From 65afab1eec2274495c167ae351dae45bf9e3aa36 Mon Sep 17 00:00:00 2001 From: yo Date: Tue, 17 Jan 2023 11:17:01 +0100 Subject: [PATCH 1/2] WIP: json output option --- libbsm.go | 238 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 139 insertions(+), 99 deletions(-) diff --git a/libbsm.go b/libbsm.go index 5e1376f..42ac5e8 100644 --- a/libbsm.go +++ b/libbsm.go @@ -114,9 +114,11 @@ const ( // Display control - PRT_ONELINE = 1 - PRT_NORESOLVE_USER = 2 - PRT_TIMESTAMP = 4 + PRT_ONELINE = 1 + PRT_NORESOLVE_USER = 2 + PRT_TIMESTAMP = 4 + PRT_JSON = 8 + PRT_JSON_PRETTY = 16 ) var ( @@ -148,60 +150,60 @@ type Record interface { } type Header32 struct { - Size uint32 // Record byte count - Version uint8 // version # (uchar) - E_type uint16 // Event type - E_mod uint16 // Event modifier - S uint32 // Seconds of time - Msec uint32 // Milliseconds of time + Size uint32 `json:"size"` // Record byte count + Version uint8 `json:"version"` // version # (uchar) + E_type uint16 `json:"event_type"` // Event type + E_mod uint16 `json:"event_modifier"` // Event modifier + S uint32 `json:"timestamp"` // Seconds of time + Msec uint32 `json:"msec"` // Milliseconds of time } type Header32Ex struct { - Size uint32 // Record byte count - Version uint8 // version # (uchar) - E_type uint16 // Event type - E_mod uint16 // Event modifier - Ad_type uint32 // Address type/Length - Addr [4]uint32 // Ipv4 or IPv6 - S uint32 // Seconds of time - Msec uint32 // Milliseconds of time + Size uint32 `json:"size"` // Record byte count + Version uint8 `json:"version"` // version # (uchar) + E_type uint16 `json:"event_type"` // Event type + E_mod uint16 `json:"event_modifier"` // Event modifier + Ad_type uint32 `json:"address_type"` // Address type/Length + Addr [4]uint32 `json:"address"` // Ipv4 or IPv6 + S uint32 `json:"timestamp"` // Seconds of time + Msec uint32 `json:"msec"` // Milliseconds of time } type Trailer struct { - Magic uint16 - Count uint32 + Magic uint16 `json:"magic"` + Count uint32 `json:"size"` } type Arg32 struct { - No byte // Argument # - Val uint32 // Argument value - Length uint16 // Text length - Text []byte // Text + No byte `json:"count"` // Argument # + Val uint32 `json:"value"` // Argument value + Length uint16 `json:"lentgh"` // Text length + Text []byte `json:"text"` // Text } type Arg64 struct { - No byte // Argument # - Val uint64 // Argument value - Length uint16 // Text length - Text []byte // Text + No byte `json:"count"` // Argument # + Val uint64 `json:"value"` // Argument value + Length uint16 `json:"lentgh"` // Text length + Text []byte `json:"text"` // Text } type Attribute32 struct { - Mode uint32 // file access mode - Uid uint32 // Owner user ID - Gid uint32 // Owner group ID - Fsid uint32 // File system ID - Nid uint64 // Node ID - Dev uint32 // Device + Mode uint32 `json:"mode"` // file access mode + Uid uint32 `json:"user_id"` // Owner user ID + Gid uint32 `json:"group_id"` // Owner group ID + Fsid uint32 `json:"filesystem_id"` // File system ID + Nid uint64 `json:"node_id"` // Node ID + Dev uint32 `json:"device"` // Device } type Attribute64 struct { - Mode uint32 // file access mode - Uid uint32 // Owner user ID - Gid uint32 // Owner group ID - Fsid uint32 // File system ID - Nid uint64 // Node ID - Dev uint64 // Device + Mode uint32 `json:"mode"` // file access mode + Uid uint32 `json:"user_id"` // Owner user ID + Gid uint32 `json:"group_id"` // Owner group ID + Fsid uint32 `json:"filesystem_id"` // File system ID + Nid uint64 `json:"node_id"` // Node ID + Dev uint64 `json:"device"` // Device } /* @@ -209,114 +211,114 @@ type Attribute64 struct { * text count null-terminated string(s) */ type ExecArg struct { - Count uint32 + Count