Use bufio.NewReader so we can read pipe (/dev/auditpipe or stdin)

This commit is contained in:
yo 2022-01-10 17:51:12 +01:00
parent 417f387f3c
commit 9e675658b6
2 changed files with 314 additions and 387 deletions

663
libbsm.go
View File

@ -144,7 +144,7 @@ type event struct {
type Record interface {
GetType() uint8
// Length()
LoadFromBinary(file *os.File) error
LoadFromBinary(rdr *bufio.Reader) error
Print(*os.File, string, int)
}
@ -482,29 +482,29 @@ func (h *Header32) GetType() uint8 {
}
// TODO : Take *io.Reader as arg?
func (h *Header32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &h.Size)
if err != nil { return fmt.Errorf("Unable to read Header32.Size from file: %v", err) }
func (h *Header32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &h.Size)
if err != nil { return fmt.Errorf("Unable to read Header32.Size: %v", err) }
/* Check for recsize sanity: We already read 32 bits + 8 bits */
if h.Size < (4 + 1) {
return fmt.Errorf("Record size is corrupted: %d", h.Size)
}
err = binary.Read(file, binary.BigEndian, &h.Version)
if err != nil { return fmt.Errorf("Unable to read Header32.Version from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &h.Version)
if err != nil { return fmt.Errorf("Unable to read Header32.Version: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.E_type)
if err != nil { return fmt.Errorf("Unable to read Header32.E_type from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &h.E_type)
if err != nil { return fmt.Errorf("Unable to read Header32.E_type: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.E_mod)
if err != nil { return fmt.Errorf("Unable to read Header32.E_mod from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &h.E_mod)
if err != nil { return fmt.Errorf("Unable to read Header32.E_mod: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.S)
if err != nil { return fmt.Errorf("Unable to read Header32.S from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &h.S)
if err != nil { return fmt.Errorf("Unable to read Header32.S: %v", err) }
err = binary.Read(file, binary.BigEndian, &h.Msec)
if err != nil { return fmt.Errorf("Unable to read Header32.Msec from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &h.Msec)
if err != nil { return fmt.Errorf("Unable to read Header32.Msec: %v", err) }
return nil
}
@ -545,43 +545,19 @@ func (e *ExecArg) GetType() uint8 {
return AUT_EXEC_ARGS
}
func (e *ExecArg) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &e.Count)
if err != nil { return fmt.Errorf("Unable to read ExecArg.Count from file: %v", err) }
func (e *ExecArg) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &e.Count)
if err != nil { return fmt.Errorf("Unable to read ExecArg.Count: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these alreday read bytes into working flow, to avoir rereading them
chunk := make([]byte, e.Count*MAX_AUDIT_ARG_LENGTH + e.Count)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read %d * MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte, Count times
totLen := int64(0)
buf := bytes.NewBuffer(chunk)
for i := uint32(0) ; i < e.Count ; i++ {
// TODO : Needs a bufio.Reader
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
arg, err := rdr.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err)
return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, error : %v", i, err)
}
// Allocate before reading
totLen += int64(len(arg))
//e.Text = append(e.Text, arg) // Discard last 0
e.Text = append(e.Text, arg[:len(arg)-1])
}
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
}
return nil
}
@ -612,37 +588,15 @@ func (p *Path) GetType() uint8 {
return AUT_PATH
}
func (p *Path) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Length)
if err != nil { return fmt.Errorf("Unable to read Path.Length from file: %v", err) }
func (p *Path) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &p.Length)
if err != nil { return fmt.Errorf("Unable to read Path.Length: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
arg, err := rdr.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// TODO : Needs a bufio.Reader
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
p.Path = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
return fmt.Errorf("Error searching for null terminated path: error : %v", err)
}
p.Path = arg[:len(arg)-1]
return nil
}
@ -671,24 +625,24 @@ func (a* Attribute32) GetType() uint8 {
return AUT_ATTR32
}
func (a *Attribute32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode from file: %v", err) }
func (a *Attribute32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev: %v", err) }
return nil
}
@ -730,24 +684,24 @@ func (a* Attribute64) GetType() uint8 {
return AUT_ATTR64
}
func (a *Attribute64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode from file: %v", err) }
