From d7383927973d01021fec8aba5b5de37a98048ea6 Mon Sep 17 00:00:00 2001 From: yo Date: Tue, 4 Jan 2022 09:35:55 +0100 Subject: [PATCH] Init repo --- .gitignore | 1 + libbsm.go | 1413 ++++++++++++++++++++++++++++++++++++++++++++++++++++ main.go | 151 ++++++ 3 files changed, 1565 insertions(+) create mode 100644 .gitignore create mode 100644 libbsm.go create mode 100644 main.go diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ac3948e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +./20211228134923.20211228151348 diff --git a/libbsm.go b/libbsm.go new file mode 100644 index 0000000..2010bb3 --- /dev/null +++ b/libbsm.go @@ -0,0 +1,1413 @@ +// This is an implementation of libbsm +// Copyright johan@nosd.in 2021 +// +package main + +import ( + "io" + "os" + "fmt" +// "net" + "time" + "bytes" + "encoding/binary" +) + +const ( + // bsm/libbsm.h + AUDIT_MAX_ARGS = 128 + // sys/bsm/audit.h + MAXAUDITDATA = (0x8000 - 1) + MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA + + // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) + MAX_AUDIT_ARG_LENGTH = 1024 + +/* + * Token type identifiers. + From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h + */ + AUT_INVALID = 0x00 + AUT_OTHER_FILE32 = 0x11 + AUT_OHEADER = 0x12 + AUT_TRAILER = 0x13 + AUT_HEADER32 = 0x14 + AUT_HEADER32_EX = 0x15 + AUT_DATA = 0x21 + AUT_IPC = 0x22 + AUT_PATH = 0x23 + AUT_SUBJECT32 = 0x24 + AUT_XATPATH = 0x25 + AUT_PROCESS32 = 0x26 + AUT_RETURN32 = 0x27 + AUT_TEXT = 0x28 + AUT_OPAQUE = 0x29 + AUT_IN_ADDR = 0x2a + AUT_IP = 0x2b + AUT_IPORT = 0x2c + AUT_ARG32 = 0x2d + AUT_SOCKET = 0x2e + AUT_SEQ = 0x2f + AUT_ACL = 0x30 + AUT_ATTR = 0x31 + AUT_IPC_PERM = 0x32 + AUT_LABEL = 0x33 + AUT_GROUPS = 0x34 + AUT_ACE = 0x35 + AUT_PRIV = 0x38 + AUT_UPRIV = 0x39 + AUT_LIAISON = 0x3a + AUT_NEWGROUPS = 0x3b + AUT_EXEC_ARGS = 0x3c + AUT_EXEC_ENV = 0x3d + AUT_ATTR32 = 0x3e + AUT_UNAUTH = 0x3f + AUT_XATOM = 0x40 + AUT_XOBJ = 0x41 + AUT_XPROTO = 0x42 + AUT_XSELECT = 0x43 + AUT_XCOLORMAP = 0x44 + AUT_XCURSOR = 0x45 + AUT_XFONT = 0x46 + AUT_XGC = 0x47 + AUT_XPIXMAP = 0x48 + AUT_XPROPERTY = 0x49 + AUT_XWINDOW = 0x4a + AUT_XCLIENT = 0x4b + AUT_CMD = 0x51 + AUT_EXIT = 0x52 + AUT_ZONENAME = 0x60 + AUT_HOST = 0x70 + AUT_ARG64 = 0x71 + AUT_RETURN64 = 0x72 + AUT_ATTR64 = 0x73 + AUT_HEADER64 = 0x74 + AUT_SUBJECT64 = 0x75 + AUT_PROCESS64 = 0x77 + AUT_OTHER_FILE64 = 0x78 + AUT_HEADER64_EX = 0x79 + AUT_SUBJECT32_EX = 0x7a + AUT_PROCESS32_EX = 0x7b + AUT_SUBJECT64_EX = 0x7c + AUT_PROCESS64_EX = 0x7d + AUT_IN_ADDR_EX = 0x7e + AUT_SOCKET_EX = 0x7f + + + // Display control + PRT_ONELINE = 1 +) + +// Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h + +// Abstraction of a record +type Record interface { + GetType() uint8 +// Length() + LoadFromBinary(file *os.File) error + Print(*os.File, string, int) +} + +type Header32 struct { + Size uint32 // Record byte count + Version uint8 // version # (uchar) + E_type uint16 // Event type + E_mod uint16 // Event modifier + S uint32 // Seconds of time + Msec uint32 // Milliseconds of time +} + +type Header32Ex struct { + Size uint32 // Record byte count + Version uint8 // version # (uchar) + E_type uint16 // Event type + E_mod uint16 // Event modifier + Ad_type uint32 // Address type/Length + Addr [4]uint32 // Ipv4 or IPv6 + S uint32 // Seconds of time + Msec uint32 // Milliseconds of time +} + +type Trailer struct { + Magic uint16 + Count uint32 +} + +type Arg32 struct { + No byte // Argument # + Val uint32 // Argument value + Length uint16 // Text length + Text []byte // Text +} + +type Arg64 struct { + No byte // Argument # + Val uint64 // Argument value + Length uint16 // Text length + Text []byte // Text +} + +type Attribute32 struct { + Mode uint32 // file access mode + Uid uint32 // Owner user ID + Gid uint32 // Owner group ID + Fsid uint32 // File system ID + Nid uint64 // Node ID + Dev uint32 // Device +} + +type Attribute64 struct { + Mode uint32 // file access mode + Uid uint32 // Owner user ID + Gid uint32 // Owner group ID + Fsid uint32 // File system ID + Nid uint64 // Node ID + Dev uint64 // Device +} + +/* +* count 4 bytes +* text count null-terminated string(s) +*/ +type ExecArg struct { + Count uint32 + //Text [AUDIT_MAX_ARGS][]byte + Text [][]byte +} + +type Path struct { + Length uint16 // path length + Path []byte +} + +type Return32 struct { + Status byte // Error status + Ret uint32 // Return code +} + +type Return64 struct { + Status byte // Error status + Ret uint64 // Return code +} + +type Subject32 struct { + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid32 +} + +type Process32 Subject32 + +type Subject32Ex struct { + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid32Ex +} + +type Process32Ex Subject32Ex + +type Tid32 struct { + Port uint32 + IpVers uint32 // 0x10 = IPv6 + Addr uint32 +} + +type Tid32Ex struct { + Port uint32 + Ttype uint32 + IpVers uint32 // 0x10 = IPv6 + Addr [4]uint32 // 4 bytes long if IpVers == 0x10, 1 byte long if IpVers == 4 +} + +type Subject64 struct { + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid64 +} + +type Process64 Subject64 + +type Subject64Ex struct { + Auid uint32 // Audit ID + Euid uint32 // Effective user ID + Egid uint32 // Effective Group ID + Ruid uint32 // Real User ID + Rgid uint32 // Real Group ID + Pid uint32 // Process ID + Sid uint32 // Session ID + Tid Tid64Ex +} + +type Process64Ex Subject64Ex + +type Tid64 struct { + Port uint64 + IpVers uint32 + Addr uint32 +} + +type Tid64Ex struct { + Port uint64 + Ttype uint32 + IpVers uint32 // 0x10 = IPv6 + Addr [4]uint32 +} + +type Exit struct { + Status uint32 + Ret uint32 +} + +/* Utilities */ +func PrintIpv6FromInt(ipv6int [4]uint32) string { + //return fmt.Sprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x", + return fmt.Sprintf("%x:%x:%x:%x:%x:%x:%x:%x", + ipv6int[0] & 0xFFFF0000 >> 16, ipv6int[0] & 0x0000FFFF, + ipv6int[1] & 0xFFFF0000 >> 16, ipv6int[1] & 0x0000FFFF, + ipv6int[2] & 0xFFFF0000 >> 16, ipv6int[2] & 0x0000FFFF, + ipv6int[3] & 0xFFFF0000 >> 16, ipv6int[3] & 0x0000FFFF) +} + + +/* Records structs implementation */ +func NewHeader32(h Header32) *Header32 { + return &Header32{ + Size: h.Size, + Version: h.Version, + E_type: h.E_type, + E_mod: h.E_mod, + S: h.S, + Msec: h.Msec, + } +} + +func (h *Header32) GetType() uint8 { + return AUT_HEADER32 +} + +// TODO : Take *io.Reader as arg? +func (h *Header32) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &h.Size) + if err != nil { return fmt.Errorf("Unable to read Header32.Size from file: %v", err) } + + /* Check for recsize sanity: We already read 32 bits + 8 bits */ + if h.Size < (4 + 1) { + return fmt.Errorf("Record size is corrupted: %d", h.Size) + } + + err = binary.Read(file, binary.BigEndian, &h.Version) + if err != nil { return fmt.Errorf("Unable to read Header32.Version from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &h.E_type) + if err != nil { return fmt.Errorf("Unable to read Header32.E_type from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &h.E_mod) + if err != nil { return fmt.Errorf("Unable to read Header32.E_mod from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &h.S) + if err != nil { return fmt.Errorf("Unable to read Header32.S from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &h.Msec) + if err != nil { return fmt.Errorf("Unable to read Header32.Msec from file: %v", err) } + + return nil +} + + +/* Implementation of + static void + print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) +*/ +func (h *Header32) Print(file *os.File, delimiter string, flags int) { + t := time.Unix((int64)(h.S), 0) + fmt.Fprintf(file, "header%s%v%s%v%s%v%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter, + h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewExecArg(e ExecArg) *ExecArg { + return &ExecArg{ + Count: e.Count, + Text: e.Text, + } +} + +func (e *ExecArg) GetType() uint8 { + return AUT_EXEC_ARGS +} + +func (e *ExecArg) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &e.Count) + if err != nil { return fmt.Errorf("Unable to read ExecArg.Count from file: %v", err) } + + // Get current offset in file + startOf, err := file.Seek(0, io.SeekCurrent) + if err != nil { + return fmt.Errorf("Unable to seek to current position: %v", err) + } + + // TODO : Reinject these alreday read bytes into working flow, to avoir rereading them + chunk := make([]byte, e.Count*MAX_AUDIT_ARG_LENGTH + e.Count) + _, err = file.Read(chunk) + if err != nil { + return fmt.Errorf("Unable to read %d * MAX_AUDIT_ARG_LENGTH from current