From 4b06c3064b171badebe5ce5044c697ca91e657f7 Mon Sep 17 00:00:00 2001 From: yo Date: Wed, 18 Jan 2023 17:19:39 +0100 Subject: [PATCH] Manual merge --- libbsm.go | 2150 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 1342 insertions(+), 808 deletions(-) diff --git a/libbsm.go b/libbsm.go index be146f5..0475c21 100644 --- a/libbsm.go +++ b/libbsm.go @@ -1,7 +1,9 @@ // This is an implementation of libbsm // Copyright johan@nosd.in 2021 // +//go:build freebsd // +build freebsd + // // Use libc to get pw name from uid @@ -19,318 +21,363 @@ package main import "C" import ( - "io" - "os" - "fmt" - "time" "bufio" "bytes" - "strings" - "strconv" "encoding/binary" + "fmt" + "io" + "os" + "strconv" + "strings" + "time" ) const ( - // bsm/libbsm.h - AUDIT_MAX_ARGS = 128 - AUDIT_EVENT_FILE = "/etc/security/audit_event" + // bsm/libbsm.h + AUDIT_MAX_ARGS = 128 + AUDIT_EVENT_FILE = "/etc/security/audit_event" - // sys/bsm/audit.h - MAXAUDITDATA = (0x8000 - 1) - MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA + // sys/bsm/audit.h + MAXAUDITDATA = (0x8000 - 1) + MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA - // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) - MAX_AUDIT_ARG_LENGTH = 1024 + // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) + MAX_AUDIT_ARG_LENGTH = 1024 -/* - * Token type identifiers. - From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h - */ - AUT_INVALID = 0x00 - AUT_OTHER_FILE32 = 0x11 - AUT_OHEADER = 0x12 - AUT_TRAILER = 0x13 - AUT_HEADER32 = 0x14 - AUT_HEADER32_EX = 0x15 - AUT_DATA = 0x21 - AUT_IPC = 0x22 - AUT_PATH = 0x23 - AUT_SUBJECT32 = 0x24 - AUT_XATPATH = 0x25 - AUT_PROCESS32 = 0x26 - AUT_RETURN32 = 0x27 - AUT_TEXT = 0x28 - AUT_OPAQUE = 0x29 - AUT_IN_ADDR = 0x2a - AUT_IP = 0x2b - AUT_IPORT = 0x2c - AUT_ARG32 = 0x2d - AUT_SOCKET = 0x2e - AUT_SEQ = 0x2f - AUT_ACL = 0x30 - AUT_ATTR = 0x31 - AUT_IPC_PERM = 0x32 - AUT_LABEL = 0x33 - AUT_GROUPS = 0x34 - AUT_ACE = 0x35 - AUT_PRIV = 0x38 - AUT_UPRIV = 0x39 - AUT_LIAISON = 0x3a - AUT_NEWGROUPS = 0x3b - AUT_EXEC_ARGS = 0x3c - AUT_EXEC_ENV = 0x3d - AUT_ATTR32 = 0x3e - AUT_UNAUTH = 0x3f - AUT_XATOM = 0x40 - AUT_XOBJ = 0x41 - AUT_XPROTO = 0x42 - AUT_XSELECT = 0x43 - AUT_XCOLORMAP = 0x44 - AUT_XCURSOR = 0x45 - AUT_XFONT = 0x46 - AUT_XGC = 0x47 - AUT_XPIXMAP = 0x48 - AUT_XPROPERTY = 0x49 - AUT_XWINDOW = 0x4a - AUT_XCLIENT = 0x4b - AUT_CMD = 0x51 - AUT_EXIT = 0x52 - AUT_ZONENAME = 0x60 - AUT_HOST = 0x70 - AUT_ARG64 = 0x71 - AUT_RETURN64 = 0x72 - AUT_ATTR64 = 0x73 - AUT_HEADER64 = 0x74 - AUT_SUBJECT64 = 0x75 - AUT_PROCESS64 = 0x77 - AUT_OTHER_FILE64 = 0x78 - AUT_HEADER64_EX = 0x79 - AUT_SUBJECT32_EX = 0x7a - AUT_PROCESS32_EX = 0x7b - AUT_SUBJECT64_EX = 0x7c - AUT_PROCESS64_EX = 0x7d - AUT_IN_ADDR_EX = 0x7e - AUT_SOCKET_EX = 0x7f + ISIPV4 = 4 + ISIPV6 = 16 + /* + * Token type identifiers. + From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h + */ + AUT_INVALID = 0x00 + AUT_OTHER_FILE32 = 0x11 + AUT_OHEADER = 0x12 + AUT_TRAILER = 0x13 + AUT_HEADER32 = 0x14 + AUT_HEADER32_EX = 0x15 + AUT_DATA = 0x21 + AUT_IPC = 0x22 + AUT_PATH = 0x23 + AUT_SUBJECT32 = 0x24 + AUT_XATPATH = 0x25 + AUT_PROCESS32 = 0x26 + AUT_RETURN32 = 0x27 + AUT_TEXT = 0x28 + AUT_OPAQUE = 0x29 + AUT_IN_ADDR = 0x2a + AUT_IP = 0x2b + AUT_IPORT = 0x2c + AUT_ARG32 = 0x2d + AUT_SOCKET = 0x2e + AUT_SEQ = 0x2f + AUT_ACL = 0x30 + AUT_ATTR = 0x31 + AUT_IPC_PERM = 0x32 + AUT_LABEL = 0x33 + AUT_GROUPS = 0x34 + AUT_ACE = 0x35 + AUT_PRIV = 0x38 + AUT_UPRIV = 0x39 + AUT_LIAISON = 0x3a + AUT_NEWGROUPS = 0x3b + AUT_EXEC_ARGS = 0x3c + AUT_EXEC_ENV = 0x3d + AUT_ATTR32 = 0x3e + AUT_UNAUTH = 0x3f + AUT_XATOM = 0x40 + AUT_XOBJ = 0x41 + AUT_XPROTO = 0x42 + AUT_XSELECT = 0x43 + AUT_XCOLORMAP = 0x44 + AUT_XCURSOR = 0x45 + AUT_XFONT = 0x46 + AUT_XGC = 0x47 + AUT_XPIXMAP = 0x48 + AUT_XPROPERTY = 0x49 + AUT_XWINDOW = 0x4a + AUT_XCLIENT = 0x4b + AUT_CMD = 0x51 + AUT_EXIT = 0x52 + AUT_ZONENAME = 0x60 + AUT_HOST = 0x70 + AUT_ARG64 = 0x71 + AUT_RETURN64 = 0x72 + AUT_ATTR64 = 0x73 + AUT_HEADER64 = 0x74 + AUT_SUBJECT64 = 0x75 + AUT_PROCESS64 = 0x77 + AUT_OTHER_FILE64 = 0x78 + AUT_HEADER64_EX = 0x79 + AUT_SUBJECT32_EX = 0x7a + AUT_PROCESS32_EX = 0x7b + AUT_SUBJECT64_EX = 0x7c + AUT_PROCESS64_EX = 0x7d + AUT_IN_ADDR_EX = 0x7e + AUT_SOCKET_EX = 0x7f + AUT_SOCKINET32 = 0x80 + AUT_SOCKINET128 = 0x81 + AUT_SOCKUNIX = 0x82 - // Display control - PRT_ONELINE = 1 - PRT_NORESOLVE_USER = 2 - PRT_TIMESTAMP = 4 + // Display control + PRT_ONELINE = 1 + PRT_NORESOLVE_USER = 2 + PRT_TIMESTAMP = 4 ) var ( - // A global user/uid cache - gUsers []user - // A global group/gid cache - gGroups []group - // Cache of audit_event file - gEventDB []event + // A global user/uid cache + gUsers []user + // A global group/gid cache + gGroups []group + // Cache of audit_event file + gEventDB []event ) - type event struct { - Type int - Name string - Desc string - Class string + Type int + Name string + Desc string + Class string } - // Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h // Abstraction of a record type Record interface { - GetType() uint8 - //Length() - LoadFromBinary(rdr *bufio.Reader) error - Print(*os.File, string, int) + GetType() uint8 + // Length() + LoadFromBinary(rdr *bufio.Reader) error + Print(*os.File, string, int) } type Header32 struct { - Size uint32 // Record byte count - Version uint8 // version # (uchar) - E_type uint16 // Event type - E_mod uint16 // Event modifier - S uint32 // Seconds of time - Msec uint32 // Milliseconds of time + Size uint32 // Record byte count + Version uint8 // version # (uchar) + E_type uint16 // Event type + E_mod uint16 // Event modifier + S uint32 // Seconds of time + Msec uint32 // Milliseconds of time } type Header32Ex struct { - Size uint32 // Record byte count - Version uint8 // version # (uchar) - E_type uint16 // Event type - E_mod uint16 // Event modifier - Ad_type uint32 // Address type/Length - Addr [4]uint32 // Ipv4 or IPv6 - S uint32 // Seconds of time - Msec uint32 // Milliseconds of time + Size uint32 // Record byte count + Version uint8 // version # (uchar) + E_type uint16 // Event type + E_mod uint16 // Event modifier + Ad_type uint32 // Address type/Length + Addr [4]uint32 // Ipv4 or IPv6 + S uint32 // Seconds of time + Msec uint32 // Milliseconds of time } type Trailer struct { - Magic uint16 - Count uint32 + Magic uint16 + Count uint32 } type Arg32 struct { - No byte // Argument # - Val uint32 // Argument value - Length uint16 // Text length - Text []byte // Text + No byte // Argument # + Val uint32 // Argument value + Length uint16 // Text length + Text []byte // Text } type Arg64 struct { - No byte // Argument # - Val uint64 // Argument value - Length uint16 // Text length - Text []byte // Text + No byte // Argument # + Val uint64 // Argument value + Length uint16 // Text length + Text []byte // Text } type Attribute32 struct { - Mode uint32 // file access mode - Uid uint32 // Owner user ID - Gid uint32 // Owner group ID - Fsid uint32 // File system ID - Nid uint64 // Node ID - Dev uint32 // Device + Mode uint32 // file access mode + Uid uint32 // Owner user ID + Gid uint32 // Owner group ID + Fsid uint32 // File system ID + Nid uint64 // Node ID + Dev uint32 // Device } type Attribute64 struct { - Mode uint32 // file access mode - Uid uint32 // Owner user ID - Gid uint32 // Owner group ID - Fsid uint32 // File system ID - Nid uint64 // Node ID - Dev uint64 // Device + Mode uint32 // file access mode + Uid uint32 // Owner user ID + Gid uint32 // Owner group ID + Fsid uint32 // File system ID + Nid uint64 // Node ID + Dev uint64 // Device } /* * count 4 bytes * text count null-terminated string(s) -*/ + */ type ExecArg struct { - Count uint32 -//Text [AUDIT_MAX_ARGS][]byte - Text [][]byte + Count uint32 + //Text [AUDIT_MAX_ARGS][]byte + Text [][]byte } type Path struct { - Length uint16 // path length - Path []byte + Length uint16 // path length + Path []byte } type Return32 struct { - Status byte // Error status - Ret uint32 // Return code + Status byte // Error status + Ret uint32 // Return code } type Return64 struct { - Status byte // Error status - Ret uint64 // Return code + Status byte // Error status + Ret uint64 // Return code } type Subject32 struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid32 + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid32 } type Process32 Subject32 type Subject32Ex struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid32Ex + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid32Ex } type Process32Ex Subject32Ex type Tid32 struct { - Port uint32 - IpVers uint32 // 0x10 = IPv6 - Addr uint32 + Port uint32 + IpVers uint32 // 0x10 = IPv6 + Addr uint32 } type Tid32Ex struct { - Port uint32 - Ttype uint32 - IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 - Addr4 uint32 // 4 bytes long if IpVers == 0x04 - Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10 + Port uint32 + Ttype uint32 + IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 + Addr4 uint32 // 4 bytes long if IpVers == 0x04 + Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10 } type Subject64 struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid64 + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid64 } type Process64 Subject64 type Subject64Ex struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid64Ex + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid64Ex } type Process64Ex Subject64Ex type Tid64 struct { - Port uint64 - IpVers uint32 - Addr uint32 + Port uint64 + IpVers uint32 + Addr uint32 } type Tid64Ex struct { - Port uint64 - Ttype uint32 - IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 - Addr4 uint32 - Addr6 [4]uint32 + Port uint64 + Ttype uint32 + IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 + Addr4 uint32 + Addr6 [4]uint32 +} + +/* + * socket domain 2 bytes + * socket type 2 bytes + * address type 2 bytes + * local port 2 bytes + * local Internet address 4/16 bytes + * remote port 2 bytes + * remote Internet address 4/16 bytes + */ +type SocketEx struct { + Domain uint16 + SockType uint16 + AddrType uint16 + LocalPort uint16 + LocalAddr4 uint32 + LocalAddr6 [4]uint32 + RemotePort uint16 + RemoteAddr4 uint32 + RemoteAddr6 [4]uint32 +} + +type SockInet32 struct { + Family uint16 + Lport uint16 + Addr4 uint32 +} + +type SockInet128 struct { + Family uint16 + Lport uint16 + Addr6 [4]uint32 +} + +/* + * token ID 1 byte + * socket family 2 bytes + * path (up to) 104 bytes + NULL (NULL terminated string) + */ +type SockUnix struct { + Family uint16 + Path []byte } type Exit struct { - Status uint32 - Ret uint32 + Status uint32 + Ret uint32 } type Text struct { - Length uint16 - Text []byte + Length uint16 + Text []byte } - /* Utilities */ // users ID for resolution type user struct { - uid uint32 - name string + uid uint32 + name string } // groups ID for resolution type group struct { - gid uint32 - name string + gid uint32 + name string } /* Utilities */ @@ -358,21 +405,20 @@ func getUserName(uid uint32) (string, error) { return u.name, nil } func getUserNameByUid(uid uint32) (user, error) { - var pw *C.struct_passwd - var usr user + var pw *C.struct_passwd + var usr user - pw = C.getpwuid((C.uint32_t)(uid)) - if pw == nil { - return usr, fmt.Errorf("User ID not found") - } + pw = C.getpwuid((C.uint32_t)(uid)) + if pw == nil { + return usr, fmt.Errorf("User ID not found") + } - usr.uid = uid - usr.name = C.GoString(pw.pw_name) + usr.uid = uid + usr.name = C.GoString(pw.pw_name) - return usr, nil + return usr, nil } - func getGroupName(gid uint32) (string, error) { for _, g := range gGroups { if g.gid == gid { @@ -396,21 +442,21 @@ func getGroupName(gid uint32) (string, error) { return g.name, nil } func getGroupNameByGid(gid uint32) (group, error) { - var gr *C.struct_group - var grp group + var gr *C.struct_group + var grp group - gr = C.getgrgid((C.uint32_t)(gid)) - if gr == nil { - return grp, fmt.Errorf("Group ID not found") - } + gr = C.getgrgid((C.uint32_t)(gid)) + if gr == nil { + return grp, fmt.Errorf("Group ID not found") + } - grp.gid = gid - grp.name = C.GoString(gr.gr_name) + grp.gid = gid + grp.name = C.GoString(gr.gr_name) - return grp, nil + return grp, nil } -func getEventName(event uint16) (string,error) { +func getEventName(event uint16) (string, error) { if len(gEventDB) == 0 { err := loadEventDB() if err != nil { @@ -453,42 +499,42 @@ func loadEventDB() error { // Wait for https://github.com/openbsm/openbsm/pull/75 if t == 43082 && (len(eventStr) == 5) { gEventDB = append(gEventDB, event{Type: t, - Name: eventStr[1], - Desc: eventStr[3], - Class: eventStr[4],}) + Name: eventStr[1], + Desc: eventStr[3], + Class: eventStr[4]}) } else { gEventDB = append(gEventDB, event{Type: t, - Name: eventStr[1], - Desc: eventStr[2], - Class: eventStr[3],}) + Name: eventStr[1], + Desc: eventStr[2], + Class: eventStr[3]}) } } return nil } func PrintIpv4FromInt(ipv4int uint32) string { - return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16, - ipv4int & 0x0000FF00 >> 8, ipv4int & 0x000000FF) + return fmt.Sprintf("%d.%d.%d.%d", ipv4int&0xFF000000>>24, ipv4int&0x00FF0000>>16, + ipv4int&0x0000FF00>>8, ipv4int&0x000000FF) } func PrintIpv6FromInt(ipv6int [4]uint32) string { - //return fmt.Sprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x", - return fmt.Sprintf("%x:%x:%x:%x:%x:%x:%x:%x", - ipv6int[0] & 0xFFFF0000 >> 16, ipv6int[0] & 0x0000FFFF, - ipv6int[1] & 0xFFFF0000 >> 16, ipv6int[1] & 0x0000FFFF, - ipv6int[2] & 0xFFFF0000 >> 16, ipv6int[2] & 0x0000FFFF, - ipv6int[3] & 0xFFFF0000 >> 16, ipv6int[3] & 0x0000FFFF) + //return fmt.Sprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x", + return fmt.Sprintf("%x:%x:%x:%x:%x:%x:%x:%x", + ipv6int[0]&0xFFFF0000>>16, ipv6int[0]&0x0000FFFF, + ipv6int[1]&0xFFFF0000>>16, ipv6int[1]&0x0000FFFF, + ipv6int[2]&0xFFFF0000>>16, ipv6int[2]&0x0000FFFF, + ipv6int[3]&0xFFFF0000>>16, ipv6int[3]&0x0000FFFF) } /* Records structs implementation */ func NewHeader32(h Header32) *Header32 { return &Header32{ - Size: h.Size, + Size: h.Size, Version: h.Version, - E_type: h.E_type, - E_mod: h.E_mod, - S: h.S, - Msec: h.Msec, + E_type: h.E_type, + E_mod: h.E_mod, + S: h.S, + Msec: h.Msec, } } @@ -499,7 +545,9 @@ func (h *Header32) GetType() uint8 { // TODO : Take *io.Reader as arg? func (h *Header32) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &h.Size) - if err != nil { return fmt.Errorf("Unable to read Header32.Size: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Header32.Size: %v", err) + } /* Check for recsize sanity: We already read 32 bits + 8 bits */ if h.Size < (4 + 1) { @@ -507,31 +555,40 @@ func (h *Header32) LoadFromBinary(rdr *bufio.Reader) error { } err = binary.Read(rdr, binary.BigEndian, &h.Version) - if err != nil { return fmt.Errorf("Unable to read Header32.Version: %v", err) } - + if err != nil { + return fmt.Errorf("Unable to read Header32.Version: %v", err) + } + err = binary.Read(rdr, binary.BigEndian, &h.E_type) - if err != nil { return fmt.Errorf("Unable to read Header32.E_type: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Header32.E_type: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &h.E_mod) - if err != nil { return fmt.Errorf("Unable to read Header32.E_mod: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Header32.E_mod: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &h.S) - if err != nil { return fmt.Errorf("Unable to read Header32.S: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Header32.S: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &h.Msec) - if err != nil { return fmt.Errorf("Unable to read Header32.Msec: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Header32.Msec: %v", err) + } return nil } - /* Implementation of - static void - print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) +static void +print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) */ func (h *Header32) Print(file *os.File, delimiter string, flags int) { var timeval string - if PRT_TIMESTAMP == flags & PRT_TIMESTAMP { + if PRT_TIMESTAMP == flags&PRT_TIMESTAMP { timeval = strconv.Itoa(int(h.S)) } else { t := time.Unix((int64)(h.S), 0) @@ -543,8 +600,8 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) { return } fmt.Fprintf(file, "header%s%d%s%d%s%s%s%v%s%s%s%d", delimiter, h.Size, delimiter, h.Version, delimiter, - //h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) - evdesc, delimiter, h.E_mod, delimiter, timeval, delimiter, h.Msec) + //h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) + evdesc, delimiter, h.E_mod, delimiter, timeval, delimiter, h.Msec) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -554,8 +611,8 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) { func NewExecArg(e ExecArg) *ExecArg { return &ExecArg{ - Count: e.Count, - Text: e.Text, + Count: e.Count, + Text: e.Text, } } @@ -565,9 +622,11 @@ func (e *ExecArg) GetType() uint8 { func (e *ExecArg) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &e.Count) - if err != nil { return fmt.Errorf("Unable to read ExecArg.Count: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read ExecArg.Count: %v", err) + } - for i := uint32(0) ; i < e.Count ; i++ { + for i := uint32(0); i < e.Count; i++ { // Get this arg length arg, err := rdr.ReadBytes((byte)(0x00)) if err != nil { @@ -576,13 +635,13 @@ func (e *ExecArg) LoadFromBinary(rdr *bufio.Reader) error { e.Text = append(e.Text, arg[:len(arg)-1]) } - return nil + return nil } func (e *ExecArg) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "exec arg%s", delimiter) - for i := uint32(0) ; i < e.Count ; i++ { - if i < e.Count - 1 { + for i := uint32(0); i < e.Count; i++ { + if i < e.Count-1 { fmt.Fprintf(file, "%s%s", string(e.Text[i]), delimiter) } else { fmt.Fprintf(file, "%s", string(e.Text[i])) @@ -597,8 +656,8 @@ func (e *ExecArg) Print(file *os.File, delimiter string, flags int) { func NewPath(p Path) *Path { return &Path{ - Length: p.Length, - Path: p.Path, + Length: p.Length, + Path: p.Path, } } @@ -608,7 +667,9 @@ func (p *Path) GetType() uint8 { func (p *Path) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &p.Length) - if err != nil { return fmt.Errorf("Unable to read Path.Length: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Path.Length: %v", err) + } arg, err := rdr.ReadBytes((byte)(0x00)) if err != nil { @@ -630,55 +691,67 @@ func (p *Path) Print(file *os.File, delimiter string, flags int) { func NewAttribute32(a Attribute32) *Attribute32 { return &Attribute32{ - Mode: a.Mode, - Uid: a.Uid, - Gid: a.Gid, - Fsid: a.Fsid, - Nid: a.Nid, - Dev: a.Dev, + Mode: a.Mode, + Uid: a.Uid, + Gid: a.Gid, + Fsid: a.Fsid, + Nid: a.Nid, + Dev: a.Dev, } } -func (a* Attribute32) GetType() uint8 { +func (a *Attribute32) GetType() uint8 { return AUT_ATTR32 } func (a *Attribute32) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &a.Mode) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute32.Mode: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Uid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute32.Uid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Gid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute32.Gid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Fsid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute32.Fsid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Nid) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute32.Nid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Dev) - if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute32.Dev: %v", err) + } return nil } func (a *Attribute32) Print(file *os.File, delimiter string, flags int) { - var user string - var group string + var user string + var group string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { user = strconv.Itoa(int(a.Uid)) group = strconv.Itoa(int(a.Gid)) } else { user, _ = getUserName(a.Uid) group, _ = getGroupName(a.Gid) } - + fmt.Fprintf(file, "attribute%s%o%s%s%s%s%s%v%s%v%s%v", delimiter, a.Mode, delimiter, user, delimiter, - group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) + group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") @@ -689,37 +762,49 @@ func (a *Attribute32) Print(file *os.File, delimiter string, flags int) { func NewAttribute64(a Attribute64) *Attribute64 { return &Attribute64{ - Mode: a.Mode, - Uid: a.Uid, - Gid: a.Gid, - Fsid: a.Fsid, - Nid: a.Nid, - Dev: a.Dev, + Mode: a.Mode, + Uid: a.Uid, + Gid: a.Gid, + Fsid: a.Fsid, + Nid: a.Nid, + Dev: a.Dev, } } -func (a* Attribute64) GetType() uint8 { +func (a *Attribute64) GetType() uint8 { return AUT_ATTR64 } func (a *Attribute64) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &a.Mode) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute64.Mode: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Uid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute64.Uid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Gid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute64.Gid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Fsid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute64.Fsid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Nid) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute64.Nid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Dev) - if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Attribute64.Dev: %v", err) + } return nil } @@ -728,15 +813,15 @@ func (a *Attribute64) Print(file *os.File, delimiter string, flags int) { var user string var group string // TODO : resolve Uid and Gid (also support domain accounts) - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - user = strconv.Itoa(int(a.Uid)) - group = strconv.Itoa(int(a.Gid)) + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + user = strconv.Itoa(int(a.Uid)) + group = strconv.Itoa(int(a.Gid)) } else { - user, _ = getUserName(a.Uid) - group, _ = getGroupName(a.Gid) + user, _ = getUserName(a.Uid) + group, _ = getGroupName(a.Gid) } fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, user, delimiter, - group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) + group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -746,14 +831,14 @@ func (a *Attribute64) Print(file *os.File, delimiter string, flags int) { func NewSubject32(s Subject32) *Subject32 { return &Subject32{ - Auid: s.Auid, - Euid: s.Euid, - Egid: s.Egid, - Ruid: s.Ruid, - Rgid: s.Rgid, - Pid: s.Pid, - Sid: s.Sid, - Tid: s.Tid, + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, } } @@ -763,51 +848,65 @@ func (s *Subject32) GetType() uint8 { func (s *Subject32) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Sibject32.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid) - if err != nil { return fmt.Errorf("Unable to read Subject32.Tid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32.Tid: %v", err) + } return nil } func (s *Subject32) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(s.Auid)) - euser = strconv.Itoa(int(s.Euid)) - egroup = strconv.Itoa(int(s.Egid)) - ruser = strconv.Itoa(int(s.Ruid)) - rgroup = strconv.Itoa(int(s.