fluent-plugin-go-audit-parser 0.1.1 → 0.1.2

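--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
- metadata.gz: 5fcd033eb832dc942bcdc40ddd3d1f854fe3495546078ab7007d1f8a76ecdbc4
- data.tar.gz: 92006dc2153f74691f827629f16a6986e5e0ba353a36aa6e7132e88b6d1a1b55
+ metadata.gz: 65a6217c92a3665a6c3e848a0f37ae300192844dbfaa12d3eb7734bb7b189648
+ data.tar.gz: b10be6284c6eda352c3fc0fd51b5dde1a9c1f911d3ea165d45b3b7f0ebadd290
 SHA512:
- metadata.gz: 90fb8c565839c81e116c4ed86a672b94e91ed23bf753b86986092833693a148c54a5b1f530767dda82147d603861359f94689864be81f663c83d6c42e2a1cd4a
- data.tar.gz: 4b0a8ae01c4933e77b83ff17e241251e7ac60f86cab11930f31a743e4fe9072112e4673443fadcc27b9be71dc12553bae410f1e8295200080c81b8f4f28bf4c8
+ metadata.gz: a8cc21baec1227ff39fb203e37f8eda091dfaca7d37f8f08c6aa5ab6eb98f5ed81422be66c55036c8b2d7a0210f841b0b7a95a45558f93ce6d0f30f5ea2843eb
+ data.tar.gz: b82c9caba11b68423fd130fdb62442d26d2a22ef69356765a19c7ea776de2c567b978e90b3964b53d6f386de941dbe327d6f68c429dddc4cfe1c2e736739a333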
@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
3
3
 
4
4
  Gem::Specification.new do |spec|
5
5
  spec.name = "fluent-plugin-go-audit-parser"
6
- spec.version = "0.1.1"
6
+ spec.version = "0.1.2"
7
7
  spec.authors = ["haccht"]
8
8
  spec.email = ["haccht@users.noreply.github.com"]
9
9
 
@@ -20,8 +20,344 @@ module Fluent
20
20
  class GoAuditParserFilter < Fluent::Plugin::Filter
21
21
  Fluent::Plugin.register_filter("go_audit_parser", self)
22
22
 
23
- # https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h
24
- # https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.h
23
+ SYSCALLS = {
24
+ 0 => 'read',
25
+ 1 => 'write',
26
+ 2 => 'open',
27
+ 3 => 'close',
28
+ 4 => 'stat',
29
+ 5 => 'fstat',
30
+ 6 => 'lstat',
31
+ 7 => 'poll',
32
+ 8 => 'lseek',
33
+ 9 => 'mmap',
34
+ 10 => 'mprotect',
35
+ 11 => 'munmap',
36
+ 12 => 'brk',
37
+ 13 => 'rt_sigaction',
38
+ 14 => 'rt_sigprocmask',
39
+ 15 => 'rt_sigreturn',
40
+ 16 => 'ioctl',
41
+ 17 => 'pread',
42
+ 18 => 'pwrite',
43
+ 19 => 'readv',
44
+ 20 => 'writev',
45
+ 21 => 'access',
46
+ 22 => 'pipe',
47
+ 23 => 'select',
48
+ 24 => 'sched_yield',
49
+ 25 => 'mremap',
50
+ 26 => 'msync',
51
+ 27 => 'mincore',
52
+ 28 => 'madvise',
53
+ 29 => 'shmget',
54
+ 30 => 'shmat',
55
+ 31 => 'shmctl',
56
+ 32 => 'dup',
57
+ 33 => 'dup2',
58
+ 34 => 'pause',
59
+ 35 => 'nanosleep',
60
+ 36 => 'getitimer',
61
+ 37 => 'alarm',
62
+ 38 => 'setitimer',
63
+ 39 => 'getpid',
64
+ 40 => 'sendfile',
65
+ 41 => 'socket',
66
+ 42 => 'connect',
67
+ 43 => 'accept',
68
+ 44 => 'sendto',
69
+ 45 => 'recvfrom',
70
+ 46 => 'sendmsg',
71
+ 47 => 'recvmsg',
72
+ 48 => 'shutdown',
73
+ 49 => 'bind',
74
+ 50 => 'listen',
75
+ 51 => 'getsockname',
76
+ 52 => 'getpeername',
77
+ 53 => 'socketpair',
78
+ 54 => 'setsockopt',
79
+ 55 => 'getsockopt',
80
+ 56 => 'clone',
81
+ 57 => 'fork',
82
+ 58 => 'vfork',
83
+ 59 => 'execve',
84
+ 60 => 'exit',
85
+ 61 => 'wait4',
86
+ 62 => 'kill',
87
+ 63 => 'uname',
88
+ 64 => 'semget',
89
+ 65 => 'semop',
90
+ 66 => 'semctl',
91
+ 67 => 'shmdt',
92
+ 68 => 'msgget',
93
+ 69 => 'msgsnd',
94
+ 70 => 'msgrcv',
95
+ 71 => 'msgctl',
96
+ 72 => 'fcntl',
97
+ 73 => 'flock',
98
+ 74 => 'fsync',
99
+ 75 => 'fdatasync',
100
+ 76 => 'truncate',
101
+ 77 => 'ftruncate',
102
+ 78 => 'getdents',
103
+ 79 => 'getcwd',
104
+ 80 => 'chdir',
105
+ 81 => 'fchdir',
106
+ 82 => 'rename',
107
+ 83 => 'mkdir',
108
+ 84 => 'rmdir',
109
+ 85 => 'creat',
110
+ 86 => 'link',
111
+ 87 => 'unlink',
112
+ 88 => 'symlink',
113
+ 89 => 'readlink',
114
+ 90 => 'chmod',
115
+ 91 => 'fchmod',
116
+ 92 => 'chown',
117
+ 93 => 'fchown',
118
+ 94 => 'lchown',
119
+ 95 => 'umask',
120
+ 96 => 'gettimeofday',
121
+ 97 => 'getrlimit',
122
+ 98 => 'getrusage',
123
+ 99 => 'sysinfo',
124
+ 100 => 'times',
125
+ 101 => 'ptrace',
126
+ 102 => 'getuid',
127
+ 103 => 'syslog',
128
+ 104 => 'getgid',
129
+ 105 => 'setuid',
130
+ 106 => 'setgid',
131
+ 107 => 'geteuid',
132
+ 108 => 'getegid',
133
+ 109 => 'setpgid',
134
+ 110 => 'getppid',
135
+ 111 => 'getpgrp',
136
+ 112 => 'setsid',
137
+ 113 => 'setreuid',
138
+ 114 => 'setregid',
139
+ 115 => 'getgroups',
140
+ 116 => 'setgroups',
141
+ 117 => 'setresuid',
142
+ 118 => 'getresuid',
143
+ 119 => 'setresgid',
144
+ 120 => 'getresgid',
145
+ 121 => 'getpgid',
146
+ 122 => 'setfsuid',
147
+ 123 => 'setfsgid',
148
+ 124 => 'getsid',
149
+ 125 => 'capget',
150
+ 126 => 'capset',
151
+ 127 => 'rt_sigpending',
152
+ 128 => 'rt_sigtimedwait',
153
+ 129 => 'rt_sigqueueinfo',
154
+ 130 => 'rt_sigsuspend',
155
+ 131 => 'sigaltstack',
156
+ 132 => 'utime',
157
+ 133 => 'mknod',
158
+ 134 => 'uselib',
159
+ 135 => 'personality',
160
+ 136 => 'ustat',
161
+ 137 => 'statfs',
162
+ 138 => 'fstatfs',
163
+ 139 => 'sysfs',
164
+ 140 => 'getpriority',
165
+ 141 => 'setpriority',
166
+ 142 => 'sched_setparam',
167
+ 143 => 'sched_getparam',
168
+ 144 => 'sched_setscheduler',
169
+ 145 => 'sched_getscheduler',
170
+ 146 => 'sched_get_priority_max',
171
+ 147 => 'sched_get_priority_min',
172
+ 148 => 'sched_rr_get_interval',
173
+ 149 => 'mlock',
174
+ 150 => 'munlock',
175
+ 151 => 'mlockall',
176
+ 152 => 'munlockall',
177
+ 153 => 'vhangup',
178
+ 154 => 'modify_ldt',
179
+ 155 => 'pivot_root',
180
+ 156 => '_sysctl',
181
+ 157 => 'prctl',
182
+ 158 => 'arch_prctl',
183
+ 159 => 'adjtimex',
184
+ 160 => 'setrlimit',
185
+ 161 => 'chroot',
186
+ 162 => 'sync',
187
+ 163 => 'acct',
188
+ 164 => 'settimeofday',
189
+ 165 => 'mount',
190
+ 166 => 'umount2',
191
+ 167 => 'swapon',
192
+ 168 => 'swapoff',
193
+ 169 => 'reboot',
194
+ 170 => 'sethostname',
195
+ 171 => 'setdomainname',
196
+ 172 => 'iopl',
197
+ 173 => 'ioperm',
198
+ 174 => 'create_module',
199
+ 175 => 'init_module',
200
+ 176 => 'delete_module',
201
+ 177 => 'get_kernel_syms',
202
+ 178 => 'query_module',
203
+ 179 => 'quotactl',
204
+ 180 => 'nfsservctl',
205
+ 181 => 'getpmsg',
206
+ 182 => 'putpmsg',
207
+ 183 => 'afs_syscall',
208
+ 184 => 'tuxcall',
209
+ 185 => 'security',
210
+ 186 => 'gettid',
211
+ 187 => 'readahead',
212
+ 188 => 'setxattr',
213
+ 189 => 'lsetxattr',
214
+ 190 => 'fsetxattr',
215
+ 191 => 'getxattr',
216
+ 192 => 'lgetxattr',
217
+ 193 => 'fgetxattr',
218
+ 194 => 'listxattr',
219
+ 195 => 'llistxattr',
220
+ 196 => 'flistxattr',
221
+ 197 => 'removexattr',
222
+ 198 => 'lremovexattr',
223
+ 199 => 'fremovexattr',
224
+ 200 => 'tkill',
225
+ 201 => 'time',
226
+ 202 => 'futex',
227
+ 203 => 'sched_setaffinity',
228
+ 204 => 'sched_getaffinity',
229
+ 205 => 'set_thread_area',
230
+ 206 => 'io_setup',
231
+ 207 => 'io_destroy',
232
+ 208 => 'io_getevents',
233
+ 209 => 'io_submit',
234
+ 210 => 'io_cancel',
235
+ 211 => 'get_thread_area',
236
+ 212 => 'lookup_dcookie',
237
+ 213 => 'epoll_create',
238
+ 214 => 'epoll_ctl_old',
239
+ 215 => 'epoll_wait_old',
240
+ 216 => 'remap_file_pages',
241
+ 217 => 'getdents64',
242
+ 218 => 'set_tid_address',
243
+ 219 => 'restart_syscall',
244
+ 220 => 'semtimedop',
245
+ 221 => 'fadvise64',
246
+ 222 => 'timer_create',
247
+ 223 => 'timer_settime',
248
+ 224 => 'timer_gettime',
249
+ 225 => 'timer_getoverrun',
250
+ 226 => 'timer_delete',
251
+ 227 => 'clock_settime',
252
+ 228 => 'clock_gettime',
253
+ 229 => 'clock_getres',
254
+ 230 => 'clock_nanosleep',
255
+ 231 => 'exit_group',
256
+ 232 => 'epoll_wait',
257
+ 233 => 'epoll_ctl',
258
+ 234 => 'tgkill',
259
+ 235 => 'utimes',
260
+ 236 => 'vserver',
261
+ 237 => 'mbind',
262
+ 238 => 'set_mempolicy',
263
+ 239 => 'get_mempolicy',
264
+ 240 => 'mq_open',
265
+ 241 => 'mq_unlink',
266
+ 242 => 'mq_timedsend',
267
+ 243 => 'mq_timedreceive',
268
+ 244 => 'mq_notify',
269
+ 245 => 'mq_getsetattr',
270
+ 246 => 'kexec_load',
271
+ 247 => 'waitid',
272
+ 248 => 'add_key',
273
+ 249 => 'request_key',
274
+ 250 => 'keyctl',
275
+ 251 => 'ioprio_set',
276
+ 252 => 'ioprio_get',
277
+ 253 => 'inotify_init',
278
+ 254 => 'inotify_add_watch',
279
+ 255 => 'inotify_rm_watch',
280
+ 256 => 'migrate_pages',
281
+ 257 => 'openat',
282
+ 258 => 'mkdirat',
283
+ 259 => 'mknodat',
284
+ 260 => 'fchownat',
285
+ 261 => 'futimesat',
286
+ 262 => 'newfstatat',
287
+ 263 => 'unlinkat',
288
+ 264 => 'renameat',
289
+ 265 => 'linkat',
290
+ 266 => 'symlinkat',
291
+ 267 => 'readlinkat',
292
+ 268 => 'fchmodat',
293
+ 269 => 'faccessat',
294
+ 270 => 'pselect6',
295
+ 271 => 'ppoll',
296
+ 272 => 'unshare',
297
+ 273 => 'set_robust_list',
298
+ 274 => 'get_robust_list',
299
+ 275 => 'splice',
300
+ 276 => 'tee',
301
+ 277 => 'sync_file_range',
302
+ 278 => 'vmsplice',
303
+ 279 => 'move_pages',
304
+ 280 => 'utimensat',
305
+ 281 => 'epoll_pwait',
306
+ 282 => 'signalfd',
307
+ 283 => 'timerfd',
308
+ 284 => 'eventfd',
309
+ 285 => 'fallocate',
310
+ 286 => 'timerfd_settime',
311
+ 287 => 'timerfd_gettime',
312
+ 288 => 'accept4',
313
+ 289 => 'signalfd4',
314
+ 290 => 'eventfd2',
315
+ 291 => 'epoll_create1',
316
+ 292 => 'dup3',
317
+ 293 => 'pipe2',
318
+ 294 => 'inotify_init1',
319
+ 295 => 'preadv',
320
+ 296 => 'pwritev',
321
+ 297 => 'rt_tgsigqueueinfo',
322
+ 298 => 'perf_event_open',
323
+ 299 => 'recvmmsg',
324
+ 300 => 'fanotify_init',
325
+ 301 => 'fanotify_mark',
326
+ 302 => 'prlimit64',
327
+ 303 => 'name_to_handle_at',
328
+ 304 => 'open_by_handle_at',
329
+ 305 => 'clock_adjtime',
330
+ 306 => 'syncfs',
331
+ 307 => 'sendmmsg',
332
+ 308 => 'setns',
333
+ 309 => 'getcpu',
334
+ 310 => 'process_vm_readv',
335
+ 311 => 'process_vm_writev',
336
+ 312 => 'kcmp',
337
+ 313 => 'finit_module',
338
+ 314 => 'sched_setattr',
339
+ 315 => 'sched_getattr',
340
+ 316 => 'renameat2',
341
+ 317 => 'seccomp',
342
+ 318 => 'getrandom',
343
+ 319 => 'memfd_create',
344
+ 320 => 'kexec_file_load',
345
+ 321 => 'bpf',
346
+ 322 => 'execveat',
347
+ 323 => 'userfaultfd',
348
+ 324 => 'membarrier',
349
+ 325 => 'mlock2',
350
+ 326 => 'copy_file_range',
351
+ 327 => 'preadv2',
352
+ 328 => 'pwritev2',
353
+ 329 => 'pkey_mprotect',
354
+ 330 => 'pkey_alloc',
355
+ 331 => 'pkey_free',
356
+ 332 => 'statx',
357
+ 333 => 'io_pgetevents',
358
+ 334 => 'rseq',
359
+ }
360
+
25
361
  TYPES = {
26
362
  1100 => 'user_auth',
27
363
  1101 => 'user_acct',
@@ -220,6 +556,11 @@ module Fluent
220
556
  }
221
557
 
222
558
  def filter_with_time(tag, time, record)
559
+ if record.key?('timestamp')
560
+ timestamp = record.delete('timestamp').to_f
561
+ time = Fluent::EventTime.from_time(Time.at(timestamp))
562
+ end
563
+
223
564
  if record.key?('messages') && record.key?('uid_map')
224
565
  messages = record.delete('messages')
225
566
  uid_map = record.delete('uid_map')
@@ -231,6 +572,8 @@ module Fluent
231
572
  hash = { 'type' => type.to_i }
232
573
  parseline(data).each do |key, val|
233
574
  case key
575
+ when 'syscall'
576
+ hash[key] = SYSCALLS[val.to_i]
234
577
  when 'msg'
235
578
  hash[key] = parseline(val)
236
579
  when 'saddr'
@@ -241,13 +584,14 @@ module Fluent
241
584
  hash[key] = uid(val, uid_map)
242
585
  when 'gid', 'egid', 'sgid', 'ogid', 'fsgid'
243
586
  hash[key] = val.to_i
244
- when 'syscall', 'pid', 'ses', 'argc', 'inode'
587
+ when 'exit', 'item', 'items', 'pid', 'ppid', 'ses', 'argc', 'inode'
245
588
  hash[key] = val.to_i
246
589
  else
247
590
  hash[key] = val
248
591
  end
249
592
  end
250
593
 
594
+ name = "#{name}#{hash['item']}" if name == 'path'
251
595
  new_messages.update(name => hash)
252
596
  end
253
597
 
@@ -255,11 +599,6 @@ module Fluent
255
599
  record['message_types'] = new_messages.keys
256
600
  end
257
601
 
258
- if record.key?('timestamp')
259
- timestamp = record.delete('timestamp').to_f
260
- time = Fluent::EventTime.from_time(Time.at(timestamp))
261
- end
262
-
263
602
  return time, record
264
603
  end
265
604
 
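Review bot: `hash[key] = SYSCALLS[val.to_i]` in the hunk at `@@ -231,6 +572,8 @@` yields nil for any number absent from the table, and since `'syscall'` was also dropped from the integer branch in the next hunk, an unmapped syscall leaves no value at all in the parsed record; `hash[key] = SYSCALLS.fetch(val.to_i, val.to_i)` keeps the number as a fallback so a detection rule or analyst still sees what was called. `val.to_i` also turns a non-numeric value into 0, which the table labels `'read'`; using `Integer(val, exception: false)` as the lookup key would surface such input instead of mislabelling it. The table is the x86_64 numbering, while audit records carry an `arch` field and i386/aarch64 assign different numbers to the same syscall names, so an unconditional lookup mislabels events from those hosts unless it is conditioned on `arch`. If only x86_64 is intended, a comment above `SYSCALLS` stating that, and restoring the audit.h/libaudit.h reference links the first hunk deleted, would document the limitation. The `case key` statement's enclosing block starts and ends outside the hunk.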
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: fluent-plugin-go-audit-parser
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.1
4
+ version: 0.1.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - haccht
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-07-16 00:00:00.000000000 Z
11
+ date: 2021-07-21 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler