
3 Commits

yo
65afab1eec WIP: json output option 2023-01-17 11:17:01 +01:00
yo
9218ae6daa Code formatting 2022-07-01 17:20:56 +02:00
yo
dcecaf6c62 Code formatting 2022-07-01 17:15:54 +02:00

425
libbsm.go

@ -31,110 +31,111 @@ import (
) )
const ( const (
// bsm/libbsm.h // bsm/libbsm.h
AUDIT_MAX_ARGS = 128 AUDIT_MAX_ARGS = 128
AUDIT_EVENT_FILE = "/etc/security/audit_event" AUDIT_EVENT_FILE = "/etc/security/audit_event"
// sys/bsm/audit.h // sys/bsm/audit.h
MAXAUDITDATA = (0x8000 - 1) MAXAUDITDATA = (0x8000 - 1)
MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA
// Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS)
MAX_AUDIT_ARG_LENGTH = 1024 MAX_AUDIT_ARG_LENGTH = 1024
/* /*
* Token type identifiers. * Token type identifiers.
From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h
*/ */
AUT_INVALID = 0x00 AUT_INVALID = 0x00
AUT_OTHER_FILE32 = 0x11 AUT_OTHER_FILE32 = 0x11
AUT_OHEADER = 0x12 AUT_OHEADER = 0x12
AUT_TRAILER = 0x13 AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14 AUT_HEADER32 = 0x14
AUT_HEADER32_EX = 0x15 AUT_HEADER32_EX = 0x15
AUT_DATA = 0x21 AUT_DATA = 0x21
AUT_IPC = 0x22 AUT_IPC = 0x22
AUT_PATH = 0x23 AUT_PATH = 0x23
AUT_SUBJECT32 = 0x24 AUT_SUBJECT32 = 0x24
AUT_XATPATH = 0x25 AUT_XATPATH = 0x25
AUT_PROCESS32 = 0x26 AUT_PROCESS32 = 0x26
AUT_RETURN32 = 0x27 AUT_RETURN32 = 0x27
AUT_TEXT = 0x28 AUT_TEXT = 0x28
AUT_OPAQUE = 0x29 AUT_OPAQUE = 0x29
AUT_IN_ADDR = 0x2a AUT_IN_ADDR = 0x2a
AUT_IP = 0x2b AUT_IP = 0x2b
AUT_IPORT = 0x2c AUT_IPORT = 0x2c
AUT_ARG32 = 0x2d AUT_ARG32 = 0x2d
AUT_SOCKET = 0x2e AUT_SOCKET = 0x2e
AUT_SEQ = 0x2f AUT_SEQ = 0x2f
AUT_ACL = 0x30 AUT_ACL = 0x30
AUT_ATTR = 0x31 AUT_ATTR = 0x31
AUT_IPC_PERM = 0x32 AUT_IPC_PERM = 0x32
AUT_LABEL = 0x33 AUT_LABEL = 0x33
AUT_GROUPS = 0x34 AUT_GROUPS = 0x34
AUT_ACE = 0x35 AUT_ACE = 0x35
AUT_PRIV = 0x38 AUT_PRIV = 0x38
AUT_UPRIV = 0x39 AUT_UPRIV = 0x39
AUT_LIAISON = 0x3a AUT_LIAISON = 0x3a
AUT_NEWGROUPS = 0x3b AUT_NEWGROUPS = 0x3b
AUT_EXEC_ARGS = 0x3c AUT_EXEC_ARGS = 0x3c
AUT_EXEC_ENV = 0x3d AUT_EXEC_ENV = 0x3d
AUT_ATTR32 = 0x3e AUT_ATTR32 = 0x3e
AUT_UNAUTH = 0x3f AUT_UNAUTH = 0x3f
AUT_XATOM = 0x40 AUT_XATOM = 0x40
AUT_XOBJ = 0x41 AUT_XOBJ = 0x41
AUT_XPROTO = 0x42 AUT_XPROTO = 0x42
AUT_XSELECT = 0x43 AUT_XSELECT = 0x43
AUT_XCOLORMAP = 0x44 AUT_XCOLORMAP = 0x44
AUT_XCURSOR = 0x45 AUT_XCURSOR = 0x45
AUT_XFONT = 0x46 AUT_XFONT = 0x46
AUT_XGC = 0x47 AUT_XGC = 0x47
AUT_XPIXMAP = 0x48 AUT_XPIXMAP = 0x48
AUT_XPROPERTY = 0x49 AUT_XPROPERTY = 0x49
AUT_XWINDOW = 0x4a AUT_XWINDOW = 0x4a
AUT_XCLIENT = 0x4b AUT_XCLIENT = 0x4b
AUT_CMD = 0x51 AUT_CMD = 0x51
AUT_EXIT = 0x52 AUT_EXIT = 0x52
AUT_ZONENAME = 0x60 AUT_ZONENAME = 0x60
AUT_HOST = 0x70 AUT_HOST = 0x70
AUT_ARG64 = 0x71 AUT_ARG64 = 0x71
AUT_RETURN64 = 0x72 AUT_RETURN64 = 0x72
AUT_ATTR64 = 0x73 AUT_ATTR64 = 0x73
AUT_HEADER64 = 0x74 AUT_HEADER64 = 0x74
AUT_SUBJECT64 = 0x75 AUT_SUBJECT64 = 0x75
AUT_PROCESS64 = 0x77 AUT_PROCESS64 = 0x77
AUT_OTHER_FILE64 = 0x78 AUT_OTHER_FILE64 = 0x78
AUT_HEADER64_EX = 0x79 AUT_HEADER64_EX = 0x79
AUT_SUBJECT32_EX = 0x7a AUT_SUBJECT32_EX = 0x7a
AUT_PROCESS32_EX = 0x7b AUT_PROCESS32_EX = 0x7b
AUT_SUBJECT64_EX = 0x7c AUT_SUBJECT64_EX = 0x7c
AUT_PROCESS64_EX = 0x7d AUT_PROCESS64_EX = 0x7d
AUT_IN_ADDR_EX = 0x7e AUT_IN_ADDR_EX = 0x7e
AUT_SOCKET_EX = 0x7f AUT_SOCKET_EX = 0x7f
// Display control // Display control
PRT_ONELINE = 1 PRT_ONELINE = 1
PRT_NORESOLVE_USER = 2 PRT_NORESOLVE_USER = 2
PRT_TIMESTAMP = 4 PRT_TIMESTAMP = 4
PRT_JSON = 8
PRT_JSON_PRETTY = 16
) )
var ( var (
// A global user/uid cache // A global user/uid cache
