forked from slackhq/go-audit
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsimple.go
196 lines (174 loc) · 4.41 KB
/
simple.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
package main
import (
"bytes"
"encoding/binary"
"encoding/hex"
"fmt"
"os"
"strings"
)
type json_map map[string]interface{}
var DECODE_TYPES = map[string]bool{
"proctitle": true,
"arch": true,
}
func trimRightFromString(psrc *string, pattern string) (trimmed string) {
idx := strings.Index(*psrc, pattern)
trimmed = string(*psrc)
if idx >= 0 {
trimmed = (*psrc)[:idx]
}
return trimmed
}
func trimQuotesFromString(psrc *string) (trimmed string) {
trimmed = string(*psrc)
if len(trimmed) > 1 && trimmed[0] == '"' {
trimmed = trimmed[1:]
}
if len(trimmed) > 1 && trimmed[len(trimmed)-1] == '"' {
trimmed = trimmed[:len(trimmed)-1]
}
return trimmed
}
func process_group(grp *AuditMessageGroup) (tmp json_map, err error) {
tmp = json_map{}
tmp["timestamp"] = trimRightFromString(&grp.AuditTime, ".")
args := json_map{} // execve args
paths_list := []string{}
paths_map := json_map{}
tmp["hostname"], _ = os.Hostname()
for i := 0; i < len(grp.Msgs); i++ {
msg := grp.Msgs[i]
if AUDITD_EVENT_TYPES[msg.Type] == "execve" {
parse_kvs(&msg.Data, &args)
tmp["args"] = args
} else {
parse_kvs(&msg.Data, &tmp)
}
if AUDITD_EVENT_TYPES[msg.Type] == "syscall" {
for i := 0; i < 4; i++ {
delete(tmp, fmt.Sprintf("a%d", i))
}
if session, ok := (tmp["ses"]).(string); ok {
tmp["session"] = session
delete(tmp, "ses")
}
}
if AUDITD_EVENT_TYPES[msg.Type] == "path" {
tmp_kvs := json_map{}
parse_kvs(&msg.Data, &tmp_kvs)
paths_list = append(paths_list, tmp_kvs["name"].(string))
paths_map[tmp_kvs["item"].(string)] = tmp_kvs
}
}
// Set paths, paths_info if any path messages were processed
if len(paths_map) > 0 {
tmp["paths"] = paths_list
tmp["paths_info"] = paths_map
}
set_username(&tmp, &grp.UidMap)
set_syscall_type(&tmp, &grp.Syscall)
return tmp, err
}
func parse_kvs(blob *string, pkvs *json_map) (err error) {
kvs := *pkvs
kvs_unparsed := strings.Split(*blob, " ")
for i := 0; i < len(kvs_unparsed); i++ {
split := strings.Split(kvs_unparsed[i], "=")
if len(split) == 2 {
k := split[0]
v := split[1]
if _, ok := DECODE_TYPES[k]; ok {
if k == "arch" {
map_arch(&v, pkvs)
} else {
v, _ = decode_hex_string(&v)
}
}
kvs[k] = trimQuotesFromString(&v)
}
err = nil
}
return err
}
func set_username(pkvs *json_map, puidmap *map[string]string) (err error) {
tmp := *pkvs
uidmap := *puidmap
var ok bool
var user string
var auid string
if auid, ok = tmp["auid"].(string); ok {
if auid == "4294967295" {
auid, ok = tmp["uid"].(string)
}
user, ok = uidmap[auid]
}
if !ok {
user = ""
}
tmp["user"] = user
return err
}
func set_syscall_type(pkvs *json_map, psyscall_id *string) (err error) {
tmp := *pkvs
syscall_id := *psyscall_id
var arch string
var ok bool
if arch, ok = tmp["arch_name"].(string); ok {
tmp["type"] = SYSCALLS[arch][syscall_id]
}
if !ok {
tmp["type"] = "UNKNOWN"
}
return err
}
func map_arch(data *string, pkvs *json_map) (err error) {
arch, _ := decode_hex_int(data)
kvs := *pkvs
bits := "64"
endianness := "little"
if !((ARCH["64bit"])&arch != 0) {
bits = "32"
} else {
arch ^= ARCH["64bit"]
}
kvs["bits"] = bits
if !((ARCH["little_endian"])&arch != 0) {
endianness = "big"
} else {
arch = arch ^ ARCH["little_endian"]
}
kvs["endianness"] = endianness
if (ARCH["convention_mips64_n32"])&arch != 0 {
arch = arch ^ ARCH["convention_mips64_n32"]
}
if name, ok := MACHINES[arch]; ok {
kvs["arch_name"] = name
} else {
kvs["arch_name"] = fmt.Sprintf("Unrecognized Archietecture: %d", arch)
}
err = nil
return err
}
func decode_hex_string(blob *string) (decoded string, err error) {
/* Some values are hex-encoded if there are potentally non-ascii bytes or spaces in the string
such as IP addresses and proctitles
This function helps those things become human readable
*/
bstring, _ := hex.DecodeString(*blob)
decoded = string(bytes.ReplaceAll(bstring, []byte("\x00"), []byte(" ")))
err = nil
return decoded, err
}
func decode_hex_int(blob *string) (decoded int, err error) {
/* Some values are hex-encoded if there are potentally non-ascii bytes or spaces in the string
such as IP addresses and proctitles
This function helps those things become human readable
*/
bstring, _ := hex.DecodeString(*blob)
var buint64 [8]byte
copy(buint64[8-len(bstring):], bstring)
decoded = int(binary.BigEndian.Uint64(buint64[:]))
err = nil
return decoded, err
}