// This is an implementation of libbsm // Copyright johan@nosd.in 2021 // package main import ( "io" "os" "fmt" // "net" "time" "bytes" "encoding/binary" ) const ( // bsm/libbsm.h AUDIT_MAX_ARGS = 128 // sys/bsm/audit.h MAXAUDITDATA = (0x8000 - 1) MAX_AUDIT_RECORD_SIZE = MAXAUDITDATA // Max length for a Path (AUT_PATH) or an arg (AUT_EXEC_ARGS) MAX_AUDIT_ARG_LENGTH = 1024 /* * Token type identifiers. From https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/sys/bsm/audit_record.h */ AUT_INVALID = 0x00 AUT_OTHER_FILE32 = 0x11 AUT_OHEADER = 0x12 AUT_TRAILER = 0x13 AUT_HEADER32 = 0x14 AUT_HEADER32_EX = 0x15 AUT_DATA = 0x21 AUT_IPC = 0x22 AUT_PATH = 0x23 AUT_SUBJECT32 = 0x24 AUT_XATPATH = 0x25 AUT_PROCESS32 = 0x26 AUT_RETURN32 = 0x27 AUT_TEXT = 0x28 AUT_OPAQUE = 0x29 AUT_IN_ADDR = 0x2a AUT_IP = 0x2b AUT_IPORT = 0x2c AUT_ARG32 = 0x2d AUT_SOCKET = 0x2e AUT_SEQ = 0x2f AUT_ACL = 0x30 AUT_ATTR = 0x31 AUT_IPC_PERM = 0x32 AUT_LABEL = 0x33 AUT_GROUPS = 0x34 AUT_ACE = 0x35 AUT_PRIV = 0x38 AUT_UPRIV = 0x39 AUT_LIAISON = 0x3a AUT_NEWGROUPS = 0x3b AUT_EXEC_ARGS = 0x3c AUT_EXEC_ENV = 0x3d AUT_ATTR32 = 0x3e AUT_UNAUTH = 0x3f AUT_XATOM = 0x40 AUT_XOBJ = 0x41 AUT_XPROTO = 0x42 AUT_XSELECT = 0x43 AUT_XCOLORMAP = 0x44 AUT_XCURSOR = 0x45 AUT_XFONT = 0x46 AUT_XGC = 0x47 AUT_XPIXMAP = 0x48 AUT_XPROPERTY = 0x49 AUT_XWINDOW = 0x4a AUT_XCLIENT = 0x4b AUT_CMD = 0x51 AUT_EXIT = 0x52 AUT_ZONENAME = 0x60 AUT_HOST = 0x70 AUT_ARG64 = 0x71 AUT_RETURN64 = 0x72 AUT_ATTR64 = 0x73 AUT_HEADER64 = 0x74 AUT_SUBJECT64 = 0x75 AUT_PROCESS64 = 0x77 AUT_OTHER_FILE64 = 0x78 AUT_HEADER64_EX = 0x79 AUT_SUBJECT32_EX = 0x7a AUT_PROCESS32_EX = 0x7b AUT_SUBJECT64_EX = 0x7c AUT_PROCESS64_EX = 0x7d AUT_IN_ADDR_EX = 0x7e AUT_SOCKET_EX = 0x7f // Display control PRT_ONELINE = 1 ) // Fields types, from https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/bsm/libbsm.h // Abstraction of a record type Record interface { GetType() uint8 // Length() LoadFromBinary(file *os.File) error Print(*os.File, string, int) } type Header32 struct { Size uint32 // Record byte count Version uint8 // version # (uchar) E_type uint16 // Event type E_mod uint16 // Event modifier S uint32 // Seconds of time Msec uint32 // Milliseconds of time } type Header32Ex struct { Size uint32 // Record byte count Version uint8 // version # (uchar) E_type uint16 // Event type E_mod uint16 // Event modifier Ad_type uint32 // Address type/Length Addr [4]uint32 // Ipv4 or IPv6 S uint32 // Seconds of time Msec uint32 // Milliseconds of time } type Trailer struct { Magic uint16 Count uint32 } type Arg32 struct { No byte // Argument # Val uint32 // Argument value Length uint16 // Text length Text []byte // Text } type Arg64 struct { No byte // Argument # Val uint64 // Argument value Length uint16 // Text length Text []byte // Text } type Attribute32 struct { Mode uint32 // file access mode Uid uint32 // Owner user ID Gid uint32 // Owner group ID Fsid uint32 // File system ID Nid uint64 // Node ID Dev uint32 // Device } type Attribute64 struct { Mode uint32 // file access mode Uid uint32 // Owner user ID Gid uint32 // Owner group ID Fsid uint32 // File system ID Nid uint64 // Node ID Dev uint64 // Device } /* * count 4 bytes * text count null-terminated string(s) */ type ExecArg struct { Count uint32 //Text [AUDIT_MAX_ARGS][]byte Text [][]byte } type Path struct { Length uint16 // path length Path []byte } type Return32 struct { Status byte // Error status Ret uint32 // Return code } type Return64 struct { Status byte // Error status Ret uint64 // Return code } type Subject32 struct { Auid uint32 // Audit ID Euid uint32 // Effective user ID Egid uint32 // Effective Group ID Ruid uint32 // Real User ID Rgid uint32 // Real Group ID Pid uint32 // Process ID Sid uint32 // Session ID Tid Tid32 } type Process32 Subject32 type Subject32Ex struct { Auid uint32 // Audit ID Euid uint32 // Effective user ID Egid uint32 // Effective Group ID Ruid uint32 // Real User ID Rgid uint32 // Real Group ID Pid uint32 // Process ID Sid uint32 // Session ID Tid Tid32Ex } type Process32Ex Subject32Ex type Tid32 struct { Port uint32 IpVers uint32 // 0x10 = IPv6 Addr uint32 } type Tid32Ex struct { Port uint32 Ttype uint32 IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 Addr4 uint32 // 4 bytes long if IpVers == 0x04 Addr6 [4]uint32 // 4x4 bytes long if IpVers == 0x10 } type Subject64 struct { Auid uint32 // Audit ID Euid uint32 // Effective user ID Egid uint32 // Effective Group ID Ruid uint32 // Real User ID Rgid uint32 // Real Group ID Pid uint32 // Process ID Sid uint32 // Session ID Tid Tid64 } type Process64 Subject64 type