fluent-plugin-go-audit-parser 0.1.0

checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: ba22e96bea2ae400b687602a97d450158e4ec505b84248dab397ff9b0ec9b229
4
+ data.tar.gz: f7891bcefd7796ca666561956162759745f32a1f6c7177279ba27ace1723fc02
5
+ SHA512:
6
+ metadata.gz: a817930b2d24a2dc7ff04cd9375c57a9defe70d8492f9649ce8a54c5c540231f8c88853b60155b71e8f8a740dbefa8f387d52f84563ed787807bccb0b911db70
7
+ data.tar.gz: 89ecacbe447fccc5ee7ac1cb1476a1943e95e675ff7e71c0a69bbe55dce1e6fe79b69f012a14e256ba5bcabe446814d0da00b5f41820386f7d9fdb4338d436c3
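Review bot: these SHA256 and SHA512 digests of metadata.gz and data.tar.gz give integrity, not provenance. checksums.yaml is stored inside the .gem archive next to the files it covers, so anyone who can alter the archive can also regenerate it, and a consumer has nothing independent to compare against. If the release is not going to be signed (the metadata hunk below has an empty `cert_chain` and `signing_key`), publish at least the data.tar.gz digest out of band, for example in the GitHub release for the tag, so that the output of `gem fetch fluent-plugin-go-audit-parser -v 0.1.0` can be checked against a value that does not ship with the artifact.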
data/Gemfile ADDED
@@ -0,0 +1,3 @@
1
+ source "https://rubygems.org"
2
+
3
+ gemspec
data/LICENSE ADDED
@@ -0,0 +1,202 @@
1
+
2
+ Apache License
3
+ Version 2.0, January 2004
4
+ http://www.apache.org/licenses/
5
+
6
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
7
+
8
+ 1. Definitions.
9
+
10
+ "License" shall mean the terms and conditions for use, reproduction,
11
+ and distribution as defined by Sections 1 through 9 of this document.
12
+
13
+ "Licensor" shall mean the copyright owner or entity authorized by
14
+ the copyright owner that is granting the License.
15
+
16
+ "Legal Entity" shall mean the union of the acting entity and all
17
+ other entities that control, are controlled by, or are under common
18
+ control with that entity. For the purposes of this definition,
19
+ "control" means (i) the power, direct or indirect, to cause the
20
+ direction or management of such entity, whether by contract or
21
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
22
+ outstanding shares, or (iii) beneficial ownership of such entity.
23
+
24
+ "You" (or "Your") shall mean an individual or Legal Entity
25
+ exercising permissions granted by this License.
26
+
27
+ "Source" form shall mean the preferred form for making modifications,
28
+ including but not limited to software source code, documentation
29
+ source, and configuration files.
30
+
31
+ "Object" form shall mean any form resulting from mechanical
32
+ transformation or translation of a Source form, including but
33
+ not limited to compiled object code, generated documentation,
34
+ and conversions to other media types.
35
+
36
+ "Work" shall mean the work of authorship, whether in Source or
37
+ Object form, made available under the License, as indicated by a
38
+ copyright notice that is included in or attached to the work
39
+ (an example is provided in the Appendix below).
40
+
41
+ "Derivative Works" shall mean any work, whether in Source or Object
42
+ form, that is based on (or derived from) the Work and for which the
43
+ editorial revisions, annotations, elaborations, or other modifications
44
+ represent, as a whole, an original work of authorship. For the purposes
45
+ of this License, Derivative Works shall not include works that remain
46
+ separable from, or merely link (or bind by name) to the interfaces of,
47
+ the Work and Derivative Works thereof.
48
+
49
+ "Contribution" shall mean any work of authorship, including
50
+ the original version of the Work and any modifications or additions
51
+ to that Work or Derivative Works thereof, that is intentionally
52
+ submitted to Licensor for inclusion in the Work by the copyright owner
53
+ or by an individual or Legal Entity authorized to submit on behalf of
54
+ the copyright owner. For the purposes of this definition, "submitted"
55
+ means any form of electronic, verbal, or written communication sent
56
+ to the Licensor or its representatives, including but not limited to
57
+ communication on electronic mailing lists, source code control systems,
58
+ and issue tracking systems that are managed by, or on behalf of, the
59
+ Licensor for the purpose of discussing and improving the Work, but
60
+ excluding communication that is conspicuously marked or otherwise
61
+ designated in writing by the copyright owner as "Not a Contribution."
62
+
63
+ "Contributor" shall mean Licensor and any individual or Legal Entity
64
+ on behalf of whom a Contribution has been received by Licensor and
65
+ subsequently incorporated within the Work.
66
+
67
+ 2. Grant of Copyright License. Subject to the terms and conditions of
68
+ this License, each Contributor hereby grants to You a perpetual,
69
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
70
+ copyright license to reproduce, prepare Derivative Works of,
71
+ publicly display, publicly perform, sublicense, and distribute the
72
+ Work and such Derivative Works in Source or Object form.
73
+
74
+ 3. Grant of Patent License. Subject to the terms and conditions of
75
+ this License, each Contributor hereby grants to You a perpetual,
76
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
77
+ (except as stated in this section) patent license to make, have made,
78
+ use, offer to sell, sell, import, and otherwise transfer the Work,
79
+ where such license applies only to those patent claims licensable
80
+ by such Contributor that are necessarily infringed by their
81
+ Contribution(s) alone or by combination of their Contribution(s)
82
+ with the Work to which such Contribution(s) was submitted. If You
83
+ institute patent litigation against any entity (including a
84
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
85
+ or a Contribution incorporated within the Work constitutes direct
86
+ or contributory patent infringement, then any patent licenses
87
+ granted to You under this License for that Work shall terminate
88
+ as of the date such litigation is filed.
89
+
90
+ 4. Redistribution. You may reproduce and distribute copies of the
91
+ Work or Derivative Works thereof in any medium, with or without
92
+ modifications, and in Source or Object form, provided that You
93
+ meet the following conditions:
94
+
95
+ (a) You must give any other recipients of the Work or
96
+ Derivative Works a copy of this License; and
97
+
98
+ (b) You must cause any modified files to carry prominent notices
99
+ stating that You changed the files; and
100
+
101
+ (c) You must retain, in the Source form of any Derivative Works
102
+ that You distribute, all copyright, patent, trademark, and
103
+ attribution notices from the Source form of the Work,
104
+ excluding those notices that do not pertain to any part of
105
+ the Derivative Works; and
106
+
107
+ (d) If the Work includes a "NOTICE" text file as part of its
108
+ distribution, then any Derivative Works that You distribute must
109
+ include a readable copy of the attribution notices contained
110
+ within such NOTICE file, excluding those notices that do not
111
+ pertain to any part of the Derivative Works, in at least one
112
+ of the following places: within a NOTICE text file distributed
113
+ as part of the Derivative Works; within the Source form or
114
+ documentation, if provided along with the Derivative Works; or,
115
+ within a display generated by the Derivative Works, if and
116
+ wherever such third-party notices normally appear. The contents
117
+ of the NOTICE file are for informational purposes only and
118
+ do not modify the License. You may add Your own attribution
119
+ notices within Derivative Works that You distribute, alongside
120
+ or as an addendum to the NOTICE text from the Work, provided
121
+ that such additional attribution notices cannot be construed
122
+ as modifying the License.
123
+
124
+ You may add Your own copyright statement to Your modifications and
125
+ may provide additional or different license terms and conditions
126
+ for use, reproduction, or distribution of Your modifications, or
127
+ for any such Derivative Works as a whole, provided Your use,
128
+ reproduction, and distribution of the Work otherwise complies with
129
+ the conditions stated in this License.
130
+
131
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
132
+ any Contribution intentionally submitted for inclusion in the Work
133
+ by You to the Licensor shall be under the terms and conditions of
134
+ this License, without any additional terms or conditions.
135
+ Notwithstanding the above, nothing herein shall supersede or modify
136
+ the terms of any separate license agreement you may have executed
137
+ with Licensor regarding such Contributions.
138
+
139
+ 6. Trademarks. This License does not grant permission to use the trade
140
+ names, trademarks, service marks, or product names of the Licensor,
141
+ except as required for reasonable and customary use in describing the
142
+ origin of the Work and reproducing the content of the NOTICE file.
143
+
144
+ 7. Disclaimer of Warranty. Unless required by applicable law or
145
+ agreed to in writing, Licensor provides the Work (and each
146
+ Contributor provides its Contributions) on an "AS IS" BASIS,
147
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148
+ implied, including, without limitation, any warranties or conditions
149
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150
+ PARTICULAR PURPOSE. You are solely responsible for determining the
151
+ appropriateness of using or redistributing the Work and assume any
152
+ risks associated with Your exercise of permissions under this License.
153
+
154
+ 8. Limitation of Liability. In no event and under no legal theory,
155
+ whether in tort (including negligence), contract, or otherwise,
156
+ unless required by applicable law (such as deliberate and grossly
157
+ negligent acts) or agreed to in writing, shall any Contributor be
158
+ liable to You for damages, including any direct, indirect, special,
159
+ incidental, or consequential damages of any character arising as a
160
+ result of this License or out of the use or inability to use the
161
+ Work (including but not limited to damages for loss of goodwill,
162
+ work stoppage, computer failure or malfunction, or any and all
163
+ other commercial damages or losses), even if such Contributor
164
+ has been advised of the possibility of such damages.
165
+
166
+ 9. Accepting Warranty or Additional Liability. While redistributing
167
+ the Work or Derivative Works thereof, You may choose to offer,
168
+ and charge a fee for, acceptance of support, warranty, indemnity,
169
+ or other liability obligations and/or rights consistent with this
170
+ License. However, in accepting such obligations, You may act only
171
+ on Your own behalf and on Your sole responsibility, not on behalf
172
+ of any other Contributor, and only if You agree to indemnify,
173
+ defend, and hold each Contributor harmless for any liability
174
+ incurred by, or claims asserted against, such Contributor by reason
175
+ of your accepting any such warranty or additional liability.
176
+
177
+ END OF TERMS AND CONDITIONS
178
+
179
+ APPENDIX: How to apply the Apache License to your work.
180
+
181
+ To apply the Apache License to your work, attach the following
182
+ boilerplate notice, with the fields enclosed by brackets "[]"
183
+ replaced with your own identifying information. (Don't include
184
+ the brackets!) The text should be enclosed in the appropriate
185
+ comment syntax for the file format. We also recommend that a
186
+ file or class name and description of purpose be included on the
187
+ same "printed page" as the copyright notice for easier
188
+ identification within third-party archives.
189
+
190
+ Copyright [yyyy] [name of copyright owner]
191
+
192
+ Licensed under the Apache License, Version 2.0 (the "License");
193
+ you may not use this file except in compliance with the License.
194
+ You may obtain a copy of the License at
195
+
196
+ http://www.apache.org/licenses/LICENSE-2.0
197
+
198
+ Unless required by applicable law or agreed to in writing, software
199
+ distributed under the License is distributed on an "AS IS" BASIS,
200
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201
+ See the License for the specific language governing permissions and
202
+ limitations under the License.
data/README.md ADDED
@@ -0,0 +1,141 @@
1
+ # fluent-plugin-go-audit-parser
2
+
3
+ [go-audit](https://github.com/slackhq/go-audit) outputs audit logs in a raw json format.
4
+
5
+ ```
6
+ {
7
+ "sequence": 1053,
8
+ "timestamp": "1626105161.783",
9
+ "messages": [
10
+ {
11
+ "type": 1300,
12
+ "data": "arch=c000003e syscall=257 success=yes exit=0 a0=55b5827dfaf0 a1=55b5827df360 a2=55b582819870 a3=8 items=2 ppid=10366 pid=10539 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=47 comm=\"sudo\" exe=\"/usr/bin/sudo\" key=etcpasswd"
13
+ },
14
+ {
15
+ {
16
+ "type": 1302,
17
+ "data": "item=0 name=\"/etc/shadow\" inode=6948426 dev=fc:03 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"
18
+ },
19
+ {
20
+ "type": 1327,
21
+ "data": "proctitle=7375646F007461696C002D66002F7661722F6C6F672F676F2D61756469742E6C6F67"
22
+ }
23
+ ],
24
+ "uid_map": {
25
+ "0": "root",
26
+ "1000": "vagrant"
27
+ }
28
+ }
29
+ ```
30
+
31
+ This [Fluentd](https://fluentd.org/) plugin transforms go-audit logs and make it easy to be handled by modern log aggregators.
32
+
33
+ ```
34
+ {
35
+ "sequence": 1053,
36
+ "messages": {
37
+ "syscall": {
38
+ "type": 1300,
39
+ "arch": "c000003e",
40
+ "syscall": 257,
41
+ "success": "yes",
42
+ "exit": "0",
43
+ "a0": "55b5827dfaf0",
44
+ "a1": "55b5827df360",
45
+ "a2": "55b582819870",
46
+ "a3": "8",
47
+ "items": "2",
48
+ "ppid": 10366,
49
+ "pid": 10539,
50
+ "auid": { "id": 1000, "name": "vagrant" },
51
+ "uid": { "id": 1000, "name": "vagrant" },
52
+ "gid": 1000,
53
+ "euid": { "id": 0, "name": "root" },
54
+ "suid": { "id": 0, "name": "root" },
55
+ "fsuid": { "id": 0, "name": "root" },
56
+ "egid": 1000,
57
+ "sgid": 1000,
58
+ "fsgid": 1000,
59
+ "tty": "pts3",
60
+ "ses": 47,
61
+ "comm": "sudo",
62
+ "exe": "/usr/bin/sudo",
63
+ "key": "etcpasswd"
64
+ },
65
+ "path": {
66
+ "type": 1302,
67
+ "item": "0",
68
+ "name": "/etc/shadow",
69
+ "inode": 6948416,
70
+ "dev": "fc:03",
71
+ "mode": "0100640",
72
+ "ouid": { "id": 0, "name": "root" },
73
+ "ogid": 42,
74
+ "rdev": "00:00",
75
+ "nametype": "NORMAL",
76
+ "cap_fp": "0",
77
+ "cap_fi": "0",
78
+ "cap_fe": "0",
79
+ "cap_fver": "0",
80
+ "cap_frootid": "0"
81
+ },
82
+ "proctitle": {
83
+ "type": 1327,
84
+ "proctitle": "sudo tail -f /var/log/go-audit.log"
85
+ }
86
+ },
87
+ "message_types": [ "syscall", "path", "proctitle" ]
88
+ }
89
+ ```
90
+
91
+ ## Installation
92
+
93
+ ### RubyGems
94
+
95
+ ```
96
+ $ gem install fluent-plugin-go-audit-parser
97
+ ```
98
+
99
+ ### Bundler
100
+
101
+ Add following line to your Gemfile:
102
+
103
+ ```ruby
104
+ gem "fluent-plugin-go-audit-parser"
105
+ ```
106
+
107
+ And then execute:
108
+
109
+ ```
110
+ $ bundle
111
+ ```
112
+
113
+ ## Configuration
114
+
115
+ ```
116
+ <source>
117
+ @type tail
118
+ @id go-audit.tail
119
+ path /var/log/go-audit.log
120
+ <parse>
121
+ @type json
122
+ </parse>
123
+ tag audit
124
+ </source>
125
+
126
+ <filter audit>
127
+ @type go_audit_parser
128
+ @id go-audit.parser
129
+ </filter>
130
+
131
+ <match audit>
132
+ @type stdout
133
+ @id go-audit.stdout
134
+ </match>
135
+ ```
136
+
137
+ ## Copyright
138
+
139
+ * Copyright(c) 2021- haccht
140
+ * License
141
+ * Apache License, Version 2.0
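Review bot: the sample input event is not valid JSON: the two consecutive `{` lines just before `"type": 1302` open a nested object that is never closed, so anyone who pastes the sample into a JSON parser or a test fixture gets a syntax error; delete one of them. The sample output also disagrees with the input and with the filter: `inode` is 6948426 on the way in and 6948416 on the way out, and `"ppid": 10366` is shown as an integer although the filter only casts `syscall`, `pid`, `ses`, `argc`, `inode` and the gid fields, so `ppid` is actually emitted as the string `"10366"`. Two behaviours the Configuration section should state, because downstream rules will depend on them: `timestamp` is removed from the record and becomes the Fluentd event time, and `message_types` is added as the list of decoded record kinds. Finally, `items=2` in the sample means the kernel produced two PATH records for this syscall, yet only one appears in both samples; show both, since the filter keys `messages` by type name and a reader needs to know what happens to the second one.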
data/Rakefile ADDED
@@ -0,0 +1,13 @@
1
+ require "bundler"
2
+ Bundler::GemHelper.install_tasks
3
+
4
+ require "rake/testtask"
5
+
6
+ Rake::TestTask.new(:test) do |t|
7
+ t.libs.push("lib", "test")
8
+ t.test_files = FileList["test/**/test_*.rb"]
9
+ t.verbose = true
10
+ t.warning = true
11
+ end
12
+
13
+ task default: [:test]
@@ -0,0 +1,27 @@
1
+ lib = File.expand_path("../lib", __FILE__)
2
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
+
4
+ Gem::Specification.new do |spec|
5
+ spec.name = "fluent-plugin-go-audit-parser"
6
+ spec.version = "0.1.0"
7
+ spec.authors = ["haccht"]
8
+ spec.email = ["haccht@users.noreply.github.com"]
9
+
10
+ spec.summary = %q{Fluentd plugin to transform go-audit log and make it easy to be handled by modern log aggregators.}
11
+ spec.description = %q{Fluentd plugin to transform go-audit log and make it easy to be handled by modern log aggregators.}
12
+ spec.homepage = "https://github.com/haccht/fluent-plugin-go-audit-parser"
13
+ spec.license = "Apache-2.0"
14
+
15
+ test_files, files = `git ls-files -z`.split("\x0").partition do |f|
16
+ f.match(%r{^(test|spec|features)/})
17
+ end
18
+ spec.files = files
19
+ spec.executables = files.grep(%r{^bin/}) { |f| File.basename(f) }
20
+ spec.test_files = test_files
21
+ spec.require_paths = ["lib"]
22
+
23
+ spec.add_development_dependency "bundler", "~> 2.2.20"
24
+ spec.add_development_dependency "rake", "~> 13.0.6"
25
+ spec.add_development_dependency "test-unit", "~> 3.4.4"
26
+ spec.add_runtime_dependency "fluentd", [">= 0.14.10", "< 2"]
27
+ end
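Review bot: this hunk has lost its file header in the rendered diff; from its content and the `files:` list in the metadata below it is `fluent-plugin-go-audit-parser.gemspec`. `spec.files` is computed from `git ls-files -z`, so a build from a tarball or any export without `.git` yields an empty file list and an empty gem rather than an error; guard it with a fallback or fail loudly when the list is empty. `required_ruby_version` is not set (the metadata records `>= 0`), yet the filter calls `String#start_with?` with a Regexp, which needs Ruby 2.5 or later; declare `spec.required_ruby_version = ">= 2.5"` so `gem install` rejects older interpreters instead of failing on the first event. Smaller: `spec.test_files` is deprecated by RubyGems and only serves to ship the tests inside the gem, and `~> 2.2.20`, `~> 13.0.6` and `~> 3.4.4` pin the development dependencies to a single patch series, which will need bumping on every minor release of those gems.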
@@ -0,0 +1,312 @@
1
+ #
2
+ # Copyright 2021- haccht
3
+ #
4
+ # Licensed under the Apache License, Version 2.0 (the "License");
5
+ # you may not use this file except in compliance with the License.
6
+ # You may obtain a copy of the License at
7
+ #
8
+ # http://www.apache.org/licenses/LICENSE-2.0
9
+ #
10
+ # Unless required by applicable law or agreed to in writing, software
11
+ # distributed under the License is distributed on an "AS IS" BASIS,
12
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13
+ # See the License for the specific language governing permissions and
14
+ # limitations under the License.
15
+
16
+ require "fluent/plugin/filter"
17
+
18
+ module Fluent
19
+ module Plugin
20
+ class GoAuditParserFilter < Fluent::Plugin::Filter
21
+ Fluent::Plugin.register_filter("go_audit_parser", self)
22
+
23
+ # https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h
24
+ # https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.h
25
+ TYPES = {
26
+ 1100 => 'user_auth',
27
+ 1101 => 'user_acct',
28
+ 1102 => 'user_mgmt',
29
+ 1103 => 'cred_acq',
30
+ 1104 => 'cred_disp',
31
+ 1105 => 'user_start',
32
+ 1106 => 'user_end',
33
+ 1107 => 'user_avc',
34
+ 1108 => 'user_chauthtok',
35
+ 1109 => 'user_err',
36
+ 1110 => 'cred_refr',
37
+ 1111 => 'usys_config',
38
+ 1112 => 'user_login',
39
+ 1113 => 'user_logout',
40
+ 1114 => 'add_user',
41
+ 1115 => 'del_user',
42
+ 1116 => 'add_group',
43
+ 1117 => 'del_group',
44
+ 1118 => 'dac_check',
45
+ 1119 => 'chgrp_id',
46
+ 1120 => 'test',
47
+ 1121 => 'trusted_app',
48
+ 1122 => 'user_selinux_err',
49
+ 1123 => 'user_cmd',
50
+ 1124 => 'user_tty',
51
+ 1125 => 'chuser_id',
52
+ 1126 => 'grp_auth',
53
+ 1127 => 'system_boot',
54
+ 1128 => 'system_shutdown',
55
+ 1129 => 'system_runlevel',
56
+ 1130 => 'service_start',
57
+ 1131 => 'service_stop',
58
+ 1132 => 'grp_mgmt',
59
+ 1133 => 'grp_chauthtok',
60
+ 1134 => 'mac_check',
61
+ 1135 => 'acct_lock',
62
+ 1136 => 'acct_unlock',
63
+ 1137 => 'user_device',
64
+ 1138 => 'software_update',
65
+ 1200 => 'daemon_start',
66
+ 1201 => 'daemon_end',
67
+ 1202 => 'daemon_abort',
68
+ 1203 => 'daemon_config',
69
+ 1204 => 'daemon_reconfig',
70
+ 1205 => 'daemon_rotate',
71
+ 1206 => 'daemon_resume',
72
+ 1207 => 'daemon_accept',
73
+ 1208 => 'daemon_close',
74
+ 1209 => 'daemon_err',
75
+ 1300 => 'syscall',
76
+ 1302 => 'path',
77
+ 1303 => 'ipc',
78
+ 1304 => 'socketcall',
79
+ 1305 => 'config_change',
80
+ 1306 => 'sockaddr',
81
+ 1307 => 'cwd',
82
+ 1309 => 'execve',
83
+ 1311 => 'ipc_set_perm',
84
+ 1312 => 'mq_open',
85
+ 1313 => 'mq_sendrecv',
86
+ 1314 => 'mq_notify',
87
+ 1315 => 'mq_getsetattr',
88
+ 1316 => 'kernel_other',
89
+ 1317 => 'fd_pair',
90
+ 1318 => 'obj_pid',
91
+ 1319 => 'tty',
92
+ 1320 => 'eoe',
93
+ 1321 => 'bprm_fcaps',
94
+ 1322 => 'capset',
95
+ 1323 => 'mmap',
96
+ 1324 => 'netfilter_pkt',
97
+ 1325 => 'netfilter_cfg',
98
+ 1326 => 'seccomp',
99
+ 1327 => 'proctitle',
100
+ 1328 => 'feature_change',
101
+ 1329 => 'replace',
102
+ 1330 => 'kern_module',
103
+ 1331 => 'fanotify',
104
+ 1332 => 'time_injoffset',
105
+ 1333 => 'time_adjntpval',
106
+ 1334 => 'bpf',
107
+ 1335 => 'event_listener',
108
+ 1400 => 'avc',
109
+ 1401 => 'selinux_err',
110
+ 1402 => 'avc_path',
111
+ 1403 => 'mac_policy_load',
112
+ 1404 => 'mac_status',
113
+ 1405 => 'mac_config_change',
114
+ 1406 => 'mac_unlbl_allow',
115
+ 1407 => 'mac_cipsov4_add',
116
+ 1408 => 'mac_cipsov4_del',
117
+ 1409 => 'mac_map_add',
118
+ 1410 => 'mac_map_del',
119
+ 1411 => 'mac_ipsec_addsa',
120
+ 1412 => 'mac_ipsec_delsa',
121
+ 1413 => 'mac_ipsec_addspd',
122
+ 1414 => 'mac_ipsec_delspd',
123
+ 1415 => 'mac_ipsec_event',
124
+ 1416 => 'mac_unlbl_stcadd',
125
+ 1417 => 'mac_unlbl_stcdel',
126
+ 1418 => 'mac_calipso_add',
127
+ 1419 => 'mac_calipso_del',
128
+ 1500 => 'aa',
129
+ 1501 => 'apparmor_audit',
130
+ 1502 => 'apparmor_allowed',
131
+ 1503 => 'apparmor_denied',
132
+ 1504 => 'apparmor_hint',
133
+ 1505 => 'apparmor_status',
134
+ 1506 => 'apparmor_error',
135
+ 1507 => 'apparmor_kill',
136
+ 1700 => 'anom_promiscuous',
137
+ 1701 => 'anom_abend',
138
+ 1702 => 'anom_link',
139
+ 1703 => 'anom_creat',
140
+ 1800 => 'integrity_data',
141
+ 1801 => 'integrity_metadata',
142
+ 1802 => 'integrity_status',
143
+ 1803 => 'integrity_hash',
144
+ 1804 => 'integrity_pcr',
145
+ 1805 => 'integrity_rule',
146
+ 1806 => 'integrity_evm_xattr',
147
+ 1807 => 'integrity_policy_rule',
148
+ 1899 => 'integrity_last_msg',
149
+ 2000 => 'kernel',
150
+ 2100 => 'anom_login_failures',
151
+ 2101 => 'anom_login_time',
152
+ 2102 => 'anom_login_sessions',
153
+ 2103 => 'anom_login_acct',
154
+ 2104 => 'anom_login_location',
155
+ 2105 => 'anom_max_dac',
156
+ 2106 => 'anom_max_mac',
157
+ 2107 => 'anom_amtu_fail',
158
+ 2108 => 'anom_rbac_fail',
159
+ 2109 => 'anom_rbac_integrity_fail',
160
+ 2110 => 'anom_crypto_fail',
161
+ 2111 => 'anom_access_fs',
162
+ 2112 => 'anom_exec',
163
+ 2113 => 'anom_mk_exec',
164
+ 2114 => 'anom_add_acct',
165
+ 2115 => 'anom_del_acct',
166
+ 2116 => 'anom_mod_acct',
167
+ 2117 => 'anom_root_trans',
168
+ 2118 => 'anom_login_service',
169
+ 2119 => 'anom_login_root',
170
+ 2120 => 'anom_origin_failures',
171
+ 2121 => 'anom_session',
172
+ 2200 => 'resp_anomaly',
173
+ 2201 => 'resp_alert',
174
+ 2202 => 'resp_kill_proc',
175
+ 2203 => 'resp_term_access',
176
+ 2204 => 'resp_acct_remote',
177
+ 2205 => 'resp_acct_lock_timed',
178
+ 2206 => 'resp_acct_unlock_timed',
179
+ 2207 => 'resp_acct_lock',
180
+ 2208 => 'resp_term_lock',
181
+ 2209 => 'resp_sebool',
182
+ 2210 => 'resp_exec',
183
+ 2211 => 'resp_single',
184
+ 2212 => 'resp_halt',
185
+ 2213 => 'resp_origin_block',
186
+ 2214 => 'resp_origin_block_timed',
187
+ 2215 => 'resp_origin_unblock_timed',
188
+ 2300 => 'user_role_change',
189
+ 2301 => 'role_assign',
190
+ 2302 => 'role_remove',
191
+ 2303 => 'label_override',
192
+ 2304 => 'label_level_change',
193
+ 2305 => 'user_labeled_export',
194
+ 2306 => 'user_unlabeled_export',
195
+ 2307 => 'dev_alloc',
196
+ 2308 => 'dev_dealloc',
197
+ 2309 => 'fs_relabel',
198
+ 2310 => 'user_mac_policy_load',
199
+ 2311 => 'role_modify',
200
+ 2312 => 'user_mac_config_change',
201
+ 2313 => 'user_mac_status',
202
+ 2400 => 'crypto_test_user',
203
+ 2401 => 'crypto_param_change_user',
204
+ 2402 => 'crypto_login',
205
+ 2403 => 'crypto_logout',
206
+ 2404 => 'crypto_key_user',
207
+ 2405 => 'crypto_failure_user',
208
+ 2406 => 'crypto_replay_user',
209
+ 2407 => 'crypto_session',
210
+ 2408 => 'crypto_ike_sa',
211
+ 2409 => 'crypto_ipsec_sa',
212
+ 2500 => 'virt_control',
213
+ 2501 => 'virt_resource',
214
+ 2502 => 'virt_machine_id',
215
+ 2503 => 'virt_integrity_check',
216
+ 2504 => 'virt_create',
217
+ 2505 => 'virt_destroy',
218
+ 2506 => 'virt_migrate_in',
219
+ 2507 => 'virt_migrate_out',
220
+ }
221
+
222
+ def filter_with_time(tag, time, record)
223
+ if record.key?('messages') && record.key?('uid_map')
224
+ messages = record.delete('messages')
225
+ uid_map = record.delete('uid_map')
226
+
227
+ new_messages = messages.each.with_object({}) do |message, new_messages|
228
+ type, data = message.values_at('type', 'data')
229
+
230
+ name = TYPES[type.to_i]
231
+ hash = { 'type' => type.to_i }
232
+ parseline(data).each do |key, val|
233
+ case key
234
+ when 'msg'
235
+ hash[key] = parseline(val)
236
+ when 'saddr'
237
+ hash[key] = sockaddr(val)
238
+ when 'proctitle'
239
+ hash[key] = packhex(val)
240
+ when 'uid', 'euid', 'suid', 'ouid', 'fsuid', 'auid'
241
+ hash[key] = uid(val, uid_map)
242
+ when 'gid', 'egid', 'sgid', 'ogid', 'fsgid'
243
+ hash[key] = val.to_i
244
+ when 'syscall', 'pid', 'ses', 'argc', 'inode'
245
+ hash[key] = val.to_i
246
+ else
247
+ hash[key] = val
248
+ end
249
+ end
250
+
251
+ new_messages.update(name => hash)
252
+ end
253
+
254
+ record['messages'] = new_messages
255
+ record['message_types'] = new_messages.keys
256
+ end
257
+
258
+ if record.key?('timestamp')
259
+ timestamp = record.delete('timestamp').to_f
260
+ time = Fluent::EventTime.from_time(Time.at(timestamp))
261
+ end
262
+
263
+ return time, record
264
+ end
265
+
266
+ def parseline(text)
267
+ regex = /([^\s=]+)=('[^']*'|"[^"]*"|\S+)/
268
+ text.scan(regex).each.with_object({}) do |(key, val), hash|
269
+ val = val[1..-2] if val.start_with?(/['"]/)
270
+ hash[key] = val
271
+ end
272
+ end
273
+
274
+ def uid(id, uid_map)
275
+ { 'id' => id.to_i, 'name' => uid_map[id] }
276
+ end
277
+
278
+ def packhex(text)
279
+ [text].pack("H*").gsub(/[^[:print:]]/, ' ')
280
+ end
281
+
282
+ def sockaddr(text)
283
+ addr = {}
284
+
285
+ case text[0, 2].hex + (256 * text[2, 2].hex)
286
+ when 1
287
+ pos = text.index('00', 4) - 4
288
+ pos = text.size - 4 if pos < 0
289
+ addr.update('family' => 'local')
290
+ addr.update('path' => packhex(text[4, pos]))
291
+ addr.update('unknown' => text[pos+4..-1]) if text.size > pos + 5
292
+ when 2
293
+ addr.update('family' => 'inet')
294
+ addr.update('port' => (text[4, 2].hex * 256) + text[6, 2].hex)
295
+ addr.update('ip' => text[8, 8].scan(/.{2}/).map{ |x| x.hex }.join("."))
296
+ addr.update('unknown' => text[16..-1]) if text.length > 16
297
+ when 10
298
+ addr.update('family' => 'inet6')
299
+ addr.update('port' => (text[4, 2].hex * 256) + text[6, 2].hex)
300
+ addr.update('flow_info' => text[8, 8])
301
+ addr.update('ip' => text[16, 32].scan(/.{4}/).map{ |x| x.downcase }.join(":"))
302
+ addr.update('scope_id' => text[48, 8])
303
+ addr.update('unknown' => text[56..-1]) if text.size > 56
304
+ else
305
+ addr.update('unknown' => text[4..-1])
306
+ end
307
+
308
+ addr
309
+ end
310
+ end
311
+ end
312
+ end
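Review bot: `new_messages.update(name => hash)` keys the decoded records by type name, so when one event carries several records of the same type only the last one survives. That is the normal case for PATH: the README sample already has `items=2`, and a rename or an `openat` through a directory produces two or more PATH records (item=0, item=1, ...), so the record naming the sensitive file can be silently discarded and a detection rule on `messages.path.name` misses it. Keep an array when a name repeats, for example `(new_messages[name] ||= []) << hash` for `path`, or always emit `path` as a list. Related: `TYPES[type.to_i]` is nil for any type absent from the table, including ones added by newer kernels, and `update(nil => hash)` then stores the record under a nil key that `to_json` renders as `""`; fall back to something like `"type_#{type}"`. The decoding has three weaker spots. First, the kernel emits `name`, `comm`, `exe` and `cwd` quoted unless the value contains a space, a double quote, a control byte or a byte above 0x7e, in which case it is emitted as unquoted hex, but `parseline` only hex-decodes `proctitle`; a process or file whose name includes a space therefore comes out as a hex string, and string matches on those fields can be evaded by picking such a name. Decode any unquoted even-length all-hex value of those fields with `packhex` as well. Second, `packhex` returns an ASCII-8BIT string and then blanks every byte that is not `[[:print:]]` in that encoding, which wipes out the NUL separators between argv entries (`sudo\0tail` becomes indistinguishable from one argument containing a space) and every byte at or above 0x80, destroying UTF-8 names; split on `"\0"` into an `argv` array before collapsing, and `force_encoding("UTF-8").scrub` rather than blanking. Third, the unix branch of `sockaddr` uses `text.index('00', 4)`, which searches the hex string character by character, so a terminator can be matched straddling two bytes (the path bytes `0x10 0x01` render as `1001`) and the path is cut at an odd offset; scan in byte pairs, e.g. `text[4..-1].scan(/../).index('00')`. Smaller: add `'ppid'` to the integer list so the output matches the README, and note that a record with `messages` but no `uid_map` passes through untouched, so one tag carries two record shapes; `record.delete('uid_map') || {}` and dropping `uid_map` from the guard avoids that.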
data/test/helper.rb ADDED
@@ -0,0 +1,8 @@
1
+ $LOAD_PATH.unshift(File.expand_path("../../", __FILE__))
2
+ require "test-unit"
3
+ require "fluent/test"
4
+ require "fluent/test/driver/filter"
5
+ require "fluent/test/helpers"
6
+
7
+ Test::Unit::TestCase.include(Fluent::Test::Helpers)
8
+ Test::Unit::TestCase.extend(Fluent::Test::Helpers)
@@ -0,0 +1,18 @@
1
+ require "helper"
2
+ require "fluent/plugin/filter_go_audit_parser.rb"
3
+
4
+ class GoAuditParserFilterTest < Test::Unit::TestCase
5
+ setup do
6
+ Fluent::Test.setup
7
+ end
8
+
9
+ test "failure" do
10
+ flunk
11
+ end
12
+
13
+ private
14
+
15
+ def create_driver(conf)
16
+ Fluent::Test::Driver::Filter.new(Fluent::Plugin::GoAuditParserFilter).configure(conf)
17
+ end
18
+ end
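Review bot: this hunk has lost its file header in the rendered diff; from the metadata's `files:` list it is `test/plugin/test_filter_go_audit_parser.rb`. The only test is the generator scaffold's `test "failure" do flunk end`, so `rake test`, the Rakefile's default task, fails by construction, and `create_driver` is never called. Before publishing, replace it with at least one driver test: feed the README's sample event through `Fluent::Test::Driver::Filter` and assert on the decoded `proctitle`, the `uid` name mapping and the `message_types` array, then add cases for an unknown `type` and for two PATH records in one event, since those are the inputs most likely to expose a regression in the keying and decoding logic.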
metadata ADDED
@@ -0,0 +1,117 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: fluent-plugin-go-audit-parser
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - haccht
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2021-07-15 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: bundler
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - "~>"
18
+ - !ruby/object:Gem::Version
19
+ version: 2.2.20
20
+ type: :development
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - "~>"
25
+ - !ruby/object:Gem::Version
26
+ version: 2.2.20
27
+ - !ruby/object:Gem::Dependency
28
+ name: rake
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: 13.0.6
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: 13.0.6
41
+ - !ruby/object:Gem::Dependency
42
+ name: test-unit
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: 3.4.4
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: 3.4.4
55
+ - !ruby/object:Gem::Dependency
56
+ name: fluentd
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: 0.14.10
62
+ - - "<"
63
+ - !ruby/object:Gem::Version
64
+ version: '2'
65
+ type: :runtime
66
+ prerelease: false
67
+ version_requirements: !ruby/object:Gem::Requirement
68
+ requirements:
69
+ - - ">="
70
+ - !ruby/object:Gem::Version
71
+ version: 0.14.10
72
+ - - "<"
73
+ - !ruby/object:Gem::Version
74
+ version: '2'
75
+ description: Fluentd plugin to transform go-audit log and make it easy to be handled
76
+ by modern log aggregators.
77
+ email:
78
+ - haccht@users.noreply.github.com
79
+ executables: []
80
+ extensions: []
81
+ extra_rdoc_files: []
82
+ files:
83
+ - Gemfile
84
+ - LICENSE
85
+ - README.md
86
+ - Rakefile
87
+ - fluent-plugin-go-audit-parser.gemspec
88
+ - lib/fluent/plugin/filter_go_audit_parser.rb
89
+ - test/helper.rb
90
+ - test/plugin/test_filter_go_audit_parser.rb
91
+ homepage: https://github.com/haccht/fluent-plugin-go-audit-parser
92
+ licenses:
93
+ - Apache-2.0
94
+ metadata: {}
95
+ post_install_message:
96
+ rdoc_options: []
97
+ require_paths:
98
+ - lib
99
+ required_ruby_version: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: '0'
104
+ required_rubygems_version: !ruby/object:Gem::Requirement
105
+ requirements:
106
+ - - ">="
107
+ - !ruby/object:Gem::Version
108
+ version: '0'
109
+ requirements: []
110
+ rubygems_version: 3.0.3
111
+ signing_key:
112
+ specification_version: 4
113
+ summary: Fluentd plugin to transform go-audit log and make it easy to be handled by
114
+ modern log aggregators.
115
+ test_files:
116
+ - test/helper.rb
117
+ - test/plugin/test_filter_go_audit_parser.rb
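Review bot: `cert_chain: []` and the empty `signing_key:` mean the release is unsigned, so `gem install -P HighSecurity` cannot be used against it and nothing in the artifact attests who built it; `metadata: {}` also omits `rubygems_mfa_required`, which would at least force MFA on future pushes under this name (`spec.metadata["rubygems_mfa_required"] = "true"` in the gemspec) and `source_code_uri`, which would bind the artifact to the `homepage:` repository. `required_ruby_version: '>= 0'` is wrong for this code, which relies on `String#start_with?(Regexp)` (Ruby 2.5 and later); fix it in the gemspec so the constraint lands here. The `test_files:` entries ship the test suite inside the gem, which is unnecessary for a runtime filter.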