Golang package (lib) for Linux Audit
Libaudit-go is a Go library that provides helper methods for talking to Linux Audit. It was originally developed for the Audit GO Heka Plugin.
See main.go for an example implementation of these functions.
Open an audit netlink socket connection
Similar to audit_open, NewNetlinkConnection creates a NETLINK_AUDIT socket for communication with the kernel part of the Linux Audit Subsystem.
It provides three methods:
- Close
- Send
- Receive
Example:
```go
// Open the NETLINK_AUDIT socket; this needs CAP_AUDIT_CONTROL / CAP_AUDIT_WRITE (normally root)
s, err := netlinkAudit.NewNetlinkConnection()
if err != nil {
	log.Println(err)
	log.Fatalln("Error while availing socket! Exiting!")
}
// Always release the socket when done
defer s.Close()
```
The definitions of Send and Receive are:
Send
```go
func (s *NetlinkConnection) Send(request *NetlinkMessage) error
```
Receive
```go
func (s *NetlinkConnection) Receive(bytesize int, block int) ([]NetlinkMessage, error)
```
Start an audit event monitor
```go
func AuditGetEvents(s *NetlinkConnection, cb EventCallback, ec chan error, args ...interface{})
```
This function starts an audit event monitor and accepts a callback that is called on each audit event received from the Audit Subsystem.
Example:
```go
// Callback invoked once per audit event; msg holds the raw record text
func EventCallback(msg string, ce chan error, args ...interface{}) {
	log.Println(msg)
}

// Channel on which the monitor reports errors
errchan := make(chan error)
// Goroutine to monitor events and call the callback for each event fired
netlinkAudit.GetAuditEvents(s, EventCallback, errchan)
```
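The callback above only logs the raw record. As an added example (not part of libaudit-go or its README), the following shows a callback with the same `(msg string, ce chan error, args ...interface{})` shape that parses the record text the kernel delivers (`type=... msg=audit(timestamp:serial): key=value ...`), handles quoted values and the nested `msg='...'` list found in USER_* records, and counts events per rule key. The two sample records and the use of `args[0]` as a `map[string]int` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// AuditRecord is one parsed audit line as the callback receives it.
type AuditRecord struct {
	Type      string
	Timestamp float64 // seconds since the epoch, from audit(ts:serial)
	Serial    uint64  // event serial; all records of one event share it
	Fields    map[string]string
}

// SplitFields tokenises `k=v k="v with spaces" k='nested k=v'` into a map.
// Quoted values keep their spaces; unquoted values end at the next space.
func SplitFields(s string) map[string]string {
	fields := make(map[string]string)
	for i := 0; i < len(s); {
		for i < len(s) && s[i] == ' ' {
			i++
		}
		eq := strings.IndexByte(s[i:], '=')
		if eq < 0 {
			break
		}
		key := s[i : i+eq]
		i += eq + 1
		var val string
		if i < len(s) && (s[i] == '"' || s[i] == '\'') {
			q := s[i]
			if end := strings.IndexByte(s[i+1:], q); end >= 0 {
				val, i = s[i+1:i+1+end], i+1+end+1
			} else {
				val, i = s[i+1:], len(s) // unterminated quote: take the rest
			}
		} else if end := strings.IndexByte(s[i:], ' '); end >= 0 {
			val, i = s[i:i+end], i+end
		} else {
			val, i = s[i:], len(s)
		}
		fields[key] = val
	}
	return fields
}

// ParseAuditRecord splits the "type=T msg=audit(ts:serial): ..." header from the field list.
func ParseAuditRecord(msg string) (AuditRecord, error) {
	msg = strings.TrimSpace(msg)
	const hdr = "msg=audit("
	start := strings.Index(msg, hdr)
	end := strings.Index(msg, "): ")
	if !strings.HasPrefix(msg, "type=") || start < 0 || end < start {
		return AuditRecord{}, fmt.Errorf("not an audit record: %q", msg)
	}
	stamp := strings.SplitN(msg[start+len(hdr):end], ":", 2)
	if len(stamp) != 2 {
		return AuditRecord{}, fmt.Errorf("bad audit(ts:serial) in %q", msg)
	}
	ts, errTs := strconv.ParseFloat(stamp[0], 64)
	serial, errSer := strconv.ParseUint(stamp[1], 10, 64)
	if errTs != nil || errSer != nil {
		return AuditRecord{}, fmt.Errorf("bad timestamp or serial in %q", msg)
	}
	return AuditRecord{
		Type:      strings.TrimSpace(msg[len("type="):start]),
		Timestamp: ts,
		Serial:    serial,
		Fields:    SplitFields(msg[end+3:]),
	}, nil
}

// RecordCallback has the shape the README gives for EventCallback.
// Assumption for this example: args[0] is a map[string]int receiving per-rule-key counts.
func RecordCallback(msg string, ce chan error, args ...interface{}) {
	rec, err := ParseAuditRecord(msg)
	if err != nil {
		select { // never block the event loop behind a reader that is not draining ce
		case ce <- err:
		default:
		}
		return
	}
	var counts map[string]int
	if len(args) > 0 {
		counts, _ = args[0].(map[string]int)
	}
	if counts == nil {
		return
	}
	// key=(null) is the kernel's spelling for "this record matched no keyed rule".
	if key := rec.Fields["key"]; key != "" && key != "(null)" {
		counts[key]++
	}
	// USER_* records nest a second k=v list inside msg='...', e.g. PAM results from sshd.
	if strings.HasPrefix(rec.Type, "USER_") && SplitFields(rec.Fields["msg"])["res"] == "failed" {
		counts["auth_failure"]++
	}
}

// Constructed sample records (not captures from a real system).
const SampleSyscall = `type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 items=1 ppid=2686 pid=3538 auid=500 uid=500 tty=pts0 comm="cat" exe="/bin/cat" key="sshd_config"`
const SampleUserAuth = `type=USER_AUTH msg=audit(1364481400.120:24301): pid=4111 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'`

func main() {
	counts := map[string]int{}
	ce := make(chan error, 1)
	for _, line := range []string{SampleSyscall, SampleUserAuth, "not an audit line"} {
		RecordCallback(line, ce, counts)
	}
	fmt.Println("counts:", counts, "errors queued:", len(ce))
}
```

Passing the counter through `args` mirrors how GetAuditEvents forwards its trailing arguments to the callback; a real consumer would hand the parsed record to a queue or detection pipeline rather than a map.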
Get the audit system's reply
```go
func AuditGetReply(s *NetlinkConnection, bytesize, block int, seq uint32) error
```
This function gets the next data packet sent on the audit netlink socket. It is usually called after sending a command to the audit system. block is an int that is either GET_REPLY_BLOCKING or GET_REPLY_NONBLOCKING.
Example:
```go
// wb is the request just passed to s.Send; its sequence number selects the matching reply.
// block should be GET_REPLY_BLOCKING or GET_REPLY_NONBLOCKING.
err = netlinkAudit.AuditGetReply(s, syscall.Getpagesize(), 0, wb.Header.Seq)
```
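Both the Send/Receive pair and AuditGetReply work on raw netlink frames, so it helps to see what is actually on the wire. The following is an added example, not code from libaudit-go: it builds the 16-byte nlmsghdr that Send writes (an AUDIT_GET request addressed to the kernel, with NLM_F_ACK set), splits a datagram into the several messages Receive may get back in one read, and applies the checks AuditGetReply has to make on a reply: the sequence number must match the request, and an NLMSG_ERROR frame carries an errno where 0 means ACK. The header layout and constants are from <linux/netlink.h> and <linux/audit.h>; the NetlinkMessage type is a local stand-in, and SampleReply is a constructed datagram, not a capture.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unsafe"
)

const (
	nlmsgHdrLen  = 16   // sizeof(struct nlmsghdr): len(4) type(2) flags(2) seq(4) pid(4)
	nlmsgAlignTo = 4    // NLMSG_ALIGNTO: every message is padded to a 4-byte boundary
	nlmFRequest  = 0x01 // NLM_F_REQUEST
	nlmFAck      = 0x04 // NLM_F_ACK: ask the kernel to confirm with an NLMSG_ERROR (errno 0)
	nlmsgError   = 0x02 // NLMSG_ERROR: error or ACK frame
	auditGet     = 1000 // AUDIT_GET: request the audit status record
)

// Netlink headers travel in host byte order, so detect it instead of assuming little-endian.
var nativeEndian binary.ByteOrder = func() binary.ByteOrder {
	x := uint16(1)
	if *(*byte)(unsafe.Pointer(&x)) == 1 {
		return binary.LittleEndian
	}
	return binary.BigEndian
}()

// NetlinkMessage is the header/payload split a Receive call hands back (local type, not the library's).
type NetlinkMessage struct {
	Length uint32
	Type   uint16
	Flags  uint16
	Seq    uint32
	Pid    uint32
	Data   []byte
}

func nlmsgAlign(n int) int { return (n + nlmsgAlignTo - 1) &^ (nlmsgAlignTo - 1) }

// EncodeFrame serialises one message; Length counts header+payload but not the padding.
func EncodeFrame(msgType, flags uint16, seq, pid uint32, payload []byte) []byte {
	total := nlmsgHdrLen + len(payload)
	buf := make([]byte, nlmsgAlign(total))
	nativeEndian.PutUint32(buf[0:4], uint32(total))
	nativeEndian.PutUint16(buf[4:6], msgType)
	nativeEndian.PutUint16(buf[6:8], flags)
	nativeEndian.PutUint32(buf[8:12], seq)
	nativeEndian.PutUint32(buf[12:16], pid)
	copy(buf[nlmsgHdrLen:], payload)
	return buf
}

// BuildRequest is what Send puts on the wire: a request to the kernel (pid 0) that asks for an ACK.
func BuildRequest(msgType uint16, seq uint32, payload []byte) []byte {
	return EncodeFrame(msgType, nlmFRequest|nlmFAck, seq, 0, payload)
}

// ParseMessages splits one datagram into messages; the kernel may batch several per read.
func ParseMessages(buf []byte) ([]NetlinkMessage, error) {
	var out []NetlinkMessage
	for len(buf) > 0 {
		if len(buf) < nlmsgHdrLen {
			return out, fmt.Errorf("%d trailing bytes, shorter than a header", len(buf))
		}
		m := NetlinkMessage{
			Length: nativeEndian.Uint32(buf[0:4]),
			Type:   nativeEndian.Uint16(buf[4:6]),
			Flags:  nativeEndian.Uint16(buf[6:8]),
			Seq:    nativeEndian.Uint32(buf[8:12]),
			Pid:    nativeEndian.Uint32(buf[12:16]),
		}
		// Validate the length field before slicing with it: a bad value must not panic the reader.
		if m.Length < nlmsgHdrLen || int(m.Length) > len(buf) {
			return out, fmt.Errorf("message length %d inconsistent with %d bytes left", m.Length, len(buf))
		}
		m.Data = buf[nlmsgHdrLen:m.Length]
		out = append(out, m)
		next := nlmsgAlign(int(m.Length))
		if next > len(buf) {
			next = len(buf) // the last message may omit its trailing padding
		}
		buf = buf[next:]
	}
	return out, nil
}

// ReplyError performs the checks a reply to request seq needs: matching sequence number,
// and for NLMSG_ERROR frames the leading errno (0 is the ACK, anything else a failure).
func ReplyError(m NetlinkMessage, seq uint32) error {
	if m.Seq != seq {
		return fmt.Errorf("reply seq %d does not belong to request seq %d", m.Seq, seq)
	}
	if m.Type == nlmsgError {
		if len(m.Data) < 4 {
			return errors.New("truncated NLMSG_ERROR payload")
		}
		if errno := int32(nativeEndian.Uint32(m.Data[0:4])); errno != 0 {
			return fmt.Errorf("kernel rejected request: errno %d", -errno)
		}
	}
	return nil
}

// SampleReply is a constructed datagram: ACK for seq 7, an AUDIT_GET status payload for seq 7,
// then an NLMSG_ERROR carrying -EPERM for seq 8 (what an unprivileged caller would get).
func SampleReply() []byte {
	ack := make([]byte, 4+nlmsgHdrLen) // struct nlmsgerr: errno 0 followed by the echoed header
	eperm := make([]byte, 4+nlmsgHdrLen)
	neg := int32(-1) // -EPERM
	nativeEndian.PutUint32(eperm[0:4], uint32(neg))
	var d []byte
	d = append(d, EncodeFrame(nlmsgError, 0, 7, 0, ack)...)
	d = append(d, EncodeFrame(auditGet, 0, 7, 0, []byte{1, 0, 0, 0, 0})...) // 5-byte payload, padded to 8
	d = append(d, EncodeFrame(nlmsgError, 0, 8, 0, eperm)...)
	return d
}

func main() {
	req := BuildRequest(auditGet, 7, nil)
	fmt.Printf("AUDIT_GET request: %d bytes %x\n", len(req), req)
	msgs, err := ParseMessages(SampleReply())
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, m := range msgs {
		fmt.Printf("type=%d seq=%d payload=%d bytes -> %v\n", m.Type, m.Seq, len(m.Data), ReplyError(m, 7))
	}
}
```

The sequence check is what keeps a caller from mistaking a late reply to an earlier command for the answer to the one it just sent, which matters when commands such as rule loading are issued back to back on one socket.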
```go
func AuditIsEnabled(s *NetlinkConnection) (state int, err error)
```
This function returns 0 if auditing is NOT enabled, 1 if it is enabled, and -1 together with an error if the query fails.
Example:
```go
status, err := netlinkAudit.AuditIsEnabled(s)
```
Not yet implemented
Enable or disable auditing
```go
func AuditSetEnabled(s *NetlinkConnection) error
```
Example:
```go
// AuditSetEnabled returns only an error
err := netlinkAudit.AuditSetEnabled(s)
```
Set audit rate limit
```go
func AuditSetRateLimit(s *NetlinkConnection, limit int) error
```
This function sets the maximum number of messages that the kernel will send per second.
Example:
```go
err = netlinkAudit.AuditSetRateLimit(s, 600)
```
Set the audit backlog limit
```go
func AuditSetBacklogLimit(s *NetlinkConnection, limit int) error
```
This function sets the queue length for audit events awaiting transfer to the audit daemon.
Example:
```go
err = netlinkAudit.AuditSetBacklogLimit(s, 420)
```
Set audit daemon process ID
```go
func AuditSetPid(s *NetlinkConnection, pid uint32) error
```
This function tells the kernel the pid of the audit daemon, i.e. the process that receives the events.
Example:
```go
err = netlinkAudit.AuditSetPid(s, uint32(syscall.Getpid()))
```
Not yet implemented
Set audit rules from a configuration file
```go
func SetRules(s *NetlinkConnection, content []byte) error
```
This function accepts the JSON rules file as a byte array and registers the rules with audit. See audit.rules.json for an example.
Example:
```go
// Load all rules
content, err := ioutil.ReadFile("audit.rules.json")
if err != nil {
	log.Print("Error:", err)
	os.Exit(1) // non-zero exit: the rules file could not be read
}
// Set audit rules
err = netlinkAudit.SetRules(s, content)
if err != nil {
	log.Fatalln("Error while setting rules:", err)
}
```
Delete all audit rules
```go
func DeleteAllRules(s *NetlinkConnection) error
```
Example:
```go
err := netlinkAudit.DeleteAllRules(s)
```
Delete audit rule
```go
func AuditDeleteRuleData(s *NetlinkConnection, rule *AuditRuleData, flags uint32, action uint32) error
```
This function is used to delete rules that are currently loaded in the kernel. To delete a rule, you must set up an AuditRuleData identical to the one being deleted.
TODO - Add an example
Add new audit rule
```go
func AuditAddRuleData(s *NetlinkConnection, rule *AuditRuleData, flags int, action int) error
```
Example:
TODO - Add an example
Not yet implemented