position: %v", err) + } + // Search for null terminating byte, Count times + totLen := int64(0) + buf := bytes.NewBuffer(chunk) + for i := uint32(0) ; i < e.Count ; i++ { + // TODO : Needs a bufio.Reader + // Get this arg length + arg, err := buf.ReadBytes((byte)(0x00)) + if err != nil { + return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err) + } + // Allocate before reading + //e.Text[i] = make([]byte, len(buf)) + totLen += int64(len(arg)) + e.Text = append(e.Text, arg) + } + + startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) + if err != nil { + return fmt.Errorf("Error seeking offset %x from file", startOf) + } + + return nil +} + +func (e *ExecArg) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "exec arg%s", delimiter) + for i := uint32(0) ; i < e.Count ; i++ { + if i < e.Count - 1 { + fmt.Fprintf(file, "%s%s", string(e.Text[i]), delimiter) + } else { + fmt.Fprintf(file, "%s", string(e.Text[i])) + } + } + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewPath(p Path) *Path { + return &Path{ + Length: p.Length, + Path: p.Path, + } +} + +func (p *Path) GetType() uint8 { + return AUT_PATH +} + +func (p *Path) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &p.Length) + if err != nil { return fmt.Errorf("Unable to read Path.Length from file: %v", err) } + + // Get current offset in file + startOf, err := file.Seek(0, io.SeekCurrent) + if err != nil { + return fmt.Errorf("Unable to seek to current position: %v", err) + } + + // TODO : Reinject these already read bytes into working flow, to avoir rereading them + chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) + _, err = file.Read(chunk) + if err != nil { + return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) + } + // Search for null terminating byte + buf := bytes.NewBuffer(chunk) + // TODO : Needs a bufio.Reader + // Get this arg length + arg, err := buf.ReadBytes((byte)(0x00)) + if err != nil { + return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) + } + totLen := int64(len(arg)) + p.Path = arg + + startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) + if err != nil { + return fmt.Errorf("Error seeking offset %x from file", startOf) + } + + return nil +} + +func (p *Path) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "path%s%s", delimiter, string(p.Path)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewAttribute32(a Attribute32) *Attribute32 { + return &Attribute32{ + Mode: a.Mode, + Uid: a.Uid, + Gid: a.Gid, + Fsid: a.Fsid, + Nid: a.Nid, + Dev: a.Dev, + } +} + +func (a* Attribute32) GetType() uint8 { + return AUT_ATTR32 +} + +func (a *Attribute32) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &a.Mode) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Uid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Gid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Fsid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Nid) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Dev) + if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev from file: %v", err) } + + return nil +} + +func (a *Attribute32) Print(file *os.File, delimiter string, flags int) { + // TODO : resolve Uid and Gid (also support domain accounts) + fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, a.Uid, delimiter, + a.Gid, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewAttribute64(a Attribute64) *Attribute64 { + return &Attribute64{ + Mode: a.Mode, + Uid: a.Uid, + Gid: a.Gid, + Fsid: a.Fsid, + Nid: a.Nid, + Dev: a.Dev, + } +} + +func (a* Attribute64) GetType() uint8 { + return AUT_ATTR64 +} + +func (a *Attribute64) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &a.Mode) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Uid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Gid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Fsid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Nid) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Dev) + if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev from file: %v", err) } + + return nil +} + +func (a *Attribute64) Print(file *os.File, delimiter string, flags int) { + // TODO : resolve Uid and Gid (also support domain accounts) + fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, a.Uid, delimiter, + a.Gid, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewSubject32(s