forked from mozilla/libaudit-go
/
libaudit.go
393 lines (340 loc) · 12.2 KB
/
libaudit.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
/*
Package libaudit is a client library in pure Go for talking with audit framework in the linux kernel.
It provides API for dealing with audit related tasks like setting audit rules, deleting audit rules etc.
The idea is to provide the same set of API as auditd (linux audit daemon).
One example of the actual client using the library can be found at https://github.com/mozilla/audit-go.
NOTE: Currently the library is only applicable for x64 architecture.
*/
package libaudit
import (
"bytes"
"encoding/binary"
"fmt"
"os"
"sync/atomic"
"syscall"
"unsafe"
"github.com/pkg/errors"
)
var sequenceNumber uint32
// NetlinkMessage is the struct type that is used for communicating on netlink sockets.
type NetlinkMessage syscall.NetlinkMessage
// auditStatus is the c compatible struct of audit_status (libaudit.h).
// It is used for passing information involving status of audit services.
type auditStatus struct {
Mask uint32 /* Bit mask for valid entries */
Enabled uint32 /* 1 = enabled, 0 = disabled */
Failure uint32 /* Failure-to-log action */
Pid uint32 /* pid of auditd process */
RateLimit uint32 /* messages rate limit (per second) */
BacklogLimit uint32 /* waiting messages limit */
Lost uint32 /* messages lost */
Backlog uint32 /* messages waiting in queue */
Version uint32 /* audit api version number */
BacklogWaitTime uint32 /* message queue wait timeout */
}
// NetlinkConnection holds the file descriptor and address for
// an opened netlink connection
type NetlinkConnection struct {
fd int
address syscall.SockaddrNetlink
}
func nativeEndian() binary.ByteOrder {
var x uint32 = 0x01020304
if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
return binary.BigEndian
}
return binary.LittleEndian
}
// ToWireFormat converts a NetlinkMessage to byte stream.
// Recvfrom in go takes only a byte [] to put the data recieved from the kernel that removes the need
// for having a separate audit_reply struct for recieving data from kernel.
func (rr *NetlinkMessage) ToWireFormat() []byte {
b := make([]byte, rr.Header.Len)
*(*uint32)(unsafe.Pointer(&b[0:4][0])) = rr.Header.Len
*(*uint16)(unsafe.Pointer(&b[4:6][0])) = rr.Header.Type
*(*uint16)(unsafe.Pointer(&b[6:8][0])) = rr.Header.Flags
*(*uint32)(unsafe.Pointer(&b[8:12][0])) = rr.Header.Seq
*(*uint32)(unsafe.Pointer(&b[12:16][0])) = rr.Header.Pid
b = append(b[:16], rr.Data[:]...) //b[:16] is crucial for aligning the header and data properly.
return b
}
// Round the length of a netlink message up to align it properly.
func nlmAlignOf(msglen int) int {
return (msglen + syscall.NLMSG_ALIGNTO - 1) & ^(syscall.NLMSG_ALIGNTO - 1)
}
// Parse a byte stream to an array of NetlinkMessage structs
func parseAuditNetlinkMessage(b []byte) ([]NetlinkMessage, error) {
var (
msgs []NetlinkMessage
m NetlinkMessage
)
for len(b) >= syscall.NLMSG_HDRLEN {
h, dbuf, dlen, err := netlinkMessageHeaderAndData(b)
if err != nil {
return nil, errors.Wrap(err, "error while parsing NetlinkMessage")
}
if len(dbuf) == int(h.Len) {
// this should never be possible in correct scenarios
// but sometimes kernel reponse have length of header == length of data appended
// which would lead to trimming of data if we subtract NLMSG_HDRLEN
// therefore following workaround
m = NetlinkMessage{Header: *h, Data: dbuf[:int(h.Len)]}
} else {
m = NetlinkMessage{Header: *h, Data: dbuf[:int(h.Len)-syscall.NLMSG_HDRLEN]}
}
msgs = append(msgs, m)
b = b[dlen:]
}
return msgs, nil
}
// Internal Function, uses unsafe pointer conversions for separating Netlink Header and the Data appended with it
func netlinkMessageHeaderAndData(b []byte) (*syscall.NlMsghdr, []byte, int, error) {
h := (*syscall.NlMsghdr)(unsafe.Pointer(&b[0]))
if int(h.Len) < syscall.NLMSG_HDRLEN || int(h.Len) > len(b) {
return nil, nil, 0, fmt.Errorf("Nlmsghdr header length unexpected %v, actual packet length %v", h.Len, len(b))
}
return h, b[syscall.NLMSG_HDRLEN:], nlmAlignOf(int(h.Len)), nil