func (a *Attribute64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &a.Mode)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Uid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Gid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Fsid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Nid)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Dev)
if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev: %v", err) }
return nil
}
@ -789,27 +743,27 @@ func (s *Subject32) GetType() uint8 {
return AUT_SUBJECT32
}
func (s *Subject32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid from file: %v", err) }
func (s *Subject32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Tid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject32.Tid: %v", err) }
return nil
}
@ -860,27 +814,27 @@ func (p *Process32) GetType() uint8 {
return AUT_PROCESS32
}
func (p *Process32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32.Auid from file: %v", err) }
func (p *Process32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process32.Tid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process32.Tid: %v", err) }
return nil
}
@ -931,41 +885,41 @@ func (s *Subject32Ex) GetType() uint8 {
return AUT_SUBJECT32_EX
}
func (s *Subject32Ex) LoadFromBinary(file *os.File) error {
func (s *Subject32Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid from file: %v", err) }
err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers: %v", err) }
if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6: %v", err) }
} else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4: %v", err) }
}
return nil
@ -1024,41 +978,41 @@ func (s *Process32Ex) GetType() uint8 {
return AUT_PROCESS32_EX
}
func (p *Process32Ex) LoadFromBinary(file *os.File) error {
func (p *Process32Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid from file: %v", err) }
err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers: %v", err) }
if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6: %v", err) }
} else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4: %v", err) }
}
return nil
@ -1119,27 +1073,27 @@ func (s *Subject64) GetType() uint8 {
return AUT_SUBJECT64
}
func (s *Subject64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid from file: %v", err) }
func (s *Subject64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Tid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject64.Tid: %v", err) }
return nil
}
@ -1190,27 +1144,27 @@ func (s *Process64) GetType() uint8 {
return AUT_PROCESS64
}
func (p *Process64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64.Auid from file: %v", err) }
func (p *Process64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process64.Tid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process64.Tid: %v", err) }
return nil
}
@ -1261,40 +1215,40 @@ func (s *Subject64Ex) GetType() uint8 {
return AUT_SUBJECT64_EX
}
func (s *Subject64Ex) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid from file: %v", err) }
func (s *Subject64Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &s.Auid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Euid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Egid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Ruid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Rgid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers: %v", err) }
if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6: %v", err) }
} else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4: %v", err) }
}
return nil
@ -1354,40 +1308,40 @@ func (p *Process64Ex) GetType() uint8 {
return AUT_PROCESS64_EX
}
func (p *Process64Ex) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid from file: %v", err) }
func (p *Process64Ex) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &p.Auid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Euid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Egid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Ruid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Rgid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers: %v", err) }
if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6: %v", err) }
} else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4 from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4: %v", err) }
}
return nil
@ -1441,12 +1395,12 @@ func (r *Return32) GetType() uint8 {
return AUT_RETURN32
}
func (r *Return32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return32.Status from file: %v", err) }
func (r *Return32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return32.Status: %v", err) }
err = binary.Read(file, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return32.Ret from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return32.Ret: %v", err) }
return nil
}
@ -1471,12 +1425,12 @@ func (r *Return64) GetType() uint8 {
return AUT_RETURN64
}
func (r *Return64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return64.Status from file: %v", err) }
