slackhq / go-audit
go-audit is an alternative to the auditd daemon that ships with many distros
License: MIT License
make has been running for a day with no progress
go-audit
version:
OS version(s): go1.7.4 linux/amd64
N/A
[go-audit]# make
govendor sync
make stays here, no progress on this.
[ go-test]# du -sh *
8.9M bin
1.4M pkg
9.0M src
[go-test]# du -sh .cache
64M .cache
Hi,
The go-audit process dies frequently on a server which is too busy. It works as expected on the rest of the servers. So far I have increased the socket receive buffer to 16384 x 3 with no luck. Can you help us out on this?
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message. Error: write unixgram @->/dev/log: write: message too long
rsyslog is allowing message size $MaxMessageSize 20k
go-audit
version: current version
OS version(s):Amazon Linux AMI release 2016.09
Hello. I would like to known how I can split messages, or prevent go-audit from aggregating them into a single log line.
For example:
2017-06-29T00:46:11Z ip-10-0-0-99 go-audit[297]: {"sequence":2487,"timestamp":"1498697171.657","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=e4fee0 a1=e510a0 a2=e22540 a3=5a1 items=2 ppid=18824 pid=18848 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"user_commands\""},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/etc/passwd\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=409296 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=395436 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1327,"data":"proctitle=636174002F6574632F706173737764"}],"uid_map":{"0":"root","1000":"henrique.goncalves"}}
Under "messages", there are several entries. This is proving a pain in the buttocks to parse with logstash. All my "split" tries didn't work.
How can I log each of those messages separately, even if it means duplicating the sequence and timestamp values, and the uid_map?
go-audit
version: all
OS version(s): all
Messages are logged separated
Messages are put into a JSON array somewhat hard to parse using logstash.
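One way to do the split before the data reaches logstash, as an added example that is not part of the original issue and not go-audit's own code: a small Go program that takes a go-audit line (with or without the syslog prefix shown above), and emits one JSON line per entry of the messages array, copying sequence, timestamp and uid_map onto each. The JSON field names follow the event quoted above; the flatRecord shape and its index field are this example's own choice, and the sample line is a shortened, constructed copy of the one in the post.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Shape of one go-audit log line (fields as shown in the post above).
type auditEvent struct {
	Sequence  int               `json:"sequence"`
	Timestamp string            `json:"timestamp"`
	Messages  []auditMessage    `json:"messages"`
	UIDMap    map[string]string `json:"uid_map"`
}

type auditMessage struct {
	Type int    `json:"type"`
	Data string `json:"data"`
}

// One flattened record per audit message. Sequence, timestamp and uid_map are
// copied onto every record so each output line stands on its own; index keeps
// the original position so the records can be regrouped later if needed.
type flatRecord struct {
	Sequence  int               `json:"sequence"`
	Timestamp string            `json:"timestamp"`
	Index     int               `json:"index"`
	Type      int               `json:"type"`
	Data      string            `json:"data"`
	UIDMap    map[string]string `json:"uid_map"`
}

// splitLine accepts either a bare go-audit JSON object or a syslog line with a
// prefix such as "2017-06-29T00:46:11Z host go-audit[297]: {...}" and returns
// one flatRecord per entry of the "messages" array.
func splitLine(line string) ([]flatRecord, error) {
	start := strings.IndexByte(line, '{')
	if start < 0 {
		return nil, fmt.Errorf("no JSON object found in line")
	}
	var ev auditEvent
	if err := json.Unmarshal([]byte(line[start:]), &ev); err != nil {
		return nil, fmt.Errorf("decoding go-audit event: %w", err)
	}
	out := make([]flatRecord, 0, len(ev.Messages))
	for i, m := range ev.Messages {
		out = append(out, flatRecord{
			Sequence: ev.Sequence, Timestamp: ev.Timestamp, Index: i,
			Type: m.Type, Data: m.Data, UIDMap: ev.UIDMap,
		})
	}
	return out, nil
}

// splitToJSONLines renders the records as newline-delimited JSON, which most
// log shippers ingest without any split/mutate configuration.
func splitToJSONLines(line string) (string, error) {
	recs, err := splitLine(line)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	for _, r := range recs {
		b, err := json.Marshal(r)
		if err != nil {
			return "", err
		}
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String(), nil
}

// Constructed sample: a shortened copy of the syslog line quoted in the post.
const sampleLine = `2017-06-29T00:46:11Z ip-10-0-0-99 go-audit[297]: {"sequence":2487,"timestamp":"1498697171.657","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"user_commands\""},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/etc/passwd\""},{"type":1327,"data":"proctitle=636174002F6574632F706173737764"}],"uid_map":{"0":"root","1000":"henrique.goncalves"}}`

func main() {
	out, err := splitToJSONLines(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Piping go-audit's output through something like this (or running the same logic as a logstash ruby filter) turns the three-entry event above into three lines that each carry sequence 2487, so a later query can still tie the EXECVE argv back to its SYSCALL record.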
To solve issue #13 and filter on internal entries that don't have "syscall" @nbrownus added a patch to allow an empty string for syscall.
A subsequent patch on audit.go line 299 explicitly checks for an empty string and throws an error.
Would you mind removing this second check? Thanks
go-audit
version: master
OS version(s): 4.14.47-64.38.amzn2.x86_64
add the following configuration:
filters:
Watch go-audit exit with the error message "Filter 1 is missing the syscall entry"
Profit
skipping these messages every five seconds:
audit[14960]: {"sequence":15404,"timestamp":"1531162561.286","messages":[{"type":1305,"data":"audit_pid=14960 old=14960 auid=4294967295 ses=4294967295 res=0"}],"uid_map":{"4294967295":"UNKNOWN_USER"}}
go-audit exits with the error message "Filter 1 is missing the syscall entry"
audit.go line 299:
    if af.syscall == "" {
        return filters, fmt.Errorf("Filter %d is missing the syscall entry", i+1)
    }
Should we add automation to build and publish Debian/Ubuntu packages? There's currently a script to build the package (make_deb.sh) that will build the Debian package. Curious if there is any interest in getting this set up to publish to the right places to make it generally available.
N/A
N/A
apt install go-audit
N/A
N/A
incessant "Likely Missed sequence" messages
go-audit
version:
OS version(s):
root@ld5333:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
start go-audit and let run
root@ld5333:/tmp# ./go-audit -config go-audit.yaml
2017/02/03 Flushed existing audit rules
2017/02/03 Added audit rule #1
2017/02/03 Added audit rule #2
2017/02/03 Socket receive buffer size: 32768
2017/02/03 Ignoring syscall 49 containing message type 1306 matching string saddr=(10..|0A..)
2017/02/03 Ignoring syscall `` containing message type 1305 matching string `.*`
2017/02/03 Started processing events
2017/02/03 Likely missed sequence 504532, current 505034, worst message delay 0
2017/02/03 Likely missed sequence 504534, current 505036, worst message delay 0
2017/02/03 Likely missed sequence 504536, current 505038, worst message delay 0
2017/02/03 Likely missed sequence 504538, current 505040, worst message delay 0
2017/02/03 Likely missed sequence 504540, current 505042, worst message delay 0
2017/02/03 Likely missed sequence 504542, current 505044, worst message delay 0
2017/02/03 Likely missed sequence 504544, current 505046, worst message delay 0
2017/02/03 Likely missed sequence 504546, current 505048, worst message delay 0
2017/02/03 Likely missed sequence 504548, current 505050, worst message delay 0
2017/02/03 Likely missed sequence 504550, current 505052, worst message delay 0
2017/02/03 Likely missed sequence 504552, current 505054, worst message delay 0
2017/02/03 Likely missed sequence 504554, current 505056, worst message delay 0
2017/02/03 Likely missed sequence 504556, current 505058, worst message delay 0
2017/02/03 Likely missed sequence 504558, current 505060, worst message delay 0
2017/02/03 Likely missed sequence 504561, current 505062, worst message delay 0
2017/02/03 Likely missed sequence 504563, current 505064, worst message delay 0
2017/02/03 Likely missed sequence 504566, current 505068, worst message delay 0
2017/02/03 Likely missed sequence 504569, current 505070, worst message delay 0
2017/02/03 Likely missed sequence 504571, current 505072, worst message delay 0
2017/02/03 Likely missed sequence 504573, current 505074, worst message delay 0
2017/02/03 Likely missed sequence 504575, current 505076, worst message delay 0
^C
Hi! There is no option to include node name/ip in log output, like "name_format" in auditd.conf:
name_format
    This option controls how computer node names are inserted into the audit event stream. It has the following choices: none, hostname, fqd, numeric, and user. None means that no computer name is inserted into the audit event. hostname is the name returned by the gethostname syscall. The fqd means that it takes the hostname and resolves it with dns for a fully qualified domain name of that machine. Numeric is similar to fqd except it resolves the IP address of the machine. In order to use this option, you might want to test that 'hostname -i' or 'domainname -i' returns a numeric address. Also, this option is not recommended if dhcp is used because you could have different addresses over time for the same machine. User is an admin defined string from the name option. The default value is none.
Is there any way to include such info in current output?
go-audit
version: 1.2.0
Every log line can include node hostname/ip if the option is set to (hostname | fqd | numeric | user) in config file, like:
{ "sequence": 101, "timestamp": "1482700861.088", "node": "192.168.0.1", "messages": [ { "type": 1300, "data": "arch=c000003e syscall=2 success=yes exit=3 a0=7ffff76f7938 a1=0 a2=20000 a3=69d items=1 ppid=12166 pid=12602 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm=\"cat\" exe=\"/bin/cat\" key=\"bees_in_my_honey\"" }, { "type": 1307, "data": " cwd=\"/root\"" }, { "type": 1302, "data": "item=0 name=\"/opt/secret.txt\" inode=785716 dev=fc:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL" }, { "type": 1327, "data": "proctitle=636174002F6F70742F7365637265742E747874" } ], "uid_map": { "0": "root", "1000": "user" } }
Currently, there is no such option in config file.
go-audit
version:
OS version(s):
The example yaml indicates that it's blocked by viper issue, that's since been resolved. Yay viper!
Uhh here: https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example#L1-L5
Look above
Nothing particularly. This is a heads up that it's been fixed.
I filled out an awkward set of questions.
Here's a cat! https://s-media-cache-ak0.pinimg.com/564x/45/91/b2/4591b2ec5726c7ad10537568415e8b07.jpg
Does go-audit decode the encoded fields such as saddr, a0, etc...?
If so are there special configuration parameter that need to be set?
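What the saddr field actually holds, as an added example rather than anything taken from go-audit: the value is the raw struct sockaddr the kernel saw for the call, hex-encoded byte by byte. The decoder below handles AF_INET, AF_INET6, AF_UNIX and AF_NETLINK using the layouts of the kernel's sockaddr structures; the sample values are constructed, not captured. (The a0..a3 fields of a SYSCALL record, by contrast, are just the syscall's arguments as hex integers and need no structural decoding.) Reading the bytes also explains the regexes used in the example config and logs on this page: saddr=(0200....7F|... matches an AF_INET address (family 0x0002, little-endian) whose first IP byte is 0x7F, i.e. 127.x.x.x.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
)

// Address family numbers from the kernel (the first two bytes of saddr).
const (
	afUnix    = 1
	afInet    = 2
	afInet6   = 10
	afNetlink = 16
)

// decodeSaddr turns the hex value of a SOCKADDR (type 1306) record into a
// readable address. The layouts are the kernel's struct sockaddr variants:
// sa_family is a 16-bit host-order value (little-endian on x86_64), ports are
// network (big-endian) order, and netlink pid/groups are host order.
func decodeSaddr(hexStr string) (string, error) {
	raw, err := hex.DecodeString(hexStr)
	if err != nil {
		return "", fmt.Errorf("saddr is not hex: %w", err)
	}
	if len(raw) < 2 {
		return "", fmt.Errorf("saddr too short (%d bytes)", len(raw))
	}
	family := binary.LittleEndian.Uint16(raw[0:2])
	switch family {
	case afInet: // sockaddr_in: family(2) port(2) addr(4) zero padding(8)
		if len(raw) < 8 {
			return "", fmt.Errorf("sockaddr_in too short (%d bytes)", len(raw))
		}
		port := binary.BigEndian.Uint16(raw[2:4])
		return fmt.Sprintf("inet %s:%d", net.IP(raw[4:8]), port), nil
	case afInet6: // sockaddr_in6: family(2) port(2) flowinfo(4) addr(16) scope_id(4)
		if len(raw) < 24 {
			return "", fmt.Errorf("sockaddr_in6 too short (%d bytes)", len(raw))
		}
		port := binary.BigEndian.Uint16(raw[2:4])
		return fmt.Sprintf("inet6 [%s]:%d", net.IP(raw[8:24]), port), nil
	case afUnix: // sockaddr_un: family(2) then a NUL-terminated path; a leading NUL means an abstract name
		path := raw[2:]
		if len(path) > 0 && path[0] == 0 {
			return fmt.Sprintf("unix @%s", bytes.TrimRight(path[1:], "\x00")), nil
		}
		if i := bytes.IndexByte(path, 0); i >= 0 {
			path = path[:i]
		}
		return fmt.Sprintf("unix %s", path), nil
	case afNetlink: // sockaddr_nl: family(2) pad(2) pid(4) groups(4)
		if len(raw) < 12 {
			return "", fmt.Errorf("sockaddr_nl too short (%d bytes)", len(raw))
		}
		pid := binary.LittleEndian.Uint32(raw[4:8])
		groups := binary.LittleEndian.Uint32(raw[8:12])
		return fmt.Sprintf("netlink pid=%d groups=0x%x", pid, groups), nil
	default:
		return fmt.Sprintf("family %d (not decoded) %x", family, raw[2:]), nil
	}
}

// Constructed samples (not captured from a live system). The first is the kind
// of value the filter regex saddr=(0200....7F|... on this page matches:
// AF_INET (0x0002 little-endian) to a 127.x.x.x address.
var sampleSaddrs = []string{
	"02000016" + "7F000001" + "0000000000000000",                             // 127.0.0.1:22
	"0A000050" + "00000000" + "00000000000000000000000000000001" + "00000000", // [::1]:80
	"0100" + "2F6465762F6C6F67" + "00",                                       // /dev/log
	"0100" + "00" + "2F6465762F6C6F67",                                       // abstract @/dev/log
	"10000000" + "00000000" + "00000000",                                     // netlink pid=0 groups=0
}

func main() {
	for _, s := range sampleSaddrs {
		dec, err := decodeSaddr(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %s\n", s, dec)
	}
}
```

The length checks matter on real data: the kernel logs whatever length the caller passed to the syscall, so a truncated or oversized sockaddr is normal input, not an error to crash on.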
After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (/var/log/go-audit.log). The service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.
This issue was reproducible in both Ubuntu and openSUSE. Reverting to older VM snapshots resulted in logging being restored; however, after some time or even a reboot the service still stops logging to file. I don't think this is a resource issue and both VMs have plenty of drive space.
go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): opensuse 15.2
Process does not stop logging.
Process stops logging after working for some time.
root@ubuntu:/var/log# service go-audit status
● go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall 42 containing message type 1306 matching string saddr=(0200....7F|01>
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type 1305 matching string `.*`
Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]
I could not find any other systems logs that hint any related issues... Any help would be much appreciated!
The current README.md file describes using govendor to install the package:
Install govendor if you haven't already
go get -u github.com/kardianos/govendor
govendor is now deprecated and go modules is recommended.
It appears that a go.mod file was added in e90a1ca already.
Does the README file just need an update, or is some other migration work necessary to remove the govendor pattern?
Using a Docker 6.5 container with golang 1.7 and govendor installed, when make executes govendor sync, it just hangs. Did the same process on RHEL 7.3 and it does not hang.
go-audit
version:
OS version(s):
rhel 6.5
bash-4.1# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
bash-4.1# ls -a
. .travis.yml README.md contrib marshaller.go writer.go
.. BATTLE_TESTING.md audit.go examples marshaller_test.go
.git CODE_OF_CONDUCT.md audit_test.go go-audit parser.go
.github LICENSE client.go go-audit.yaml.example parser_test.go
.gitignore Makefile client_test.go make_deb.sh vendor
bash-4.1# yum list golang
Loaded plugins: product-id, subscription-manager
Installed Packages
golang.x86_64 1.7.4-1.el6 @epel1.
bash-4.1# govendor -version
v1.0.8
bash-4.1# ls vendor
github.com golang.org vendor.json
I've tested and found out it's the vendor.json which is causing it to hang.
bash-4.1# govendor sync . ->? just hangs
Hello!
I want to ask you to consider creating ECS (https://www.elastic.co/guide/en/ecs/1.9/ecs-field-reference.html) compatible go-audit output format.
ECS is a field name normalization scheme used in the Elastic Security (SIEM) module, which we want to use in our SOC.
At the moment, the correspondence of field names to the ECS scheme out of the box is present when using the Auditbeat utility with the auditd module (https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html).
It looks like we can use Filebeat with auditd module to simply read auditd logs too (https://www.elastic.co/guide/en/beats/filebeat/7.11/filebeat-module-auditd.html).
But I think these options could not be used if we want to use go-audit instead of classic auditd.
Manually converting field names in accordance with the ECS format is a very time-consuming task and it would be very cool if a go-audit could do it out of the box.
I found another interesting Elastic repository with similar topic https://github.com/elastic/go-libaudit, maybe it will give you some additional useful data.
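A sketch of what an ECS-shaped output could look like, added here as an example; it is not go-audit code and not the Auditbeat module's mapping. It parses the key=value data of each record, decodes the hex-encoded fields (proctitle, and EXECVE arguments the kernel encodes because they contain spaces or control bytes) and fills the ECS fields whose names I am sure of: @timestamp, event.sequence, process.pid, process.executable, process.name, process.args, process.title, user.id and user.name (resolved from uid_map). Everything from the SYSCALL record is also kept under a non-ECS auditd.data object, which is this example's own convention. The sample event is constructed from the events quoted on this page.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// Record types used by the mapping (numbers from linux/audit.h).
const auditSyscall, auditExecve, auditProctitle = 1300, 1309, 1327

type auditEvent struct {
	Sequence  int               `json:"sequence"`
	Timestamp string            `json:"timestamp"`
	Messages  []auditMessage    `json:"messages"`
	UIDMap    map[string]string `json:"uid_map"`
}

type auditMessage struct {
	Type int    `json:"type"`
	Data string `json:"data"`
}

// parseKV splits a record's data string into key/value pairs. The kernel never
// puts a space inside a quoted value (such strings are hex-encoded instead), so
// splitting on whitespace is safe.
func parseKV(data string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(data) {
		if eq := strings.IndexByte(f, '='); eq > 0 {
			kv[f[:eq]] = f[eq+1:]
		}
	}
	return kv
}

// fieldValue strips quotes from a quoted value and hex-decodes the "untrusted"
// string fields (comm, exe, cwd, name, proctitle, EXECVE argv) that the kernel
// encodes instead of quoting. Numeric fields are never decoded, so a value such
// as ppid=1882 is not misread as hex.
func fieldValue(recType int, key, raw string) string {
	if len(raw) >= 2 && raw[0] == '"' && raw[len(raw)-1] == '"' {
		return raw[1 : len(raw)-1]
	}
	isStr := key == "comm" || key == "exe" || key == "cwd" || key == "name" || key == "proctitle"
	if isStr || (recType == auditExecve && strings.HasPrefix(key, "a")) {
		if b, err := hex.DecodeString(raw); err == nil {
			return string(b)
		}
	}
	return raw
}

// toECS maps one go-audit event to an ECS-shaped document. Only fields whose
// ECS names are certain are set; the SYSCALL record's raw pairs are kept under
// a non-ECS auditd.data object so nothing is lost.
func toECS(ev auditEvent) (map[string]interface{}, error) {
	secs, err := strconv.ParseFloat(ev.Timestamp, 64)
	if err != nil {
		return nil, fmt.Errorf("bad timestamp %q: %w", ev.Timestamp, err)
	}
	// Kernel timestamps have millisecond resolution; round away float noise.
	ts := time.Unix(0, int64(math.Round(secs*1e3))*int64(time.Millisecond)).UTC()
	process, user := map[string]interface{}{}, map[string]interface{}{}
	doc := map[string]interface{}{
		"@timestamp": ts.Format("2006-01-02T15:04:05.000Z"),
		"event":      map[string]interface{}{"sequence": ev.Sequence},
		"process":    process,
		"user":       user,
	}
	for _, m := range ev.Messages {
		kv := parseKV(m.Data)
		switch m.Type {
		case auditSyscall:
			process["pid"], _ = strconv.Atoi(kv["pid"])
			process["executable"] = fieldValue(m.Type, "exe", kv["exe"])
			process["name"] = fieldValue(m.Type, "comm", kv["comm"])
			user["id"] = kv["uid"]
			user["name"] = ev.UIDMap[kv["uid"]]
			doc["auditd"] = map[string]interface{}{"data": kv}
		case auditExecve:
			argc, _ := strconv.Atoi(kv["argc"])
			args := make([]string, 0, argc)
			for n := 0; n < argc; n++ {
				k := "a" + strconv.Itoa(n)
				args = append(args, fieldValue(m.Type, k, kv[k]))
			}
			process["args"] = args
		case auditProctitle:
			title := fieldValue(m.Type, "proctitle", kv["proctitle"])
			process["title"] = strings.ReplaceAll(title, "\x00", " ") // NULs separate argv
		}
	}
	return doc, nil
}

// Constructed sample assembled from the events quoted on this page.
const sampleEvent = `{"sequence":2487,"timestamp":"1498697171.657","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=e4fee0 a1=e510a0 a2=e22540 a3=5a1 items=2 ppid=18824 pid=18848 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"user_commands\""},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/etc/passwd\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=409296 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1327,"data":"proctitle=636174002F6574632F706173737764"}],"uid_map":{"0":"root","1000":"henrique.goncalves"}}`

func main() {
	var ev auditEvent
	if err := json.Unmarshal([]byte(sampleEvent), &ev); err != nil {
		panic(err)
	}
	doc, err := toECS(ev)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

The decision in fieldValue to decode only the known string fields is the important one: a blanket "decode anything that looks like hex" rule would silently turn numeric values such as ppid=1882 into garbage bytes.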
Test run fails.
go-audit
version:
OS version(s): CentOS 6.8
go version go1.7.3 linux/amd64
Steps:
go test -v
=== RUN Test_loadConfig
--- PASS: Test_loadConfig (0.00s)
=== RUN Test_setRules
Flushed existing audit rules
Flushed existing audit rules
Flushed existing audit rules
Added audit rule 1
Added audit rule 3
--- PASS: Test_setRules (0.00s)
=== RUN Test_createFileOutput
--- FAIL: Test_createFileOutput (0.00s)
Error Trace: audit_test.go:160
Error: Expected value not to be nil.
Messages: An error is expected but got nil.
Error Trace: audit_test.go:161
Error: Expected nil, but got: &main.AuditWriter{e:(*json.Encoder)(0xc4201423c0), w:(*os.File)(0xc420030148), attempts:1}
=== RUN Test_createSyslogOutput
--- FAIL: Test_createSyslogOutput (0.00s)
Error Trace: audit_test.go:205
Error: Expected nil, but got: &errors.errorString{s:"Failed to open syslog writer. Error: dial tcp [::]:38761: connect: no route to host"}
Error Trace: audit_test.go:206
Error: Expected value not to be nil.
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x48c6c0]
goroutine 8 [running]:
panic(0x7e85c0, 0xc420010120)
/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
testing.tRunner.func1(0xc420092600)
/usr/lib/golang/src/testing/testing.go:579 +0x25d
panic(0x7e85c0, 0xc420010120)
/usr/lib/golang/src/runtime/panic.go:458 +0x243
go-audit.Test_createSyslogOutput(0xc420092600)
/root/go/src/go-audit/audit_test.go:207 +0xdc0
testing.tRunner(0xc420092600, 0x88a0f8)
/usr/lib/golang/src/testing/testing.go:610 +0x81
created by testing.(*T).Run
/usr/lib/golang/src/testing/testing.go:646 +0x2ec
exit status 2
FAIL go-audit 0.011s
I've seen docker containers are supported since a while. Is there some way to get events specifically from LXD containers?
When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.
go-audit
version: dev+20200629015509
I also tried with version 1.00 and got the same result.
OS version(s): Ubuntu 20.04 LTS
kernel 5.4.0-39-generic
go v1.13.8
Expected:
No AUDIT_CONFIG_CHANGE messages.
A similar volume of messages as when I run auditd with the same rules.
{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
Now using the contrib spec file, which means I need to compile on 6 to create the el6 rpm.
Using a Docker 6.5 container with golang 1.7 and govendor installed, when make executes govendor sync, it just hangs. Did the same process on RHEL 7.3 and it does not hang.
go-audit
version: 752b3358719278e32d780677e9dde2b075a3c6d5
OS version(s):
make completes
make hangs at govendor
No releases/tags, and (per #65), no prebuilt binaries. I did notice that make_deb.sh includes a version 0.16.0, but contrib/go-audit.rpmbuild.spec specifies version 1.
I am trying to integrate go-audit into an AWS AMI build pipeline. At present I am cloning, checking out a specific commit, building a binary and copying it into my AMI volume. This works, but it's not particularly nice: which version have I installed? It also precludes semantic versioning.
With build tooling being very much a matter of taste and also org suitability I have not immediately created a PR. If a Goreleaser config would work for Slack I'll happily contribute one as I'm somewhat familiar with it via my own projects.
Thanks for sharing this software!
N/A
N/A
Github releases, or at least version tags
No tags or releases
N/A
I had a more fundamental question. I was playing with go-audit in Centos7. If go-audit is supposed to be a replacement for auditd, is it possible to stop auditd on the distro, and even possibly remove it all together? I ask this because when I tried, I got the following error:
[root@CyCentos myuser]# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details
I would be concerned running auditd and go-audit together on the same system would be a performance bottleneck.
Thanks! I could pull the repo and document the answer you provided if you want.
Hey. I followed the steps on your github readme. I cannot build due to this error:
some:~/goshit/src/github.com/slackhq/go-audit$ make
govendor sync
go build
# github.com/slackhq/go-audit
./audit.go:226: undefined: user.LookupGroup
Makefile:2: recipe for target 'bin' failed
make: *** [bin] Error 2
I tried to debug it; it's probably happening because go cannot import the os/user package. Can someone please help me with this?
go-audit
version: GIT head
OS version(s): Ubuntu 16.04 (Xenial)
Go version: go1.6.2 linux/amd64
go-audit
version: master build
OS version(s): ubuntu 14.04 virtual appliance
kernel panic
[11569.640940] audit: netlink_unicast sending to audit_pid=30964 returned error: -111
[11569.643620] Kernel panic - not syncing: audit: audit_pid=30964 reset
[11569.643620]
[11569.644928] CPU: 0 PID: 918 Comm: kauditd Not tainted 4.4.0-75-generic #9614.04.1-Ubuntucloud0 04/01/2014
[11569.644928] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1
[11569.644928] 0000000000000000 ffff880235253d68 ffffffff813dce3c ffffffff81ccf361
[11569.644928] ffff8802347191e4 ffff880235253de0 ffffffff81182e9c 0000000000000010
[11569.644928] ffff880235253df0 ffff880235253d90 ffff880235253da0 ffff880235253e28
[11569.644928] Call Trace:
[11569.644928] [] dump_stack+0x63/0x87
[11569.644928] [] panic+0xc8/0x20f
[11569.644928] [] audit_panic+0x5e/0x60
[11569.644928] [] audit_log_lost+0x3f/0xc0
[11569.644928] [] kauditd_send_skb+0x122/0x150
[11569.644928] [] ? audit_printk_skb+0x70/0x70
[11569.644928] [] kauditd_thread+0x78/0x190
[11569.644928] [] ? prepare_to_wait_event+0xf0/0xf0
[11569.644928] [] kthread+0xc9/0xe0
[11569.644928] [] ? kthread_park+0x60/0x60
[11569.644928] [] ret_from_fork+0x3f/0x70
[11569.644928] [] ? kthread_park+0x60/0x60
[11569.644928] Kernel Offset: disabled
[11569.644928] ---[ end Kernel panic - not syncing: audit: audit_pid=30964 reset
[11569.644928]
Backend: streamstash wont put the go-audit events in the "streamstash" index
go-audit
version: latest
streamstash
version: latest, as the suggested version in the example docs (sudo npm install -g https://github.com/nbrownus/streamstash#2.0) didn't work
OS version(s): Ubuntu 16.04 (on both backend & client)
According to the example docs a custom index should be created named "streamstash"
https://github.com/slackhq/go-audit/blob/master/examples/streamstash/streamstash.js#L21
streamstash puts all events in the (default?) "logstash-*" index
I was discussing go-audit and looking at the code, and noticed I couldn't check out one of the dependencies.
I do see it on archive.org wayback machine, but I guess that project is dead.
https://github.com/capsule8/capsule8 404s
Line 8 in 42f8f96
https://github.com/slackhq/go-audit/search?q=capsule8
Just an FYI that you might want to consider migrating off it.
Link in CONTRIBUTING.md points to CODE_OF_CONDUCT.md within .github, however it is actually located in the project root. Should the contributing docs be updated to point to the correct location, or the code file moved to .github?
latest version has wrong app in syslogs.
go-audit
version:
latest git clone
OS version(s):
amzn linux
when go-audit is running I see the host FQDN as the app name
Aug 15 03:25:07 instance-test.abc.local /usr/local/bin/go-audit[3262]
Expected:
Aug 15 03:25:07 instance-test instance-test.abc.local /usr/local/bin/go-audit[3262]
Hello, not really a go-audit issue, but there is some systemd behaviour that I think should be noticed: on recent versions of journald, journald by default listens to kernel audit messages by directly using a netlink socket.
That behaviour could generate double audit entries, or other strange issues, for example if you configure rsyslog to ingest journald messages, and also configure rsyslog to ingest go-audit messages.
To disable the journald audit socket:
sudo systemctl mask systemd-journald-audit.socket
Kind regards !
Had once a panic in logs that came from an out of bound array in parser.go.
go-audit
version: HEAD
OS version(s): Linux Ubuntu 16.04
??
I'm seeing a failure to open syslog writer. Is there additional setup that I need? I also tried making syslogd listen on /var/run/go-audit.sock but still no luck. I tried this on Ubuntu 16.04.
$ sudo go-audit -config examples/go-audit/go-audit.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Added audit rule #4
Added audit rule #5
Added audit rule #6
Added audit rule #7
Added audit rule #8
Added audit rule #9
Added audit rule #10
Failed to open syslog writer. Error: dial unix /var/run/go-audit.sock: connect: connection refused
When attempting to build and run go-audit I find that no messages are received on ubuntu 16.10. auditctl -l shows the rules being there, but all messages that come in have Seq==0, and they seem to be responses to the config change heartbeat. (used the examples/go-audit/go-audit.yaml but modified to get output to stdout)
go-audit
version: 2cd7fc8
OS version(s): Ubuntu server 16.10
We should get messages for the hooked syscalls.
No messages are received
Hi,
I want to filter so that I just see all the commands run by users in local0 to 7.
I think it is here: ?
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
  # Each filter consists of exactly 3 parts
  - syscall: 54 # The syscall id of the message group (a single log line from go-audit), to test against the regex
    message_type: 1306 # The message type identifier containing the data to test against the regex
    regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
For example i want to filter on this :
{"sequence":1737967,"timestamp":"1687420435.434","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=5558db82cfb0 a1=5558db82bfe0 a2=5558db70ebc0 a3=8 items=2 ppid=75483 pid=1615780 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=\"cat\" exe=\"/usr/bin/cat\" subj=unconfined key=(null)"},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/var/log/pacman.log\""},{"type":1307,"data":"cwd=\"/root\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=17698222 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=18143793 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1327,"data":"proctitle=636174002F7661722F6C6F672F7061636D616E2E6C6F67"}],"uid_map":{"0":"root","1000":"pc"}}
Also I have limited the events to 1327.
Best Regards
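The filter semantics the commented config above describes (a filter has a syscall, a message_type and a regex; an event whose record of that type matches the regex is ignored), worked through as an added example that is not go-audit's own code. An empty syscall acts as a wildcard, as the issue #13 follow-up earlier on this page describes for events that carry no SYSCALL record, such as the type 1305 heartbeat. The keepMatching=true mode, which emits only events that match some filter, is this example's own addition (an allow-list answering questions like the one above); the config quoted on this page only describes ignoring. The sample events are shortened from events quoted on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

type auditEvent struct {
	Sequence int `json:"sequence"`
	Messages []struct {
		Type int    `json:"type"`
		Data string `json:"data"`
	} `json:"messages"`
}

// Filter mirrors the three parts of a go-audit filter entry. An empty Syscall
// acts as a wildcard so that events without a SYSCALL record (for example the
// type 1305 heartbeat) can still be matched.
type Filter struct {
	Syscall     string
	MessageType int
	Regex       *regexp.Regexp
}

// NewFilter compiles the regex up front so a bad pattern is rejected at load
// time rather than on the first event.
func NewFilter(syscall string, messageType int, pattern string) (Filter, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return Filter{}, fmt.Errorf("filter regex %q: %w", pattern, err)
	}
	return Filter{Syscall: syscall, MessageType: messageType, Regex: re}, nil
}

var syscallRe = regexp.MustCompile(`(?:^| )syscall=(\d+)`)

// eventSyscall returns the syscall number from the event's SYSCALL (1300)
// record, or "" when the event has none (config-change and heartbeat events).
func eventSyscall(ev auditEvent) string {
	for _, m := range ev.Messages {
		if m.Type == 1300 {
			if sm := syscallRe.FindStringSubmatch(m.Data); sm != nil {
				return sm[1]
			}
		}
	}
	return ""
}

// Matches reports whether the filter applies to the event: the syscall must
// match (or the filter's syscall be empty) and at least one record of the
// filter's message type must match the regex.
func (f Filter) Matches(ev auditEvent) bool {
	if f.Syscall != "" && f.Syscall != eventSyscall(ev) {
		return false
	}
	for _, m := range ev.Messages {
		if m.Type == f.MessageType && f.Regex.MatchString(m.Data) {
			return true
		}
	}
	return false
}

// Keep decides whether a raw go-audit line should be emitted. With
// keepMatching=false a matching filter drops the event (the "ignore" behaviour
// the example config describes); with keepMatching=true only events that match
// some filter are emitted, an allow-list mode added in this example.
func Keep(line string, filters []Filter, keepMatching bool) (bool, error) {
	var ev auditEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return false, fmt.Errorf("decoding event: %w", err)
	}
	for _, f := range filters {
		if f.Matches(ev) {
			return keepMatching, nil
		}
	}
	return !keepMatching, nil
}

// Constructed samples, shortened from events quoted on this page.
const (
	heartbeatLine = `{"sequence":15404,"timestamp":"1531162561.286","messages":[{"type":1305,"data":"audit_pid=14960 old=14960 auid=4294967295 ses=4294967295 res=0"}],"uid_map":{"4294967295":"UNKNOWN_USER"}}`
	execveLine    = `{"sequence":1737967,"timestamp":"1687420435.434","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 ppid=75483 pid=1615780 auid=1000 uid=0 comm=\"cat\" exe=\"/usr/bin/cat\" key=(null)"},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/var/log/pacman.log\""}],"uid_map":{"0":"root","1000":"pc"}}`
)

func main() {
	dropHeartbeat, _ := NewFilter("", 1305, `.*`)
	onlyUserExecve, _ := NewFilter("59", 1300, `auid=\d+`)
	for _, line := range []string{heartbeatLine, execveLine} {
		keep, _ := Keep(line, []Filter{dropHeartbeat}, false)
		only, _ := Keep(line, []Filter{onlyUserExecve}, true)
		fmt.Printf("ignore-mode keep=%v allow-mode keep=%v\n", keep, only)
	}
}
```

With the heartbeat filter in ignore mode the 1305 event is dropped and the execve event passes; with the syscall-59 filter in allow mode only the execve event is emitted, which is the "just show me commands" outcome the question asks for.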
Compiled on both Ubuntu and Red Hat. When running on Red Hat, nothing is logged until an event happens, which is expected. On Ubuntu, using the same exact YAML file, the following entry is generated every 5 seconds (example of two messages):
[root@ld4643 tmp]# nc -u -l 514 | tee audit.out
<129>2016-12-19T14:34:43-05:00 ld4645 audit-thing[6000]: {"sequence":10672,"timestamp":"1482176078.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
<129>2016-12-19T14:34:48-05:00 ld4645 audit-thing[6000]: {"sequence":10673,"timestamp":"1482176083.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
go-audit
version:
OS version(s):
root@ld4645:/home/bxj6191# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
[root@ld4643 tmp]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
Steps to reproduce:
The following rules were added to the YAML file
-w /tmp/bxj6191/ -p wa -k selinux_changes
-w /tmp/bxj6191/test_audit -p x -k module_insertion
no entries added to log until rule is applicable
entry added every 5 seconds
[root@ld4643 tmp]# nc -u -l 514 | tee audit.out
<129>2016-12-19T14:34:43-05:00 ld4645 audit-thing[6000]: {"sequence":10672,"timestamp":"1482176078.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
<129>2016-12-19T14:34:48-05:00 ld4645 audit-thing[6000]: {"sequence":10673,"timestamp":"1482176083.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
Would it be a nice idea to auto-decode any hex-encoded values (e.g. proctitle is frequently encoded as such)? This apparently happens automagically when the value contains a space.
I wanted help in making the filter function filter out that particular filter instead of ignoring it!
This is more of a best practice as I'm not aware of any specific issues caused by the older dep.
As of today go-audit uses the "syscall" package which has been frozen since Go 1.4:
Deprecated: this package is locked down. Callers should use the corresponding package in the golang.org/x/sys repository instead. That is also where updates required by new systems or versions should be applied. See https://golang.org/s/go1.4-syscall for more information.
go-audit should migrate to using golang.org/x/sys/unix instead as new fixes/features are implemented there.
This should be a pretty straightforward migration as most structures are the same in both packages, any concerns with me sending over a pull request for this?
Do we need to implement logrotate for the go-audit.log file? Or is there a way to add logrotate in the go-audit.yaml file?
In auditd you can set logrotate in the auditd.conf file just wondering if there is something similar in go-audit.
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
go-audit
version: 1
OS version(s): Centos 8
go-audit.log does not grow too big in size.
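An added example of handling rotation with logrotate rather than inside go-audit; it is not a go-audit feature. Nothing on this page says go-audit rotates or reopens its own log file, so this assumes it does not and uses copytruncate. The path /var/log/go-audit.log is the one named in the question, and the numbers loosely mirror the auditd.conf settings quoted above (max_log_file 8 as maxsize 8M, num_logs 5 as rotate 5).

```conf
# /etc/logrotate.d/go-audit (example; path and limits assumed from the question above)
/var/log/go-audit.log {
    daily
    maxsize 8M
    rotate 5
    missingok
    notifempty
    compress
    delaycompress
    copytruncate
}
```

copytruncate copies the file and then truncates the original, so any lines go-audit writes between the two steps are lost; that window is the price of rotating a file whose writer is not known to reopen it. If go-audit is ever given a reopen-on-signal option, replace copytruncate with a postrotate block that sends that signal. Keep the file mode restrictive (root-only) when creating it, because the records carry full command lines and arguments.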
Ship an official Docker image for go-auditd. Should be as simple as adding a Dockerfile here and setting up automated builds on DockerHub. Would be quite useful for folks wanting to run this inside docker containers.
Following a clean install (Ubuntu 16.04 LTS), and apt-get install golang, the install guidance to add govendor fails with this error:
~$ go get -u github.com/kardianos/govendor
package github.com/kardianos/govendor: cannot download, $GOPATH not set. For more details see: go help gopath
~$ sudo go get -u github.com/kardianos/govendor
package github.com/kardianos/govendor: cannot download, $GOPATH not set. For more details see: go help gopath
go-audit
version: all - installation guidance issue.
OS version(s): Ubuntu 16.04
~$ go get -u github.com/kardianos/govendor
package github.com/kardianos/govendor: cannot download, $GOPATH not set. For more details see: go help gopath
n/a
During boot, I'm getting a kernel oops
[ 26.856596] BUG: stack guard page was hit at ffffc900011bbff8 (stack is ffffc900011bc000..ffffc900011bffff)
[ 26.859714] kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
[ 26.859714] Modules linked in: intel_rapl sb_edac edac_core crct10dif_pclmul mousedev crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd ttm glue_helper cryptd drm_kms_helper drm intel_rapl_perf pcspkr psmouse syscopyarea sysfillrect ppdev sysimgblt parport_pc fb_sys_fops i2c_piix4 parport input_leds led_class fjes intel_agp intel_gtt acpi_cpufreq evdev tpm_tis tpm_tis_core tpm mac_hid sch_fq_codel ip_tables x_tables ext4 crc16 jbd2 fscrypto mbcache ata_generic pata_acpi serio_raw atkbd libps2 ata_piix libata scsi_mod floppy i8042 serio ixgbevf xen_privcmd xen_netfront xen_blkfront virtio_pci virtio_net virtio_blk virtio_ring virtio ipmi_poweroff ipmi_devintf ipmi_msghandler button
[ 26.859714] CPU: 1 PID: 459 Comm: go-audit Not tainted 4.10.11-1-pagarme #1
[ 26.859714] Hardware name: Xen HVM domU, BIOS 4.2.amazon 02/16/2017
[ 26.859714] task: ffff8801090e5580 task.stack: ffffc900011bc000
[ 26.859714] RIP: 0010:_raw_spin_lock_irqsave+0x9/0x50
[ 26.859714] RSP: 0018:ffffc900011bc000 EFLAGS: 00010246
[ 26.859714] RAX: 0000000000000000 RBX: ffff8801090cc800 RCX: 0000000000000000
[ 26.859714] RDX: 0000000100100001 RSI: ffffea0004243200 RDI: ffff88010ac00d40
[ 26.859714] RBP: ffffc900011bc000 R08: 0000000000000001 R09: ffff88010ac00d40
[ 26.859714] R10: ffff8801090cc800 R11: dead000000000100 R12: ffffea0004243200
[ 26.859714] R13: ffff8801090c9800 R14: 0000000000000000 R15: ffff88010ac03040
[ 26.859714] FS: 00007f59a7a7d700(0000) GS:ffff88010b240000(0000) knlGS:0000000000000000
[ 26.859714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.915296] CR2: ffffc900011bbff8 CR3: 0000000108a4a000 CR4: 00000000001406e0
[ 26.915296] Call Trace:
[ 26.919284] __slab_free+0x148/0x3d0
[ 26.919465] ? skb_free_head+0x21/0x30
[ 26.919465] kfree+0x177/0x190
[ 26.919465] skb_free_head+0x21/0x30
[ 26.919465] skb_release_data+0x101/0x110
[ 26.919465] ? kauditd_hold_skb+0x74/0xb0
[ 26.919465] skb_release_all+0x24/0x30
[ 26.919465] kfree_skb+0x36/0xb0
[ 26.919465] kauditd_hold_skb+0x74/0xb0
[ 26.919465] auditd_reset+0x2f/0x70
[ 26.919465] kauditd_hold_skb+0x79/0xb0
[ 26.919465] auditd_reset+0x2f/0x70
[ 26.919465] kauditd_hold_skb+0x79/0xb0
[ 26.919465] auditd_reset+0x2f/0x70
(the kauditd_hold_skb+0x79/0xb0 / auditd_reset+0x2f/0x70 pair repeats many more times; the trace as posted is cut off mid-line)
kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] 
kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] 
kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] 
kauditd_hold_skb+0x79/0xb0 [ 26.919465] auditd_reset+0x2f/0x70 [ 26.919465] kauditd_hold_skb+0x79/0xb0 [ 27.361241] auditd_reset+0x2f/0x70 [ 27.361241] kauditd_hold_skb+0x79/0xb0 [ 27.361241] auditd_reset+0x2f/0x70 [ 27.361241] kauditd_hold_skb+0x79/0xb0 [ 27.361241] auditd_reset+0x2f/0x70 [ 27.361241] kauditd_hold_skb+0x79/0xb0 [ 27.361241] auditd_reset+0x2f/0x70 [ 27.361241] kauditd_hold_skb+0x79/0xb0 [ 27.361241] auditd_reset+0x2f/0x70 [ 27.361241] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] 
kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] 
kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.375353] kauditd_hold_skb+0x79/0xb0 [ 27.375353] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] 
kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.552103] kauditd_hold_skb+0x79/0xb0 [ 27.552103] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] 
kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] kauditd_hold_skb+0x79/0xb0 [ 27.603420] auditd_reset+0x2f/0x70 [ 27.603420] audit_receive_msg+0x94e/0xcd0 [ 27.603420] ? __kmalloc_node_track_caller+0x35/0x2c0 [ 27.603420] audit_receive+0x4a/0xa0 [ 27.603420] netlink_unicast+0x17c/0x240 [ 27.603420] netlink_sendmsg+0x348/0x3b0 [ 27.603420] sock_sendmsg+0x17/0x30 [ 27.603420] SyS_sendto+0x101/0x150 [ 27.603420] ? __audit_syscall_entry+0xad/0xf0 [ 27.603420] ? syscall_trace_enter+0x1d9/0x300 [ 27.603420] ? 
__do_page_fault+0x2dc/0x510 [ 27.603420] do_syscall_64+0x54/0xc0 [ 27.603420] entry_SYSCALL64_slow_path+0x25/0x25 [ 27.603420] RIP: 0033:0x4780ba [ 27.603420] RSP: 002b:000000c42002ee10 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 27.603420] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004780ba [ 27.603420] RDX: 0000000000000038 RSI: 000000c420172020 RDI: 0000000000000005 [ 27.603420] RBP: 000000c42002ee70 R08: 000000c42015010c R09: 000000000000000c [ 27.603420] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 27.603420] R13: 00000000ffffffee R14: 0000000000000060 R15: 00000000000000aa [ 27.603420] Code: f0 80 60 02 df 0f ae f0 48 8b 00 a8 08 74 0b 65 81 25 88 ba 9c 7e ff ff ff 7f 89 d0 5d c3 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 <53> 9c 58 0f 1f 44 00 00 48 89 c3 fa 66 0f 1f 44 00 00 65 ff 05 [ 27.603420] RIP: _raw_spin_lock_irqsave+0x9/0x50 RSP: ffffc900011bc000 [ 27.603420] ---[ end trace 179041e7187b5cc2 ]--- [ 27.743043] note: go-audit[459] exited with preempt_count 1
And then I can't SSH to the machine to get more details (AWS instance)
go-audit
version: Compiled from e194f88
OS version(s): Arch Linux with kernel 4.11.6
go-audit runs
Kernel oops
Using the provided go-audit.yaml.example prevents the go-audit service from starting. To resolve the issue, you can edit the example configuration file to enable container monitoring.
go-audit
version:
latest git clone at 42f8f96
OS version(s):
Ubuntu 18.04.4 LTS
sudo ./go-audit -config go-audit.yaml
or as root with ./go-audit -config go-audit.yaml
extras:
  containers:
    enabled: false
    # if enabled, make requests to the local docker daemon for extra container details
    docker: false
    docker_api_version: 1.24
    # number of pid -> container_id mappings to cache (0 means disable cache)
    pid_cache: 0
    # number of container_id -> docker_details to cache (0 means disable cache)
    docker_cache: 0
extras.go was modified to print more debug information. The steps can be reproduced without this modification.
 4 import "fmt"
.....
30 func (ps ExtraParsers) Parse(am *AuditMessage) {
31 	for _, p := range ps {
32 		fmt.Printf("%#v, %#v", p, ps)
33 		p.Parse(am)
34 	}
35 }
Observe errors in console
Edit the configuration file to set values to true
extras:
  containers:
    enabled: true
    # if enabled, make requests to the local docker daemon for extra container details
    docker: true
    docker_api_version: 1.24
    # number of pid -> container_id mappings to cache (0 means disable cache)
    pid_cache: 0
    # number of container_id -> docker_details to cache (0 means disable cache)
    docker_cache: 0
$ sudo ./go-audit -config examples/go-audit/go-audit2.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
Socket receive buffer size: 32768
ContainerParser enabled (docker=true pid_cache=0 docker_cache=0)
Started processing events in the range [1300, 1399]
{"sequence":23099,"timestamp":"1580767369.656","messages":[{"type":1305,"data":"audit_pid=2067 old=0 auid=1000 ses=3 res=1"}],"uid_map":{"1000":"computer"}}
Without modifications to the example file, the service starts and begins collecting audit data. This should also support instances where Docker is not installed on a host.
[remotephone@computer:~/gits/work/go-audit]
$ sudo ./go-audit -config go-audit.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
Socket receive buffer size: 32768
Started processing events in the range [1300, 1399]
<nil>, main.ExtraParsers{main.ExtraParser(nil)}panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x94e708]
goroutine 1 [running]:
main.ExtraParsers.Parse(0xc00030cc40, 0x1, 0x1, 0xc000292ec0)
/home/remotephone/gits/work/go-audit/extras.go:33 +0x148
main.(*AuditMarshaller).Consume(0xc000225e60, 0xc000317050)
/home/remotephone/gits/work/go-audit/marshaller.go:97 +0xf9
main.main()
/home/remotephone/gits/work/go-audit/audit.go:420 +0x674
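The debug print in the trace above shows the parser slice holding a nil interface value, main.ExtraParsers{main.ExtraParser(nil)}, when containers are disabled. The following Go program is an added example and not go-audit's code: it rebuilds that state with stand-in types (ContainerParser, ContainersConfig, BuildParsersBuggy, BuildParsersFixed and RunRecovering are hypothetical names), shows the nil-interface method call that produces the SIGSEGV, and the two guards a fix would use so a configuration choice cannot stop audit collection.

```go
package main

import "fmt"

// Stand-ins named after the types in the crash trace (ExtraParsers,
// ExtraParser, AuditMessage); fields and method sets are assumptions for this
// example, not the project's definitions.
type AuditMessage struct {
	Type  uint16
	Data  string
	Extra map[string]string
}

type ExtraParser interface {
	Parse(am *AuditMessage)
}

type ExtraParsers []ExtraParser

// ContainerParser stands in for the real Docker/cgroup lookup.
type ContainerParser struct{ Docker bool }

func (c *ContainerParser) Parse(am *AuditMessage) {
	if am.Extra == nil {
		am.Extra = map[string]string{}
	}
	am.Extra["container_id"] = "deadbeef" // constructed value
}

type ContainersConfig struct{ Enabled, Docker bool }

// BuildParsersBuggy reproduces the state in the trace: the container parser's
// slot is appended whether or not the feature is enabled, so with
// enabled: false the slice is ExtraParsers{ExtraParser(nil)}.
func BuildParsersBuggy(cfg ContainersConfig) ExtraParsers {
	var cp ExtraParser
	if cfg.Enabled {
		cp = &ContainerParser{Docker: cfg.Docker}
	}
	return ExtraParsers{cp}
}

// BuildParsersFixed appends only parsers that were actually constructed.
func BuildParsersFixed(cfg ContainersConfig) ExtraParsers {
	var ps ExtraParsers
	if cfg.Enabled {
		ps = append(ps, &ContainerParser{Docker: cfg.Docker})
	}
	return ps
}

// ParseUnguarded is the loop shape from extras.go:33. A method call through a
// nil interface value dereferences a nil itab, which is the SIGSEGV at
// addr=0x18 in the trace.
func ParseUnguarded(ps ExtraParsers, am *AuditMessage) {
	for _, p := range ps {
		p.Parse(am)
	}
}

// Parse is the guarded form: a nil entry is skipped instead of taking the
// collector down.
func (ps ExtraParsers) Parse(am *AuditMessage) {
	for _, p := range ps {
		if p == nil {
			continue
		}
		p.Parse(am)
	}
}

// RunRecovering turns a parser panic into an error so a caller can log it and
// keep consuming events rather than exiting and leaving a telemetry gap.
func RunRecovering(parse func(ExtraParsers, *AuditMessage), ps ExtraParsers, am *AuditMessage) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked, err = true, fmt.Errorf("extra parser panicked: %v", r)
		}
	}()
	parse(ps, am)
	return false, nil
}

func main() {
	off := ContainersConfig{Enabled: false}
	am := &AuditMessage{Type: 1305, Data: "audit_pid=2067 old=0 auid=1000 ses=3 res=1"}
	fmt.Printf("buggy slice: %#v\n", BuildParsersBuggy(off))
	fmt.Println(RunRecovering(ParseUnguarded, BuildParsersBuggy(off), am))
	fmt.Println(RunRecovering(ExtraParsers.Parse, BuildParsersFixed(off), am))
}
```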
Would like to move from auditd to go-audit, but the problem for me is that the machines that this will be installed on have no internet access. This means that the govendor sync cannot resolve the dependencies in vendor/vendor.json. I'm not very familiar with go but know that it's compiled. If it's possible could you release a pre-compiled version? Cheers :)
Currently config is read from a file based on the --config command line argument. For an environment where thousands of nodes are monitored using go-audit, these config files need to be pushed from an external tool like Chef.
Here are a few thoughts I have:
I could send up a pull request if you like this idea.
Currently go-audit uses the stdlib encoding/json class to marshal the AuditMessageGroup and AuditMessage structs into a []byte. Internally the encoding/json package uses reflection so it can marshal arbitrary objects.
Because go-audit only uses two static structures there would likely be a significant performance improvement using a code generation library like easyjson to serialize the structures into bytes.
You can find various benchmarks on JSON serialization performance across code generation packages vs stdlib but I am partial to go_serialization_benchmarks:
benchmark | iter | time/iter | bytes/op | allocs/op | tt.sec | tt.kb | ns/alloc |
---|---|---|---|---|---|---|---|
BenchmarkJsonMarshal-8 | 1000000 | 1585 ns/op | 304 | 4 | 1.58 | 30400 | 396.25 |
BenchmarkEasyJsonMarshal-8 | 1000000 | 1125 ns/op | 784 | 5 | 1.12 | 78400 | 225.00 |
This comes at the cost of an additional dependency (primarily when the models change only).
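To show what a generated marshaller changes, and the check that matters when swapping serializers (byte-identical output, so log consumers keep parsing), here is an added example that is not go-audit's code: a hand-written, reflection-free marshaller of the shape easyjson would generate for the two structs, compared against encoding/json on the event shown earlier on this page. The Go field names and types, and the SampleGroup helper, are assumptions.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
	"strconv"
)

// Mirrors the JSON go-audit emits (sequence, timestamp, messages[], uid_map).
// Go field names and types are assumptions for this example, not the project's.
type AuditMessage struct {
	Type uint16 `json:"type"`
	Data string `json:"data"`
}
type AuditMessageGroup struct {
	Seq       int               `json:"sequence"`
	AuditTime string            `json:"timestamp"`
	Msgs      []AuditMessage    `json:"messages"`
	UidMap    map[string]string `json:"uid_map"`
}

// MarshalReflect is the current path: encoding/json walks the struct by reflection.
func MarshalReflect(g *AuditMessageGroup) ([]byte, error) {
	return json.Marshal(g)
}

// writeString escapes one string value; reusing encoding/json for strings only
// keeps escaping (quotes, control chars, HTML-safe \u003c) identical to stdlib.
func writeString(b *bytes.Buffer, s string) {
	enc, _ := json.Marshal(s) // marshalling a string value never fails
	b.Write(enc)
}

// MarshalDirect has the shape of generated code: literal field names, no
// reflection. It must stay byte-identical to MarshalReflect.
func MarshalDirect(g *AuditMessageGroup) []byte {
	var b bytes.Buffer
	b.WriteString(`{"sequence":`)
	b.WriteString(strconv.Itoa(g.Seq))
	b.WriteString(`,"timestamp":`)
	writeString(&b, g.AuditTime)
	b.WriteString(`,"messages":`)
	if g.Msgs == nil {
		b.WriteString("null") // encoding/json emits null for a nil slice or map
	} else {
		b.WriteByte('[')
		for i, m := range g.Msgs {
			if i > 0 {
				b.WriteByte(',')
			}
			b.WriteString(`{"type":`)
			b.WriteString(strconv.FormatUint(uint64(m.Type), 10))
			b.WriteString(`,"data":`)
			writeString(&b, m.Data)
			b.WriteByte('}')
		}
		b.WriteByte(']')
	}
	b.WriteString(`,"uid_map":`)
	if g.UidMap == nil {
		b.WriteString("null")
	} else {
		keys := make([]string, 0, len(g.UidMap))
		for k := range g.UidMap {
			keys = append(keys, k)
		}
		sort.Strings(keys) // encoding/json sorts map keys; match it exactly
		b.WriteByte('{')
		for i, k := range keys {
			if i > 0 {
				b.WriteByte(',')
			}
			writeString(&b, k)
			b.WriteByte(':')
			writeString(&b, g.UidMap[k])
		}
		b.WriteByte('}')
	}
	b.WriteByte('}')
	return b.Bytes()
}

// SampleGroup is the event printed earlier on this page, rebuilt as a struct.
func SampleGroup() *AuditMessageGroup {
	return &AuditMessageGroup{
		Seq:       23099,
		AuditTime: "1580767369.656",
		Msgs:      []AuditMessage{{Type: 1305, Data: "audit_pid=2067 old=0 auid=1000 ses=3 res=1"}},
		UidMap:    map[string]string{"1000": "computer"},
	}
}

func main() {
	a, _ := MarshalReflect(SampleGroup())
	b := MarshalDirect(SampleGroup())
	fmt.Printf("reflect: %s\ndirect:  %s\nidentical: %v\n", a, b, bytes.Equal(a, b))
}
```

Run the equivalence check as a unit test in CI whenever the structs change; that is the regression a generated marshaller needs.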
Build of go-audit not successful due to go path issues.
Troubleshooting the path issue, I attempted to use 'go get' but this failed with error 177: undefined: user.LookupGroup
go-audit
version:
OS version(s): CentOS 7
$ go get github.com/slackhq/go-audit
pwd
/home/user/go/src/github.com/slackhq/go-audit
[user@localhost go-audit]$ make
govendor sync
go build
# github.com/slackhq/go-audit
./audit.go:177: undefined: user.LookupGroup
make: *** [bin] Error 2
./audit.go:177: undefined: user.LookupGroup
go-audit
version: Latest master branch
OS version(s): Ubuntu 16.04.3 LTS (4.4.0-1028-aws)
rsyslog (preinstalled in Ubuntu): 8.16.0
1. go get github.com/slackhq/go-audit, or make in $GOPATH/src/github.com/slackhq/go-audit after go get github.com/slackhq/go-audit.
2. Copy the binary ($GOPATH/bin for the former in step 1, or $GOPATH/src/github.com/slackhq/go-audit for the latter in step 1) into /usr/local/bin.
3. Set up /etc/go-audit.yml with syslog output following https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example and run go-audit with systemd.
/etc/go-audit.yml with file output and sudo mkdir /var/log/go-audit, then restarting go-audit, yields the same failure.
/etc/rsyslog.conf with module(load="imtcp") and input(type="imtcp" port="514"), /etc/go-audit.yml configured with network: tcp and address: localhost:514, then restarting go-audit, yields the same failure.
Normal run of go-audit.
Output of /var/log/syslog:
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: Flushed existing audit rules
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: Added audit rule #1
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: Added audit rule #2
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: Added audit rule #3
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: Socket receive buffer size: 32768
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: panic: runtime error: invalid memory address or nil pointer dereference
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x75ef0f]
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: goroutine 1 [running]:
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: main.createFilters(0xc42007c1e0, 0x838967, 0x21, 0x1f4)
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: #011/home/ubuntu/go/src/github.com/slackhq/go-audit/audit.go:299 +0x55f
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: main.main()
Aug 6 02:28:05 ip-10-255-0-48 go-audit[1138]: #011/home/ubuntu/go/src/github.com/slackhq/go-audit/audit.go:339 +0x374
Aug 6 02:28:05 ip-10-255-0-48 systemd[1]: go-audit.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.659200] audit_printk_skb: 15 callbacks suppressed
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.659203] audit: type=1131 audit(1501957685.404:17): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=go-audit comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug 6 02:28:05 ip-10-255-0-48 systemd[1]: go-audit.service: Unit entered failed state.
Aug 6 02:28:05 ip-10-255-0-48 systemd[1]: go-audit.service: Failed with result 'exit-code'.
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.668861] audit: type=1300 audit(1501957685.416:18): arch=c000003e syscall=59 success=yes exit=0 a0=134e8e8 a1=134d6c8 a2=1343008 a3=598 items=2 ppid=1359 pid=1361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" key=(null)
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.668867] audit: type=1309 audit(1501957685.416:18): argc=2 a0="sed" a1="s/\([^.]*\)[^@]*\(.*\)/\1\2/"
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.668869] audit: type=1307 audit(1501957685.416:18): cwd="/"
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.668873] audit: type=1302 audit(1501957685.416:18): item=0 name="/bin/sed" inode=15 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.668876] audit: type=1302 audit(1501957685.416:18): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2041 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.668880] audit: type=1327 audit(1501957685.416:18): proctitle=73656400732F5C285B5E2E5D2A5C295B5E405D2A5C282E2A5C292F5C315C322F
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.696417] audit: type=1300 audit(1501957685.416:19): arch=c000003e syscall=59 success=yes exit=0 a0=134d9c8 a1=1344308 a2=1343008 a3=598 items=2 ppid=1339 pid=1362 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="localedef" exe="/usr/bin/localedef" key=(null)
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.696424] audit: type=1309 audit(1501957685.416:19): argc=9 a0="localedef" a1="-i" a2="en_US" a3="-c" a4="-f" a5="UTF-8" a6="-A" a7="/usr/share/locale/locale.alias" a8="en_US.UTF-8"
Aug 6 02:28:05 ip-10-255-0-48 kernel: [ 15.696427] audit: type=1307 audit(1501957685.416:19): cwd="/"
The auditd is loaded but not active:
$ systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: inactive (dead)