yo/libbsm
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add AUT_RIGHTS (capabilities)

Browse Source
This commit is contained in:
yo 2023-09-11 14:41:10 +02:00
parent ad4a46104c
commit 23441feaae
2 changed files with 134 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
libbsm.go
View File

@ -120,9 +120,11 @@ const (
AUT_PROCESS64_EX = 0x7d AUT_PROCESS64_EX = 0x7d
AUT_IN_ADDR_EX = 0x7e AUT_IN_ADDR_EX = 0x7e
AUT_SOCKET_EX = 0x7f AUT_SOCKET_EX = 0x7f
// From sys/bsm/audit_record.h
AUT_SOCKINET32 = 0x80 AUT_SOCKINET32 = 0x80
AUT_SOCKINET128 = 0x81 AUT_SOCKINET128 = 0x81
AUT_SOCKUNIX = 0x82 AUT_SOCKUNIX = 0x82
AUT_RIGHTS = 0x83
// Display control // Display control
PRT_ONELINE = 1 PRT_ONELINE = 1
@ -373,6 +375,17 @@ type ZoneName struct {
Zone []byte `json:"zone"` Zone []byte `json:"zone"`
} }
type Capabilities struct {
Index uint8 `json:"index"`
Value uint64 `json:"value"`
}
type Rights struct {
Length uint8 `json:"length"` // Should it be nr of indices, or nr of capabilities? (in which case it should be calculated)
// Let it be nr of indices for now, we'll see when we will decode rights
Rights []Capabilities `json:"rights"`
}
/* Utilities */ /* Utilities */
// users ID for resolution // users ID for resolution
type user struct { type user struct {
@ -3014,6 +3027,111 @@ func (z *ZoneName) Print(file *os.File, delimiter string, flags int) {
} }
} }
func NewRights(r Rights) *Rights {
return &Rights{
Length: r.Length,
Rights: r.Rights,
}
}
func (r *Rights) GetType() uint8 {
return AUT_RIGHTS
}
func (r *Rights) getIndex(value uint64) uint8 {
var index uint8
idx := (value >> 57) & 0b11111
switch idx {
case 1: index = 0
case 2: index = 1
case 4: index = 2
case 8: index = 3
case 16: index = 4
}
return index
}
func (r *Rights) LoadFromBinary(rdr *bufio.Reader) error {
var firstVal uint64
var nextVal uint64
err := binary.Read(rdr, binary.BigEndian, &firstVal)
if err != nil {
return fmt.Errorf("Unable to read Rights.Length: %v", err)
}
/* The top two bits in the first element of the cr_rights[] array contain
* total number of elements in the array - 2 */
r.Length = uint8((firstVal >> 62) + 2)
rights := make([]Capabilities, r.Length)
capab := &Capabilities{
Index: r.getIndex(firstVal),
Value: firstVal,
}
rights[0] = *capab
for i := 1; i < int(r.Length); i++ {
err = binary.Read(rdr, binary.BigEndian, &nextVal)
if err != nil {
return fmt.Errorf("Unable to read Rights.Rights: %v", err)
} else {
capab := &Capabilities{
Index: r.getIndex(nextVal),
Value: nextVal,
}
rights[i] = *capab
}
}
r.Rights = rights[:r.Length]
return nil
}
// Override Capabilities Marshaling so we can print as hex
func (c *Capabilities) MarshalJSON() ([]byte, error) {
val := fmt.Sprintf("%0.16x", c.Value)
type CapabilitiesJSON Capabilities
cJSON := struct {
Capabilities
Value string `json:"value"`
}{
Capabilities: Capabilities(*c),
Value: val,
}
return json.Marshal(cJSON)
}
func (r *Rights) Print(file *os.File, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
// Do not print Rights.Length, only capabilities array
j, err := json.Marshal(r.Rights)
if err != nil {
// TODO
return
}
fmt.Fprintf(file, "\"rights\":")
fmt.Fprintf(file, "%s", j)
// Rights is always followed by something
fmt.Fprintf(file, ",")
} else {
fmt.Fprintf(file, "rights%s%d", delimiter, r.Length)
for i:=0; i < int(r.Length); i++ {
if i < int(r.Length) {
fmt.Fprintf(file, "%s", delimiter)
}
fmt.Fprintf(file, "%d%s%0.16x", r.Rights[i].Index, delimiter, r.Rights[i].Value)
}
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
}
// From sys/bsm/audit_record.h // From sys/bsm/audit_record.h
func readRecordToStruct(reader *bufio.Reader) (Record, error) { func readRecordToStruct(reader *bufio.Reader) (Record, error) {
@ -3183,6 +3301,13 @@ func readRecordToStruct(reader *bufio.Reader) (Record, error) {
return rec, fmt.Errorf("Unable to read: %v", err) return rec, fmt.Errorf("Unable to read: %v", err)
} }
return NewZoneName(z), nil return NewZoneName(z), nil
case AUT_RIGHTS:
var r Rights
err := r.LoadFromBinary(reader)
if err != nil {
return rec, fmt.Errorf("Unable to read: %v", err)
}
return NewRights(r), nil
} }
return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0]) return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0])

11
main.go
View File

@ -33,7 +33,7 @@ import (
) )
const ( const (
version = "5.9.9b" version = "5.9.9c"
) )
var ( var (
@ -51,12 +51,19 @@ func main() {
var syslog23 bool var syslog23 bool
var json bool var json bool
pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line.") pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line.")
pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms.") pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms.")
pflag.BoolVarP(&json, "json", "j", false, "Print compact json") pflag.BoolVarP(&json, "json", "j", false, "Print compact json")
pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output.") pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output.")
pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit") pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit")
var Usage = func() {
fmt.Fprintf(os.Stderr, "Usage of \"%s [opts] auditfile\":\n", os.Args[0])
pflag.PrintDefaults()
fmt.Fprintf(os.Stderr, "Set auditfile to \"-\" to read stdin\n")
}
pflag.Usage = Usage
pflag.Parse() pflag.Parse()
if showVersion { if showVersion {