gUsers []user gUsers []user
// A global group/gid cache // A global group/gid cache
gGroups []group gGroups []group
// Cache of audit_event file // Cache of audit_event file
gEventDB []event gEventDB []event
) )
type event struct { type event struct {
Type int Type int
Name string Name string
Desc string Desc string
Class string Class string
} }
@ -142,67 +143,67 @@ type event struct {
// Abstraction of a record // Abstraction of a record
type Record interface { type Record interface {
GetType() uint8 GetType() uint8
// Length() //Length()
LoadFromBinary(rdr *bufio.Reader) error LoadFromBinary(rdr *bufio.Reader) error
Print(*os.File, string, int) Print(*os.File, string, int)
} }
type Header32 struct { type Header32 struct {
Size uint32 // Record byte count Size uint32 `json:"size"` // Record byte count
Version uint8 // version # (uchar) Version uint8 `json:"version"` // version # (uchar)
E_type uint16 // Event type E_type uint16 `json:"event_type"` // Event type
E_mod uint16 // Event modifier E_mod uint16 `json:"event_modifier"` // Event modifier
S uint32 // Seconds of time S uint32 `json:"timestamp"` // Seconds of time
Msec uint32 // Milliseconds of time Msec uint32 `json:"msec"` // Milliseconds of time
} }
type Header32Ex struct { type Header32Ex struct {
Size uint32 // Record byte count Size uint32 `json:"size"` // Record byte count
Version uint8 // version # (uchar) Version uint8 `json:"version"` // version # (uchar)
E_type uint16 // Event type E_type uint16 `json:"event_type"` // Event type
E_mod uint16 // Event modifier E_mod uint16 `json:"event_modifier"` // Event modifier
Ad_type uint32 // Address type/Length Ad_type uint32 `json:"address_type"` // Address type/Length
Addr [4]uint32 // Ipv4 or IPv6 Addr [4]uint32 `json:"address"` // Ipv4 or IPv6
S uint32 // Seconds of time S uint32 `json:"timestamp"` // Seconds of time
Msec uint32 // Milliseconds of time Msec uint32 `json:"msec"` // Milliseconds of time
} }
type Trailer struct { type Trailer struct {
Magic uint16 Magic uint16 `json:"magic"`
Count uint32 Count uint32 `json:"size"`
} }
type Arg32 struct { type Arg32 struct {
No byte // Argument # No byte `json:"count"` // Argument #
Val uint32 // Argument value Val uint32 `json:"value"` // Argument value
Length uint16 // Text length Length uint16 `json:"lentgh"` // Text length
Text []byte // Text Text []byte `json:"text"` // Text
} }
type Arg64 struct { type Arg64 struct {
No byte // Argument # No byte `json:"count"` // Argument #
Val uint64 // Argument value Val uint64 `json:"value"` // Argument value
Length uint16 // Text length Length uint16 `json:"lentgh"` // Text length
Text []byte // Text Text []byte `json:"text"` // Text
} }
type Attribute32 struct { type Attribute32 struct {
Mode uint32 // file access mode Mode uint32 `json:"mode"` // file access mode
Uid uint32 // Owner user ID Uid uint32 `json:"user_id"` // Owner user ID
Gid uint32 // Owner group ID Gid uint32 `json:"group_id"` // Owner group ID
Fsid uint32 // File system ID Fsid uint32 `json:"filesystem_id"` // File system ID
Nid uint64 // Node ID Nid uint64 `json:"node_id"` // Node ID
Dev uint32 // Device Dev uint32 `json:"device"` // Device
} }
type Attribute64 struct { type Attribute64 struct {
Mode uint32 // file access mode Mode uint32 `json:"mode"` // file access mode
Uid uint32 // Owner user ID Uid uint32 `json:"user_id"` // Owner user ID
Gid uint32 // Owner group ID Gid uint32 `json:"group_id"` // Owner group ID
Fsid uint32 // File system ID Fsid uint32 `json:"filesystem_id"` // File system ID