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(s.Auid)) + euser = strconv.Itoa(int(s.Euid)) + egroup = strconv.Itoa(int(s.Egid)) + ruser = strconv.Itoa(int(s.Ruid)) + rgroup = strconv.Itoa(int(s.Rgid)) } else { - auser, _ = getUserName(s.Auid) - euser, _ = getUserName(s.Euid) - egroup, _ = getGroupName(s.Egid) - ruser, _ = getUserName(s.Ruid) - rgroup, _ = getGroupName(s.Rgid) + auser, _ = getUserName(s.Auid) + euser, _ = getUserName(s.Euid) + egroup, _ = getGroupName(s.Egid) + ruser, _ = getUserName(s.Ruid) + rgroup, _ = getGroupName(s.Rgid) } fmt.Fprintf(file, "subject%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup, - delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, - delimiter, PrintIpv4FromInt(s.Tid.Addr)) + delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, + delimiter, PrintIpv4FromInt(s.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -817,14 +916,14 @@ func (s *Subject32) Print(file *os.File, delimiter string, flags int) { func NewProcess32(s Process32) *Process32 { return &Process32{ - Auid: s.Auid, - Euid: s.Euid, - Egid: s.Egid, - Ruid: s.Ruid, - Rgid: s.Rgid, - Pid: s.Pid, - Sid: s.Sid, - Tid: s.Tid, + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, } } @@ -834,51 +933,65 @@ func (p *Process32) GetType() uint8 { func (p *Process32) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process32.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process32.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process32.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process32.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process32.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process32.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid) - if err != nil { return fmt.Errorf("Unable to read Process32.Tid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32.Tid: %v", err) + } return nil } func (p *Process32) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(p.Auid)) - euser = strconv.Itoa(int(p.Euid)) - egroup = strconv.Itoa(int(p.Egid)) - ruser = strconv.Itoa(int(p.Ruid)) - rgroup = strconv.Itoa(int(p.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(p.Auid)) + euser = strconv.Itoa(int(p.Euid)) + egroup = strconv.Itoa(int(p.Egid)) + ruser = strconv.Itoa(int(p.Ruid)) + rgroup = strconv.Itoa(int(p.Rgid)) } else { - auser, _ = getUserName(p.Auid) - euser, _ = getUserName(p.Euid) - egroup, _ = getGroupName(p.Egid) - ruser, _ = getUserName(p.Ruid) - rgroup, _ = getGroupName(p.Rgid) + auser, _ = getUserName(p.Auid) + euser, _ = getUserName(p.Euid) + egroup, _ = getGroupName(p.Egid) + ruser, _ = getUserName(p.Ruid) + rgroup, _ = getGroupName(p.Rgid) } fmt.Fprintf(file, "process%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup, - delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, - delimiter, PrintIpv4FromInt(p.Tid.Addr)) + delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, + delimiter, PrintIpv4FromInt(p.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -888,14 +1001,14 @@ func (p *Process32) Print(file *os.File, delimiter string, flags int) { func NewSubject32Ex(s Subject32Ex) *Subject32Ex { return &Subject32Ex{ - Auid: s.Auid, - Euid: s.Euid, - Egid: s.Egid, - Ruid: s.Ruid, - Rgid: s.Rgid, - Pid: s.Pid, - Sid: s.Sid, - Tid: s.Tid, + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, } } @@ -906,62 +1019,84 @@ func (s *Subject32Ex) GetType() uint8 { func (s *Subject32Ex) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Sibject32Ex.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Tid.Port: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers: %v", err) + } if s.Tid.IpVers == 0x10 { err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6: %v", err) + } } else if s.Tid.IpVers == 0x04 { err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4: %v", err) + } } return nil } func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - var ip string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(s.Auid)) - euser = strconv.Itoa(int(s.Euid)) - egroup = strconv.Itoa(int(s.Egid)) - ruser = strconv.Itoa(int(s.Ruid)) - rgroup = strconv.Itoa(int(s.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + var ip string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(s.Auid)) + euser = strconv.Itoa(int(s.Euid)) + egroup = strconv.Itoa(int(s.Egid)) + ruser = strconv.Itoa(int(s.Ruid)) + rgroup = strconv.Itoa(int(s.Rgid)) } else { - auser, _ = getUserName(s.Auid) - euser, _ = getUserName(s.Euid) - egroup, _ = getGroupName(s.Egid) - ruser, _ = getUserName(s.Ruid) - rgroup, _ = getGroupName(s.Rgid) + auser, _ = getUserName(s.Auid) + euser, _ = getUserName(s.Euid) + egroup, _ = getGroupName(s.Egid) + ruser, _ = getUserName(s.Ruid) + rgroup, _ = getGroupName(s.Rgid) } if s.Tid.IpVers == 0x04 { ip = PrintIpv4FromInt(s.Tid.Addr4) @@ -969,9 +1104,9 @@ func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) { ip = PrintIpv6FromInt(s.Tid.Addr6) } fmt.Fprintf(file, "subject_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, - delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, - s.Tid.Ttype, delimiter, ip) - + delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, + s.Tid.Ttype, delimiter, ip) + if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -981,14 +1116,14 @@ func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) { func NewProcess32Ex(p Process32Ex) *Process32Ex { return &Process32Ex{ - Auid: p.Auid, - Euid: p.Euid, - Egid: p.Egid, - Ruid: p.Ruid, - Rgid: p.Rgid, - Pid: p.Pid, - Sid: p.Sid, - Tid: p.Tid, + Auid: p.Auid, + Euid: p.Euid, + Egid: p.Egid, + Ruid: p.Ruid, + Rgid: p.Rgid, + Pid: p.Pid, + Sid: p.Sid, + Tid: p.Tid, } } @@ -999,64 +1134,86 @@ func (s *Process32Ex) GetType() uint8 { func (p *Process32Ex) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Tid.Port: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers: %v", err) + } if p.Tid.IpVers == 0x10 { err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6: %v", err) + } } else if p.Tid.IpVers == 0x04 { err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4: %v", err) + } } return nil } func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - var ip string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(p.Auid)) - euser = strconv.Itoa(int(p.Euid)) - egroup = strconv.Itoa(int(p.Egid)) - ruser = strconv.Itoa(int(p.Ruid)) - rgroup = strconv.Itoa(int(p.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + var ip string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(p.Auid)) + euser = strconv.Itoa(int(p.Euid)) + egroup = strconv.Itoa(int(p.Egid)) + ruser = strconv.Itoa(int(p.Ruid)) + rgroup = strconv.Itoa(int(p.Rgid)) } else { - auser, _ = getUserName(p.Auid) - euser, _ = getUserName(p.Euid) - egroup, _ = getGroupName(p.Egid) - ruser, _ = getUserName(p.Ruid) - rgroup, _ = getGroupName(p.Rgid) + auser, _ = getUserName(p.Auid) + euser, _ = getUserName(p.Euid) + egroup, _ = getGroupName(p.Egid) + ruser, _ = getUserName(p.Ruid) + rgroup, _ = getGroupName(p.Rgid) } - + if p.Tid.IpVers == 0x04 { ip = PrintIpv4FromInt(p.Tid.Addr4) } else { @@ -1064,9 +1221,9 @@ func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) { } fmt.Fprintf(file, "process_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, - delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, - p.Tid.Ttype, delimiter, ip) - + delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, + p.Tid.Ttype, delimiter, ip) + if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -1076,14 +1233,14 @@ func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) { func NewSubject64(s Subject64) *Subject64 { return &Subject64{ - Auid: s.Auid, - Euid: s.Euid, - Egid: s.Egid, - Ruid: s.Ruid, - Rgid: s.Rgid, - Pid: s.Pid, - Sid: s.Sid, - Tid: s.Tid, + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, } } @@ -1093,51 +1250,65 @@ func (s *Subject64) GetType() uint8 { func (s *Subject64) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Sibject64.