yo/libbsm
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: yo:v0.5.9c
Branches Tags
yo:master
yo:v0.6.3
yo:v0.6.2
yo:v0.6.1
yo:v0.6
yo:v0.5.9c
yo:v.0.5
yo:v.0.4
yo:v.0.3
yo:v.0.2
...
compare: yo:master
Branches Tags
yo:master
yo:v0.6.3
yo:v0.6.2
yo:v0.6.1
yo:v0.6
yo:v0.5.9c
yo:v.0.5
yo:v.0.4
yo:v.0.3
yo:v.0.2

9 Commits
v0.5.9c ... master

Author SHA1 Message Date
yo
10201023f0 v0.6.3: BUGFIX: Append to current.godit so we do not block when file already exist 2023-12-22 09:42:42 +01:00
yo
3e4cdd6f35 Update readme 2023-12-18 14:00:28 +01:00
yo
f4314a8940 go version bump to 1.18 2023-12-18 13:13:51 +01:00
yo
30ea998620 v0.6.2 : Write to output file, SIGUSR1 will reopen output file so we can newsyslog 2023-12-18 11:55:23 +01:00
yo
e028ca7ee2 Write output to *bufio.Writer 2023-12-18 11:53:12 +01:00
yo
a1892cbe37 Bugfix when no input file specified 2023-09-11 16:14:33 +02:00
yo
9b849fad3a v0.6 2023-09-11 16:09:21 +02:00
yo
e9c7c7b744 Revert "v0.6" 
This reverts commit 74ad307bd1b6587e8b0e93e0c4919b25ae63bcb3.
 2023-09-11 16:08:20 +02:00
yo
74ad307bd1 v0.6 2023-09-11 16:05:39 +02:00
4 changed files with 105 additions and 33 deletions
Show Stats Expand all files Collapse all files

2
README.md
View File

@ -8,3 +8,5 @@ See http://www.trustedbsd.org/openbsm.html
Include a binary "godit" which print audit logs in text or json format
Godit can read log files, /dev/auditpipe, or stdin with "-"
godit can be run as a service with included rc file. It needs audit to be configured to output to /dev/auditpipe.

2
go.mod
View File

@ -1,5 +1,5 @@
module godit
go 1.17
go 1.18
require github.com/spf13/pflag v1.0.5