uint32 `json:"count"` //Text [AUDIT_MAX_ARGS][]byte - Text [][]byte + Text [][]byte `json:"text"` } type Path struct { - Length uint16 // path length - Path []byte + Length uint16 `json:"length"` // path length + Path []byte `json:"path"` } type Return32 struct { - Status byte // Error status - Ret uint32 // Return code + Status byte `json:"status"` // Error status + Ret uint32 `json:"code"` // Return code } type Return64 struct { - Status byte // Error status - Ret uint64 // Return code + Status byte `json:"status"` // Error status + Ret uint64 `json:"code"` // Return code } type Subject32 struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid32 + Auid uint32 `json:"audit_id"` // Audit ID + Euid uint32 `json:"effective_user_id"` // Effective user ID + Egid uint32 `json:"effective_group_id"` // Effective Group ID + Ruid uint32 `json:"real_user_id"` // Real User ID + Rgid uint32 `json:"real_group_id"` // Real Group ID + Pid uint32 `json:"process_id"` // Process ID + Sid uint32 `json:"session_id"` // Session ID + Tid Tid32 `json:"terminal_id"` } type Process32 Subject32 type Subject32Ex struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid32Ex + Auid uint32 `json:"audit_id"` // Audit ID + Euid uint32 `json:"effective_user_id"` // Effective user ID + Egid uint32 `json:"effective_group_id"` // Effective Group ID + Ruid uint32 `json:"real_user_id"` // Real User ID + Rgid uint32 `json:"real_group_id"` // Real Group ID + Pid uint32 `json:"process_id"` // Process ID + Sid uint32 `json:"session_id"` // Session ID + Tid Tid32Ex `json:"terminal_id_ex"` } type Process32Ex Subject32Ex type Tid32 struct { - Port uint32 - IpVers uint32 // 0x10 = IPv6 - Addr uint32 + Port uint32 `json:"port"` + IpVers uint32 `json:"ip_version"` // 0x10 = IPv6 + Addr uint32 `json:"ip"` } type Tid32Ex struct { - Port uint32 - Ttype uint32 - IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 - Addr4 uint32 // 4 bytes long if IpVers == 0x04 - Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10 + Port uint32 `json:"port"` + Ttype uint32 `json:"terminal_type"` + IpVers uint32 `json:"ip_version"` // 0x10 = IPv6, 0x04 = IPv4 + Addr4 uint32 `json:"ip4"` // 4 bytes long if IpVers == 0x04 + Addr6 [4]uint32 `json:"ip6"` // 4x4 bytes long if IpVers == 0x10 } type Subject64 struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid64 + Auid uint32 `json:"audit_id"` // Audit ID + Euid uint32 `json:"effective_user_id"` // Effective user ID + Egid uint32 `json:"effective_group_id"` // Effective Group ID + Ruid uint32 `json:"real_user_id"` // Real User ID + Rgid uint32 `json:"real_group_id"` // Real Group ID + Pid uint32 `json:"process_id"` // Process ID + Sid uint32 `json:"session_id"` // Session ID + Tid Tid64 `json:"terminal_id"` } type Process64 Subject64 type Subject64Ex struct { - Auid uint32 // Audit ID - Euid uint32 // Effective user ID - Egid uint32 // Effective Group ID - Ruid uint32 // Real User ID - Rgid uint32 // Real Group ID - Pid uint32 // Process ID - Sid uint32 // Session ID - Tid Tid64Ex + Auid uint32 `json:"audit_id"` // Audit ID + Euid uint32 `json:"effective_user_id"` // Effective user ID + Egid uint32 `json:"effective_group_id"` // Effective Group ID + Ruid uint32 `json:"real_user_id"` // Real User ID + Rgid uint32 `json:"real_group_id"` // Real Group ID + Pid uint32 `json:"process_id"` // Process ID + Sid uint32 `json:"session_id"` // Session ID + Tid Tid64Ex `json:"terminal_id_ex"` } type Process64Ex Subject64Ex type Tid64 struct { - Port uint64 - IpVers uint32 - Addr uint32 + Port uint64 `json:"port"` + IpVers uint32 `json:"ip_version"` + Addr uint32 `json:"ip"` } type Tid64Ex struct { - Port uint64 - Ttype uint32 - IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 - Addr4 uint32 - Addr6 [4]uint32 + Port uint64 `json:"port"` + Ttype uint32 `json:"terminal_type"` + IpVers uint32 `json:"ip_version"` // 0x10 = IPv6, 0x04 = IPv4 + Addr4 uint32 `json:"ip4"` + Addr6 [4]uint32 `json:"ip6"` } type Exit struct { - Status uint32 - Ret uint32 + Status uint32 `json:"status"` + Ret uint32 `json:"code"` } type Text struct { - Length uint16 - Text []byte + Length uint16 `json:"length"` + Text []byte `json:"text"` } @@ -533,6 +535,44 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) { } } +func (h *Header32) PrintJson(file *os.File, flags int) { + var timeval string + if PRT_TIMESTAMP == flags & PRT_TIMESTAMP { + timeval = strconv.Itoa(int(h.S)) + } else { + t := time.Unix((int64)(h.S), 0) + timeval = t.Format(time.UnixDate) + } + // We dont care for error + evdesc, _ := getEventName(h.E_type) + /*fmt.Fprintf(file, "header%s%d%s%d%s%s%s%v%s%s%s%d", delimiter, h.Size, delimiter, h.Version, delimiter, + //h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) + evdesc, delimiter, h.E_mod, delimiter, timeval, delimiter, h.Msec)*/ + + +/* +type Header32 struct { + Size uint32 `json:"size"` // Record byte count + Version uint8 `json:"version"` // version # (uchar) + E_type uint16 `json:"event_type"` // Event type + E_mod uint16 `json:"event_modifier"` // Event modifier + S uint32 `json:"timestamp"` // Seconds of time + Msec uint32 `json:"msec"` // Milliseconds of time +} +*/ + + // 1. convert to json + json := fmt.Sprintf("\"size\":%d,\"version\":%d,\"event_type\":\"%s\",event_modifier\":\"%s\",\"timestamp\":%d,\"msec\":%d,", + h.Size, h.Version, evdesc, h.E_mod, h.S, h.Msec) + // 2. Prettify if flag is set + + if flags == (flags & PRT_JSON_PRETTY) { + fmt.Fprintf(file, "NOT IMPLEMENTED\n") + } else { + fmt.Fprintf(file, "%s", json) + } +} + func NewExecArg(e ExecArg) *ExecArg { return &ExecArg{ Count: e.Count, From 9eb1d557b6595239d3f93a5b9327da8ad221dafb Mon Sep 17 00:00:00 2001 From: yo Date: Wed, 6 Sep 2023 21:19:32 +0200 Subject: [PATCH 2/2] json support --- main.go | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/main.go b/main.go index 65a54e0..d79c62f 100644 --- a/main.go +++ b/main.go @@ -1,5 +1,7 @@ // Copyright 2021, johan@nosd.in +//go:build freebsd // +build freebsd + // // godit is a search tool for BSM audit trails used by FreeBSD auditd // @@ -31,27 +33,27 @@ import ( ) const ( - version = "0.5.1" + version = "5.9.9a" ) var ( - randFlag bool - showVersion bool + randFlag bool + showVersion bool // Default delimiter - delimiter = "," + delimiter = "," ) - func main() { var flags int var oneLine bool var noUserResolve bool var timestamp bool + var json bool pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line.") pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms.") - pflag.BoolVarP(×tamp, "timestamp", "t", false, "Print unix timestamp instead of formatted date/time.") + pflag.BoolVarP(&json, "json", "j", false, "Print compact json") pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit") pflag.Parse() @@ -60,26 +62,22 @@ func main() { fmt.Printf("Godit v%s\n", version) return } - if oneLine { flags = flags + PRT_ONELINE } - if noUserResolve { flags = flags + PRT_NORESOLVE_USER } - if timestamp { flags = flags + PRT_TIMESTAMP } + if json { + flags |= PRT_JSON + } args := os.Args filename := args[len(args)-1] - -/* fmt.Printf("Args: %s\n", args) - fmt.Printf("Filename: %s\n", filename) -*/ - + var f *os.File var r *bufio.Reader var err error @@ -102,7 +100,7 @@ func main() { if err != nil { if err != io.EOF { fmt.Printf("Erreur : %v\n", err) - } else { // v.0.4.2 : Continue on error + } else { // v.0.4.2 : Continue on error return } } @@ -110,5 +108,3 @@ func main() { } } } - -