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid) - if err != nil { return fmt.Errorf("Unable to read Subject64.Tid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64.Tid: %v", err) + } return nil } func (s *Subject64) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(s.Auid)) - euser = strconv.Itoa(int(s.Euid)) - egroup = strconv.Itoa(int(s.Egid)) - ruser = strconv.Itoa(int(s.Ruid)) - rgroup = strconv.Itoa(int(s.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(s.Auid)) + euser = strconv.Itoa(int(s.Euid)) + egroup = strconv.Itoa(int(s.Egid)) + ruser = strconv.Itoa(int(s.Ruid)) + rgroup = strconv.Itoa(int(s.Rgid)) } else { - auser, _ = getUserName(s.Auid) - euser, _ = getUserName(s.Euid) - egroup, _ = getGroupName(s.Egid) - ruser, _ = getUserName(s.Ruid) - rgroup, _ = getGroupName(s.Rgid) + auser, _ = getUserName(s.Auid) + euser, _ = getUserName(s.Euid) + egroup, _ = getGroupName(s.Egid) + ruser, _ = getUserName(s.Ruid) + rgroup, _ = getGroupName(s.Rgid) } fmt.Fprintf(file, "subject%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup, - delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, - delimiter, PrintIpv4FromInt(s.Tid.Addr)) + delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, + delimiter, PrintIpv4FromInt(s.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -1147,14 +1318,14 @@ func (s *Subject64) Print(file *os.File, delimiter string, flags int) { func NewProcess64(p Process64) *Process64 { return &Process64{ - Auid: p.Auid, - Euid: p.Euid, - Egid: p.Egid, - Ruid: p.Ruid, - Rgid: p.Rgid, - Pid: p.Pid, - Sid: p.Sid, - Tid: p.Tid, + Auid: p.Auid, + Euid: p.Euid, + Egid: p.Egid, + Ruid: p.Ruid, + Rgid: p.Rgid, + Pid: p.Pid, + Sid: p.Sid, + Tid: p.Tid, } } @@ -1164,51 +1335,65 @@ func (s *Process64) GetType() uint8 { func (p *Process64) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process64.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process64.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process64.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process64.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process64.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process64.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid) - if err != nil { return fmt.Errorf("Unable to read Process64.Tid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64.Tid: %v", err) + } return nil } func (p *Process64) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(p.Auid)) - euser = strconv.Itoa(int(p.Euid)) - egroup = strconv.Itoa(int(p.Egid)) - ruser = strconv.Itoa(int(p.Ruid)) - rgroup = strconv.Itoa(int(p.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(p.Auid)) + euser = strconv.Itoa(int(p.Euid)) + egroup = strconv.Itoa(int(p.Egid)) + ruser = strconv.Itoa(int(p.Ruid)) + rgroup = strconv.Itoa(int(p.Rgid)) } else { - auser, _ = getUserName(p.Auid) - euser, _ = getUserName(p.Euid) - egroup, _ = getGroupName(p.Egid) - ruser, _ = getUserName(p.Ruid) - rgroup, _ = getGroupName(p.Rgid) + auser, _ = getUserName(p.Auid) + euser, _ = getUserName(p.Euid) + egroup, _ = getGroupName(p.Egid) + ruser, _ = getUserName(p.Ruid) + rgroup, _ = getGroupName(p.Rgid) } fmt.Fprintf(file, "process%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, delimiter, egroup, - delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, - delimiter, PrintIpv4FromInt(p.Tid.Addr)) + delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, + delimiter, PrintIpv4FromInt(p.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -1218,14 +1403,14 @@ func (p *Process64) Print(file *os.File, delimiter string, flags int) { func NewSubject64Ex(s Subject64Ex) *Subject64Ex { return &Subject64Ex{ - Auid: s.Auid, - Euid: s.Euid, - Egid: s.Egid, - Ruid: s.Ruid, - Rgid: s.Rgid, - Pid: s.Pid, - Sid: s.Sid, - Tid: s.Tid, + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, } } @@ -1235,73 +1420,95 @@ func (s *Subject64Ex) GetType() uint8 { func (s *Subject64Ex) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &s.Auid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Euid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Egid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Ruid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Rgid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Sid) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Tid.Port: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers: %v", err) + } - if s.Tid.IpVers == 0x10 { + if s.Tid.IpVers == ISIPV6 { err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6: %v", err) } - } else if s.Tid.IpVers == 0x04 { + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6: %v", err) + } + } else if s.Tid.IpVers == ISIPV4 { err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4: %v", err) + } } return nil } func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - var ip string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(s.Auid)) - euser = strconv.Itoa(int(s.Euid)) - egroup = strconv.Itoa(int(s.Egid)) - ruser = strconv.Itoa(int(s.Ruid)) - rgroup = strconv.Itoa(int(s.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + var ip string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(s.Auid)) + euser = strconv.Itoa(int(s.Euid)) + egroup = strconv.Itoa(int(s.Egid)) + ruser = strconv.Itoa(int(s.Ruid)) + rgroup = strconv.Itoa(int(s.Rgid)) } else { - auser, _ = getUserName(s.Auid) - euser, _ = getUserName(s.Euid) - egroup, _ = getGroupName(s.Egid) - ruser, _ = getUserName(s.Ruid) - rgroup, _ = getGroupName(s.Rgid) + auser, _ = getUserName(s.Auid) + euser, _ = getUserName(s.Euid) + egroup, _ = getGroupName(s.Egid) + ruser, _ = getUserName(s.Ruid) + rgroup, _ = getGroupName(s.Rgid) } - if s.Tid.IpVers == 0x04 { + if s.Tid.IpVers == ISIPV4 { ip = PrintIpv4FromInt(s.Tid.Addr4) } else { ip = PrintIpv6FromInt(s.Tid.Addr6) } fmt.Fprintf(file, "subject_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, - delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, - s.Tid.Ttype, delimiter, ip) - + delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, + s.Tid.Ttype, delimiter, ip) + if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -1311,14 +1518,14 @@ func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) { func NewProcess64Ex(p Process64Ex) *Process64Ex { return &Process64Ex{ - Auid: p.Auid, - Euid: p.Euid, - Egid: p.Egid, - Ruid: p.Ruid, - Rgid: p.Rgid, - Pid: p.Pid, - Sid: p.Sid, - Tid: p.Tid, + Auid: p.Auid, + Euid: p.Euid, + Egid: p.Egid, + Ruid: p.Ruid, + Rgid: p.Rgid, + Pid: p.Pid, + Sid: p.Sid, + Tid: p.Tid, } } @@ -1328,62 +1535,84 @@ func (p *Process64Ex) GetType() uint8 { func (p *Process64Ex) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &p.Auid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Auid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Euid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Euid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Egid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Egid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Ruid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Ruid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Rgid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Rgid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Sid) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Sid: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Tid.Port: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers: %v", err) + } if p.Tid.IpVers == 0x10 { err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6: %v", err) + } } else if p.Tid.IpVers == 0x04 { err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4) - if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4: %v", err) + } } return nil } func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) { - var auser string - var euser string - var egroup string - var ruser string - var