Subject64Ex struct { Auid uint32 // Audit ID Euid uint32 // Effective user ID Egid uint32 // Effective Group ID Ruid uint32 // Real User ID Rgid uint32 // Real Group ID Pid uint32 // Process ID Sid uint32 // Session ID Tid Tid64Ex } type Process64Ex Subject64Ex type Tid64 struct { Port uint64 IpVers uint32 Addr uint32 } type Tid64Ex struct { Port uint64 Ttype uint32 IpVers uint32 // 0x10 = IPv6, 0x04 = IPv4 Addr4 uint32 Addr6 [4]uint32 } type Exit struct { Status uint32 Ret uint32 } /* Utilities */ func PrintIpv6FromInt(ipv6int [4]uint32) string { //return fmt.Sprintf("%04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x", return fmt.Sprintf("%x:%x:%x:%x:%x:%x:%x:%x", ipv6int[0] & 0xFFFF0000 >> 16, ipv6int[0] & 0x0000FFFF, ipv6int[1] & 0xFFFF0000 >> 16, ipv6int[1] & 0x0000FFFF, ipv6int[2] & 0xFFFF0000 >> 16, ipv6int[2] & 0x0000FFFF, ipv6int[3] & 0xFFFF0000 >> 16, ipv6int[3] & 0x0000FFFF) } /* Records structs implementation */ func NewHeader32(h Header32) *Header32 { return &Header32{ Size: h.Size, Version: h.Version, E_type: h.E_type, E_mod: h.E_mod, S: h.S, Msec: h.Msec, } } func (h *Header32) GetType() uint8 { return AUT_HEADER32 } // TODO : Take *io.Reader as arg? func (h *Header32) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &h.Size) if err != nil { return fmt.Errorf("Unable to read Header32.Size from file: %v", err) } /* Check for recsize sanity: We already read 32 bits + 8 bits */ if h.Size < (4 + 1) { return fmt.Errorf("Record size is corrupted: %d", h.Size) } err = binary.Read(file, binary.BigEndian, &h.Version) if err != nil { return fmt.Errorf("Unable to read Header32.Version from file: %v", err) } err = binary.Read(file, binary.BigEndian, &h.E_type) if err != nil { return fmt.Errorf("Unable to read Header32.E_type from file: %v", err) } err = binary.Read(file, binary.BigEndian, &h.E_mod) if err != nil { return fmt.Errorf("Unable to read Header32.E_mod from file: %v", err) } err = binary.Read(file, binary.BigEndian, &h.S) if err != nil { return fmt.Errorf("Unable to read Header32.S from file: %v", err) } err = binary.Read(file, binary.BigEndian, &h.Msec) if err != nil { return fmt.Errorf("Unable to read Header32.Msec from file: %v", err) } return nil } /* Implementation of static void print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) */ func (h *Header32) Print(file *os.File, delimiter string, flags int) { t := time.Unix((int64)(h.S), 0) fmt.Fprintf(file, "header%s%v%s%v%s%v%s%v%s%v%s%v", delimiter, h.Size, delimiter, h.Version, delimiter, h.E_type, delimiter, h.E_mod, delimiter, t.Format(time.UnixDate), delimiter, h.Msec) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewExecArg(e ExecArg) *ExecArg { return &ExecArg{ Count: e.Count, Text: e.Text, } } func (e *ExecArg) GetType() uint8 { return AUT_EXEC_ARGS } func (e *ExecArg) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &e.Count) if err != nil { return fmt.Errorf("Unable to read ExecArg.Count from file: %v", err) } // Get current offset in file startOf, err := file.Seek(0, io.SeekCurrent) if err != nil { return fmt.Errorf("Unable to seek to current position: %v", err) } // TODO : Reinject these alreday read bytes into working flow, to avoir rereading them chunk := make([]byte, e.Count*MAX_AUDIT_ARG_LENGTH + e.Count) _, err = file.Read(chunk) if err != nil { return fmt.Errorf("Unable to read %d * MAX_AUDIT_ARG_LENGTH from current position: %v", err) } // Search for null terminating byte, Count times totLen := int64(0) buf := bytes.NewBuffer(chunk) for i := uint32(0) ; i < e.Count ; i++ { // TODO : Needs a bufio.Reader // Get this arg length arg, err := buf.ReadBytes((byte)(0x00)) if err != nil { return fmt.Errorf("Error searching for null terminated exec arg: Loop exec n%d, offset of record start: %x, error : %v", i, startOf, err) } // Allocate before reading //e.Text[i] = make([]byte, len(buf)) totLen += int64(len(arg)) e.Text = append(e.Text, arg) } startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) if err != nil { return fmt.Errorf("Error seeking offset %x from file", startOf) } return nil } func (e *ExecArg) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "exec arg%s", delimiter) for i := uint32(0) ; i < e.Count ; i++ { if i < e.Count - 1 { fmt.Fprintf(file, "%s%s", string(e.Text[i]), delimiter) } else { fmt.Fprintf(file, "%s", string(e.Text[i])) } } if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewPath(p Path) *Path { return &Path{ Length: p.Length, Path: p.Path, } } func (p *Path) GetType() uint8 { return AUT_PATH } func (p *Path) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &p.Length) if err != nil { return fmt.Errorf("Unable to read Path.Length from file: %v", err) } // Get current offset in file startOf, err := file.Seek(0, io.SeekCurrent) if err != nil { return fmt.Errorf("Unable to seek to current position: %v", err) } // TODO : Reinject these already read bytes into working flow, to avoir rereading them chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) _, err = file.Read(chunk) if err != nil { return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) } // Search for null terminating byte buf := bytes.NewBuffer(chunk) // TODO : Needs a bufio.Reader // Get this arg length arg, err := buf.ReadBytes((byte)(0x00)) if err != nil { return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) } totLen := int64(len(arg)) p.Path = arg startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) if err != nil { return fmt.Errorf("Error seeking offset %x from file", startOf) } return nil } func (p *Path) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "path%s%s", delimiter, string(p.Path)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewAttribute32(a Attribute32) *Attribute32 { return &Attribute32{ Mode: a.Mode, Uid: a.Uid, Gid: a.Gid, Fsid: a.Fsid, Nid: a.Nid, Dev: a.Dev, } } func (a* Attribute32) GetType() uint8 { return AUT_ATTR32 } func (a *Attribute32) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &a.Mode) if err != nil { return fmt.Errorf("Unable to read Attribute32.Mode from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Uid) if err != nil { return fmt.Errorf("Unable to read Attribute32.Uid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Gid) if err != nil { return fmt.Errorf("Unable to read Attribute32.Gid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Fsid) if err != nil { return fmt.Errorf("Unable to read Attribute32.Fsid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Nid) if err != nil { return fmt.Errorf("Unable to read Attribute32.Nid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Dev) if err != nil { return fmt.Errorf("Unable to read Attribute32.Dev from file: %v", err) } return nil } func (a *Attribute32) Print(file *os.File, delimiter string, flags int) { // TODO : resolve Uid and Gid (also support domain accounts) fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, a.Uid, delimiter, a.Gid, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewAttribute64(a Attribute64) *Attribute64 { return &Attribute64{ Mode: a.Mode, Uid: a.Uid, Gid: a.Gid, Fsid: a.Fsid, Nid: a.Nid, Dev: a.Dev, } } func (a* Attribute64) GetType() uint8 { return AUT_ATTR64 } func (a *Attribute64) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &a.Mode) if err != nil { return fmt.Errorf("Unable to read Attribute64.Mode from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Uid) if err != nil { return fmt.Errorf("Unable to read Attribute64.Uid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Gid) if err != nil { return fmt.Errorf("Unable to read Attribute64.Gid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Fsid) if err != nil { return fmt.Errorf("Unable to read Attribute64.Fsid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Nid) if err != nil { return fmt.Errorf("Unable to read Attribute64.Nid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Dev) if err != nil { return fmt.Errorf("Unable to read Attribute64.Dev from file: %v", err) } return nil } func (a *Attribute64) Print(file *os.File, delimiter string, flags int) { // TODO : resolve Uid and Gid (also support domain accounts) fmt.Fprintf(file, "attribute%s%o%s%v%s%v%s%v%s%v%s%v", delimiter, a.Mode, delimiter, a.Uid, delimiter, a.Gid, delimiter, a.Fsid, delimiter, a.Nid, delimiter, a.Dev) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewSubject32(s Subject32) *Subject32 { return &Subject32{ Auid: s.Auid, Euid: s.Euid, Egid: s.Egid, Ruid: s.Ruid, Rgid: s.Rgid, Pid: s.Pid, Sid: s.Sid, Tid: s.Tid, } } func (s *Subject32) GetType() uint8 { return AUT_SUBJECT32 } func (s *Subject32) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &s.Auid) if err != nil { return fmt.Errorf("Unable to read Sibject32.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Euid) if err != nil { return fmt.Errorf("Unable to read Subject32.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Egid) if err != nil { return fmt.Errorf("Unable to read Subject32.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Ruid) if err != nil { return fmt.Errorf("Unable to read Subject32.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Rgid) if err != nil { return fmt.Errorf("Unable to read Subject32.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Sid) if err != nil { return fmt.Errorf("Unable to read Subject32.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid) if err != nil { return fmt.Errorf("Unable to read Subject32.Tid from file: %v", err) } return nil } func PrintIpv4FromInt(ipv4int uint32) string { return fmt.Sprintf("%d.%d.%d.%d", ipv4int & 0xFF000000 >> 24, ipv4int & 0x00FF0000 >> 16, ipv4int & 0x0000FF00 >> 8, ipv4int & 0x000000FF) } func (s *Subject32) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "subject%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, delimiter, PrintIpv4FromInt(s.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewProcess32(s Process32) *Process32 { return &Process32{ Auid: s.Auid, Euid: s.Euid, Egid: s.Egid, Ruid: s.Ruid, Rgid: s.Rgid, Pid: s.Pid, Sid: s.Sid, Tid: s.Tid, } } func (p *Process32) GetType() uint8 { return AUT_PROCESS32 } func (p *Process32) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &p.Auid) if err != nil { return fmt.Errorf("Unable to read Process32.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Euid) if err != nil { return fmt.Errorf("Unable to read Process32.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Egid) if err != nil { return fmt.Errorf("Unable to read Process32.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Ruid) if err != nil { return fmt.Errorf("Unable to read Process32.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Rgid) if err != nil { return fmt.Errorf("Unable to read Process32.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Sid) if err != nil { return fmt.Errorf("Unable to read Process32.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid) if err != nil { return fmt.Errorf("Unable to read Process32.Tid from file: %v", err) } return nil } func (p *Process32) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "process%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, delimiter, PrintIpv4FromInt(p.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewSubject32Ex(s Subject32Ex) *Subject32Ex { return &Subject32Ex{ Auid: s.Auid, Euid: s.Euid, Egid: s.Egid, Ruid: s.Ruid, Rgid: s.Rgid, Pid: s.Pid, Sid: s.Sid, Tid: s.Tid, } } func (s *Subject32Ex) GetType() uint8 { return AUT_SUBJECT32_EX } func (s *Subject32Ex) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &s.Auid) if err != nil { return fmt.Errorf("Unable to read Sibject32Ex.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Euid) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Egid) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Ruid) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Rgid) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Sid) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid.Port) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Port from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Ttype from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.IpVers from file: %v", err) } if s.Tid.IpVers == 0x10 { err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr6 from file: %v", err) } } else if s.Tid.IpVers == 0x04 { err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4) if err != nil { return fmt.Errorf("Unable to read Subject32Ex.Tid.Addr4 from file: %v", err) } } return nil } func (s *Subject32Ex) Print(file *os.File, delimiter string, flags int) { if s.Tid.IpVers == 0x04 { fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.Ttype, delimiter, PrintIpv4FromInt(s.Tid.Addr4)) } else { fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.Ttype, delimiter, PrintIpv6FromInt(s.Tid.Addr6)) } if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewProcess32Ex(p Process32Ex) *Process32Ex { return &Process32Ex{ Auid: p.Auid, Euid: p.Euid, Egid: p.Egid, Ruid: p.Ruid, Rgid: p.Rgid, Pid: p.Pid, Sid: p.Sid, Tid: p.Tid, } } func (s *Process32Ex) GetType() uint8 { return AUT_PROCESS32_EX } func (p *Process32Ex) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &p.Auid) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Euid) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Egid) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Ruid) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Rgid) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Sid) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid.Port) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Port from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Ttype from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.IpVers from file: %v", err) } if p.Tid.IpVers == 0x10 { err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr6 from file: %v", err) } } else