From 92ba4e4ca6045896361b1e6d9100692ef5d5662f Mon Sep 17 00:00:00 2001 From: yo Date: Thu, 6 Jan 2022 17:29:16 +0100 Subject: [PATCH] Resolve event name --- libbsm.go | 65 ++++++++++++++++++++++++++++++++++++++--- main.go | 86 ++++++------------------------------------------------- 2 files changed, 70 insertions(+), 81 deletions(-) diff --git a/libbsm.go b/libbsm.go index 926f1b4..819ee45 100644 --- a/libbsm.go +++ b/libbsm.go @@ -23,16 +23,20 @@ import ( "os" "fmt" "time" + "bufio" "bytes" + "strings" "strconv" "encoding/binary" ) const ( // bsm/libbsm.h - AUDIT_MAX_ARGS = 128 + AUDIT_MAX_ARGS = 128 + AUDIT_EVENT_FILE = "/etc/security/audit_event" + // sys/bsm/audit.h - MAXAUDITDATA = (0x8000 - 1) + MAXAUDITDATA = (0x8000 - 1) MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) @@ -119,8 +123,19 @@ var ( gUsers []user // A global group/gid cache gGroups []group + // Cache of audit_event file + gEventDB []event ) + +type event struct { + Type int + Name string + Desc string + Class string +} + + // Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h // Abstraction of a record 
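Review bot: The new `event` struct and the `gEventDB` global in the `@@ -119,8` hunk carry no documentation beyond "Cache of audit_event file", so a reader has to find loadEventDB in a later hunk to learn what the four fields are and when the slice is filled. I would put `// event is one record of AUDIT_EVENT_FILE, one line of "type:name:desc:class".` on the struct and `// Filled lazily by getEventName on the first lookup.` on `gEventDB`; nothing visible here shows whether the program reads it from more than one goroutine, so if it does, that comment should also say the lazy fill is unsynchronized. `Type int` is compared against a `uint16` event ID in getEventName via `int(event)`; declaring it `Type uint16` would drop that conversion and make an out-of-range value in the file an explicit parse failure rather than a silently unmatchable entry.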
@@ -394,6 +409,45 @@ func getGroupNameByGid(gid uint32) (group, error) { return grp, nil } +func getEventName(event uint16) (string,error) { + if len(gEventDB) == 0 { + loadEventDB() + } + for _, ev := range gEventDB { + if ev.Type == int(event) { + return ev.Desc, nil + } + } + return "", fmt.Errorf("Event ID not found: %x\n", event) +} + +// We load the entire file in memory +func loadEventDB() error { + file, err := os.Open(AUDIT_EVENT_FILE) + if err != nil { + return err + } + defer file.Close() + + fileScan := bufio.NewScanner(file) + fileScan.Split(bufio.ScanLines) + for fileScan.Scan() { + line := fileScan.Text() + if strings.HasPrefix(line, "#") { + continue + } + eventStr := strings.Split(line, ":") + if len(eventStr) != 4 { + continue + } + t, _ := strconv.Atoi(eventStr[0]) + gEventDB = append(gEventDB, event{Type: t, + Name: eventStr[1], + Desc: eventStr[2], + Class: eventStr[3],}) + } + return nil +} func PrintIpv4FromInt(ipv4int uint32) string { return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16, @@ -460,8 +514,11 @@ func (h *Header32) LoadFromBinary(file *os.File) error { */ func (h *Header32) Print(file *os.File, delimiter string, flags int) { t := time.Unix((int64)(h.S), 0) - fmt.Fprintf(file, "header%s%v%s%v%s%v%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter, - h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) + // We dont care for error + evdesc, _ := getEventName(h.E_type) + fmt.Fprintf(file, "header%s%v%s%v%s%s%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter, + //h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) + evdesc, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } else { diff --git a/main.go b/main.go index 7185bca..8e42086 100644 --- a/main.go +++ b/main.go 
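Review bot: getEventName drops the error from `loadEventDB()`, so when `/etc/security/audit_event` cannot be opened the slice stays empty, every subsequent lookup re-opens and rescans the file, and the caller only ever sees "Event ID not found" rather than the real cause; for an audit-trail tool that distinction matters. In loadEventDB the `t, _ := strconv.Atoi(eventStr[0])` line turns any non-numeric first field into an entry with `Type: 0`, and `fileScan.Err()` is never checked after the loop, so a read error mid-file is indistinguishable from a short file; `fileScan.Split(bufio.ScanLines)` is also the scanner's default and can go. The error string `"Event ID not found: %x\n"` carries a trailing newline and prints the ID in hex while the file stores decimal IDs, which makes the message hard to grep against the file. The rewrite below propagates the load error, skips malformed lines, and returns the scanner error; `%w` is usable since the removed main.go code already relied on `unsafe.Add` (Go 1.17+), though the module's go directive is not visible here.
```go
func getEventName(event uint16) (string, error) {
	if len(gEventDB) == 0 {
		if err := loadEventDB(); err != nil {
			return "", fmt.Errorf("loading %s: %w", AUDIT_EVENT_FILE, err)
		}
	}
	// … unchanged: linear scan of gEventDB for ev.Type == int(event) …
	return "", fmt.Errorf("event id %d not found", event)
}

// … unchanged: loadEventDB open/defer/scanner setup and the "#" and field-count checks …
		t, err := strconv.Atoi(eventStr[0])
		if err != nil {
			continue // non-numeric event number: skip the malformed line
		}
		// … unchanged: append to gEventDB …
	}
	return fileScan.Err()
}
```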
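Review bot: In Header32.Print the new `evdesc, _ := getEventName(h.E_type)` prints an empty field whenever the lookup fails (file unreadable, or an event ID the file does not list), and the `%v` for E_type was changed to `%s`, so the numeric ID is lost from the output exactly when it would be most useful. A fallback to the number keeps every header line informative: `evdesc, err := getEventName(h.E_type)` followed by `if err != nil { evdesc = strconv.Itoa(int(h.E_type)) }` (strconv is already imported in libbsm.go per the first hunk). The commented-out `//h.E_type, delimiter, ...` line left inside the Fprintf argument list should be removed rather than shipped; if the old layout matters, git history has it. The "We dont care for error" comment would then be replaced by one saying why the fallback is the number.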
@@ -4,27 +4,26 @@ // godit is a search tool for BSM audit trails used by FreeBSD auditd // -package main - /* -#cgo CFLAGS: -I /usr/lib -#cgo LDFLAGS: -L. -lbsm -lc -#include -#include +% time ./godit 20211228134923.20211228151348 > godit.log +11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w +% time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log +101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w +% ./godit -V +Godit v0.03 */ -import "C" -import "unsafe" + +package main import ( "io" "os" "fmt" -// "encoding/hex" "github.com/spf13/pflag" ) const ( - version = "0.02" + version = "0.03" ) var ( 
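Review bot: The new block comment pastes raw `time` output that embeds a personal home directory (`/home/yo/Dev/go/godit/...`) and a specific trail file name, which is environment detail that does not belong in the source header and will go stale on the next change. I would reduce it to a one-line summary such as `// godit is roughly 2x faster than praudit -l on a large trail; see the commit history for measurements.` and keep the numbers in the commit message. The change also drops the cgo directives and `import "C"`/`"unsafe"`, so the `-lbsm` link dependency is gone; a short note in the comment that the tool no longer needs libbsm at build time would save the next reader from looking for it.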
@@ -36,73 +35,6 @@ var ( ) -/* -// This function only work on full file for the moment -// It is essentially a rip of praudit:print_tokens function - - It is SLOW: - -yo@martine:~/Dev/go/godit % time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log -102.428u 8.496s 1:50.98 99.9% 10+167k 0+191152io 0pf+0w - -yo@martine:~/Dev/go/godit % time ./godit 20211228134923.20211228151348 > godit.log -232.573u 56.834s 5:12.00 92.7% 859+553k 0+381988io 0pf+0w - -*/ -func print_tokens(filename string) error { - var buf *C.u_char - var recLen C.int - var bytesRead C.int - var tok C.tokenstr_t - var del *C.char - var fp *C.FILE - var cFilename *C.char - var r *C.char - - del = C.CString(delimiter) - r = C.CString("r") - - cFilename = C.CString(filename) - fp = C.fopen(cFilename, r) - if fp == nil { - return fmt.Errorf("Error opening file %s\n", filename) - } - - for recLen != -1 { - recLen = C.au_read_rec(fp, &buf) - if recLen == -1 { - break - } - bytesRead = 0 - for bytesRead < recLen { - newstart := unsafe.Add(unsafe.Pointer(buf), bytesRead) - if( -1 == C.au_fetch_tok(&tok, (*C.u_char)(newstart), recLen - bytesRead)) { - break - } - C.au_print_flags_tok((*C.FILE)(C.stdout), &tok, del, C.AU_OFLAG_NONE) - - bytesRead += (C.int)(tok.len) - // fmt.Printf is buffered, its use cause a time glitch on display - C.putchar((C.int)(*del)) - } - fmt.Printf("\n") - C.fflush((*C.FILE)(C.stdout)) - - // buf was allocated by au_read_rec(), we need to free it - C.free(unsafe.Pointer(buf)) - - } - - C.fclose(fp) - - C.free(unsafe.Pointer(cFilename)) - C.free(unsafe.Pointer(del)) - C.free(unsafe.Pointer(r)) - - return nil -} - - func main() { var flags int var oneLine bool