}
func newNetlinkAuditRequest(proto uint16, family, sizeofData int) *NetlinkMessage {
rr := &NetlinkMessage{}
rr.Header.Len = uint32(syscall.NLMSG_HDRLEN + sizeofData)
rr.Header.Type = proto
rr.Header.Flags = syscall.NLM_F_REQUEST | syscall.NLM_F_ACK
rr.Header.Seq = atomic.AddUint32(&sequenceNumber, 1) //Autoincrementing Sequence
return rr
}
// NewNetlinkConnection creates a fresh netlink connection
func NewNetlinkConnection() (*NetlinkConnection, error) {
// Check for root user
if os.Getuid() != 0 {
return nil, fmt.Errorf("not root user, exiting")
}
fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT)
if err != nil {
return nil, errors.Wrap(err, "could not obtain socket")
}
s := &NetlinkConnection{
fd: fd,
}
s.address.Family = syscall.AF_NETLINK
s.address.Groups = 0
s.address.Pid = 0 //Kernel space pid is always set to be 0
if err := syscall.Bind(fd, &s.address); err != nil {
syscall.Close(fd)
return nil, errors.Wrap(err, "could not bind socket to address")
}
return s, nil
}
// Close is a wrapper for closing netlink socket
func (s *NetlinkConnection) Close() {
syscall.Close(s.fd)
}
// Send is a wrapper for sending NetlinkMessage across netlink socket
func (s *NetlinkConnection) Send(request *NetlinkMessage) error {
if err := syscall.Sendto(s.fd, request.ToWireFormat(), 0, &s.address); err != nil {
return errors.Wrap(err, "could not send NetlinkMessage")
}
return nil
}
// Receive is a wrapper for recieving from netlink socket and return an array of NetlinkMessage
func (s *NetlinkConnection) Receive(bytesize int, block int) ([]NetlinkMessage, error) {
rb := make([]byte, bytesize)
nr, _, err := syscall.Recvfrom(s.fd, rb, 0|block)
if err != nil {
return nil, errors.Wrap(err, "recvfrom failed")
}
if nr < syscall.NLMSG_HDRLEN {
return nil, errors.Wrap(err, "message length shorter than expected")
}
rb = rb[:nr]
return parseAuditNetlinkMessage(rb)
}
// auditGetReply connects to kernel to recieve a reply
func auditGetReply(s *NetlinkConnection, bytesize, block int, seq uint32) error {
done:
for {
msgs, err := s.Receive(bytesize, block) //parseAuditNetlinkMessage(rb)
if err != nil {
return errors.Wrap(err, "auditGetReply failed")
}
for _, m := range msgs {
address, err := syscall.Getsockname(s.fd)
if err != nil {
return errors.Wrap(err, "auditGetReply: Getsockname failed")
}
switch v := address.(type) {
case *syscall.SockaddrNetlink:
if m.Header.Seq != seq {
return fmt.Errorf("auditGetReply: Wrong Seq nr %d, expected %d", m.Header.Seq, seq)
}
if m.Header.Pid != v.Pid {
return fmt.Errorf("auditGetReply: Wrong pid %d, expected %d", m.Header.Pid, v.Pid)
}
default:
return errors.Wrap(syscall.EINVAL, "auditGetReply: socket type unexpected")
}
if m.Header.Type == syscall.NLMSG_DONE {
break done
}
if m.Header.Type == syscall.NLMSG_ERROR {
e := int32(nativeEndian().Uint32(m.Data[0:4]))
if e == 0 {
break done
} else {
return fmt.Errorf("auditGetReply: error while recieving reply -%d", e)
}
}
// acknowledge AUDIT_GET replies from kernel
if m.Header.Type == uint16(AUDIT_GET) {
break done
}
}
}
return nil
}
// AuditSetEnabled enables or disables audit in kernel.
// Provide `enabled` as 1 for enabling and 0 for disabling.
func AuditSetEnabled(s *NetlinkConnection, enabled int) error {
var (
status auditStatus
err error
)
status.Enabled = (uint32)(enabled)
status.Mask = AUDIT_STATUS_ENABLED
buff := new(bytes.Buffer)
err = binary.Write(buff, nativeEndian(), status)
if err != nil {
return errors.Wrap(err, "AuditSetEnabled: binary write from auditStatus failed")
}
wb := newNetlinkAuditRequest(uint16(AUDIT_SET), syscall.AF_NETLINK, int(unsafe.Sizeof(status)))
wb.Data = append(wb.Data[:], buff.Bytes()[:]...)
if err := s.Send(wb); err != nil {
return errors.Wrap(err, "AuditSetEnabled failed")
}
// Receive in just one try
err = auditGetReply(s, syscall.Getpagesize(), 0, wb.Header.Seq)
if err != nil {
return errors.Wrap(err, "AuditSetEnabled failed")
}
return nil
}
// AuditIsEnabled returns 0 if audit is not enabled and
// 1 if enabled, and -1 on failure.