rgroup string - var ip string - if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER { - auser = strconv.Itoa(int(p.Auid)) - euser = strconv.Itoa(int(p.Euid)) - egroup = strconv.Itoa(int(p.Egid)) - ruser = strconv.Itoa(int(p.Ruid)) - rgroup = strconv.Itoa(int(p.Rgid)) + var auser string + var euser string + var egroup string + var ruser string + var rgroup string + var ip string + if PRT_NORESOLVE_USER == flags&PRT_NORESOLVE_USER { + auser = strconv.Itoa(int(p.Auid)) + euser = strconv.Itoa(int(p.Euid)) + egroup = strconv.Itoa(int(p.Egid)) + ruser = strconv.Itoa(int(p.Ruid)) + rgroup = strconv.Itoa(int(p.Rgid)) } else { - auser, _ = getUserName(p.Auid) - euser, _ = getUserName(p.Euid) - egroup, _ = getGroupName(p.Egid) - ruser, _ = getUserName(p.Ruid) - rgroup, _ = getGroupName(p.Rgid) + auser, _ = getUserName(p.Auid) + euser, _ = getUserName(p.Euid) + egroup, _ = getGroupName(p.Egid) + ruser, _ = getUserName(p.Ruid) + rgroup, _ = getGroupName(p.Rgid) } if p.Tid.IpVers == 0x04 { ip = PrintIpv4FromInt(p.Tid.Addr4) @@ -1392,9 +1621,9 @@ func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) { } fmt.Fprintf(file, "process_ex%s%s%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, auser, delimiter, euser, - delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, - p.Tid.Ttype, delimiter, ip) - + delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, + p.Tid.Ttype, delimiter, ip) + if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { @@ -1404,8 +1633,8 @@ func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) { func NewReturn32(r Return32) *Return32 { return &Return32{ - Status: r.Status, - Ret: r.Ret, + Status: r.Status, + Ret: r.Ret, } } @@ -1415,27 +1644,36 @@ func (r *Return32) GetType() uint8 { func (r *Return32) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &r.Status) - if err != nil { return fmt.Errorf("Unable to read Return32.Status: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Return32.Status: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &r.Ret) - if err != nil { return fmt.Errorf("Unable to read Return32.Ret: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Return32.Ret: %v", err) + } return nil } func (r *Return32) Print(file *os.File, delimiter string, flags int) { - fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret) - if 0 == (flags & PRT_ONELINE) { - fmt.Fprintf(file, "\n") + errNo, err := lookupErrno(r.Status) + if err == nil { + fmt.Fprintf(file, "return%s%s%s%v", delimiter, errNo.StrError, delimiter, r.Ret) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } else { + fmt.Fprintf(file, "%s", delimiter) + } } else { - fmt.Fprintf(file, "%s", delimiter) + fmt.Fprintf(file, "return%sgodit error: error code not found(%v)%s%s%v", delimiter, r.Status, delimiter, r.Ret) } } func NewReturn64(r Return64) *Return64 { return &Return64{ - Status: r.Status, - Ret: r.Ret, + Status: r.Status, + Ret: r.Ret, } } @@ -1445,10 +1683,14 @@ func (r *Return64) GetType() uint8 { func (r *Return64) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &r.Status) - if err != nil { return fmt.Errorf("Unable to read Return64.Status: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Return64.Status: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &r.Ret) - if err != nil { return fmt.Errorf("Unable to read Return64.Ret: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Return64.Ret: %v", err) + } return nil } @@ -1464,8 +1706,8 @@ func (r *Return64) Print(file *os.File, delimiter string, flags int) { func NewTrailer(t Trailer) *Trailer { return &Trailer{ - Magic: t.Magic, - Count: t.Count, + Magic: t.Magic, + Count: t.Count, } } @@ -1475,26 +1717,30 @@ func (t *Trailer) GetType() uint8 { func (t *Trailer) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &t.Magic) - if err != nil { return fmt.Errorf("Unable to read Trailer.Magic: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Trailer.Magic: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &t.Count) - if err != nil { return fmt.Errorf("Unable to read Trailer.Count: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Trailer.Count: %v", err) + } return nil } func (t *Trailer) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "trailer%s%v", delimiter, t.Count) -// The trailer close the record print, whatever the oneLine flag value + // The trailer close the record print, whatever the oneLine flag value fmt.Fprintf(file, "\n") } func NewArg32(a Arg32) *Arg32 { return &Arg32{ - No: a.No, - Val: a.Val, - Length: a.Length, - Text: a.Text, + No: a.No, + Val: a.Val, + Length: a.Length, + Text: a.Text, } } @@ -1504,13 +1750,19 @@ func (a *Arg32) GetType() uint8 { func (a *Arg32) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &a.No) - if err != nil { return fmt.Errorf("Unable to read Arg32.No: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Arg32.No: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Val) - if err != nil { return fmt.Errorf("Unable to read Arg32.Val: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Arg32.Val: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Length) - if err != nil { return fmt.Errorf("Unable to read Arg32.Length: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Arg32.Length: %v", err) + } // Search for null terminating byte arg, err := rdr.ReadBytes((byte)(0x00)) @@ -1533,10 +1785,10 @@ func (a *Arg32) Print(file *os.File, delimiter string, flags int) { func NewArg64(a Arg64) *Arg64 { return &Arg64{ - No: a.No, - Val: a.Val, - Length: a.Length, - Text: a.Text, + No: a.No, + Val: a.Val, + Length: a.Length, + Text: a.Text, } } @@ -1546,13 +1798,19 @@ func (a *Arg64) GetType() uint8 { func (a *Arg64) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &a.No) - if err != nil { return fmt.Errorf("Unable to read Arg64.No: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Arg64.No: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Val) - if err != nil { return fmt.Errorf("Unable to read Arg64.Val: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Arg64.Val: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &a.Length) - if err != nil { return fmt.Errorf("Unable to read Arg64.Length: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Arg64.Length: %v", err) + } // Search for null terminating byte arg, err := rdr.ReadBytes((byte)(0x00)) @@ -1573,10 +1831,220 @@ func (a *Arg64) Print(file *os.File, delimiter string, flags int) { } } +func NewSocketEx(s SocketEx) *SocketEx { + return &SocketEx{ + Domain: s.Domain, + SockType: s.SockType, + AddrType: s.AddrType, + LocalPort: s.LocalPort, + LocalAddr4: s.LocalAddr4, + LocalAddr6: s.LocalAddr6, + RemotePort: s.RemotePort, + RemoteAddr4: s.RemoteAddr4, + RemoteAddr6: s.RemoteAddr6, + } +} + +func (s *SocketEx) GetType() uint8 { + return AUT_SOCKET_EX +} + +func (s *SocketEx) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Domain) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.Domain: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.SockType) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.SockType: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.AddrType) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.AddrType: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.LocalPort) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.LocalPort: %v", err) + } + + if s.AddrType == ISIPV4 { + err = binary.Read(rdr, binary.BigEndian, &s.LocalAddr4) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.LocalAddr4: %v", err) + } + } else if s.AddrType == ISIPV6 { + err = binary.Read(rdr, binary.BigEndian, &s.LocalAddr6) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.LocalAddr6: %v", err) + } + } + + err = binary.Read(rdr, binary.BigEndian, &s.RemotePort) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.RemotePort: %v", err) + } + + if s.AddrType == ISIPV4 { + err = binary.Read(rdr, binary.BigEndian, &s.RemoteAddr4) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.RemoteAddr4: %v", err) + } + } else if s.AddrType == ISIPV6 { + err = binary.Read(rdr, binary.BigEndian, &s.RemoteAddr6) + if err != nil { + return fmt.Errorf("Unable to read SocketEx.RemoteAddr6: %v", err) + } + } else { + // TODO: Invalid packet + } + + return nil +} + +func (s *SocketEx) Print(file *os.File, delimiter string, flags int) { + var lip string + var rip string + if s.AddrType == ISIPV4 { + lip = PrintIpv4FromInt(s.LocalAddr4) + rip = PrintIpv4FromInt(s.RemoteAddr4) + } else if s.AddrType == ISIPV6 { + lip = PrintIpv6FromInt(s.LocalAddr6) + rip = PrintIpv6FromInt(s.RemoteAddr6) + } else { + // TODO : Handle error + } + fmt.Fprintf(file, "socket%s%v%s%v%s%v%s%s%s%v%s%s", delimiter, s.Domain, delimiter, s.SockType, delimiter, s.LocalPort, delimiter, + lip, delimiter, s.RemotePort, delimiter, rip) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } else { + fmt.Fprintf(file, "%s", delimiter) + } +} + +func NewSockInet32(s SockInet32) *SockInet32 { + return &SockInet32{ + Family: s.Family, + Lport: s.Lport, + Addr4: s.Addr4, + } +} + +func (s *SockInet32) GetType() uint8 { + return AUT_SOCKINET32 +} + +func (s *SockInet32) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Family) + if err != nil { + return fmt.Errorf("Unable to read SockInet32.Family: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.Lport) + if err != nil { + return fmt.Errorf("Unable to read SockInet32.Lport: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.Addr4) + if err != nil { + return fmt.Errorf("Unable to read SockInet32.Addr4: %v", err) + } + + return nil +} + +func (s *SockInet32) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "socket-inet%s%v%s%v%s%s", delimiter, s.Family, delimiter, s.Lport, delimiter, PrintIpv4FromInt(s.Addr4)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } else { + fmt.Fprintf(file, "%s", delimiter) + } +} + +func NewSockInet128(s SockInet128) *SockInet128 { + return &SockInet128{ + Family: s.Family, + Lport: s.Lport, + Addr6: s.Addr6, + } +} + +func (s *SockInet128) GetType() uint8 { + return AUT_SOCKINET128 +} + +func (s *SockInet128) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Family) + if err != nil { + return fmt.Errorf("Unable to read SockInet128.Family: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.Lport) + if err != nil { + return fmt.Errorf("Unable to read SockInet128.Lport: %v", err) + } + + err = binary.Read(rdr, binary.BigEndian, &s.Addr6) + if err != nil { + return fmt.Errorf("Unable to read SockInet128.Addr6: %v", err) + } + + return nil +} + +func (s *SockInet128) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "socket-inet6%s%v%s%v%s%s", delimiter, s.Family, delimiter, s.Lport, delimiter, PrintIpv6FromInt(s.Addr6)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } else { + fmt.Fprintf(file, "%s", delimiter) + } +} + +func NewSockUnix(s SockUnix) *SockUnix { + return &SockUnix{ + Family: s.Family, + Path: s.Path, + } +} + +func (s *SockUnix) GetType() uint8 { + return AUT_SOCKUNIX +} + +func (s *SockUnix) LoadFromBinary(rdr *bufio.Reader) error { + err := binary.Read(rdr, binary.BigEndian, &s.Family) + if err != nil { + return fmt.Errorf("Unable to read SockUnix.Family: %v", err) + } + + // Search for null terminating byte + arg, err := rdr.ReadBytes((byte)(0x00)) + if err != nil { + return fmt.Errorf("Error searching for null terminated SockUnix.Path: %v", err) + } + s.Path = arg[:len(arg)-1] + + return nil +} + +func (s *SockUnix) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "socket-unix%s%v%s%s", delimiter, s.Family, delimiter, string(s.Path)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } else { + fmt.Fprintf(file, "%s", delimiter) + } +} + func NewExit(e Exit) *Exit { return &Exit{ - Status: e.Status, - Ret: e.Ret, + Status: e.Status, + Ret: e.Ret, } } @@ -1586,10 +2054,14 @@ func (e *Exit) GetType() uint8 { func (e *Exit) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &e.Status) - if err != nil { return fmt.Errorf("Unable to read Exit.Status: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Exit.Status: %v", err) + } err = binary.Read(rdr, binary.BigEndian, &e.Ret) - if err != nil { return fmt.Errorf("Unable to read Exit.Ret: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Exit.Ret: %v", err) + } return nil } @@ -1605,8 +2077,8 @@ func (e *Exit) Print(file *os.File, delimiter string, flags int) { func NewText(t Text) *Text { return &Text{ - Length: t.Length, - Text: t.Text, + Length: t.Length, + Text: t.Text, } } @@ -1616,12 +2088,15 @@ func (t *Text) GetType() uint8 { func (t *Text) LoadFromBinary(rdr *bufio.Reader) error { err := binary.Read(rdr, binary.BigEndian, &t.Length) - if err != nil { return fmt.Errorf("Unable to read Text.Length: %v", err) } - + if err != nil { + return fmt.Errorf("Unable to read Text.Length: %v", err) + } text := make([]byte, t.Length) err = binary.Read(rdr, binary.BigEndian, &text) - if err != nil { return fmt.Errorf("Unable to read Text.Text: %v", err) } + if err != nil { + return fmt.Errorf("Unable to read Text.Text: %v", err) + } t.Text = text[:len(text)-1] return nil @@ -1648,99 +2123,160 @@ func readRecordToStruct(reader *bufio.Reader) (Record, error) { return rec, err } - switch (int8)(hdr[0]) { - case AUT_HEADER32: - var h Header32 - err := h.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewHeader32(h), nil - case AUT_EXEC_ARGS: - var e ExecArg - err := e.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewExecArg(e), nil - case AUT_PATH: - var p Path - err := p.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewPath(p), nil - case AUT_ATTR32: - var a Attribute32 - err := a.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewAttribute32(a), nil - case AUT_ATTR64: - var a Attribute64 - err := a.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewAttribute64(a), nil - case AUT_SUBJECT32: - var s Subject32 - err := s.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewSubject32(s), nil - case AUT_SUBJECT32_EX: - var s Subject32Ex - err := s.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewSubject32Ex(s), nil - case AUT_RETURN32: - var r Return32 - err := r.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewReturn32(r), nil - case AUT_TRAILER: - var t Trailer - err := t.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewTrailer(t), nil - case AUT_ARG32: - var a Arg32 - err := a.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewArg32(a), nil - case AUT_ARG64: - var a Arg64 - err := a.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewArg64(a), nil - case AUT_EXIT: - var e Exit - err := e.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewExit(e), nil - case AUT_PROCESS32: - var p Process32 - err := p.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewProcess32(p), nil - case AUT_PROCESS32_EX: - var p Process32Ex - err := p.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewProcess32Ex(p), nil - case AUT_PROCESS64: - var p Process64 - err := p.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewProcess64(p), nil - case AUT_PROCESS64_EX: - var p Process64Ex - err := p.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewProcess64Ex(p), nil - case AUT_TEXT: - var t Text - err := t.LoadFromBinary(reader) - if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) } - return NewText(t), nil + switch (uint8)(hdr[0]) { + case AUT_HEADER32: + var h Header32 + err := h.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewHeader32(h), nil + case AUT_EXEC_ARGS: + var e ExecArg + err := e.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewExecArg(e), nil + case AUT_PATH: + var p Path + err := p.