54
libbsm.go
View File

@ -156,7 +156,7 @@ type Record interface {
GetType() uint8
// Length()
LoadFromBinary(rdr *bufio.Reader) error
Print(*os.File, string, int)
Print(*bufio.Writer, string, int)
}
type Header32 struct {
@ -605,7 +605,7 @@ func (h *Header32) LoadFromBinary(rdr *bufio.Reader) error {
static void
print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
*/
func (h *Header32) Print(file *os.File, delimiter string, flags int) {
func (h *Header32) Print(file *bufio.Writer, delimiter string, flags int) {
var timeval string
if PRT_TIMESYSLOG23 == flags&PRT_TIMESYSLOG23 {
timeval = time.Unix((int64)(h.S), 0).Add(time.Millisecond * (time.Duration)(h.Msec)).Format("2006-01-02T15:04:05.000Z07:00")
@ -704,7 +704,7 @@ func (e *ExecArg) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (e *ExecArg) Print(file *os.File, delimiter string, flags int) {
func (e *ExecArg) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
// We don't need no count, bc we reconstiture command line
printable := struct {
@ -770,7 +770,7 @@ func (p *Path) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (p *Path) Print(file *os.File, delimiter string, flags int) {
func (p *Path) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
// We don't need no length
printable := struct {
@ -847,7 +847,7 @@ func (a *Attribute32) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (a *Attribute32) Print(file *os.File, delimiter string, flags int) {
func (a *Attribute32) Print(file *bufio.Writer, delimiter string, flags int) {
var user string
var group string
@ -952,7 +952,7 @@ func (a *Attribute64) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (a *Attribute64) Print(file *os.File, delimiter string, flags int) {
func (a *Attribute64) Print(file *bufio.Writer, delimiter string, flags int) {
var user string
var group string
// TODO : resolve Uid and Gid (also support domain accounts)
@ -1082,7 +1082,7 @@ func (s *Subject32) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *Subject32) Print(file *os.File, delimiter string, flags int) {
func (s *Subject32) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -1225,7 +1225,7 @@ func (p *Process32) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (p *Process32) Print(file *os.File, delimiter string, flags int) {
func (p *Process32) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -1386,7 +1386,7 @@ func (s *Subject32Ex) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) {
func (s *Subject32Ex) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -1558,7 +1558,7 @@ func (p *Process32Ex) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) {
func (p *Process32Ex) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -1714,7 +1714,7 @@ func (s *Subject64) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *Subject64) Print(file *os.File, delimiter string, flags int) {
func (s *Subject64) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -1857,7 +1857,7 @@ func (p *Process64) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (p *Process64) Print(file *os.File, delimiter string, flags int) {
func (p *Process64) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -2017,7 +2017,7 @@ func (s *Subject64Ex) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) {
func (s *Subject64Ex) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -2189,7 +2189,7 @@ func (p *Process64Ex) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) {
func (p *Process64Ex) Print(file *bufio.Writer, delimiter string, flags int) {
var auser string
var euser string
var egroup string
@ -2308,7 +2308,7 @@ func (r *Return32) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (r *Return32) Print(file *os.File, delimiter string, flags int) {
func (r *Return32) Print(file *bufio.Writer, delimiter string, flags int) {
var errMsg string
errNo, err := lookupErrno(r.Status)
if err == nil {
@ -2369,7 +2369,7 @@ func (r *Return64) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (r *Return64) Print(file *os.File, delimiter string, flags int) {
func (r *Return64) Print(file *bufio.Writer, delimiter string, flags int) {
var errMsg string
errNo, err := lookupErrno(r.Status)
if err == nil {
@ -2430,7 +2430,7 @@ func (t *Trailer) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (t *Trailer) Print(file *os.File, delimiter string, flags int) {
func (t *Trailer) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Count uint32 `json:"length"` // Effective user ID
@ -2493,7 +2493,7 @@ func (a *Arg32) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (a *Arg32) Print(file *os.File, delimiter string, flags int) {
func (a *Arg32) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Count uint32 `json:"count"` // Effective user ID
@ -2563,7 +2563,7 @@ func (a *Arg64) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (a *Arg64) Print(file *os.File, delimiter string, flags int) {
func (a *Arg64) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Count uint32 `json:"count"` // Effective user ID
@ -2667,7 +2667,7 @@ func (s *SocketEx) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *SocketEx) Print(file *os.File, delimiter string, flags int) {
func (s *SocketEx) Print(file *bufio.Writer, delimiter string, flags int) {
var lip string
var rip string
if s.AddrType == ISIPV4 {
@ -2732,7 +2732,7 @@ func (s *SockInet32) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *SockInet32) Print(file *os.File, delimiter string, flags int) {
func (s *SockInet32) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Family uint16 `json:"family"`
@ -2794,7 +2794,7 @@ func (s *SockInet128) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *SockInet128) Print(file *os.File, delimiter string, flags int) {
func (s *SockInet128) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Family uint16 `json:"family"`
@ -2852,7 +2852,7 @@ func (s *SockUnix) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (s *SockUnix) Print(file *os.File, delimiter string, flags int) {
func (s *SockUnix) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Family uint16 `json:"family"`
@ -2905,7 +2905,7 @@ func (e *Exit) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (e *Exit) Print(file *os.File, delimiter string, flags int) {
func (e *Exit) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
j, err := json.Marshal(e)
if err != nil {
@ -2953,7 +2953,7 @@ func (t *Text) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (t *Text) Print(file *os.File, delimiter string, flags int) {
func (t *Text) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
j, err := json.Marshal(t)
if err != nil {
@ -3001,7 +3001,7 @@ func (z *ZoneName) LoadFromBinary(rdr *bufio.Reader) error {
return nil
}
func (z *ZoneName) Print(file *os.File, delimiter string, flags int) {
func (z *ZoneName) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
printable := struct {
Name string `json:"name"`
@ -3103,7 +3103,7 @@ func (c *Capabilities) MarshalJSON() ([]byte, error) {
return json.Marshal(cJSON)
}
func (r *Rights) Print(file *os.File, delimiter string, flags int) {
func (r *Rights) Print(file *bufio.Writer, delimiter string, flags int) {
if flags&PRT_JSON == PRT_JSON {
// Do not print Rights.Length, only capabilities array
j, err := json.Marshal(r.Rights)

