 17 00:00:00 2001
From: yo
Date: Sun, 10 Sep 2023 09:32:45 +0200
Subject: [PATCH] Add support for zone name
---
 libbsm.go | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/libbsm.go b/libbsm.go
index 0475c21..6702820 100644
--- a/libbsm.go
+++ b/libbsm.go
@@ -367,6 +367,11 @@ type Text struct {
 Text []byte
 }
+type ZoneName struct {
+ Length uint16 `json:"length"` // zone name length
+ Zone []byte `json:"zone"`
+}
+
 /* Utilities */
 // users ID for resolution
 type user struct {
@@ -2111,6 +2116,44 @@ func (t *Text) Print(file *os.File, delimiter string, flags int) {
 }
 }
+func NewZoneName(z ZoneName) *ZoneName {
+ return &ZoneName{
+ Length: z.Length,
+ Zone: z.Zone,
+ }
+}
+
+func (z *ZoneName) GetType() uint8 {
+ return AUT_ZONENAME
+}
+
+func (z *ZoneName) LoadFromBinary(rdr *bufio.Reader) error {
+ err := binary.Read(rdr, binary.BigEndian, &z.Length)
+ if err != nil {
+ return fmt.Errorf("Unable to read ZoneName.Length: %v", err)
+ }
+
+ zone := make([]byte, z.Length)
+ err = binary.Read(rdr, binary.BigEndian, &zone)
+ if err != nil {
+ return fmt.Errorf("Unable to read ZoneName.Zone: %v", err)
+ }
+ z.Zone = zone[:len(zone)-1]
+
+ return nil
+}
+
+func (z *ZoneName) Print(file *os.File, delimiter string, flags int) {
+ fmt.Fprintf(file, "zone%s%s", delimiter, z.Zone)
+ if 0 == (flags & PRT_ONELINE) {
+ fmt.Fprintf(file, "\n")
+ } else {
+ fmt.Fprintf(file, "%s", delimiter)
+ }
+}
+
+
+// From sys/bsm/audit_record.h
 func readRecordToStruct(reader *bufio.Reader) (Record, error) {
 var rec Record
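Review bot: The exported `ZoneName` type has no doc comment, and the `// zone name length` remark on `Length` does not say that the count covers one more byte than `Zone` ends up holding, since `LoadFromBinary` drops the last byte (presumably the NUL terminator). I would add `// ZoneName is the AUT_ZONENAME token; Length is the size read from the record, Zone is the name with its final byte removed.` above the type. If these structs are marshalled with encoding/json, a `[]byte` field is emitted as base64, which is worth stating in the comment for anyone matching on zone names in the JSON output.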
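Review bot: `z.Zone = zone[:len(zone)-1]` in `LoadFromBinary` panics with a slice-bounds error when the record carries `Length == 0`, and that length is read straight from the audit trail, so a single malformed token stops the parser instead of returning an error. The last byte is also dropped without checking that it is actually a terminator. Guard the trim with `if n := len(zone); n > 0 && zone[n-1] == 0 { zone = zone[:n-1] }` followed by `z.Zone = zone`, or return an error for a zero length. The panic would surface through the `AUT_ZONENAME` case added to `readRecordToStruct` in the last hunk.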
@@ -2271,6 +2314,13 @@ func readRecordToStruct(reader *bufio.Reader) (Record, error) {
 return rec, fmt.Errorf("Unable to read: %v", err)
 }
 return NewSockUnix(s), nil
+ case AUT_ZONENAME:
+ var z ZoneName
+ err := z.LoadFromBinary(reader)
+ if err != nil {
+ return rec, fmt.Errorf("Unable to read: %v", err)
+ }
+ return NewZoneName(z), nil
 }
 return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0])
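Review bot: The new `AUT_ZONENAME` case formats the error with `%v` under a generic prefix, so the caller sees "Unable to read: Unable to read ZoneName.Length: …" and cannot use `errors.Is` to tell a truncated trail (`io.ErrUnexpectedEOF`) from other failures. `return rec, fmt.Errorf("reading AUT_ZONENAME token: %w", err)` keeps the chain and names the token. This mirrors the neighbouring `NewSockUnix` case, and `LoadFromBinary` itself also uses `%v`, so the chain would need `%w` there as well. `readRecordToStruct` starts and ends outside the hunk.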