Subject32) *Subject32 { + return &Subject32{ + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, + } +} + +func (s *Subject32) GetType() uint8 { + return AUT_SUBJECT32 +} + +func (s *Subject32) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Tid) + if err != nil { return fmt.Errorf("Unable to read Subject32.Tid from file: %v", err) } + + return nil +} + +func PrintIpv4FromInt(ipv4int uint32) string { + return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16, + ipv4int & 0x0000FF00 >> 8, ipv4int & 0x000000FF) +} + +func (s *Subject32) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "subject%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, + delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, + delimiter, PrintIpv4FromInt(s.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewProcess32(s Process32) *Process32 { + return &Process32{ + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, + } +} + +func (p *Process32) GetType() uint8 { + return AUT_PROCESS32 +} + +func (p *Process32) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process32.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process32.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process32.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process32.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process32.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process32.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Tid) + if err != nil { return fmt.Errorf("Unable to read Process32.Tid from file: %v", err) } + + return nil +} + +func (p *Process32) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "process%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, + delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, + delimiter, PrintIpv4FromInt(p.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewSubject32Ex(s Subject32Ex) *Subject32Ex { + return &Subject32Ex{ + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, + } +} + +func (s *Subject32Ex) GetType() uint8 { + return AUT_SUBJECT32_EX +} + +func (s *Subject32Ex) LoadFromBinary(file *os.File) error { + + err := binary.Read(file, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Tid) + if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid from file: %v", err) } + + return nil +} + +func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, + delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, + s.Tid.Ttype, delimiter, PrintIpv6FromInt(s.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewProcess32Ex(p Process32Ex) *Process32Ex { + return &Process32Ex{ + Auid: p.Auid, + Euid: p.Euid, + Egid: p.Egid, + Ruid: p.Ruid, + Rgid: p.Rgid, + Pid: p.Pid, + Sid: p.Sid, + Tid: p.Tid, + } +} + +func (s *Process32Ex) GetType() uint8 { + return AUT_PROCESS32_EX +} + +func (p *Process32Ex) LoadFromBinary(file *os.File) error { + + err := binary.Read(file, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Tid) + if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid from file: %v", err) } + + return nil +} + +func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, + delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, + p.Tid.Ttype, delimiter, PrintIpv6FromInt(p.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewSubject64(s Subject64) *Subject64 { + return &Subject64{ + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, + } +} + +func (s *Subject64) GetType() uint8 { + return AUT_SUBJECT64 +} + +func (s *Subject64) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Tid) + if err != nil { return fmt.Errorf("Unable to read Subject64.Tid from file: %v", err) } + + return nil +} + +func (s *Subject64) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "subject%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, + delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, + delimiter, PrintIpv4FromInt(s.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewProcess64(p Process64) *Process64 { + return &Process64{ + Auid: p.Auid, + Euid: p.Euid, + Egid: p.Egid, + Ruid: p.Ruid, + Rgid: p.Rgid, + Pid: p.Pid, + Sid: p.Sid, + Tid: p.Tid, + } +} + +func (s *Process64) GetType() uint8 { + return AUT_PROCESS64 +} + +func (p *Process64) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process64.