80
main.go
View File

@ -27,13 +27,16 @@ import (
"io"
"os"
"fmt"
"sync"
"bufio"
"strings"
"syscall"
"os/signal"
"github.com/spf13/pflag"
)
const (
version = "0.5.9c"
version = "0.6.3"
)
var (
@ -42,19 +45,43 @@ var (
// Default delimiter
delimiter = ","
Writer *bufio.Writer
)
func NewWriter(file string) (*bufio.Writer, *os.File, error) {
if len(file) > 0 {
var f *os.File
var err error
f, err = os.OpenFile(file, os.O_CREATE|os.O_RDWR|os.O_APPEND, 0640)
if err != nil {
return nil, nil, err
}
Writer = bufio.NewWriter(f)
return Writer, f, nil
} else {
Writer = bufio.NewWriter(os.Stdout)
return Writer, nil, nil
}
}
func main() {
var flags int
var oneLine bool
var noUserResolve bool
var syslog23 bool
var json bool
var outputFile string
// Output file mutex
var outfMtx sync.Mutex
var outFile *os.File
pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line")
pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms")
pflag.BoolVarP(&json, "json", "j", false, "Print compact json")
pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output")
pflag.StringVarP(&outputFile, "out", "o", "", "Output to file, overwrite existing. File will be re-opened receiving SIGUSR1.")
pflag.BoolVarP(&showVersion, "version", "V", false, "Show version and exit")
var Usage = func() {
@ -84,11 +111,41 @@ func main() {
}
args := os.Args
if len(os.Args) < 2 {
pflag.Usage()
os.Exit(1)
}
filename := args[len(args)-1]
// Get a writer, file or stdout
_, outFile, err := NewWriter(outputFile)
if err != nil {
fmt.Fprintf(os.Stderr, "%v\n", err)
os.Exit(1)
}
if len(outputFile) > 0 {
// Manage output file rotation when receiving SIGUSR1
sig := make(chan os.Signal)
signal.Notify(sig, syscall.SIGUSR1)
go func() {
for {
<-sig
outfMtx.Lock()
fmt.Println("SIGUSR1 received, recreating output file")
outFile.Close()
_, outFile, err = NewWriter(outputFile)
if err != nil {
outfMtx.Unlock()
fmt.Fprintf(os.Stderr, "%v\n", err)
os.Exit(1)
}
outfMtx.Unlock()
}
}()
}
var f *os.File
var r *bufio.Reader
var err error
if len(filename) > 0 {
// If arg is "-", open stdin to read content
if true == strings.EqualFold(filename, "-") {
@ -96,13 +153,12 @@ func main() {
} else {
f, err = os.Open(filename)
if err != nil {
fmt.Printf("Impossible d'ouvrir le fichier %s\n", filename)
fmt.Fprintf(os.Stderr, "Impossible d'ouvrir le fichier %s\n", filename)
os.Exit(-1)
}
r = bufio.NewReader(f)
}
//for i := 0 ; i < 20 ; i++ {
for {
rec, err := readRecordToStruct(r)
if err != nil {
@ -112,7 +168,21 @@ func main() {
return
}
}
rec.Print(os.Stdout, ",", flags)
if len(outputFile) > 0 {
outfMtx.Lock()
rec.Print(Writer, ",", flags)
Writer.Flush() // Performance ?
outfMtx.Unlock()
} else {
// No need for mutex with stdout
rec.Print(Writer, ",", flags)
}
}
}
if len(outputFile) > 0 && outFile != nil {
outfMtx.Lock()
outFile.Close()
outfMtx.Unlock()
}
}