Nid uint64 // Node ID Nid uint64 `json:"node_id"` // Node ID
Dev uint64 // Device Dev uint64 `json:"device"` // Device
} }
/* /*
@ -210,128 +211,128 @@ type Attribute64 struct {
* text count null-terminated string(s) * text count null-terminated string(s)
*/ */
type ExecArg struct { type ExecArg struct {
Count uint32 Count uint32 `json:"count"`
//Text [AUDIT_MAX_ARGS][]byte //Text [AUDIT_MAX_ARGS][]byte
Text [][]byte Text [][]byte `json:"text"`
} }
type Path struct { type Path struct {
Length uint16 // path length Length uint16 `json:"length"` // path length
Path []byte Path []byte `json:"path"`
} }
type Return32 struct { type Return32 struct {
Status byte // Error status Status byte `json:"status"` // Error status
Ret uint32 // Return code Ret uint32 `json:"code"` // Return code
} }
type Return64 struct { type Return64 struct {
Status byte // Error status Status byte `json:"status"` // Error status
Ret uint64 // Return code Ret uint64 `json:"code"` // Return code
} }
type Subject32 struct { type Subject32 struct {
Auid uint32 // Audit ID Auid uint32 `json:"audit_id"` // Audit ID
Euid uint32 // Effective user ID Euid uint32 `json:"effective_user_id"` // Effective user ID
Egid uint32 // Effective Group ID Egid uint32 `json:"effective_group_id"` // Effective Group ID
Ruid uint32 // Real User ID Ruid uint32 `json:"real_user_id"` // Real User ID
Rgid uint32 // Real Group ID Rgid uint32 `json:"real_group_id"` // Real Group ID
Pid uint32 // Process ID Pid uint32 `json:"process_id"` // Process ID
Sid uint32 // Session ID Sid uint32 `json:"session_id"` // Session ID
Tid Tid32 Tid Tid32 `json:"terminal_id"`
} }
type Process32 Subject32 type Process32 Subject32
type Subject32Ex struct { type Subject32Ex struct {
Auid uint32 // Audit ID Auid uint32 `json:"audit_id"` // Audit ID
Euid uint32 // Effective user ID Euid uint32 `json:"effective_user_id"` // Effective user ID
Egid uint32 // Effective Group ID Egid uint32 `json:"effective_group_id"` // Effective Group ID
Ruid uint32 // Real User ID Ruid uint32 `json:"real_user_id"` // Real User ID
Rgid uint32 // Real Group ID Rgid uint32 `json:"real_group_id"` // Real Group ID
Pid uint32 // Process ID Pid uint32 `json:"process_id"` // Process ID
Sid uint32 // Session ID Sid uint32 `json:"session_id"` // Session ID
Tid Tid32Ex Tid Tid32Ex `json:"terminal_id_ex"`
} }
type Process32Ex Subject32Ex type Process32Ex Subject32Ex
type Tid32 struct { type Tid32 struct {
Port uint32 Port uint32 `json:"port"`
IpVers uint32 // 0x10 = IPv6 IpVers uint32 `json:"ip_version"` // 0x10 = IPv6
Addr uint32 Addr uint32 `json:"ip"`
} }
type Tid32Ex struct { type Tid32Ex struct {
Port uint32 Port uint32 `json:"port"`
Ttype uint32 Ttype uint32 `json:"terminal_type"`
IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 IpVers uint32 `json:"ip_version"` // 0x10 = IPv6, 0x04 = IPv4
Addr4 uint32 // 4 bytes long if IpVers == 0x04 Addr4 uint32 `json:"ip4"` // 4 bytes long if IpVers == 0x04
Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10 Addr6 [4]uint32 `json:"ip6"` // 4x4 bytes long if IpVers == 0x10
} }
type Subject64 struct { type Subject64 struct {
Auid uint32 // Audit ID Auid uint32 `json:"audit_id"` // Audit ID
Euid uint32 // Effective user ID Euid uint32 `json:"effective_user_id"` // Effective user ID
Egid uint32 // Effective Group ID Egid uint32 `json:"effective_group_id"` // Effective Group ID
Ruid uint32 // Real User ID Ruid uint32 `json:"real_user_id"` // Real User ID