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process64.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process64.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process64.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process64.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process64.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Tid) + if err != nil { return fmt.Errorf("Unable to read Process64.Tid from file: %v", err) } + + return nil +} + +func (p *Process64) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "process%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, + delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, + delimiter, PrintIpv4FromInt(p.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewSubject64Ex(s Subject64Ex) *Subject64Ex { + return &Subject64Ex{ + Auid: s.Auid, + Euid: s.Euid, + Egid: s.Egid, + Ruid: s.Ruid, + Rgid: s.Rgid, + Pid: s.Pid, + Sid: s.Sid, + Tid: s.Tid, + } +} + +func (s *Subject64Ex) GetType() uint8 { + return AUT_SUBJECT64_EX +} + +func (s *Subject64Ex) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &s.Auid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Euid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Egid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Ruid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Rgid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Sid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &s.Tid) + if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid from file: %v", err) } + + return nil +} + +func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, + delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, + s.Tid.Ttype, delimiter, PrintIpv6FromInt(s.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewProcess64Ex(p Process64Ex) *Process64Ex { + return &Process64Ex{ + Auid: p.Auid, + Euid: p.Euid, + Egid: p.Egid, + Ruid: p.Ruid, + Rgid: p.Rgid, + Pid: p.Pid, + Sid: p.Sid, + Tid: p.Tid, + } +} + +func (p *Process64Ex) GetType() uint8 { + return AUT_SUBJECT64_EX +} + +func (p *Process64Ex) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &p.Auid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Euid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Egid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Ruid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Rgid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Sid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &p.Tid) + if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid from file: %v", err) } + + return nil +} + +func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, + delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, + p.Tid.Ttype, delimiter, PrintIpv6FromInt(p.Tid.Addr)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewReturn32(r Return32) *Return32 { + return &Return32{ + Status: r.Status, + Ret: r.Ret, + } +} + +func (r *Return32) GetType() uint8 { + return AUT_RETURN32 +} + +func (r *Return32) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &r.Status) + if err != nil { return fmt.Errorf("Unable to read Return32.Status from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &r.Ret) + if err != nil { return fmt.Errorf("Unable to read Return32.Ret from file: %v", err) } + + return nil +} + +func (r *Return32) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewReturn64(r Return64) *Return64 { + return &Return64{ + Status: r.Status, + Ret: r.Ret, + } +} + +func (r *Return64) GetType() uint8 { + return AUT_RETURN64 +} + +func (r *Return64) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &r.Status) + if err != nil { return fmt.Errorf("Unable to read Return64.Status from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &r.Ret) + if err != nil { return fmt.Errorf("Unable to read Return64.Ret from file: %v", err) } + + return nil +} + +func (r *Return64) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewTrailer(t Trailer) *Trailer { + return &Trailer{ + Magic: t.Magic, + Count: t.Count, + } +} + +func (t *Trailer) GetType() uint8 { + return AUT_TRAILER +} + +func (t *Trailer) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &t.Magic) + if err != nil { return fmt.Errorf("Unable to read Trailer.Magic from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &t.Count) + if err != nil { return fmt.Errorf("Unable to read Trailer.Count from file: %v", err) } + + return nil +} + +func (t *Trailer) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "trailer%s%v", delimiter, t.Count) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewArg32(a Arg32) *Arg32 { + return &Arg32{ + No: a.No, + Val: a.Val, + Length: a.Length, + Text: a.Text, + } +} + +func (a *Arg32) GetType() uint8 { + return AUT_ARG32 +} + +func (a *Arg32) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &a.No) + if err != nil { return fmt.Errorf("Unable to read Arg32.No from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Val) + if err != nil { return fmt.Errorf("Unable to read Arg32.Val from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Length) + if err != nil { return fmt.Errorf("Unable to read Arg32.Length from file: %v", err) } + + // Get current offset in file + startOf, err := file.Seek(0, io.SeekCurrent) + if err != nil { + return fmt.Errorf("Unable to seek to current position: %v", err) + } + + // TODO : Reinject these already read bytes into working flow, to avoir rereading them + chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) + _, err = file.Read(chunk) + if err != nil { + return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) + } + // Search for null terminating byte + buf := bytes.NewBuffer(chunk) + // Get this arg length + arg, err := buf.ReadBytes((byte)(0x00)) + if err != nil { + return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) + } + totLen := int64(len(arg)) + a.Text = arg + + startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) + if err != nil { + return fmt.Errorf("Error seeking offset %x from file", startOf) + } + + return nil +} + +func (a *Arg32) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewArg64(a Arg64) *Arg64 { + return &Arg64{ + No: a.No, + Val: a.Val, + Length: a.Length, + Text: a.Text, + } +} + +func (a *Arg64) GetType() uint8 { + return AUT_ARG64 +} + +func (a *Arg64) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &a.No) + if err != nil { return fmt.Errorf("Unable to read Arg64.No from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Val) + if err != nil { return fmt.Errorf("Unable to read Arg64.Val from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &a.Length) + if err != nil { return fmt.Errorf("Unable to read Arg64.Length from file: %v", err) } + + // Get current offset in file + startOf, err := file.Seek(0, io.SeekCurrent) + if err != nil { + return fmt.Errorf("Unable to seek to current position: %v", err) + } + + // TODO : Reinject these already read bytes into working flow, to avoir rereading them + chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) + _, err = file.Read(chunk) + if err != nil { + return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) + } + // Search for null terminating byte + buf := bytes.NewBuffer(chunk) + // Get this arg length + arg, err := buf.ReadBytes((byte)(0x00)) + if err != nil { + return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) + } + totLen := int64(len(arg)) + a.Text = arg + + startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) + if err != nil { + return fmt.Errorf("Error seeking offset %x from file", startOf) + } + + return nil +} + +func (a *Arg64) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text)) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func NewExit(e Exit) *Exit { + return &Exit{ + Status: e.Status, + Ret: e.Ret, + } +} + +func (e *Exit) GetType() uint8 { + return AUT_EXIT +} + +func (e *Exit) LoadFromBinary(file *os.File) error { + err := binary.Read(file, binary.BigEndian, &e.Status) + if err != nil { return fmt.Errorf("Unable to read Exit.Status from file: %v", err) } + + err = binary.Read(file, binary.BigEndian, &e.Ret) + if err != nil { return fmt.Errorf("Unable to read Exit.Ret from file: %v", err) } + + return nil +} + +func (e *Exit) Print(file *os.File, delimiter string, flags int) { + fmt.Fprintf(file, "exit%s%v%s%v", delimiter, e.Status, delimiter, e.Ret) + if 0 == (flags & PRT_ONELINE) { + fmt.Fprintf(file, "\n") + } +} + +func readRecordToStruct(file *os.File) (Record, error) { + var rec Record + + hdr := make([]byte, 1) + n, err := file.Read(hdr) + if err != nil || n < 1 { + return rec, fmt.Errorf("Unable to read header ID in file: %v", err) + } + + // DEBUG +/* startOf, _ := file.Seek(0, io.SeekCurrent) + fmt.Printf("Offset dans le fichier : %x\n", startOf) +*/ + //switch hdr.