if p.Tid.IpVers == 0x04 { err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4) if err != nil { return fmt.Errorf("Unable to read Process32Ex.Tid.Addr4 from file: %v", err) } } return nil } func (p *Process32Ex) Print(file *os.File, delimiter string, flags int) { if p.Tid.IpVers == 0x04 { fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.Ttype, delimiter, PrintIpv4FromInt(p.Tid.Addr4)) } else { fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.Ttype, delimiter, PrintIpv6FromInt(p.Tid.Addr6)) } if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewSubject64(s Subject64) *Subject64 { return &Subject64{ Auid: s.Auid, Euid: s.Euid, Egid: s.Egid, Ruid: s.Ruid, Rgid: s.Rgid, Pid: s.Pid, Sid: s.Sid, Tid: s.Tid, } } func (s *Subject64) GetType() uint8 { return AUT_SUBJECT64 } func (s *Subject64) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &s.Auid) if err != nil { return fmt.Errorf("Unable to read Sibject64.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Euid) if err != nil { return fmt.Errorf("Unable to read Subject64.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Egid) if err != nil { return fmt.Errorf("Unable to read Subject64.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Ruid) if err != nil { return fmt.Errorf("Unable to read Subject64.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Rgid) if err != nil { return fmt.Errorf("Unable to read Subject64.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Sid) if err != nil { return fmt.Errorf("Unable to read Subject64.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid) if err != nil { return fmt.Errorf("Unable to read Subject64.Tid from file: %v", err) } return nil } func (s *Subject64) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "subject%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.IpVers, delimiter, PrintIpv4FromInt(s.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewProcess64(p Process64) *Process64 { return &Process64{ Auid: p.Auid, Euid: p.Euid, Egid: p.Egid, Ruid: p.Ruid, Rgid: p.Rgid, Pid: p.Pid, Sid: p.Sid, Tid: p.Tid, } } func (s *Process64) GetType() uint8 { return AUT_PROCESS64 } func (p *Process64) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &p.Auid) if err != nil { return fmt.Errorf("Unable to read Process64.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Euid) if err != nil { return fmt.Errorf("Unable to read Process64.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Egid) if err != nil { return fmt.Errorf("Unable to read Process64.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Ruid) if err != nil { return fmt.Errorf("Unable to read Process64.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Rgid) if err != nil { return fmt.Errorf("Unable to read Process64.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Sid) if err != nil { return fmt.Errorf("Unable to read Process64.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid) if err != nil { return fmt.Errorf("Unable to read Process64.Tid from file: %v", err) } return nil } func (p *Process64) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "process%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.IpVers, delimiter, PrintIpv4FromInt(p.Tid.Addr)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewSubject64Ex(s Subject64Ex) *Subject64Ex { return &Subject64Ex{ Auid: s.Auid, Euid: s.Euid, Egid: s.Egid, Ruid: s.Ruid, Rgid: s.Rgid, Pid: s.Pid, Sid: s.Sid, Tid: s.Tid, } } func (s *Subject64Ex) GetType() uint8 { return AUT_SUBJECT64_EX } func (s *Subject64Ex) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &s.Auid) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Euid) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Egid) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Ruid) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Rgid) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Sid) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid.Port) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Port from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid.Ttype) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Ttype from file: %v", err) } err = binary.Read(file, binary.BigEndian, &s.Tid.IpVers) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.IpVers from file: %v", err) } if s.Tid.IpVers == 0x10 { err = binary.Read(file, binary.BigEndian, &s.Tid.Addr6) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr6 from file: %v", err) } } else if s.Tid.IpVers == 0x04 { err = binary.Read(file, binary.BigEndian, &s.Tid.Addr4) if err != nil { return fmt.Errorf("Unable to read