Resolve event name

This commit is contained in:
yo 2022-01-06 17:29:16 +01:00
parent 8fd6e20cbd
commit 92ba4e4ca6
2 changed files with 70 additions and 81 deletions

View File

@ -23,16 +23,20 @@ import (
"os" "os"
"fmt" "fmt"
"time" "time"
"bufio"
"bytes" "bytes"
"strings"
"strconv" "strconv"
"encoding/binary" "encoding/binary"
) )
const ( const (
// bsm/libbsm.h // bsm/libbsm.h
AUDIT_MAX_ARGS = 128 AUDIT_MAX_ARGS = 128
AUDIT_EVENT_FILE = "/etc/security/audit_event"
// sys/bsm/audit.h // sys/bsm/audit.h
MAXAUDITDATA = (0x8000 - 1) MAXAUDITDATA = (0x8000 - 1)
MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA
// Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS)
@ -119,8 +123,19 @@ var (
gUsers []user gUsers []user
// A global group/gid cache // A global group/gid cache
gGroups []group gGroups []group
// Cache of audit_event file
gEventDB []event
) )
type event struct {
Type int
Name string
Desc string
Class string
}
// Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h // Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h
// Abstraction of a record // Abstraction of a record
@ -394,6 +409,45 @@ func getGroupNameByGid(gid uint32) (group, error) {
return grp, nil return grp, nil
} }
func getEventName(event uint16) (string,error) {
if len(gEventDB) == 0 {
loadEventDB()
}
for _, ev := range gEventDB {
if ev.Type == int(event) {
return ev.Desc, nil
}
}
return "", fmt.Errorf("Event ID not found: %x\n", event)
}
// We load the entire file in memory
func loadEventDB() error {
file, err := os.Open(AUDIT_EVENT_FILE)
if err != nil {
return err
}
defer file.Close()
fileScan := bufio.NewScanner(file)
fileScan.Split(bufio.ScanLines)
for fileScan.Scan() {
line := fileScan.Text()
if strings.HasPrefix(line, "#") {
continue
}
eventStr := strings.Split(line, ":")
if len(eventStr) != 4 {
continue
}
t, _ := strconv.Atoi(eventStr[0])
gEventDB = append(gEventDB, event{Type: t,
Name: eventStr[1],
Desc: eventStr[2],
Class: eventStr[3],})
}
return nil
}
func PrintIpv4FromInt(ipv4int uint32) string { func PrintIpv4FromInt(ipv4int uint32) string {
return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16, return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16,
@ -460,8 +514,11 @@ func (h *Header32) LoadFromBinary(file *os.File) error {
*/ */
func (h *Header32) Print(file *os.File, delimiter string, flags int) { func (h *Header32) Print(file *os.File, delimiter string, flags int) {
t := time.Unix((int64)(h.S), 0) t := time.Unix((int64)(h.S), 0)
fmt.Fprintf(file, "header%s%v%s%v%s%v%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter, // We dont care for error
h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) evdesc, _ := getEventName(h.E_type)
fmt.Fprintf(file, "header%s%v%s%v%s%s%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter,
//h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec)
evdesc, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec)
if 0 == (flags & PRT_ONELINE) { if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n") fmt.Fprintf(file, "\n")
} else { } else {

86
main.go
View File

@ -4,27 +4,26 @@
// godit is a search tool for BSM audit trails used by FreeBSD auditd // godit is a search tool for BSM audit trails used by FreeBSD auditd
// //
package main
/* /*
#cgo CFLAGS: -I /usr/lib % time ./godit 20211228134923.20211228151348 > godit.log
#cgo LDFLAGS: -L. -lbsm -lc 11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
#include <stdlib.h> % time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
#include <bsm/libbsm.h> 101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w
% ./godit -V
Godit v0.03
*/ */
import "C"
import "unsafe" package main
import ( import (
"io" "io"
"os" "os"
"fmt" "fmt"
// "encoding/hex"
"github.com/spf13/pflag" "github.com/spf13/pflag"
) )
const ( const (
version = "0.02" version = "0.03"
) )
var ( var (
@ -36,73 +35,6 @@ var (
) )
/*
// This function only work on full file for the moment
// It is essentially a rip of praudit:print_tokens function
It is SLOW:
yo@martine:~/Dev/go/godit % time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
102.428u 8.496s 1:50.98 99.9% 10+167k 0+191152io 0pf+0w
yo@martine:~/Dev/go/godit % time ./godit 20211228134923.20211228151348 > godit.log
232.573u 56.834s 5:12.00 92.7% 859+553k 0+381988io 0pf+0w
*/
func print_tokens(filename string) error {
var buf *C.u_char
var recLen C.int
var bytesRead C.int
var tok C.tokenstr_t
var del *C.char
var fp *C.FILE
var cFilename *C.char
var r *C.char
del = C.CString(delimiter)
r = C.CString("r")
cFilename = C.CString(filename)
fp = C.fopen(cFilename, r)
if fp == nil {
return fmt.Errorf("Error opening file %s\n", filename)
}
for recLen != -1 {
recLen = C.au_read_rec(fp, &buf)
if recLen == -1 {
break
}
bytesRead = 0
for bytesRead < recLen {
newstart := unsafe.Add(unsafe.Pointer(buf), bytesRead)
if( -1 == C.au_fetch_tok(&tok, (*C.u_char)(newstart), recLen - bytesRead)) {
break
}
C.au_print_flags_tok((*C.FILE)(C.stdout), &tok, del, C.AU_OFLAG_NONE)
bytesRead += (C.int)(tok.len)
// fmt.Printf is buffered, its use cause a time glitch on display
C.putchar((C.int)(*del))
}
fmt.Printf("\n")
C.fflush((*C.FILE)(C.stdout))
// buf was allocated by au_read_rec(), we need to free it
C.free(unsafe.Pointer(buf))
}
C.fclose(fp)
C.free(unsafe.Pointer(cFilename))
C.free(unsafe.Pointer(del))
C.free(unsafe.Pointer(r))
return nil
}
func main() { func main() {
var flags int var flags int
var oneLine bool var oneLine bool