(int8) { + switch (int8)(hdr[0]) { + case AUT_HEADER32: + var h Header32 + err := h.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewHeader32(h), nil + case AUT_EXEC_ARGS: + var e ExecArg + err := e.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewExecArg(e), nil + case AUT_PATH: + var p Path + err := p.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewPath(p), nil + case AUT_ATTR32: + var a Attribute32 + err := a.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewAttribute32(a), nil + case AUT_ATTR64: + var a Attribute64 + err := a.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewAttribute64(a), nil + case AUT_SUBJECT32: + var s Subject32 + err := s.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewSubject32(s), nil + case AUT_SUBJECT32_EX: + var s Subject32Ex + err := s.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewSubject32Ex(s), nil + case AUT_RETURN32: + var r Return32 + err := r.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewReturn32(r), nil + case AUT_TRAILER: + var t Trailer + err := t.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewTrailer(t), nil + case AUT_ARG32: + var a Arg32 + err := a.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewArg32(a), nil + case AUT_ARG64: + var a Arg64 + err := a.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewArg64(a), nil + case AUT_EXIT: + var e Exit + err := e.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewExit(e), nil + case AUT_PROCESS32: + var p Process32 + err := p.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewProcess32(p), nil + case AUT_PROCESS32_EX: + var p Process32Ex + err := p.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewProcess32Ex(p), nil + case AUT_PROCESS64: + var p Process64 + err := p.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewProcess64(p), nil + case AUT_PROCESS64_EX: + var p Process64Ex + err := p.LoadFromBinary(file) + if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } + return NewProcess64Ex(p), nil + } + + startOf, _ := file.Seek(0, io.SeekCurrent) + return rec, fmt.Errorf("Event type not supported: 0x%x at offset 0x%x", hdr[0], startOf) +} + + +/* Implementation of + int au_read_rec(FILE *fp, u_char **buf) + + source: https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/libbsm/bsm_io.c +*/ +func readRecord(file *os.File) ([]byte, error) { + var buf *bytes.Buffer + var recSize int32 + + hdr := make([]byte, 1) + n, err := file.Read(hdr) + if err != nil || n < 1 { + return hdr, fmt.Errorf("Unable to read file") + } + + //switch hdr.(int8) { + switch (int8)(hdr[0]) { + case AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, AUT_HEADER64_EX: + err := binary.Read(file, binary.BigEndian, &recSize) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } + + /* Check for recsize sanity: We already read 32 bits + 8 bits */ + if recSize < (4 + 1) { + return hdr, fmt.Errorf("Record size is corrupted: %d", recSize) + } + + /* store the token contents already read, back to the buffer*/ + data := make([]byte, 0) + buf = bytes.NewBuffer(data) + err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate header to data") + } + err = binary.Write(buf, binary.BigEndian, recSize) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate recordsize to existing data") + } + + /* now read remaining record bytes */ + remainSize := recSize - (4 + 1) + remain := make([]byte, remainSize) + n, err = file.Read(remain) + if err != nil || (int32)(n) < remainSize { + return hdr, fmt.Errorf("Unable to read data from file") + } + n, err = buf.Write(remain) + if err != nil { + return hdr, fmt.Errorf("Unable to write data to buffer") + } + + case AUT_OTHER_FILE32: + var sec int32 + var msec int32 + var filenamelen int16 + + err := binary.Read(file, binary.BigEndian, &sec) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } + err = binary.Read(file, binary.BigEndian, &msec) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } + err = binary.Read(file, binary.BigEndian, &filenamelen) + if err != nil { + return hdr, fmt.Errorf("Unable to read file") + } + + recSize = 1 + 4 + 4 + 2 + int32(filenamelen) + data := make([]byte, 0) + buf = bytes.NewBuffer(data) + + /* store the token contents already read, back to the buffer*/ + err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate header to data") + } + err = binary.Write(buf, binary.BigEndian, sec) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate sec to data") + } + err = binary.Write(buf, binary.BigEndian, msec) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate msec to data") + } + err = binary.Write(buf, binary.BigEndian, filenamelen) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate filenamelen to data") + } + + filename := make([]byte, filenamelen) + n, err = file.Read(filename) + if err != nil || n < int(filenamelen) { + return hdr, fmt.Errorf("Unable to read filename from file") + } + n, err = buf.Write(filename) + if err != nil { + return hdr, fmt.Errorf("Unable to concatenate filename to buffer") + } + + default: + return hdr, fmt.Errorf("Record type not implemented: %v", hdr) + } + + return buf.Bytes(), nil +} + + diff --git a/main.go b/main.go new file mode 100644 index 0000000..5b768a0 --- /dev/null +++ b/main.go @@ -0,0 +1,151 @@ +// Copyright 2021, johan@nosd.in +// +build freebsd +// +// godit is a search tool for BSM audit trails used by FreeBSD auditd +// + +package main + +/* +#cgo CFLAGS: -I /usr/lib +#cgo LDFLAGS: -L. -lbsm -lc +#include +#include +*/ +import "C" +import "unsafe" + +import ( + "os" + "fmt" +// "encoding/hex" + "github.com/spf13/pflag" +) + +const ( + version = "0.001" +) + +var ( + randFlag bool + showVersion bool + + // Default delimiter + delimiter = "," +) + + +/* +// This function only work on full file for the moment +// It is essentially a rip of praudit:print_tokens function + + It is SLOW: + +yo@martine:~/Dev/go/godit % time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log +102.428u 8.496s 1:50.98 99.9% 10+167k 0+191152io 0pf+0w + +yo@martine:~/Dev/go/godit % time ./godit 20211228134923.20211228151348 > godit.log +232.573u 56.834s 5:12.00 92.7% 859+553k 0+381988io 0pf+0w + +*/ +func print_tokens(filename string) error { + var buf *C.u_char + var recLen C.int + var bytesRead C.int + var tok C.tokenstr_t + var del *C.char + var fp *C.FILE + var cFilename *C.char + var r *C.char + + del = C.CString(delimiter) + r = C.CString("r") + + cFilename = C.CString(filename) + fp = C.fopen(cFilename, r) + if fp == nil { + return fmt.Errorf("Error opening file %s\n", filename) + } + + for recLen != -1 { + recLen = C.au_read_rec(fp, &buf) + if recLen == -1 { + break + } + bytesRead = 0 + for bytesRead < recLen { + newstart := unsafe.Add(unsafe.Pointer(buf), bytesRead) + if( -1 == C.au_fetch_tok(&tok, (*C.u_char)(newstart), recLen - bytesRead)) { + break + } + C.au_print_flags_tok((*C.FILE)(C.stdout), &tok, del, C.AU_OFLAG_NONE) + + bytesRead += (C.int)(tok.len) + // fmt.Printf is buffered, its use cause a time glitch on display + C.putchar((C.int)(*del)) + } + fmt.Printf("\n") + C.fflush((*C.FILE)(C.stdout)) + + // buf was allocated by au_read_rec(), we need to free it + C.free(unsafe.Pointer(buf)) + + } + + C.fclose(fp) + + C.free(unsafe.Pointer(cFilename)) + C.free(unsafe.Pointer(del)) + C.free(unsafe.Pointer(r)) + + return nil +} + + +func main() { + + pflag.BoolVarP(&randFlag, "randFlag", "r", false, "A random flag, just to play you.") + pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit") + + pflag.Parse() + + if showVersion { + fmt.Printf("Godit v%s\n", version) + return + } + + args := os.Args + + filename := args[len(args)-1] + +/* fmt.Printf("Args: %s\n", args) + fmt.Printf("Filename: %s\n", filename) +*/ + + if len(filename) > 0 { +/* err := print_tokens(filename) + if err != nil { + :q + fmt.Printf("Erreur dans print_tokens: %s\n", err.Error()) + return + } + } +*/ + f, err := os.Open(filename) + if err != nil { + fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename) + return + } + //for i := 0 ; i < 20 ; i++ { + for { + rec, err := readRecordToStruct(f) + if err != nil { + fmt.Printf("Erreur : %v\n", err) + return + } + rec.Print(os.Stdout, ",", 0) + } + } +} + +