Rgid uint32 // Real Group ID Rgid uint32 `json:"real_group_id"` // Real Group ID
Pid uint32 // Process ID Pid uint32 `json:"process_id"` // Process ID
Sid uint32 // Session ID Sid uint32 `json:"session_id"` // Session ID
Tid Tid64 Tid Tid64 `json:"terminal_id"`
} }
type Process64 Subject64 type Process64 Subject64
type Subject64Ex struct { type Subject64Ex struct {
Auid uint32 // Audit ID Auid uint32 `json:"audit_id"` // Audit ID
Euid uint32 // Effective user ID Euid uint32 `json:"effective_user_id"` // Effective user ID
Egid uint32 // Effective Group ID Egid uint32 `json:"effective_group_id"` // Effective Group ID
Ruid uint32 // Real User ID Ruid uint32 `json:"real_user_id"` // Real User ID
Rgid uint32 // Real Group ID Rgid uint32 `json:"real_group_id"` // Real Group ID
Pid uint32 // Process ID Pid uint32 `json:"process_id"` // Process ID
Sid uint32 // Session ID Sid uint32 `json:"session_id"` // Session ID
Tid Tid64Ex Tid Tid64Ex `json:"terminal_id_ex"`
} }
type Process64Ex Subject64Ex type Process64Ex Subject64Ex
type Tid64 struct { type Tid64 struct {
Port uint64 Port uint64 `json:"port"`
IpVers uint32 IpVers uint32 `json:"ip_version"`
Addr uint32 Addr uint32 `json:"ip"`
} }
type Tid64Ex struct { type Tid64Ex struct {
Port uint64 Port uint64 `json:"port"`
Ttype uint32 Ttype uint32 `json:"terminal_type"`
IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 IpVers uint32 `json:"ip_version"` // 0x10 = IPv6, 0x04 = IPv4
Addr4 uint32 Addr4 uint32 `json:"ip4"`
Addr6 [4]uint32 Addr6 [4]uint32 `json:"ip6"`
} }
type Exit struct { type Exit struct {
Status uint32 Status uint32 `json:"status"`
Ret uint32 Ret uint32 `json:"code"`
} }
type Text struct { type Text struct {
Length uint16 Length uint16 `json:"length"`
Text []byte Text []byte `json:"text"`
} }
/* Utilities */ /* Utilities */
// users ID for resolution // users ID for resolution
type user struct { type user struct {
uid uint32 uid uint32
name string name string
} }
// groups ID for resolution // groups ID for resolution
type group struct { type group struct {
gid uint32 gid uint32
name string name string
} }
/* Utilities */ /* Utilities */
@ -534,6 +535,44 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) {
} }
} }
func (h *Header32) PrintJson(file *os.File, flags int) {
var timeval string
if PRT_TIMESTAMP == flags & PRT_TIMESTAMP {
timeval = strconv.Itoa(int(h.S))
} else {
t := time.Unix((int64)(h.S), 0)
timeval = t.Format(time.UnixDate)
}
// We dont care for error
evdesc, _ := getEventName(h.E_type)
/*fmt.Fprintf(file, "header%s%d%s%d%s%s%s%v%s%s%s%d", delimiter, h.Size, delimiter, h.Version, delimiter,
//h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec)
evdesc, delimiter, h.E_mod, delimiter, timeval, delimiter, h.Msec)*/
/*
type Header32 struct {
Size uint32 `json:"size"` // Record byte count
Version uint8 `json:"version"` // version # (uchar)
E_type uint16 `json:"event_type"` // Event type
E_mod uint16 `json:"event_modifier"` // Event modifier
S uint32 `json:"timestamp"` // Seconds of time
Msec uint32 `json:"msec"` // Milliseconds of time
}
*/
// 1. convert to json
json := fmt.Sprintf("\"size\":%d,\"version\":%d,\"event_type\":\"%s\",event_modifier\":\"%s\",\"timestamp\":%d,\"msec\":%d,",
h.Size, h.Version, evdesc, h.E_mod, h.S, h.Msec)
// 2. Prettify if flag is set
if flags == (flags & PRT_JSON_PRETTY) {
fmt.Fprintf(file, "NOT IMPLEMENTED\n")
} else {
fmt.Fprintf(file, "%s", json)
}
}
func NewExecArg(e ExecArg) *ExecArg { func NewExecArg(e ExecArg) *ExecArg {
return &ExecArg{ return &ExecArg{
Count: e.Count, Count: e.Count,