7 Commits

Author SHA1 Message Date
yo
92feeacc5c version bump 2022-01-04 17:51:24 +01:00
yo
8a93dcfc26 Uid & gid resolution, oneline, noresolve 2022-01-04 17:50:34 +01:00
yo
716a3cd0f8 Add go.mod 2022-01-04 11:06:12 +01:00
yo
0579cfea1d Version bump, fix EOF error, move PrintIPv4FromInt 2022-01-04 11:03:58 +01:00
yo
501b371936 Merge branch 'master' of ssh://git.nosd.in:2222/yo/libbsm 2022-01-04 10:48:29 +01:00
yo
5970632c31 AUT_TEXT support 2022-01-04 10:47:10 +01:00
yo
0c7c123fd9 Ipv4/v6 distinction fix 2022-01-04 10:22:57 +01:00
4 changed files with 506 additions and 61 deletions

5
go.mod Normal file

@ -0,0 +1,5 @@
module godit
go 1.17
require github.com/spf13/pflag v1.0.5

2
go.sum Normal file

@ -0,0 +1,2 @@
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=

533
libbsm.go

@ -1,15 +1,30 @@
// This is an implementation of libbsm
// Copyright johan@nosd.in 2021
//
// +build freebsd
//
// Use libc to get pw name from uid
package main
/*
#cgo CFLAGS: -I /usr/lib
#cgo LDFLAGS: -L. -lc
#include <sys/types.h>
#include <stdlib.h>
#include <utmpx.h>
#include <grp.h>
#include <pwd.h>
*/
import "C"
import (
"io"
"os"
"fmt"
// "net"
"time"
"bytes"
"strconv"
"encoding/binary"
)
@ -95,7 +110,15 @@ const (
// Display control
PRT_ONELINE = 1
PRT_ONELINE = 1
PRT_NORESOLVE_USER = 2
)
var (
// A global user/uid cache
gUsers []user
// A global group/gid cache
gGroups []group
)
// Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h
@ -225,8 +248,9 @@ type Tid32 struct {
type Tid32Ex struct {
Port uint32
Ttype uint32
IpVers uint32 // 0x10 = IPv6
Addr [4]uint32 // 4 bytes long if IpVers == 0x10, 1 byte long if IpVers == 4
IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4
Addr4 uint32 // 4 bytes long if IpVers == 0x04
Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10
}
type Subject64 struct {
@ -264,8 +288,9 @@ type Tid64 struct {
type Tid64Ex struct {
Port uint64
Ttype uint32
IpVers uint32 // 0x10 = IPv6
Addr [4]uint32
IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4
Addr4 uint32
Addr6 [4]uint32
}
type Exit struct {
@ -273,7 +298,108 @@ type Exit struct {
Ret uint32
}
type Text struct {
Length uint16
Text []byte
}
/* Utilities */
// users ID for resolution
type user struct {
uid uint32
name string
}
// groups ID for resolution
type group struct {
gid uint32
name string
}
/* Utilities */
// Return uid if user not found
func getUserName(uid uint32) (string, error) {
for _, u := range gUsers {
if u.uid == uid {
return u.name, nil
}
}
// Not found in cache, get it from system query
u, err := getUserNameByUid(uid)
if err != nil {
// If not found, return user object with name = uid
if err.Error() == "User ID not found" {
u.uid = uid
u.name = strconv.FormatUint(uint64(uid), 10)
gUsers = append(gUsers, u)
return u.name, err
} else {
return "", err
}
}
gUsers = append(gUsers, u)
return u.name, nil
}
func getUserNameByUid(uid uint32) (user, error) {
var pw *C.struct_passwd
var usr user
pw = C.getpwuid((C.uint32_t)(uid))
if pw == nil {
return usr, fmt.Errorf("User ID not found")
}
usr.uid = uid
usr.name = C.GoString(pw.pw_name)
return usr, nil
}
func getGroupName(gid uint32) (string, error) {
for _, g := range gGroups {
if g.gid == gid {
return g.name, nil
}
}
// Not found in cache, get it from system query
g, err := getGroupNameByGid(gid)
if err != nil {
// If not found, return group object with name = gid
if err.Error() == "Group ID not found" {
g.gid = gid
g.name = strconv.FormatUint(uint64(gid), 10)
gGroups = append(gGroups, g)
return g.name, err
} else {
return "", err
}
}
gGroups = append(gGroups, g)
return g.name, nil
}
func getGroupNameByGid(gid uint32) (group, error) {
var gr *C.struct_group
var grp group
gr = C.getgrgid((C.uint32_t)(gid))
if gr == nil {
return grp, fmt.Errorf("Group ID not found")
}
grp.gid = gid
grp.name = C.GoString(gr.gr_name)
return grp, nil
}
func PrintIpv4FromInt(ipv4int uint32) string {
return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16,
ipv4int & 0x0000FF00 >> 8, ipv4int & 0x000000FF)
}
func PrintIpv6FromInt(ipv6int [4]uint32) string {
//return fmt.Sprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x",
return fmt.Sprintf("%x:%x:%x:%x:%x:%x:%x:%x",
@ -283,7 +409,6 @@ func PrintIpv6FromInt(ipv6int [4]uint32) string {
ipv6int[3] & 0xFFFF0000 >> 16, ipv6int[3] & 0x0000FFFF)
}
/* Records structs implementation */
func NewHeader32(h Header32) *Header32 {
return &Header32{
@ -339,6 +464,8 @@ func (h *Header32) Print(file *os.File, delimiter string, flags int) {
h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -380,9 +507,9 @@ func (e *ExecArg) LoadFromBinary(file *os.File) error {
return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err)
}
// Allocate before reading
//e.Text[i] = make([]byte, len(buf))
totLen += int64(len(arg))
e.Text = append(e.Text, arg)
//e.Text = append(e.Text, arg) // Discard last 0
e.Text = append(e.Text, arg[:len(arg)-1])
}
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
@ -404,6 +531,8 @@ func (e *ExecArg) Print(file *os.File, delimiter string, flags int) {
}
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -443,7 +572,7 @@ func (p *Path) LoadFromBinary(file *os.File) error {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
p.Path = arg
p.Path = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
@ -457,6 +586,8 @@ func (p *Path) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "path%s%s", delimiter, string(p.Path))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -498,11 +629,24 @@ func (a *Attribute32) LoadFromBinary(file *os.File) error {
}
func (a *Attribute32) Print(file *os.File, delimiter string, flags int) {
var user string
var group string
// TODO : resolve Uid and Gid (also support domain accounts)
fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, a.Uid, delimiter,
a.Gid, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev)
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
user = string(a.Uid)
group = string(a.Gid)
} else {
user, _ = getUserName(a.Uid)
group, _ = getGroupName(a.Gid)
}
fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, user, delimiter,
group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -544,11 +688,22 @@ func (a *Attribute64) LoadFromBinary(file *os.File) error {
}
func (a *Attribute64) Print(file *os.File, delimiter string, flags int) {
var user string
var group string
// TODO : resolve Uid and Gid (also support domain accounts)
fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, a.Uid, delimiter,
a.Gid, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev)
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
user = string(a.Uid)
group = string(a.Gid)
} else {
user, _ = getUserName(a.Uid)
group, _ = getGroupName(a.Gid)
}
fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, user, delimiter,
group, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -594,17 +749,29 @@ func (s *Subject32) LoadFromBinary(file *os.File) error {
return nil
}
func PrintIpv4FromInt(ipv4int uint32) string {
return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16,
ipv4int & 0x0000FF00 >> 8, ipv4int & 0x000000FF)
}
func (s *Subject32) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "subject%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid,
delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers,
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
fmt.Fprintf(file, "subject%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, euser, delimiter, egroup,
delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers,
delimiter, PrintIpv4FromInt(s.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -651,11 +818,28 @@ func (p *Process32) LoadFromBinary(file *os.File) error {
}
func (p *Process32) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "process%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid,
delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers,
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
fmt.Fprintf(file, "process%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, euser, delimiter, egroup,
delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers,
delimiter, PrintIpv4FromInt(p.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -696,18 +880,56 @@ func (s *Subject32Ex) LoadFromBinary(file *os.File) error {
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers from file: %v", err) }
if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6 from file: %v", err) }
} else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4 from file: %v", err) }
}
return nil
}
func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid,
delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter,
s.Tid.Ttype, delimiter, PrintIpv6FromInt(s.Tid.Addr))
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
if s.Tid.IpVers == 0x04 {
ip = PrintIpv4FromInt(s.Tid.Addr4)
} else {
ip = PrintIpv6FromInt(s.Tid.Addr6)
}
fmt.Fprintf(file, "subject_ex%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, euser,
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter,
s.Tid.Ttype, delimiter, ip)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -748,18 +970,58 @@ func (p *Process32Ex) LoadFromBinary(file *os.File) error {
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers from file: %v", err) }
if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6 from file: %v", err) }
} else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4 from file: %v", err) }
}
return nil
}
func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid,
delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter,
p.Tid.Ttype, delimiter, PrintIpv6FromInt(p.Tid.Addr))
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
if p.Tid.IpVers == 0x04 {
ip = PrintIpv4FromInt(p.Tid.Addr4)
} else {
ip = PrintIpv6FromInt(p.Tid.Addr6)
}
fmt.Fprintf(file, "process_ex%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, euser,
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter,
p.Tid.Ttype, delimiter, ip)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -806,11 +1068,28 @@ func (s *Subject64) LoadFromBinary(file *os.File) error {
}
func (s *Subject64) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "subject%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid,
delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers,
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
fmt.Fprintf(file, "subject%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, euser, delimiter, egroup,
delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers,
delimiter, PrintIpv4FromInt(s.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -857,11 +1136,28 @@ func (p *Process64) LoadFromBinary(file *os.File) error {
}
func (p *Process64) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "process%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid,
delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers,
var euser string
var egroup string
var ruser string
var rgroup string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
fmt.Fprintf(file, "process%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, euser, delimiter, egroup,
delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers,
delimiter, PrintIpv4FromInt(p.Tid.Addr))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -901,18 +1197,57 @@ func (s *Subject64Ex) LoadFromBinary(file *os.File) error {
err = binary.Read(file, binary.BigEndian, &s.Sid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers from file: %v", err) }
if s.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6 from file: %v", err) }
} else if s.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4 from file: %v", err) }
}
return nil
}
func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid,
delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter,
s.Tid.Ttype, delimiter, PrintIpv6FromInt(s.Tid.Addr))
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(s.Euid)
egroup = string(s.Egid)
ruser = string(s.Ruid)
rgroup = string(s.Rgid)
} else {
euser, _ = getUserName(s.Euid)
egroup, _ = getGroupName(s.Egid)
ruser, _ = getUserName(s.Ruid)
rgroup, _ = getGroupName(s.Rgid)
}
if s.Tid.IpVers == 0x04 {
ip = PrintIpv4FromInt(s.Tid.Addr4)
} else {
ip = PrintIpv6FromInt(s.Tid.Addr6)
}
fmt.Fprintf(file, "subject_ex%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, euser,
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter,
s.Tid.Ttype, delimiter, ip)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -930,7 +1265,7 @@ func NewProcess64Ex(p Process64Ex) *Process64Ex {
}
func (p *Process64Ex) GetType() uint8 {
return AUT_SUBJECT64_EX
return AUT_PROCESS64_EX
}
func (p *Process64Ex) LoadFromBinary(file *os.File) error {
@ -952,18 +1287,57 @@ func (p *Process64Ex) LoadFromBinary(file *os.File) error {
err = binary.Read(file, binary.BigEndian, &p.Sid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Port)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype from file: %v", err) }
err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers from file: %v", err) }
if p.Tid.IpVers == 0x10 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6 from file: %v", err) }
} else if p.Tid.IpVers == 0x04 {
err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4)
if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4 from file: %v", err) }
}
return nil
}
func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid,
delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter,
p.Tid.Ttype, delimiter, PrintIpv6FromInt(p.Tid.Addr))
var euser string
var egroup string
var ruser string
var rgroup string
var ip string
if PRT_NORESOLVE_USER == flags & PRT_NORESOLVE_USER {
euser = string(p.Euid)
egroup = string(p.Egid)
ruser = string(p.Ruid)
rgroup = string(p.Rgid)
} else {
euser, _ = getUserName(p.Euid)
egroup, _ = getGroupName(p.Egid)
ruser, _ = getUserName(p.Ruid)
rgroup, _ = getGroupName(p.Rgid)
}
if p.Tid.IpVers == 0x04 {
ip = PrintIpv4FromInt(p.Tid.Addr4)
} else {
ip = PrintIpv6FromInt(p.Tid.Addr6)
}
fmt.Fprintf(file, "process_ex%s%v%s%s%s%s%s%s%s%s%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, euser,
delimiter, egroup, delimiter, ruser, delimiter, rgroup, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter,
p.Tid.Ttype, delimiter, ip)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -992,6 +1366,8 @@ func (r *Return32) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -1020,6 +1396,8 @@ func (r *Return64) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -1046,9 +1424,8 @@ func (t *Trailer) LoadFromBinary(file *os.File) error {
func (t *Trailer) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "trailer%s%v", delimiter, t.Count)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
}
// The trailer close the record print, whatever the oneLine flag value
fmt.Fprintf(file, "\n")
}
func NewArg32(a Arg32) *Arg32 {
@ -1094,7 +1471,7 @@ func (a *Arg32) LoadFromBinary(file *os.File) error {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
a.Text = arg
a.Text = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
@ -1108,6 +1485,8 @@ func (a *Arg32) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -1154,7 +1533,7 @@ func (a *Arg64) LoadFromBinary(file *os.File) error {
return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err)
}
totLen := int64(len(arg))
a.Text = arg
a.Text = arg[:totLen-1]
startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart)
if err != nil {
@ -1168,6 +1547,8 @@ func (a *Arg64) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text))
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -1196,6 +1577,41 @@ func (e *Exit) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "exit%s%v%s%v", delimiter, e.Status, delimiter, e.Ret)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
func NewText(t Text) *Text {
return &Text{
Length: t.Length,
Text: t.Text,
}
}
func (t *Text) GetType() uint8 {
return AUT_TEXT
}
func (t *Text) LoadFromBinary(file *os.File) error {
err := binary.Read(file, binary.BigEndian, &t.Length)
if err != nil { return fmt.Errorf("Unable to read Text.Length from file: %v", err) }
text := make([]byte, t.Length)
err = binary.Read(file, binary.BigEndian, &text)
if err != nil { return fmt.Errorf("Unable to read Text.Text from file: %v", err) }
t.Text = text[:len(text)-1]
return nil
}
func (t *Text) Print(file *os.File, delimiter string, flags int) {
fmt.Fprintf(file, "text%s%s", delimiter, t.Text)
if 0 == (flags & PRT_ONELINE) {
fmt.Fprintf(file, "\n")
} else {
fmt.Fprintf(file, "%s", delimiter)
}
}
@ -1205,14 +1621,16 @@ func readRecordToStruct(file *os.File) (Record, error) {
hdr := make([]byte, 1)
n, err := file.Read(hdr)
if err != nil || n < 1 {
return rec, fmt.Errorf("Unable to read header ID in file: %v", err)
if err != io.EOF {
return rec, fmt.Errorf("Unable to read header ID in file: %v", err)
}
return rec, err
}
// DEBUG
/* startOf, _ := file.Seek(0, io.SeekCurrent)
fmt.Printf("Offset dans le fichier : %x\n", startOf)
*/
//switch hdr.(int8) {
switch (int8)(hdr[0]) {
case AUT_HEADER32:
var h Header32
@ -1294,6 +1712,11 @@ func readRecordToStruct(file *os.File) (Record, error) {
err := p.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewProcess64Ex(p), nil
case AUT_TEXT:
var t Text
err := t.LoadFromBinary(file)
if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) }
return NewText(t), nil
}
startOf, _ := file.Seek(0, io.SeekCurrent)
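Review bot: The new `--numeric` path converts IDs with `string(a.Uid)` (and the same pattern in every Subject*/Process* Print added here), which in Go yields the UTF-8 encoding of that code point, not its decimal digits — uid 0 becomes a NUL byte, uid 44 becomes "," (the very delimiter main.go passes) and uid 1000 becomes "Ϩ", so numeric output is unparseable and can collide with the field separator. Use `strconv.FormatUint(uint64(a.Uid), 10)` as getUserName already does for its not-found fallback; `go vet` (stringintconv) flags each of these sites. Separately, Text.LoadFromBinary slices `text[:len(text)-1]` without checking that Length is non-zero, so a zero-length AUT_TEXT token in an untrusted trail panics the parser; guard it with `if t.Length == 0 { return fmt.Errorf("empty AUT_TEXT token") }` before the read. Also worth a sentence: the Ex loaders silently read no address when IpVers is neither 0x04 nor 0x10, leaving the stream misaligned rather than returning an error. Several of these Print methods and readRecordToStruct continue outside the hunks.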

27
main.go

@ -16,6 +16,7 @@ import "C"
import "unsafe"
import (
"io"
"os"
"fmt"
// "encoding/hex"
@ -23,7 +24,7 @@ import (
)
const (
version = "0.001"
version = "0.02"
)
var (
@ -103,8 +104,12 @@ func print_tokens(filename string) error {
func main() {
pflag.BoolVarP(&randFlag, "randFlag", "r", false, "A random flag, just to play you.")
var flags int
var oneLine bool
var noUserResolve bool
pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line.")
pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms.")
pflag.BoolVarP(&showVersion, "version", "V", false, "Show version then exit")
pflag.Parse()
@ -114,6 +119,14 @@ func main() {
return
}
if oneLine {
flags = flags + PRT_ONELINE
}
if noUserResolve {
flags = flags + PRT_NORESOLVE_USER
}
args := os.Args
filename := args[len(args)-1]
@ -139,11 +152,13 @@ func main() {
//for i := 0 ; i < 20 ; i++ {
for {
rec, err := readRecordToStruct(f)
if err != nil {
fmt.Printf("Erreur : %v\n", err)
if err != nil {
if err != io.EOF {
fmt.Printf("Erreur : %v\n", err)
}
return
}
rec.Print(os.Stdout, ",", 0)
rec.Print(os.Stdout, ",", flags)
}
}
}
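Review bot: In the read loop's error branch, a parse failure on a truncated or malformed trail is reported with `fmt.Printf` and then `return`s from main, so the message lands on stdout between the "," delimited records a consumer is parsing and the process still exits 0, making a bad trail indistinguishable from a complete one. A tool used for audit review should report on stderr and fail: `fmt.Fprintf(os.Stderr, "Erreur : %v\n", err)` followed by `os.Exit(1)` inside the `err != io.EOF` branch. Also, `flags = flags + PRT_ONELINE` in the earlier hunk only works because each bit is set once; `flags |= PRT_ONELINE` states the bitmask intent that `flags & PRT_ONELINE` in the Print methods relies on. main begins outside this hunk.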