Name: go-audit
Owner: Datadog, Inc.
Description: go-audit is an alternative to the auditd daemon that ships with many distros
Forked from: slackhq/go-audit
Created: 2016-11-20 18:15:17.0
Updated: 2016-11-20 18:15:18.0
Pushed: 2018-03-21 21:41:59.0
Size: 223
Language: Go
go-audit is an alternative to the auditd daemon that ships with many distros. After having created an auditd audisp plugin to convert audit logs to json, I became interested in creating a replacement for the existing daemon.
1. Install golang, version 1.7 or greater is required
2. Install govendor if you haven't already
3. Clone the repo
   - `git clone (this repo)` and change into the `go-audit` directory
4. Build the binary
5. Copy the binary `go-audit` to wherever you'd like
- `make test` - run the unit test suite
- `make test-cov-html` - run the unit tests and open up the code coverage results
- `make bench` - run the benchmark test suite
- `make bench-cpu` - run the benchmark test suite with cpu profiling
- `make bench-cpulong` - run the benchmark test suite with cpu profiling and try to get some gc collection

Check the contrib folder, it contains examples for how to run go-audit as a proper service on your machine.
I am seeing `Error during message receive: no buffer space available` in the logs

This is because go-audit is not receiving data as quickly as your system is generating it. You can increase the receive buffer system wide and maybe it will help. Best to try and reduce the amount of data go-audit has to handle.

If reducing audit velocity is not an option you can try increasing `socket_buffer.receive` in your config. See the example config for more information. Note that the kernel caps any per-socket receive buffer request at `net.core.rmem_max` (and stores twice the requested value), so a `socket_buffer.receive` larger than that sysctl is silently reduced unless you raise `rmem_max` too.

```yaml
socket_buffer:
  receive: <some number bigger than (the current value * 2)>
```
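The following is an added check, not go-audit's own code, for verifying whether the kernel honoured a receive-buffer request. It assumes Linux: it opens a `NETLINK_AUDIT` socket (the kind go-audit reads from; it falls back to a UDP socket if the sandbox refuses netlink, since `SO_RCVBUF` clamping is the same for every socket type), sets `SO_RCVBUF`, reads the value back, and compares it to `net.core.rmem_max`. The type and function names are the example's own.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// RecvBufResult reports what the kernel actually granted for a SO_RCVBUF request.
type RecvBufResult struct {
	Requested int // bytes passed to setsockopt
	Effective int // bytes reported back by getsockopt (Linux stores twice the request)
	RmemMax   int // net.core.rmem_max, the per-socket ceiling; 0 if unreadable
}

// readRmemMax returns net.core.rmem_max, or 0 when /proc is not available.
func readRmemMax() int {
	b, err := os.ReadFile("/proc/sys/net/core/rmem_max")
	if err != nil {
		return 0
	}
	n, err := strconv.Atoi(strings.TrimSpace(string(b)))
	if err != nil {
		return 0
	}
	return n
}

// openSocket prefers a NETLINK_AUDIT socket, the kind go-audit reads audit
// events from; if the environment refuses it, a UDP socket stands in, because
// SO_RCVBUF is clamped identically regardless of socket family.
func openSocket() (int, error) {
	fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT)
	if err == nil {
		return fd, nil
	}
	return syscall.Socket(syscall.AF_INET, syscall.SOCK_DGRAM, 0)
}

// ProbeRecvBuf asks the kernel for a receive buffer of `requested` bytes and
// returns what it really got. No privileges are needed: the socket is never
// bound or used to send audit control messages.
func ProbeRecvBuf(requested int) (RecvBufResult, error) {
	fd, err := openSocket()
	if err != nil {
		return RecvBufResult{}, err
	}
	defer syscall.Close(fd)
	if err := syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF, requested); err != nil {
		return RecvBufResult{}, err
	}
	eff, err := syscall.GetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF)
	if err != nil {
		return RecvBufResult{}, err
	}
	return RecvBufResult{Requested: requested, Effective: eff, RmemMax: readRmemMax()}, nil
}

// Clamped reports whether the kernel silently capped the request. Linux keeps
// 2*requested bytes for a successful request, so anything smaller than that
// means the request exceeded net.core.rmem_max.
func (r RecvBufResult) Clamped() bool {
	return r.Effective < 2*r.Requested
}

func main() {
	// 16 KiB should be granted in full; 64 MiB is deliberately above the usual rmem_max.
	for _, req := range []int{16384, 64 << 20} {
		r, err := ProbeRecvBuf(req)
		if err != nil {
			fmt.Println("probe failed:", err)
			continue
		}
		fmt.Printf("requested=%d effective=%d rmem_max=%d clamped=%v\n",
			r.Requested, r.Effective, r.RmemMax, r.Clamped())
	}
}
```

If `Clamped()` is true for the value you put in `socket_buffer.receive`, raise `net.core.rmem_max` with sysctl first; otherwise the config change does nothing and the `no buffer space available` errors continue.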
I don't see `name`, only `inode`, what gives?

The kernel doesn't always know the filename for file access. Figuring out the filename from an inode is expensive and error prone. You can map back to a filename, possibly not the filename that triggered the audit line, though:

```
debugfs -R "ncheck <inode to map>" /dev/<your block device here>
```

Inode numbers are only unique within one filesystem, so take the block device from the `dev` field of the same PATH record rather than guessing. If the file was deleted or the inode reused after the event, `ncheck` returns nothing or an unrelated path.
Use the default, or consult this handy table of syslog priority values (facility * 8 + severity). Wikipedia has a pretty good page on this.

| facility \ severity | emerg (0) | alert (1) | crit (2) | err (3) | warn (4) | notice (5) | info (6) | debug (7) |
|---|---|---|---|---|---|---|---|---|
| kernel (0) | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| user (1) | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| mail (2) | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| daemon (3) | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
| auth (4) | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 |
| syslog (5) | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 |
| lpr (6) | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 |
| news (7) | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 |
| uucp (8) | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 |
| clock (9) | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 |
| authpriv (10) | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 |
| ftp (11) | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 |
| ntp (12) | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 |
| logaudit (13) | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 |
| logalert (14) | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 |
| cron (15) | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 |
| local0 (16) | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 |
| local1 (17) | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 |
| local2 (18) | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 |
| local3 (19) | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 |
| local4 (20) | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 |
| local5 (21) | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 |
| local6 (22) | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 |
| local7 (23) | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 |
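As an added example (not code from go-audit), the two directions of the table above: computing a priority value from facility and severity names, and decoding the `<PRI>` header that a syslog receiver sees back into names, so you can confirm that a log line landed where the configured priority says it should. The function names and the sample syslog line are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Facility and severity names from the table, indexed by their numeric codes.
var facilities = []string{
	"kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
	"uucp", "clock", "authpriv", "ftp", "ntp", "logaudit", "logalert", "cron",
	"local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
}
var severities = []string{"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"}

// index returns the numeric code of a name, or false if it is not in the list.
func index(names []string, want string) (int, bool) {
	for i, n := range names {
		if n == want {
			return i, true
		}
	}
	return 0, false
}

// Priority computes the syslog PRI value for a facility/severity pair: facility*8 + severity.
func Priority(facility, severity string) (int, error) {
	f, ok := index(facilities, facility)
	if !ok {
		return 0, fmt.Errorf("unknown facility %q", facility)
	}
	s, ok := index(severities, severity)
	if !ok {
		return 0, fmt.Errorf("unknown severity %q", severity)
	}
	return f*8 + s, nil
}

// ParsePRI strips the leading "<PRI>" header from a syslog line and decodes it
// into facility and severity names, returning the remainder of the line.
// Valid PRI values are 0..191 (23*8 + 7), written with one to three digits.
func ParsePRI(line string) (facility, severity, rest string, err error) {
	if !strings.HasPrefix(line, "<") {
		return "", "", "", errors.New("no PRI header")
	}
	end := strings.IndexByte(line, '>')
	if end < 2 || end > 4 {
		return "", "", "", errors.New("malformed PRI header")
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil || pri < 0 || pri > 191 {
		return "", "", "", errors.New("PRI out of range")
	}
	return facilities[pri/8], severities[pri%8], line[end+1:], nil
}

func main() {
	p, err := Priority("local0", "alert")
	fmt.Println("local0.alert ->", p, err)

	// Constructed sample line as a syslog receiver would see it on the wire.
	f, s, rest, err := ParsePRI("<30>go-audit: sample message")
	fmt.Println(f, s, rest, err)
}
```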
Thanks to Hardik Juneja, Arun Sori and Aalekh Nigam (Aalekhn) for the inspiration via https://github.com/mozilla/audit-go