Subject64Ex.Tid.Addr4 from file: %v", err) } } return nil } func (s *Subject64Ex) Print(file *os.File, delimiter string, flags int) { if s.Tid.IpVers == 0x04 { fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.Ttype, delimiter, PrintIpv4FromInt(s.Tid.Addr4)) } else { fmt.Fprintf(file, "subject_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, s.Auid, delimiter, s.Euid, delimiter, s.Egid, delimiter, s.Ruid, delimiter, s.Rgid, delimiter, s.Sid, delimiter, s.Tid.Port, delimiter, s.Tid.Ttype, delimiter, PrintIpv6FromInt(s.Tid.Addr6)) } if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewProcess64Ex(p Process64Ex) *Process64Ex { return &Process64Ex{ Auid: p.Auid, Euid: p.Euid, Egid: p.Egid, Ruid: p.Ruid, Rgid: p.Rgid, Pid: p.Pid, Sid: p.Sid, Tid: p.Tid, } } func (p *Process64Ex) GetType() uint8 { return AUT_SUBJECT64_EX } func (p *Process64Ex) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &p.Auid) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Auid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Euid) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Euid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Egid) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Egid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Ruid) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Ruid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Rgid) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Rgid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Sid) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Sid from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid.Port) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Port from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid.Ttype) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Ttype from file: %v", err) } err = binary.Read(file, binary.BigEndian, &p.Tid.IpVers) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.IpVers from file: %v", err) } if p.Tid.IpVers == 0x10 { err = binary.Read(file, binary.BigEndian, &p.Tid.Addr6) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr6 from file: %v", err) } } else if p.Tid.IpVers == 0x04 { err = binary.Read(file, binary.BigEndian, &p.Tid.Addr4) if err != nil { return fmt.Errorf("Unable to read Process64Ex.Tid.Addr4 from file: %v", err) } } return nil } func (p *Process64Ex) Print(file *os.File, delimiter string, flags int) { if p.Tid.IpVers == 0x04 { fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.Ttype, delimiter, PrintIpv4FromInt(p.Tid.Addr4)) } else { fmt.Fprintf(file, "process_ex%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%v%s%s", delimiter, p.Auid, delimiter, p.Euid, delimiter, p.Egid, delimiter, p.Ruid, delimiter, p.Rgid, delimiter, p.Sid, delimiter, p.Tid.Port, delimiter, p.Tid.Ttype, delimiter, PrintIpv6FromInt(p.Tid.Addr6)) } if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewReturn32(r Return32) *Return32 { return &Return32{ Status: r.Status, Ret: r.Ret, } } func (r *Return32) GetType() uint8 { return AUT_RETURN32 } func (r *Return32) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &r.Status) if err != nil { return fmt.Errorf("Unable to read Return32.Status from file: %v", err) } err = binary.Read(file, binary.BigEndian, &r.Ret) if err != nil { return fmt.Errorf("Unable to read Return32.Ret from file: %v", err) } return nil } func (r *Return32) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewReturn64(r Return64) *Return64 { return &Return64{ Status: r.Status, Ret: r.Ret, } } func (r *Return64) GetType() uint8 { return AUT_RETURN64 } func (r *Return64) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &r.Status) if err != nil { return fmt.Errorf("Unable to read Return64.Status from file: %v", err) } err = binary.Read(file, binary.BigEndian, &r.Ret) if err != nil { return fmt.Errorf("Unable to read Return64.Ret from file: %v", err) } return nil } func (r *Return64) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "return%s%v%s%v", delimiter, r.Status, delimiter, r.Ret) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewTrailer(t Trailer) *Trailer { return &Trailer{ Magic: t.Magic, Count: t.Count, } } func (t *Trailer) GetType() uint8 { return AUT_TRAILER } func (t *Trailer) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &t.Magic) if err != nil { return fmt.Errorf("Unable to read Trailer.Magic from file: %v", err) } err = binary.Read(file, binary.BigEndian, &t.Count) if err != nil { return fmt.Errorf("Unable to read Trailer.Count from file: %v", err) } return nil } func (t *Trailer) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "trailer%s%v", delimiter, t.Count) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewArg32(a Arg32) *Arg32 { return &Arg32{ No: a.No, Val: a.Val, Length: a.Length, Text: a.Text, } } func (a *Arg32) GetType() uint8 { return AUT_ARG32 } func (a *Arg32) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &a.No) if err != nil { return fmt.Errorf("Unable to read Arg32.No from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Val) if err != nil { return fmt.Errorf("Unable to read Arg32.Val from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Length) if err != nil { return fmt.Errorf("Unable to read Arg32.Length from file: %v", err) } // Get current offset in file startOf, err := file.Seek(0, io.SeekCurrent) if err != nil { return fmt.Errorf("Unable to seek to current position: %v", err) } // TODO : Reinject these already read bytes into working flow, to avoir rereading them chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) _, err = file.Read(chunk) if err != nil { return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) } // Search for null terminating byte buf := bytes.NewBuffer(chunk) // Get this arg length arg, err := buf.ReadBytes((byte)(0x00)) if err != nil { return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) } totLen := int64(len(arg)) a.Text = arg startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) if err != nil { return fmt.Errorf("Error seeking offset %x from file", startOf) } return nil } func (a *Arg32) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewArg64(a Arg64) *Arg64 { return &Arg64{ No: a.No, Val: a.Val, Length: a.Length, Text: a.Text, } } func (a *Arg64) GetType() uint8 { return AUT_ARG64 } func (a *Arg64) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &a.No) if err != nil { return fmt.Errorf("Unable to read Arg64.No from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Val) if err != nil { return fmt.Errorf("Unable to read Arg64.Val from file: %v", err) } err = binary.Read(file, binary.BigEndian, &a.Length) if err != nil { return fmt.Errorf("Unable to read Arg64.Length from file: %v", err) } // Get current offset in file startOf, err := file.Seek(0, io.SeekCurrent) if err != nil { return fmt.Errorf("Unable to seek to current position: %v", err) } // TODO : Reinject these already read bytes into working flow, to avoir rereading them chunk := make([]byte, MAX_AUDIT_ARG_LENGTH+1) _, err = file.Read(chunk) if err != nil { return fmt.Errorf("Unable to read MAX_AUDIT_ARG_LENGTH from current position: %v", err) } // Search for null terminating byte buf := bytes.NewBuffer(chunk) // Get this arg length arg, err := buf.ReadBytes((byte)(0x00)) if err != nil { return fmt.Errorf("Error searching for null terminated path: offset of record start: %x, error : %v", startOf, err) } totLen := int64(len(arg)) a.Text = arg startOf, err = file.Seek(int64(startOf+totLen), io.SeekStart) if err != nil { return fmt.Errorf("Error seeking offset %x from file", startOf) } return nil } func (a *Arg64) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "argument%s%v%s%v%s%s", delimiter, a.No, delimiter, a.Val, delimiter, string(a.Text)) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func NewExit(e Exit) *Exit { return &Exit{ Status: e.Status, Ret: e.Ret, } } func (e *Exit) GetType() uint8 { return AUT_EXIT } func (e *Exit) LoadFromBinary(file *os.File) error { err := binary.Read(file, binary.BigEndian, &e.Status) if err != nil { return fmt.Errorf("Unable to read Exit.Status from file: %v", err) } err = binary.Read(file, binary.BigEndian, &e.Ret) if err != nil { return fmt.Errorf("Unable to read Exit.Ret from file: %v", err) } return nil } func (e *Exit) Print(file *os.File, delimiter string, flags int) { fmt.Fprintf(file, "exit%s%v%s%v", delimiter, e.Status, delimiter, e.Ret) if 0 == (flags & PRT_ONELINE) { fmt.Fprintf(file, "\n") } } func readRecordToStruct(file *os.File) (Record, error) { var rec Record hdr := make([]byte, 1) n, err := file.Read(hdr) if err != nil || n < 1 { return rec, fmt.Errorf("Unable to read header ID in file: %v", err) } // DEBUG /* startOf, _ := file.Seek(0, io.SeekCurrent) fmt.Printf("Offset dans le fichier : %x\n", startOf) */ //switch hdr.(int8) { switch (int8)(hdr[0]) { case AUT_HEADER32: var h Header32 err := h.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewHeader32(h), nil case AUT_EXEC_ARGS: var e ExecArg err := e.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewExecArg(e), nil case AUT_PATH: var p Path err := p.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewPath(p), nil case AUT_ATTR32: var a Attribute32 err := a.