func (r *Return64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &r.Status)
if err != nil { return fmt.Errorf("Unable to read Return64.Status: %v", err) }
err = binary.Read(file, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return64.Ret from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &r.Ret)
if err != nil { return fmt.Errorf("Unable to read Return64.Ret: %v", err) }
return nil
}
@ -1501,12 +1455,12 @@ func (t *Trailer) GetType() uint8 {
return AUT_TRAILER
}
func (t *Trailer) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &t.Magic)
if err != nil { return fmt.Errorf("Unable to read Trailer.Magic from file: %v", err) }
func (t *Trailer) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &t.Magic)
if err != nil { return fmt.Errorf("Unable to read Trailer.Magic: %v", err) }
err = binary.Read(file, binary.BigEndian, &t.Count)
if err != nil { return fmt.Errorf("Unable to read Trailer.Count from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &t.Count)
if err != nil { return fmt.Errorf("Unable to read Trailer.Count: %v", err) }
return nil
}
@ -1530,42 +1484,22 @@ func (a *Arg32) GetType() uint8 {
return AUT_ARG32
}
func (a *Arg32) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg32.No from file: %v", err) }
func (a *Arg32) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg32.No: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg32.Val from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg32.Val: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg32.Length from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg32.Length: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
arg, err := rdr.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
a.Text = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
return fmt.Errorf("Error searching for null terminated path: %v", err)
}
a.Text = arg[:len(arg)-1]
return nil
}
@ -1592,42 +1526,22 @@ func (a *Arg64) GetType() uint8 {
return AUT_ARG64
}
func (a *Arg64) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg64.No from file: %v", err) }
func (a *Arg64) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &a.No)
if err != nil { return fmt.Errorf("Unable to read Arg64.No: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg64.Val from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Val)
if err != nil { return fmt.Errorf("Unable to read Arg64.Val: %v", err) }
err = binary.Read(file, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg64.Length from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &a.Length)
if err != nil { return fmt.Errorf("Unable to read Arg64.Length: %v", err) }
// Get current offset in file
startOf, err := file.Seek(0, io.SeekCurrent)
if err != nil {
return fmt.Errorf("Unable to seek to current position: %v", err)
}
// TODO : Reinject these already read bytes into working flow, to avoir rereading them
chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1)
_, err = file.Read(chunk)
if err != nil {
return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err)
}
// Search for null terminating byte
buf := bytes.NewBuffer(chunk)
// Get this arg length
arg, err := buf.ReadBytes((byte)(0x00))
arg, err := rdr.ReadBytes((byte)(0x00))
if err != nil {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
a.Text = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
return fmt.Errorf("Error seeking offset %x from file", startOf)
return fmt.Errorf("Error searching for null terminated path: %v", err)
}
a.Text = arg[:len(arg)-1]
return nil
}
@ -1652,12 +1566,12 @@ func (e *Exit) GetType() uint8 {
return AUT_EXIT
}
func (e *Exit) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &e.Status)
if err != nil { return fmt.Errorf("Unable to read Exit.Status from file: %v", err) }
func (e *Exit) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &e.Status)
if err != nil { return fmt.Errorf("Unable to read Exit.Status: %v", err) }
err = binary.Read(file, binary.BigEndian, &e.Ret)
if err != nil { return fmt.Errorf("Unable to read Exit.Ret from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &e.Ret)
if err != nil { return fmt.Errorf("Unable to read Exit.Ret: %v", err) }
return nil
}
@ -1682,14 +1596,14 @@ func (t *Text) GetType() uint8 {
return AUT_TEXT
}
func (t *Text) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &t.Length)
if err != nil { return fmt.Errorf("Unable to read Text.Length from file: %v", err) }
func (t *Text) LoadFromBinary(rdr *bufio.Reader) error {
err := binary.Read(rdr, binary.BigEndian, &t.Length)
if err != nil { return fmt.Errorf("Unable to read Text.Length: %v", err) }
text := make([]byte, t.Length)
err = binary.Read(file, binary.BigEndian, &text)
if err != nil { return fmt.Errorf("Unable to read Text.Text from file: %v", err) }
err = binary.Read(rdr, binary.BigEndian, &text)
if err != nil { return fmt.Errorf("Unable to read Text.Text: %v", err) }
t.Text = text[:len(text)-1]
