diff --git a/audit.go b/audit.go index 584855e..a18caee 100644 --- a/audit.go +++ b/audit.go @@ -4,14 +4,14 @@ package main import ( - "os/exec" - "strings" + "flag" "github.com/pkg/profile" "github.com/spf13/viper" + "log" "log/syslog" - "flag" "os" - "log" + "os/exec" + "strings" ) var l = log.New(os.Stdout, "", 0) @@ -23,13 +23,13 @@ func loadConfig(config *viper.Viper) { config.SetDefault("message_tracking.log_out_of_order", false) config.SetDefault("message_tracking.max_out_of_order", 500) config.SetDefault("output.syslog.enabled", false) - config.SetDefault("output.syslog.priority", int(syslog.LOG_LOCAL0 | syslog.LOG_WARNING)) + config.SetDefault("output.syslog.priority", int(syslog.LOG_LOCAL0|syslog.LOG_WARNING)) config.SetDefault("output.syslog.tag", "go-audit") config.SetDefault("output.syslog.attempts", "3") config.SetDefault("log.flags", 0) err := config.ReadInConfig() // Find and read the config file - if err != nil { // Handle errors reading the config file + if err != nil { // Handle errors reading the config file el.Printf("Config file has an error: %s\n", err) os.Exit(1) } @@ -54,10 +54,10 @@ func setRules(config *viper.Viper) { err := exec.Command("auditctl", strings.Fields(v)...).Run() if err != nil { - el.Fatalf("Failed to add rule #%d. Error: %s \n", i + 1, err) + el.Fatalf("Failed to add rule #%d. Error: %s \n", i+1, err) } - l.Printf("Added audit rule #%d\n", i + 1) + l.Printf("Added audit rule #%d\n", i+1) } } else { el.Fatalln("No audit rules found. exiting") diff --git a/audit_test.go b/audit_test.go index 7966755..779f6cd 100644 --- a/audit_test.go +++ b/audit_test.go @@ -1,12 +1,12 @@ package main import ( - "testing" - "syscall" "github.com/spf13/viper" "github.com/stretchr/testify/assert" "io/ioutil" "os" + "syscall" + "testing" ) func Test_loadConfig(t *testing.T) { 
@@ -68,34 +68,33 @@ func Benchmark_MultiPacketMessage(b *testing.B) { data := make([][]byte, 6) //&{1300,,arch=c000003e,syscall=59,success=yes,exit=0,a0=cc4e68,a1=d10bc8,a2=c69808,a3=7fff2a700900,items=2,ppid=11552,pid=11623,auid=1000,uid=1000,gid=1000,euid=1000,suid=1000,fsuid=1000,egid=1000,sgid=1000,fsgid=1000,tty=pts0,ses=35,comm="ls",exe="/bin/ls",key=(null),1222763,1459376866.885} - data[0] = []byte{34,1,0,0,20,5,0,0,0,0,0,0,0,0,0,0,97,117,100,105,116,40,49,52,53,57,51,55,54,56,54,54,46,56,56,53,58,49,50,50,50,55,54,51,41,58,32,97,114,99,104,61,99,48,48,48,48,48,51,101,32,115,121,115,99,97,108,108,61,53,57,32,115,117,99,99,101,115,115,61,121,101,115,32,101,120,105,116,61,48,32,97,48,61,99,99,52,101,54,56,32,97,49,61,100,49,48,98,99,56,32,97,50,61,99,54,57,56,48,56,32,97,51,61,55,102,102,102,50,97,55,48,48,57,48,48,32,105,116,101,109,115,61,50,32,112,112,105,100,61,49,49,53,53,50,32,112,105,100,61,49,49,54,50,51,32,97,117,105,100,61,49,48,48,48,32,117,105,100,61,49,48,48,48,32,103,105,100,61,49,48,48,48,32,101,117,105,100,61,49,48,48,48,32,115,117,105,100,61,49,48,48,48,32,102,115,117,105,100,61,49,48,48,48,32,101,103,105,100,61,49,48,48,48,32,115,103,105,100,61,49,48,48,48,32,102,115,103,105,100,61,49,48,48,48,32,116,116,121,61,112,116,115,48,32,115,101,115,61,51,53,32,99,111,109,109,61,34,108,115,34,32,101,120,101,61,34,47,98,105,110,47,108,115,34,32,107,101,121,61,40,110,117,108,108,41} + data[0] = []byte{34, 1, 0, 0, 20, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 117, 100, 105, 116, 40, 49, 52, 53, 57, 51, 55, 54, 56, 54, 54, 46, 56, 56, 53, 58, 49, 50, 50, 50, 55, 54, 51, 41, 58, 32, 97, 114, 99, 104, 61, 99, 48, 48, 48, 48, 48, 51, 101, 32, 115, 121, 115, 99, 97, 108, 108, 61, 53, 57, 32, 115, 117, 99, 99, 101, 115, 115, 61, 121, 101, 115, 32, 101, 120, 105, 116, 61, 48, 32, 97, 48, 61, 99, 99, 52, 101, 54, 56, 32, 97, 49, 61, 100, 49, 48, 98, 99, 56, 32, 97, 50, 61, 99, 54, 57, 56, 48, 56, 32, 97, 51, 61, 55, 102, 102, 102, 50, 97, 55, 48, 48, 57, 48, 48, 32, 
105, 116, 101, 109, 115, 61, 50, 32, 112, 112, 105, 100, 61, 49, 49, 53, 53, 50, 32, 112, 105, 100, 61, 49, 49, 54, 50, 51, 32, 97, 117, 105, 100, 61, 49, 48, 48, 48, 32, 117, 105, 100, 61, 49, 48, 48, 48, 32, 103, 105, 100, 61, 49, 48, 48, 48, 32, 101, 117, 105, 100, 61, 49, 48, 48, 48, 32, 115, 117, 105, 100, 61, 49, 48, 48, 48, 32, 102, 115, 117, 105, 100, 61, 49, 48, 48, 48, 32, 101, 103, 105, 100, 61, 49, 48, 48, 48, 32, 115, 103, 105, 100, 61, 49, 48, 48, 48, 32, 102, 115, 103, 105, 100, 61, 49, 48, 48, 48, 32, 116, 116, 121, 61, 112, 116, 115, 48, 32, 115, 101, 115, 61, 51, 53, 32, 99, 111, 109, 109, 61, 34, 108, 115, 34, 32, 101, 120, 101, 61, 34, 47, 98, 105, 110, 47, 108, 115, 34, 32, 107, 101, 121, 61, 40, 110, 117, 108, 108, 41} //&{1309,,argc=3,a0="ls",a1="--color=auto",a2="-alF",1222763,1459376866.885} - data[1] = []byte{73,0,0,0,29,5,0,0,0,0,0,0,0,0,0,0,97,117,100,105,116,40,49,52,53,57,51,55,54,56,54,54,46,56,56,53,58,49,50,50,50,55,54,51,41,58,32,97,114,103,99,61,51,32,97,48,61,34,108,115,34,32,97,49,61,34,45,45,99,111,108,111,114,61,97,117,116,111,34,32,97,50,61,34,45,97,108,70,34} + data[1] = []byte{73, 0, 0, 0, 29, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 117, 100, 105, 116, 40, 49, 52, 53, 57, 51, 55, 54, 56, 54, 54, 46, 56, 56, 53, 58, 49, 50, 50, 50, 55, 54, 51, 41, 58, 32, 97, 114, 103, 99, 61, 51, 32, 97, 48, 61, 34, 108, 115, 34, 32, 97, 49, 61, 34, 45, 45, 99, 111, 108, 111, 114, 61, 97, 117, 116, 111, 34, 32, 97, 50, 61, 34, 45, 97, 108, 70, 34} //&{1307,,,cwd="/home/ubuntu/src/slack-github.com/rhuber/go-audit-new",1222763,1459376866.885} - data[2] = []byte{91,0,0,0,27,5,0,0,0,0,0,0,0,0,0,0,97,117,100,105,116,40,49,52,53,57,51,55,54,56,54,54,46,56,56,53,58,49,50,50,50,55,54,51,41,58,32,32,99,119,100,61,34,47,104,111,109,101,47,117,98,117,110,116,117,47,115,114,99,47,115,108,97,99,107,45,103,105,116,104,117,98,46,99,111,109,47,114,104,117,98,101,114,47,103,111,45,97,117,100,105,116,45,110,101,119,34} + data[2] = []byte{91, 0, 0, 0, 27, 5, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 117, 100, 105, 116, 40, 49, 52, 53, 57, 51, 55, 54, 56, 54, 54, 46, 56, 56, 53, 58, 49, 50, 50, 50, 55, 54, 51, 41, 58, 32, 32, 99, 119, 100, 61, 34, 47, 104, 111, 109, 101, 47, 117, 98, 117, 110, 116, 117, 47, 115, 114, 99, 47, 115, 108, 97, 99, 107, 45, 103, 105, 116, 104, 117, 98, 46, 99, 111, 109, 47, 114, 104, 117, 98, 101, 114, 47, 103, 111, 45, 97, 117, 100, 105, 116, 45, 110, 101, 119, 34} //&{1302,,item=0,name="/bin/ls",inode=262316,dev=ca:01,mode=0100755,ouid=0,ogid=0,rdev=00:00,nametype=NORMAL,1222763,1459376866.885} - data[3] = []byte{129,0,0,0,22,5,0,0,0,0,0,0,0,0,0,0,97,117,100,105,116,40,49,52,53,57,51,55,54,56,54,54,46,56,56,53,58,49,50,50,50,55,54,51,41,58,32,105,116,101,109,61,48,32,110,97,109,101,61,34,47,98,105,110,47,108,115,34,32,105,110,111,100,101,61,50,54,50,51,49,54,32,100,101,118,61,99,97,58,48,49,32,109,111,100,101,61,48,49,48,48,55,53,53,32,111,117,105,100,61,48,32,111,103,105,100,61,48,32,114,100,101,118,61,48,48,58,48,48,32,110,97,109,101,116,121,112,101,61,78,79,82,77,65,76} + data[3] = []byte{129, 0, 0, 0, 22, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 117, 100, 105, 116, 40, 49, 52, 53, 57, 51, 55, 54, 56, 54, 54, 46, 56, 56, 53, 58, 49, 50, 50, 50, 55, 54, 51, 41, 58, 32, 105, 116, 101, 109, 61, 48, 32, 110, 97, 109, 101, 61, 34, 47, 98, 105, 110, 47, 108, 115, 34, 32, 105, 110, 111, 100, 101, 61, 50, 54, 50, 51, 49, 54, 32, 100, 101, 118, 61, 99, 97, 58, 48, 49, 32, 109, 111, 100, 101, 61, 48, 49, 48, 48, 55, 53, 53, 32, 111, 117, 105, 100, 61, 48, 32, 111, 103, 105, 100, 61, 48, 32, 114, 100, 101, 118, 61, 48, 48, 58, 48, 48, 32, 110, 97, 109, 101, 116, 121, 112, 101, 61, 78, 79, 82, 77, 65, 76} //&{1302,,item=1,name="/lib64/ld-linux-x86-64.so.2",inode=396037,dev=ca:01,mode=0100755,ouid=0,ogid=0,rdev=00:00,nametype=NORMAL,1222763,1459376866.885} - data[4] = 
[]byte{149,0,0,0,22,5,0,0,0,0,0,0,0,0,0,0,97,117,100,105,116,40,49,52,53,57,51,55,54,56,54,54,46,56,56,53,58,49,50,50,50,55,54,51,41,58,32,105,116,101,109,61,49,32,110,97,109,101,61,34,47,108,105,98,54,52,47,108,100,45,108,105,110,117,120,45,120,56,54,45,54,52,46,115,111,46,50,34,32,105,110,111,100,101,61,51,57,54,48,51,55,32,100,101,118,61,99,97,58,48,49,32,109,111,100,101,61,48,49,48,48,55,53,53,32,111,117,105,100,61,48,32,111,103,105,100,61,48,32,114,100,101,118,61,48,48,58,48,48,32,110,97,109,101,116,121,112,101,61,78,79,82,77,65,76} + data[4] = []byte{149, 0, 0, 0, 22, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 117, 100, 105, 116, 40, 49, 52, 53, 57, 51, 55, 54, 56, 54, 54, 46, 56, 56, 53, 58, 49, 50, 50, 50, 55, 54, 51, 41, 58, 32, 105, 116, 101, 109, 61, 49, 32, 110, 97, 109, 101, 61, 34, 47, 108, 105, 98, 54, 52, 47, 108, 100, 45, 108, 105, 110, 117, 120, 45, 120, 56, 54, 45, 54, 52, 46, 115, 111, 46, 50, 34, 32, 105, 110, 111, 100, 101, 61, 51, 57, 54, 48, 51, 55, 32, 100, 101, 118, 61, 99, 97, 58, 48, 49, 32, 109, 111, 100, 101, 61, 48, 49, 48, 48, 55, 53, 53, 32, 111, 117, 105, 100, 61, 48, 32, 111, 103, 105, 100, 61, 48, 32, 114, 100, 101, 118, 61, 48, 48, 58, 48, 48, 32, 110, 97, 109, 101, 116, 121, 112, 101, 61, 78, 79, 82, 77, 65, 76} //&{1320,,,1222763,1459376866.885} - data[5] = []byte{31,0,0,0,40,5,0,0,0,0,0,0,0,0,0,0,97,117,100,105,116,40,49,52,53,57,51,55,54,56,54,54,46,56,56,53,58,49,50,50,50,55,54,51,41,58,32} + data[5] = []byte{31, 0, 0, 0, 40, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 117, 100, 105, 116, 40, 49, 52, 53, 57, 51, 55, 54, 56, 54, 54, 46, 56, 56, 53, 58, 49, 50, 50, 50, 55, 54, 51, 41, 58, 32} - for i := 0; i < b.N; i++ { for n := 0; n < len(data); n++ { nlen := len(data[n]) msg := &syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: Endianness.Uint32(data[n][0:4]), - Type: Endianness.Uint16(data[n][4:6]), + Len: Endianness.Uint32(data[n][0:4]), + Type: Endianness.Uint16(data[n][4:6]), Flags: Endianness.Uint16(data[n][6:8]), - Seq: 
Endianness.Uint32(data[n][8:12]), - Pid: Endianness.Uint32(data[n][12:16]), + Seq: Endianness.Uint32(data[n][8:12]), + Pid: Endianness.Uint32(data[n][12:16]), }, Data: data[n][syscall.SizeofNlMsghdr:nlen], } @@ -104,7 +103,7 @@ func Benchmark_MultiPacketMessage(b *testing.B) { } } -type noopWriter struct { t *testing.T } +type noopWriter struct{ t *testing.T } func (t *noopWriter) Write(a []byte) (int, error) { return 0, nil diff --git a/client.go b/client.go index 1934d5a..7407803 100644 --- a/client.go +++ b/client.go @@ -1,12 +1,12 @@ package main import ( - "syscall" - "sync/atomic" "bytes" "encoding/binary" - "time" "errors" + "sync/atomic" + "syscall" + "time" ) var Endianness = binary.LittleEndian @@ -34,20 +34,20 @@ type AuditStatusPayload struct { type NetlinkPacket syscall.NlMsghdr type NetlinkClient struct { - fd int - address syscall.Sockaddr - seq uint32 - buf []byte + fd int + address syscall.Sockaddr + seq uint32 + buf []byte } -func NewNetlinkClient(recvSize int) (*NetlinkClient) { +func NewNetlinkClient(recvSize int) *NetlinkClient { fd, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_RAW, syscall.NETLINK_AUDIT) if err != nil { el.Fatalln("Could not create a socket:", err) } n := &NetlinkClient{ - fd: fd, + fd: fd, address: &syscall.SockaddrNetlink{Family: syscall.AF_NETLINK, Groups: 0, Pid: 0}, buf: make([]byte, MAX_AUDIT_MESSAGE_LENGTH), } @@ -58,7 +58,7 @@ func NewNetlinkClient(recvSize int) (*NetlinkClient) { } // Set the buffer size if we were asked - if (recvSize > 0) { + if recvSize > 0 { err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF, recvSize) } 
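Review bot: In NewNetlinkClient (client.go hunk `@@ -58,7 +58,7 @@`), the value returned by `syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_RCVBUF, recvSize)` is assigned to `err` and the block closes without testing it. The function continues past the end of the hunk, so a check may follow there. If it does not, a refused buffer size is silently ignored and the socket keeps its default receive buffer, which for an audit collector presumably raises the chance of dropped events under load. Report the failure where it happens, for example `if err != nil { el.Println("Could not set receive buffer size:", err) }` inside the `if recvSize > 0` block.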
@@ -115,11 +115,11 @@ func (n *NetlinkClient) Receive() (*syscall.NetlinkMessage, error) { msg := &syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: Endianness.Uint32(n.buf[0:4]), - Type: Endianness.Uint16(n.buf[4:6]), + Len: Endianness.Uint32(n.buf[0:4]), + Type: Endianness.Uint16(n.buf[4:6]), Flags: Endianness.Uint16(n.buf[6:8]), - Seq: Endianness.Uint32(n.buf[8:12]), - Pid: Endianness.Uint32(n.buf[12:16]), + Seq: Endianness.Uint32(n.buf[8:12]), + Pid: Endianness.Uint32(n.buf[12:16]), }, Data: n.buf[syscall.SizeofNlMsghdr:nlen], } @@ -129,16 +129,16 @@ func (n *NetlinkClient) Receive() (*syscall.NetlinkMessage, error) { func (n *NetlinkClient) KeepConnection() { payload := &AuditStatusPayload{ - Mask: 4, + Mask: 4, Enabled: 1, - Pid: uint32(syscall.Getpid()), + Pid: uint32(syscall.Getpid()), //TODO: Failure: http://lxr.free-electrons.com/source/include/uapi/linux/audit.h#L338 } packet := &NetlinkPacket{ - Type: uint16(1001), + Type: uint16(1001), Flags: syscall.NLM_F_REQUEST | syscall.NLM_F_ACK, - Pid: uint32(syscall.Getpid()), + Pid: uint32(syscall.Getpid()), } err := n.Send(packet, payload) diff --git a/client_test.go b/client_test.go index 6b20363..bc79df1 100644 --- a/client_test.go +++ b/client_test.go @@ -1,12 +1,12 @@ package main import ( - "testing" - "syscall" - "os" - "github.com/stretchr/testify/assert" "bytes" "encoding/binary" + "github.com/stretchr/testify/assert" + "os" + "syscall" + "testing" ) func TestNetlinkClient_KeepConnection(t *testing.T) { 
@@ -19,7 +19,7 @@ func TestNetlinkClient_KeepConnection(t *testing.T) { t.Fatal("Did not expect an error", err) } - expectedData := []byte{4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0} + expectedData := []byte{4, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} binary.LittleEndian.PutUint32(expectedData[12:16], uint32(os.Getpid())) assert.Equal(t, uint16(1001), msg.Header.Type, "Header.Type mismatch") @@ -43,19 +43,19 @@ func TestNetlinkClient_SendReceive(t *testing.T) { // Build our client n := makeNelinkClient(t) - defer syscall.Close(n.fd) + defer syscall.Close(n.fd) // Make sure we can encode/decode properly payload := &AuditStatusPayload{ - Mask: 4, + Mask: 4, Enabled: 1, - Pid: uint32(1006), + Pid: uint32(1006), } packet := &NetlinkPacket{ - Type: uint16(1001), + Type: uint16(1001), Flags: syscall.NLM_F_REQUEST | syscall.NLM_F_ACK, - Pid: uint32(1006), + Pid: uint32(1006), } msg = sendReceive(t, n, packet, payload) @@ -65,7 +65,7 @@ func TestNetlinkClient_SendReceive(t *testing.T) { assert.Equal(t, packet.Flags, msg.Header.Flags, "Header.Flags mismatch") assert.Equal(t, uint32(1), msg.Header.Seq, "Header.Seq mismatch") assert.Equal(t, uint32(56), msg.Header.Len, "Packet size is wrong - this test is brittle though") - assert.EqualValues(t, msg.Data[:40], []byte{4,0,0,0,1,0,0,0,0,0,0,0,238,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}, "data was wrong") + assert.EqualValues(t, msg.Data[:40], []byte{4, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 238, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}, "data was wrong") // Make sure sequences numbers increment on our side msg = sendReceive(t, n, packet, payload) @@ -111,7 +111,7 @@ func makeNelinkClient(t *testing.T) *NetlinkClient { } n := &NetlinkClient{ - fd: fd, + fd: fd, address: &syscall.SockaddrUnix{Name: "go-audit.test.sock"}, buf: make([]byte, MAX_AUDIT_MESSAGE_LENGTH), } 
@@ -125,7 +125,7 @@ func makeNelinkClient(t *testing.T) *NetlinkClient { } // Helper to send and then receive a message with the netlink client -func sendReceive(t *testing.T, n *NetlinkClient, packet *NetlinkPacket, payload *AuditStatusPayload) (*syscall.NetlinkMessage) { +func sendReceive(t *testing.T, n *NetlinkClient, packet *NetlinkPacket, payload *AuditStatusPayload) *syscall.NetlinkMessage { err := n.Send(packet, payload) if err != nil { t.Fatal("Failed to send:", err) diff --git a/marshaller.go b/marshaller.go index c648a73..873a565 100644 --- a/marshaller.go +++ b/marshaller.go @@ -1,35 +1,35 @@ package main import ( - "time" - "syscall" "os" + "syscall" + "time" ) const ( EVENT_START = 1300 // Start of the audit type ids that we care about - EVENT_END = 1399 // End of the audit type ids that we care about - EVENT_EOE = 1320 // End of multi packet event + EVENT_END = 1399 // End of the audit type ids that we care about + EVENT_EOE = 1320 // End of multi packet event ) type AuditMarshaller struct { - msgs map[int]*AuditMessageGroup - writer *AuditWriter - lastSeq int - missed map[int]bool - worstLag int + msgs map[int]*AuditMessageGroup + writer *AuditWriter + lastSeq int + missed map[int]bool + worstLag int trackMessages bool logOutOfOrder bool maxOutOfOrder int - attempts int + attempts int } // Create a new marshaller -func NewAuditMarshaller(w *AuditWriter, trackMessages, logOOO bool, maxOOO int) (*AuditMarshaller){ +func NewAuditMarshaller(w *AuditWriter, trackMessages, logOOO bool, maxOOO int) *AuditMarshaller { return &AuditMarshaller{ - writer: w, - msgs: make(map[int]*AuditMessageGroup, 5), // It is not typical to have more than 2 message groups at any given time - missed: make(map[int]bool, 10), + writer: w, + msgs: make(map[int]*AuditMessageGroup, 5), // It is not typical to have more than 2 message groups at any given time + missed: make(map[int]bool, 10), trackMessages: trackMessages, logOutOfOrder: logOOO, maxOutOfOrder: maxOOO, 
@@ -47,11 +47,11 @@ func (a *AuditMarshaller) Consume(nlMsg *syscall.NetlinkMessage) { return } - if (a.trackMessages) { + if a.trackMessages { a.detectMissing(aMsg.Seq) } - if (nlMsg.Header.Type < EVENT_START || nlMsg.Header.Type > EVENT_END) { + if nlMsg.Header.Type < EVENT_START || nlMsg.Header.Type > EVENT_END { // Drop all audit messages that aren't things we care about or end a multi packet event a.flushOld() return @@ -103,7 +103,7 @@ func (a *AuditMarshaller) completeMessage(seq int) { // Track sequence numbers and log if we suspect we missed a message func (a *AuditMarshaller) detectMissing(seq int) { - if seq > a.lastSeq + 1 && a.lastSeq != 0 { + if seq > a.lastSeq+1 && a.lastSeq != 0 { // We likely leap frogged over a msg, wait until the next sequence to make sure for i := a.lastSeq + 1; i < seq; i++ { a.missed[i] = true @@ -117,18 +117,18 @@ func (a *AuditMarshaller) detectMissing(seq int) { a.worstLag = lag } - if (a.logOutOfOrder) { + if a.logOutOfOrder { el.Println("Got sequence", missedSeq, "after", lag, "messages. Worst lag so far", a.worstLag, "messages") } delete(a.missed, missedSeq) - } else if seq - missedSeq > a.maxOutOfOrder { + } else if seq-missedSeq > a.maxOutOfOrder { el.Printf("Likely missed sequence %d, current %d, worst message delay %d\n", missedSeq, seq, a.worstLag) delete(a.missed, missedSeq) } } - if seq > a.lastSeq { - // Keep track of the largest sequence - a.lastSeq = seq - } + if seq > a.lastSeq { + // Keep track of the largest sequence + a.lastSeq = seq + } } diff --git a/marshaller_test.go b/marshaller_test.go index 900aa6f..be7032b 100644 --- a/marshaller_test.go +++ b/marshaller_test.go @@ -1,12 +1,12 @@ package main import ( - "testing" - "github.com/stretchr/testify/assert" "bytes" + "errors" + "github.com/stretchr/testify/assert" "syscall" + "testing" "time" - "errors" ) func TestMarshallerConstants(t *testing.T) { 
@@ -22,22 +22,22 @@ func TestAuditMarshaller_Consume(t *testing.T) { // Flush group on 1320 m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1300), + Len: uint32(44), + Type: uint16(1300), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:1): hi there"), }) m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1301), + Len: uint32(44), + Type: uint16(1301), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:1): hi there"), }) @@ -55,11 +55,11 @@ func TestAuditMarshaller_Consume(t *testing.T) { w.Reset() m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1299), + Len: uint32(44), + Type: uint16(1299), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:2): hi there"), }) @@ -70,11 +70,11 @@ func TestAuditMarshaller_Consume(t *testing.T) { w.Reset() m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1400), + Len: uint32(44), + Type: uint16(1400), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:3): hi there"), }) @@ -85,11 +85,11 @@ func TestAuditMarshaller_Consume(t *testing.T) { w.Reset() m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1400), + Len: uint32(44), + Type: uint16(1400), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:0): hi there"), }) 
@@ -100,11 +100,11 @@ func TestAuditMarshaller_Consume(t *testing.T) { w.Reset() m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1300), + Len: uint32(44), + Type: uint16(1300), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:4): hi there"), }) @@ -129,11 +129,11 @@ func TestAuditMarshaller_completeMessage(t *testing.T) { m.Consume(&syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1300), + Len: uint32(44), + Type: uint16(1300), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:4): hi there"), }) @@ -146,11 +146,11 @@ func TestAuditMarshaller_completeMessage(t *testing.T) { func new1320(seq string) *syscall.NetlinkMessage { return &syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1320), + Len: uint32(44), + Type: uint16(1320), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:" + seq + "): "), } diff --git a/parser.go b/parser.go index 01922c6..7822daa 100644 --- a/parser.go +++ b/parser.go @@ -19,17 +19,17 @@ const ( ) type AuditMessage struct { - Type uint16 `json:"type"` - Data string `json:"data"` - Seq int `json:"-"` + Type uint16 `json:"type"` + Data string `json:"data"` + Seq int `json:"-"` AuditTime string `json:"-"` } type AuditMessageGroup struct { - Seq int `json:"sequence"` - AuditTime string `json:"timestamp"` - CompleteAfter time.Time `json:"-"` - Msgs []*AuditMessage `json:"messages"` + Seq int `json:"sequence"` + AuditTime string `json:"timestamp"` + CompleteAfter time.Time `json:"-"` + Msgs []*AuditMessage `json:"messages"` UidMap map[string]string `json:"uid_map"` } 
@@ -52,9 +52,9 @@ func NewAuditMessageGroup(am *AuditMessage) *AuditMessageGroup { func NewAuditMessage(nlm *syscall.NetlinkMessage) *AuditMessage { aTime, seq := parseAuditHeader(nlm) return &AuditMessage{ - Type: nlm.Header.Type, - Data: string(nlm.Data), - Seq: seq, + Type: nlm.Header.Type, + Data: string(nlm.Data), + Seq: seq, AuditTime: aTime, } } @@ -72,10 +72,10 @@ func parseAuditHeader(msg *syscall.NetlinkMessage) (time string, seq int) { //TODO: out of range check, possibly fully binary? sep := strings.IndexByte(header, ":"[0]) time = header[HEADER_START_POS:sep] - seq, _ = strconv.Atoi(header[sep + 1:]) + seq, _ = strconv.Atoi(header[sep+1:]) // Remove the header from data - msg.Data = msg.Data[headerStop + 3:] + msg.Data = msg.Data[headerStop+3:] } return time, seq @@ -116,16 +116,16 @@ func (amg *AuditMessageGroup) mapUids(am *AuditMessage) { } } - uid := data[start:start + end] + uid := data[start : start+end] // Don't bother re-adding if the existing group already has the mapping if _, ok := amg.UidMap[uid]; !ok { - amg.UidMap[uid] = getUsername(data[start:start + end]) + amg.UidMap[uid] = getUsername(data[start : start+end]) } // Find the next uid= if we have space for one next := start + end + 1 - if (next >= len(data)) { + if next >= len(data) { break } @@ -135,7 +135,7 @@ func (amg *AuditMessageGroup) mapUids(am *AuditMessage) { } // Gets a username for a user id -func getUsername(uid string) (string) { +func getUsername(uid string) string { uname := "UNKNOWN_USER" //Make sure we have a uid element to work with. diff --git a/parser_test.go b/parser_test.go index 4512dd9..3e9ca43 100644 --- a/parser_test.go +++ b/parser_test.go 
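Review bot: In parseAuditHeader (parser.go hunk `@@ -72,10 +72,10 @@`), `sep` comes from `strings.IndexByte` and is used as a slice bound in `header[HEADER_START_POS:sep]` with no check, so a header without a `:` yields -1 and the slice expression panics. The TODO on the line above already asks for an out-of-range check. The next line also discards the `strconv.Atoi` error, so a non-numeric sequence silently becomes 0. A guard such as `if sep < HEADER_START_POS { return time, seq }` before the slice, plus handling the Atoi error instead of assigning it to `_`, would keep a malformed record from stopping the daemon. The function starts before the hunk, so how `header` and `headerStop` are derived is not visible here.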
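Review bot: In mapUids (parser.go hunk `@@ -116,16 +116,16 @@`), the slice `data[start : start+end]` is computed for `uid` and then written out a second time in the `getUsername` call a few lines later. Passing the variable keeps the map key and the looked-up value tied to one expression: `amg.UidMap[uid] = getUsername(uid)`. The loop this sits in begins and ends outside the hunk.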
@@ -1,28 +1,28 @@ package main import ( - "testing" "github.com/stretchr/testify/assert" - "time" "os/user" "syscall" + "testing" + "time" ) func TestAuditConstants(t *testing.T) { assert.Equal(t, 7, HEADER_MIN_LENGTH) assert.Equal(t, 6, HEADER_START_POS) - assert.Equal(t, time.Second * 2, COMPLETE_AFTER) + assert.Equal(t, time.Second*2, COMPLETE_AFTER) assert.Equal(t, []byte{")"[0]}, headerEndChar) } func TestNewAuditMessage(t *testing.T) { msg := &syscall.NetlinkMessage{ Header: syscall.NlMsghdr{ - Len: uint32(44), - Type: uint16(1309), + Len: uint32(44), + Type: uint16(1309), Flags: uint16(0), - Seq: uint32(0), - Pid: uint32(0), + Seq: uint32(0), + Pid: uint32(0), }, Data: []byte("audit(10000001:99): hi there"), } @@ -79,10 +79,10 @@ func TestAuditMessageGroup_AddMessage(t *testing.T) { func TestNewAuditMessageGroup(t *testing.T) { uidMap = make(map[string]user.User, 0) m := &AuditMessage{ - Type: uint16(1300), - Seq: 1019, + Type: uint16(1300), + Seq: 1019, AuditTime: "9919", - Data: "Stuff is here", + Data: "Stuff is here", } amg := NewAuditMessageGroup(m) diff --git a/writer.go b/writer.go index 3b3af84..e3b3a69 100644 --- a/writer.go +++ b/writer.go @@ -2,26 +2,26 @@ package main import ( "encoding/json" - "time" "io" + "time" ) type AuditWriter struct { - e *json.Encoder - w io.Writer + e *json.Encoder + w io.Writer attempts int } func NewAuditWriter(w io.Writer, attempts int) *AuditWriter { return &AuditWriter{ - e: json.NewEncoder(w), - w: w, + e: json.NewEncoder(w), + w: w, attempts: attempts, } } func (a *AuditWriter) Write(msg *AuditMessageGroup) (err error) { - for i :=0; i < a.attempts; i++ { + for i := 0; i < a.attempts; i++ { err = a.e.Encode(msg) if err == nil { break