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewAttribute32(a), nil case AUT_ATTR64: var a Attribute64 err := a.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewAttribute64(a), nil case AUT_SUBJECT32: var s Subject32 err := s.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewSubject32(s), nil case AUT_SUBJECT32_EX: var s Subject32Ex err := s.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewSubject32Ex(s), nil case AUT_RETURN32: var r Return32 err := r.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewReturn32(r), nil case AUT_TRAILER: var t Trailer err := t.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewTrailer(t), nil case AUT_ARG32: var a Arg32 err := a.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewArg32(a), nil case AUT_ARG64: var a Arg64 err := a.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewArg64(a), nil case AUT_EXIT: var e Exit err := e.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewExit(e), nil case AUT_PROCESS32: var p Process32 err := p.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewProcess32(p), nil case AUT_PROCESS32_EX: var p Process32Ex err := p.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewProcess32Ex(p), nil case AUT_PROCESS64: var p Process64 err := p.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewProcess64(p), nil case AUT_PROCESS64_EX: var p Process64Ex err := p.LoadFromBinary(file) if err != nil { return rec, fmt.Errorf("Unable to read file: %v", err) } return NewProcess64Ex(p), nil } startOf, _ := file.Seek(0, io.SeekCurrent) return rec, fmt.Errorf("Event type not supported: 0x%x at offset 0x%x", hdr[0], startOf) } /* Implementation of int au_read_rec(FILE *fp, u_char **buf) source: https://github.com/freebsd/freebsd-src/blob/main/contrib/openbsm/libbsm/bsm_io.c */ func readRecord(file *os.File) ([]byte, error) { var buf *bytes.Buffer var recSize int32 hdr := make([]byte, 1) n, err := file.Read(hdr) if err != nil || n < 1 { return hdr, fmt.Errorf("Unable to read file") } //switch hdr.(int8) { switch (int8)(hdr[0]) { case AUT_HEADER32, AUT_HEADER32_EX, AUT_HEADER64, AUT_HEADER64_EX: err := binary.Read(file, binary.BigEndian, &recSize) if err != nil { return hdr, fmt.Errorf("Unable to read file") } /* Check for recsize sanity: We already read 32 bits + 8 bits */ if recSize < (4 + 1) { return hdr, fmt.Errorf("Record size is corrupted: %d", recSize) } /* store the token contents already read, back to the buffer*/ data := make([]byte, 0) buf = bytes.NewBuffer(data) err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) if err != nil { return hdr, fmt.Errorf("Unable to concatenate header to data") } err = binary.Write(buf, binary.BigEndian, recSize) if err != nil { return hdr, fmt.Errorf("Unable to concatenate recordsize to existing data") } /* now read remaining record bytes */ remainSize := recSize - (4 + 1) remain := make([]byte, remainSize) n, err = file.Read(remain) if err != nil || (int32)(n) < remainSize { return hdr, fmt.Errorf("Unable to read data from file") } n, err = buf.Write(remain) if err != nil { return hdr, fmt.Errorf("Unable to write data to buffer") } case AUT_OTHER_FILE32: var sec int32 var msec int32 var filenamelen int16 err := binary.Read(file, binary.BigEndian, &sec) if err != nil { return hdr, fmt.Errorf("Unable to read file") } err = binary.Read(file, binary.BigEndian, &msec) if err != nil { return hdr, fmt.Errorf("Unable to read file") } err = binary.Read(file, binary.BigEndian, &filenamelen) if err != nil { return hdr, fmt.Errorf("Unable to read file") } recSize = 1 + 4 + 4 + 2 + int32(filenamelen) data := make([]byte, 0) buf = bytes.NewBuffer(data) /* store the token contents already read, back to the buffer*/ err = binary.Write(buf, binary.BigEndian, (int8)(hdr[0])) if err != nil { return hdr, fmt.Errorf("Unable to concatenate header to data") } err = binary.Write(buf, binary.BigEndian, sec) if err != nil { return hdr, fmt.Errorf("Unable to concatenate sec to data") } err = binary.Write(buf, binary.BigEndian, msec) if err != nil { return hdr, fmt.Errorf("Unable to concatenate msec to data") } err = binary.Write(buf, binary.BigEndian, filenamelen) if err != nil { return hdr, fmt.Errorf("Unable to concatenate filenamelen to data") } filename := make([]byte, filenamelen) n, err = file.Read(filename) if err != nil || n < int(filenamelen) { return hdr, fmt.Errorf("Unable to read filename from file") } n, err = buf.Write(filename) if err != nil { return hdr, fmt.Errorf("Unable to concatenate filename to buffer") } default: return hdr, fmt.Errorf("Record type not implemented: %v", hdr) } return buf.Bytes(), nil }