189 lines
4.2 KiB
Go
189 lines
4.2 KiB
Go
// Copyright 2021, johan@nosd.in
|
|
//go:build freebsd
|
|
// +build freebsd
|
|
|
|
//
|
|
// godit is a search tool for BSM audit trails used by FreeBSD auditd
|
|
//
|
|
|
|
/*
|
|
% time praudit -l /home/yo/Dev/go/godit/20211228134923.20211228151348 > praudit.log
|
|
101.728u 7.315s 1:49.09 99.9% 10+167k 0+191152io 0pf+0w
|
|
|
|
% time ./godit 20211228134923.20211228151348 > godit.log
|
|
11.599u 38.235s 0:48.25 103.2% 1045+553k 1+2262168io 4pf+0w
|
|
% ./godit -V
|
|
Godit v0.03
|
|
|
|
% time ./godit 20211228134923.20211228151348 > 20211228134923.20211228151348.godit3
|
|
7.183u 19.590s 0:25.98 103.0% 1038+559k 0+2262168io 0pf+0w
|
|
% ./godit -V
|
|
Godit v0.4.3
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"io"
|
|
"os"
|
|
"fmt"
|
|
"sync"
|
|
"bufio"
|
|
"strings"
|
|
"syscall"
|
|
"os/signal"
|
|
"github.com/spf13/pflag"
|
|
)
|
|
|
|
const (
|
|
version = "0.6.2"
|
|
)
|
|
|
|
var (
|
|
randFlag bool
|
|
showVersion bool
|
|
|
|
// Default delimiter
|
|
delimiter = ","
|
|
|
|
Writer *bufio.Writer
|
|
)
|
|
|
|
func NewWriter(file string) (*bufio.Writer, *os.File, error) {
|
|
if len(file) > 0 {
|
|
var f *os.File
|
|
var err error
|
|
|
|
f, err = os.OpenFile(file, os.O_CREATE|os.O_WRONLY, 0640)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
Writer = bufio.NewWriter(f)
|
|
return Writer, f, nil
|
|
} else {
|
|
Writer = bufio.NewWriter(os.Stdout)
|
|
return Writer, nil, nil
|
|
}
|
|
}
|
|
|
|
func main() {
|
|
var flags int
|
|
var oneLine bool
|
|
var noUserResolve bool
|
|
var syslog23 bool
|
|
var json bool
|
|
var outputFile string
|
|
// Output file mutex
|
|
var outfMtx sync.Mutex
|
|
var outFile *os.File
|
|
|
|
pflag.BoolVarP(&oneLine, "oneline", "l", false, "Prints the entire record on the same line")
|
|
pflag.BoolVarP(&noUserResolve, "numeric", "n", false, "Do not convert user and group IDs to their names but leave in their numeric forms")
|
|
pflag.BoolVarP(&json, "json", "j", false, "Print compact json")
|
|
pflag.BoolVarP(&syslog23, "syslog23", "s", false, "Print time as \"2006-01-02T15:04:05.000Z07:00\", RFC339 with ms, also used on RSYSLOG_SyslogProtocol23Format. \"msec\" field will not be print in json output")
|
|
pflag.StringVarP(&outputFile, "out", "o", "", "Output to file, overwrite existing. File will be re-opened receiving SIGUSR1.")
|
|
pflag.BoolVarP(&showVersion, "version", "V", false, "Show version and exit")
|
|
|
|
var Usage = func() {
|
|
fmt.Fprintf(os.Stderr, "Usage of \"%s [opts] auditfile\":\n", os.Args[0])
|
|
pflag.PrintDefaults()
|
|
fmt.Fprintf(os.Stderr, "Set auditfile to \"-\" to read stdin\n")
|
|
}
|
|
pflag.Usage = Usage
|
|
|
|
pflag.Parse()
|
|
|
|
if showVersion {
|
|
fmt.Printf("Godit v%s\n", version)
|
|
return
|
|
}
|
|
if oneLine {
|
|
flags = flags + PRT_ONELINE
|
|
}
|
|
if noUserResolve {
|
|
flags = flags + PRT_NORESOLVE_USER
|
|
}
|
|
if syslog23 {
|
|
flags = flags + PRT_TIMESYSLOG23
|
|
}
|
|
if json {
|
|
flags |= PRT_JSON
|
|
}
|
|
|
|
args := os.Args
|
|
if len(os.Args) < 2 {
|
|
pflag.Usage()
|
|
os.Exit(1)
|
|
}
|
|
filename := args[len(args)-1]
|
|
|
|
// Get a writer, file or stdout
|
|
_, outFile, err := NewWriter(outputFile)
|
|
if err != nil {
|
|
fmt.Fprintf(os.Stderr, "%v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
if len(outputFile) > 0 {
|
|
// Manage output file rotation when receiving SIGUSR1
|
|
sig := make(chan os.Signal)
|
|
signal.Notify(sig, syscall.SIGUSR1)
|
|
go func() {
|
|
for {
|
|
<-sig
|
|
outfMtx.Lock()
|
|
fmt.Println("SIGUSR1 received, recreating output file")
|
|
outFile.Close()
|
|
_, outFile, err = NewWriter(outputFile)
|
|
if err != nil {
|
|
outfMtx.Unlock()
|
|
fmt.Fprintf(os.Stderr, "%v\n", err)
|
|
os.Exit(1)
|
|
}
|
|
outfMtx.Unlock()
|
|
}
|
|
}()
|
|
}
|
|
|
|
var f *os.File
|
|
var r *bufio.Reader
|
|
if len(filename) > 0 {
|
|
// If arg is "-", open stdin to read content
|
|
if true == strings.EqualFold(filename, "-") {
|
|
r = bufio.NewReader(os.Stdin)
|
|
} else {
|
|
f, err = os.Open(filename)
|
|
if err != nil {
|
|
fmt.Fprintf(os.Stderr, "Impossible d'ouvrir le fichier %s\n", filename)
|
|
os.Exit(-1)
|
|
}
|
|
r = bufio.NewReader(f)
|
|
}
|
|
|
|
for {
|
|
rec, err := readRecordToStruct(r)
|
|
if err != nil {
|
|
if err != io.EOF {
|
|
fmt.Printf("Erreur : %v\n", err)
|
|
} else { // v.0.4.2 : Continue on error
|
|
return
|
|
}
|
|
}
|
|
if len(outputFile) > 0 {
|
|
outfMtx.Lock()
|
|
rec.Print(Writer, ",", flags)
|
|
Writer.Flush() // Performance ?
|
|
outfMtx.Unlock()
|
|
} else {
|
|
// No need for mutex with stdout
|
|
rec.Print(Writer, ",", flags)
|
|
}
|
|
}
|
|
}
|
|
|
|
if len(outputFile) > 0 && outFile != nil {
|
|
outfMtx.Lock()
|
|
outFile.Close()
|
|
outfMtx.Unlock()
|
|
}
|
|
}
|