return nil
@ -1704,112 +1618,107 @@ func (t *Text) Print(file *os.File, delimiter string, flags int) {
}
}
func readRecordToStruct(file *os.File) (Record, error) {
func readRecordToStruct(reader *bufio.Reader) (Record, error) {
var rec Record
hdr := make([]byte, 1)
n, err := file.Read(hdr)
n, err := reader.Read(hdr)
if err != nil || n < 1 {
if err != io.EOF {
return rec, fmt.Errorf("Unable to read header ID in file: %v", err)
return rec, fmt.Errorf("Unable to read header ID: %v", err)
}
return rec, err
}
// DEBUG
/* startOf, _ := file.Seek(0, io.SeekCurrent)
fmt.Printf("Offset dans le fichier : %x\n", startOf)
*/
switch (int8)(hdr[0]) {
case AUT_HEADER32:
var h Header32
err := h.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := h.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewHeader32(h), nil
case AUT_EXEC_ARGS:
var e ExecArg
err := e.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := e.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewExecArg(e), nil
case AUT_PATH:
var p Path
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewPath(p), nil
case AUT_ATTR32:
var a Attribute32
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewAttribute32(a), nil
case AUT_ATTR64:
var a Attribute64
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewAttribute64(a), nil
case AUT_SUBJECT32:
var s Subject32
err := s.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := s.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewSubject32(s), nil
case AUT_SUBJECT32_EX:
var s Subject32Ex
err := s.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := s.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewSubject32Ex(s), nil
case AUT_RETURN32:
var r Return32
err := r.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := r.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewReturn32(r), nil
case AUT_TRAILER:
var t Trailer
err := t.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := t.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewTrailer(t), nil
case AUT_ARG32:
var a Arg32
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewArg32(a), nil
case AUT_ARG64:
var a Arg64
err := a.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := a.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewArg64(a), nil
case AUT_EXIT:
var e Exit
err := e.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := e.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewExit(e), nil
case AUT_PROCESS32:
var p Process32
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess32(p), nil
case AUT_PROCESS32_EX:
var p Process32Ex
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess32Ex(p), nil
case AUT_PROCESS64:
var p Process64
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess64(p), nil
case AUT_PROCESS64_EX:
var p Process64Ex
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := p.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewProcess64Ex(p), nil
case AUT_TEXT:
var t Text
err := t.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
err := t.LoadFromBinary(reader)
if err != nil { return rec, fmt.Errorf("Unable to read: %v", err) }
return NewText(t), nil
}
startOf, _ := file.Seek(0, io.SeekCurrent)
return rec, fmt.Errorf("Event type not supported: 0x%x at offset 0x%x", hdr[0], startOf)
return rec, fmt.Errorf("Event type not supported: 0x%x", hdr[0])
}

38
main.go
View File

@ -5,12 +5,18 @@
//
/*
% time ./godit 20211228134923.20211228151348 > godit.log
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
% time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w
% time ./godit 20211228134923.20211228151348 > godit.log
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
% ./godit -V
Godit v0.03
% time ./godit 20211228134923.20211228151348 > 20211228134923.20211228151348.godit3
7.183u 19.590s 0:25.98 103.0% 1038+559k 0+2262168io 0pf+0w
% ./godit -V
Godit v0.4.3
*/
package main
@ -19,11 +25,13 @@ import (
"io"
"os"
"fmt"
"bufio"
"strings"
"github.com/spf13/pflag"
)
const (
version = "0.4"
version = "0.4.3"
)
var (
@ -66,27 +74,37 @@ func main() {
}
args := os.Args
filename := args[len(args)-1]
/* fmt.Printf("Args: %s\n", args)
fmt.Printf("Filename: %s\n", filename)
*/
var f *os.File
var r *bufio.Reader
var err error
if len(filename) > 0 {
f, err := os.Open(filename)
if err != nil {
fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename)
return
// If arg is "-", open stdin to read content
if true == strings.EqualFold(filename, "-") {
r = bufio.NewReader(os.Stdin)
} else {
f, err = os.Open(filename)
if err != nil {
fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename)
return
}
r = bufio.NewReader(f)
}
//for i := 0 ; i < 20 ; i++ {
for {
rec, err := readRecordToStruct(f)
rec, err := readRecordToStruct(r)
if err != nil {
if err != io.EOF {
fmt.Printf("Erreur : %v\n", err)
} else { // v.0.4.2 : Continue on error
return
}
return
}
rec.Print(os.Stdout, ",", flags)
}