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewPath(p), nil + case AUT_ATTR32: + var a Attribute32 + err := a.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewAttribute32(a), nil + case AUT_ATTR64: + var a Attribute64 + err := a.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewAttribute64(a), nil + case AUT_SUBJECT32: + var s Subject32 + err := s.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewSubject32(s), nil + case AUT_SUBJECT32_EX: + var s Subject32Ex + err := s.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewSubject32Ex(s), nil + case AUT_RETURN32: + var r Return32 + err := r.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewReturn32(r), nil + case AUT_TRAILER: + var t Trailer + err := t.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewTrailer(t), nil + case AUT_ARG32: + var a Arg32 + err := a.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewArg32(a), nil + case AUT_ARG64: + var a Arg64 + err := a.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewArg64(a), nil + case AUT_EXIT: + var e Exit + err := e.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewExit(e), nil + case AUT_PROCESS32: + var p Process32 + err := p.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewProcess32(p), nil + case AUT_PROCESS32_EX: + var p Process32Ex + err := p.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewProcess32Ex(p), nil + case AUT_PROCESS64: + var p Process64 + err := p.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewProcess64(p), nil + case AUT_PROCESS64_EX: + var p Process64Ex + err := p.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewProcess64Ex(p), nil + case AUT_TEXT: + var t Text + err := t.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewText(t), nil + case AUT_SOCKET_EX: + var s SocketEx + err := s.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewSocketEx(s), nil + case AUT_SOCKINET32: + var s SockInet32 + err := s.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewSockInet32(s), nil + case AUT_SOCKINET128: + var s SockInet128 + err := s.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewSockInet128(s), nil + case AUT_SOCKUNIX: + var s SockUnix + err := s.LoadFromBinary(reader) + if err != nil { + return rec, fmt.Errorf("Unable to read: %v", err) + } + return NewSockUnix(s), nil } return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0]) } - -/* Implementation of +/* Implementation of int au_read_rec(FILE *fp, u_char **buf) source: https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/libbsm/bsm_io.c @@ -1757,96 +2293,94 @@ func readRecord(file *os.File) ([]byte, error) { //switch hdr.(int8) { switch (int8)(hdr[0]) { - case AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, AUT_HEADER64_EX: - err := binary.Read(file, binary.BigEndian, &recSize) - if err != nil { - return hdr, fmt.Errorf("Unable to read file") - } + case AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, AUT_HEADER64_EX: + err := binary.Read(file, binary.BigEndian, &recSize) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } - /* Check for recsize sanity: We already read 32 bits + 8 bits */ - if recSize < (4 + 1) { - return hdr, fmt.Errorf("Record size is corrupted: %d", recSize) - } + /* Check for recsize sanity: We already read 32 bits + 8 bits */ + if recSize < (4 + 1) { + return hdr, fmt.Errorf("Record size is corrupted: %d", recSize) + } - /* store the token contents already read, back to the buffer*/ - data := make([]byte, 0) - buf = bytes.NewBuffer(data) - err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate header to data") - } - err = binary.Write(buf, binary.BigEndian, recSize) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate recordsize to existing data") - } + /* store the token contents already read, back to the buffer*/ + data := make([]byte, 0) + buf = bytes.NewBuffer(data) + err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate header to data") + } + err = binary.Write(buf, binary.BigEndian, recSize) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate recordsize to existing data") + } - /* now read remaining record bytes */ - remainSize := recSize - (4 + 1) - remain := make([]byte, remainSize) - n, err = file.Read(remain) - if err != nil || (int32)(n) < remainSize { - return hdr, fmt.Errorf("Unable to read data from file") - } - n, err = buf.Write(remain) - if err != nil { - return hdr, fmt.Errorf("Unable to write data to buffer") - } + /* now read remaining record bytes */ + remainSize := recSize - (4 + 1) + remain := make([]byte, remainSize) + n, err = file.Read(remain) + if err != nil || (int32)(n) < remainSize { + return hdr, fmt.Errorf("Unable to read data from file") + } + n, err = buf.Write(remain) + if err != nil { + return hdr, fmt.Errorf("Unable to write data to buffer") + } - case AUT_OTHER_FILE32: - var sec int32 - var msec int32 - var filenamelen int16 + case AUT_OTHER_FILE32: + var sec int32 + var msec int32 + var filenamelen int16 - err := binary.Read(file, binary.BigEndian, &sec) - if err != nil { - return hdr, fmt.Errorf("Unable to read file") - } - err = binary.Read(file, binary.BigEndian, &msec) - if err != nil { - return hdr, fmt.Errorf("Unable to read file") - } - err = binary.Read(file, binary.BigEndian, &filenamelen) - if err != nil { - return hdr, fmt.Errorf("Unable to read file") - } - - recSize = 1 + 4 + 4 + 2 + int32(filenamelen) - data := make([]byte, 0) - buf = bytes.NewBuffer(data) + err := binary.Read(file, binary.BigEndian, &sec) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } + err = binary.Read(file, binary.BigEndian, &msec) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } + err = binary.Read(file, binary.BigEndian, &filenamelen) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } - /* store the token contents already read, back to the buffer*/ - err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate header to data") - } - err = binary.Write(buf, binary.BigEndian, sec) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate sec to data") - } - err = binary.Write(buf, binary.BigEndian, msec) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate msec to data") - } - err = binary.Write(buf, binary.BigEndian, filenamelen) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate filenamelen to data") - } - - filename := make([]byte, filenamelen) - n, err = file.Read(filename) - if err != nil || n < int(filenamelen) { - return hdr, fmt.Errorf("Unable to read filename from file") - } - n, err = buf.Write(filename) - if err != nil { - return hdr, fmt.Errorf("Unable to concatenate filename to buffer") - } - - default: - return hdr, fmt.Errorf("Record type not implemented: %v", hdr) + recSize = 1 + 4 + 4 + 2 + int32(filenamelen) + data := make([]byte, 0) + buf = bytes.NewBuffer(data) + + /* store the token contents already read, back to the buffer*/ + err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate header to data") + } + err = binary.Write(buf, binary.BigEndian, sec) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate sec to data") + } + err = binary.Write(buf, binary.BigEndian, msec) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate msec to data") + } + err = binary.Write(buf, binary.BigEndian, filenamelen) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate filenamelen to data") + } + + filename := make([]byte, filenamelen) + n, err = file.Read(filename) + if err != nil || n < int(filenamelen) { + return hdr, fmt.Errorf("Unable to read filename from file") + } + n, err = buf.Write(filename) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate filename to buffer") + } + + default: + return hdr, fmt.Errorf("Record type not implemented: %v", hdr) } return buf.Bytes(), nil } - -