func AuditIsEnabled(s *NetlinkConnection) (state int, err error) {
var status auditStatus
wb := newNetlinkAuditRequest(uint16(AUDIT_GET), syscall.AF_NETLINK, 0)
if err = s.Send(wb); err != nil {
return -1, errors.Wrap(err, "AuditIsEnabled failed")
}
done:
for {
// MSG_DONTWAIT has implications on systems with low memory and CPU
// msgs, err := s.Receive(MAX_AUDIT_MESSAGE_LENGTH, syscall.MSG_DONTWAIT)
msgs, err := s.Receive(MAX_AUDIT_MESSAGE_LENGTH, 0)
if err != nil {
return -1, errors.Wrap(err, "AuditIsEnabled failed")
}
for _, m := range msgs {
address, err := syscall.Getsockname(s.fd)
if err != nil {
return -1, errors.Wrap(err, "AuditIsEnabled: Getsockname failed")
}
switch v := address.(type) {
case *syscall.SockaddrNetlink:
if m.Header.Seq != uint32(wb.Header.Seq) {
return -1, fmt.Errorf("AuditIsEnabled: Wrong Seq nr %d, expected %d", m.Header.Seq, wb.Header.Seq)
}
if m.Header.Pid != v.Pid {
return -1, fmt.Errorf("AuditIsEnabled: Wrong PID %d, expected %d", m.Header.Pid, v.Pid)
}
default:
return -1, errors.Wrap(syscall.EINVAL, "AuditIsEnabled: socket type unexpected")
}
if m.Header.Type == syscall.NLMSG_DONE {
break done
} else if m.Header.Type == syscall.NLMSG_ERROR {
e := int32(nativeEndian().Uint32(m.Data[0:4]))
if e == 0 {
// request ack from kernel
continue
}
break done
}
if m.Header.Type == uint16(AUDIT_GET) {
//Convert the data part written to auditStatus struct
buf := bytes.NewBuffer(m.Data[:])
err = binary.Read(buf, nativeEndian(), &status)
if err != nil {
return -1, errors.Wrap(err, "AuditIsEnabled: binary read into auditStatus failed")
}
state = int(status.Enabled)
return state, nil
}
}
}
return -1, nil
}
// AuditSetPID sends a message to kernel for setting of program PID
func AuditSetPID(s *NetlinkConnection, pid int) error {
var status auditStatus
status.Mask = AUDIT_STATUS_PID
status.Pid = (uint32)(pid)
buff := new(bytes.Buffer)
err := binary.Write(buff, nativeEndian(), status)
if err != nil {
return errors.Wrap(err, "AuditSetPID: binary write from auditStatus failed")
}
wb := newNetlinkAuditRequest(uint16(AUDIT_SET), syscall.AF_NETLINK, int(unsafe.Sizeof(status)))
wb.Data = append(wb.Data[:], buff.Bytes()[:]...)
if err := s.Send(wb); err != nil {
return errors.Wrap(err, "AuditSetPID failed")
}
err = auditGetReply(s, syscall.Getpagesize(), 0, wb.Header.Seq)
if err != nil {
return errors.Wrap(err, "AuditSetPID failed")
}
return nil
}
// AuditSetRateLimit sets rate limit for audit messages from kernel
func AuditSetRateLimit(s *NetlinkConnection, limit int) error {
var status auditStatus
status.Mask = AUDIT_STATUS_RATE_LIMIT
status.RateLimit = (uint32)(limit)
buff := new(bytes.Buffer)
err := binary.Write(buff, nativeEndian(), status)
if err != nil {
return errors.Wrap(err, "AuditSetRateLimit: binary write from auditStatus failed")
}
wb := newNetlinkAuditRequest(uint16(AUDIT_SET), syscall.AF_NETLINK, int(unsafe.Sizeof(status)))
wb.Data = append(wb.Data[:], buff.Bytes()[:]...)
if err := s.Send(wb); err != nil {
return errors.Wrap(err, "AuditSetRateLimit failed")
}
err = auditGetReply(s, syscall.Getpagesize(), 0, wb.Header.Seq)
if err != nil {
return err
}
return nil
}
// AuditSetBacklogLimit sets backlog limit for audit messages from kernel
func AuditSetBacklogLimit(s *NetlinkConnection, limit int) error {
var status auditStatus
status.Mask = AUDIT_STATUS_BACKLOG_LIMIT
status.BacklogLimit = (uint32)(limit)
buff := new(bytes.Buffer)
err := binary.Write(buff, nativeEndian(), status)
if err != nil {
return errors.Wrap(err, "AuditSetBacklogLimit: binary write from auditStatus failed")
}
wb := newNetlinkAuditRequest(uint16(AUDIT_SET), syscall.AF_NETLINK, int(unsafe.Sizeof(status)))
wb.Data = append(wb.Data[:], buff.Bytes()[:]...)
if err := s.Send(wb); err != nil {
return errors.Wrap(err, "AuditSetBacklogLimit failed")
}
err = auditGetReply(s, syscall.Getpagesize(), 0, wb.Header.Seq)
if err != nil {
return errors.Wrap(err, "AuditSetBacklogLimit failed")
}
return nil
}