Documentation
Overview
Package audit reads auditd events from the built-in af_unix plugin and parses the messages in order to proactively monitor the PIDs that make connections. Once a connection is made and redirected to us via NFQUEUE, we look up the connection's inode in /proc and add the corresponding PID, with all the information about the process, to a list of known PIDs.
TODO: Prompt the user to allow/deny a connection/program as soon as it's started.
Requisites:
- install auditd and audispd-plugins
- enable the af_unix plugin in /etc/audisp/plugins.d/af_unix.conf (active = yes)
- auditctl -a always,exit -F arch=b64 -S socket,connect,execve -k opensnitchd
- increase q_depth in /etc/audisp/audispd.conf if there are dropped events
- set write_logs to no if you don't need/want audit logs to be stored on disk

Read messages from the pipe to verify that it is working:

socat unix-connect:/var/run/audispd_events stdio

Audit event fields: https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv
Record types: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Audit_Record_Types.html
Documentation: https://github.com/linux-audit/audit-documentation
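As an added example (not code from the opensnitch audit package), this shows how the records that make up one audit event can be parsed into the kind of Event described above: the SYSCALL record supplies pid, comm and exe together with the rule key, the SOCKADDR record carries the destination as a hex-encoded struct sockaddr, and EOE closes the event. The reduced Event type, parseFields, decodeSaddr, ParseEvent and SampleRecords are hypothetical names defined here; the sample records are constructed, not captured from a real system. The sockaddr decoder goes slightly beyond the page by handling the inet6 and local families as well as inet.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// OpensnitchRulesKey is the mark the audit rule puts on every event we want to see.
const OpensnitchRulesKey = "key=\"opensnitch\""

// Event is a reduced, hypothetical stand-in for the package's Event type (only the fields filled here).
type Event struct {
	Serial    string
	Pid       int
	ProcName  string // comm
	ProcPath  string // exe
	DstHost   net.IP
	DstPort   int
	NetFamily string // inet, inet6, local
}

// parseFields splits one audit record into key=value pairs, dropping surrounding quotes.
// Quoted values containing spaces (some proctitle strings) are not handled by this simple splitter.
func parseFields(record string) map[string]string {
	fields := map[string]string{}
	for _, kv := range strings.Fields(record) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = strings.Trim(v, "\"")
		}
	}
	return fields
}

// decodeSaddr decodes the hex struct sockaddr carried by a SOCKADDR record.
func decodeSaddr(saddr string) (family string, ip net.IP, port int, err error) {
	raw, err := hex.DecodeString(saddr)
	if err != nil || len(raw) < 4 {
		return "", nil, 0, fmt.Errorf("bad saddr %q: %v", saddr, err)
	}
	fam := int(raw[0]) | int(raw[1])<<8 // sa_family_t in host byte order (little-endian host assumed)
	port = int(raw[2])<<8 | int(raw[3]) // network byte order; meaningless for AF_UNIX
	switch {
	case fam == 1: // AF_UNIX: a sun_path follows, there is no host or port
		return "local", nil, 0, nil
	case fam == 2 && len(raw) >= 8: // AF_INET: family(2) port(2) addr(4) pad(8)
		return "inet", net.IP(raw[4:8]), port, nil
	case fam == 10 && len(raw) >= 24: // AF_INET6: family(2) port(2) flowinfo(4) addr(16) scope(4)
		return "inet6", net.IP(raw[8:24]), port, nil
	}
	return "", nil, 0, fmt.Errorf("unsupported or truncated sockaddr, family %d", fam)
}

// ParseEvent assembles one Event from the records sharing an audit serial (SYSCALL, SOCKADDR, ..., EOE).
// Events not tagged with our rule key are ignored and yield (nil, nil).
func ParseEvent(records []string) (*Event, error) {
	ev := &Event{}
	for _, rec := range records {
		f := parseFields(rec)
		switch f["type"] {
		case "SYSCALL": // carries pid, comm, exe and the rule key
			if !strings.Contains(rec, OpensnitchRulesKey) {
				return nil, nil
			}
			// msg=audit(<timestamp>:<serial>): the serial ties the records of one event together
			_, ev.Serial, _ = strings.Cut(strings.TrimSuffix(strings.TrimPrefix(f["msg"], "audit("), "):"), ":")
			ev.Pid, _ = strconv.Atoi(f["pid"])
			ev.ProcName, ev.ProcPath = f["comm"], f["exe"]
		case "SOCKADDR": // carries the destination as a hex struct sockaddr
			fam, ip, port, err := decodeSaddr(f["saddr"])
			if err != nil {
				return nil, err
			}
			ev.NetFamily, ev.DstHost, ev.DstPort = fam, ip, port
		case "EOE": // end of event: nothing more arrives for this serial
			return ev, nil
		}
	}
	return ev, nil
}

// SampleRecords is a constructed event, not a real capture: pid 2001 (curl) calling connect(2) to 192.168.1.1:80.
var SampleRecords = []string{
	`type=SYSCALL msg=audit(1591000000.123:456): arch=c000003e syscall=42 success=yes exit=0 ppid=1000 pid=2001 auid=1000 uid=1000 gid=1000 tty=pts0 comm="curl" exe="/usr/bin/curl" key="opensnitch"`,
	`type=SOCKADDR msg=audit(1591000000.123:456): saddr=02000050C0A801010000000000000000`,
	`type=EOE msg=audit(1591000000.123:456):`,
}

func main() {
	ev, err := ParseEvent(SampleRecords)
	fmt.Printf("%+v err=%v\n", ev, err)
}
```

The AF_INET and AF_INET6 layouts follow the kernel's sockaddr_in and sockaddr_in6; sa_family is stored in host byte order, so the decoder assumes a little-endian host, while the port is always big-endian. Because an event is only complete at EOE, a reader that feeds ParseEvent should buffer records by serial and hand over the whole group, which is also what makes the TODO above (prompting the user as soon as a program starts) possible without racing the SOCKADDR record.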
Constants

const (
	AuditTypePROCTITLE  = "type=PROCTITLE"
	AuditTypeCWD        = "type=CWD"
	AuditTypePATH       = "type=PATH"
	AuditTypeEXECVE     = "type=EXECVE"
	AuditTypeSOCKADDR   = "type=SOCKADDR"
	AuditTypeSOCKETCALL = "type=SOCKETCALL"
	AuditTypeEOE        = "type=EOE"
)
const (
	MaxEventAge = int(10)
)
MaxEventAge is the maximum minutes an audit process can live without network activity.
const (
	OpensnitchRulesKey = "key=\"opensnitch\""
)
OpensnitchRulesKey is the mark we place on every event we are interested in.
Variables

var (
	// Lock holds a mutex
	Lock sync.RWMutex
	// TODO: EventChan is an output channel where incoming auditd events will be written,
	// if a client opens it.
	EventChan = (chan Event)(nil)
)
Functions

func AddEvent
func AddEvent(aevent *Event)
AddEvent adds a new event to the list of PIDs which have generated network activity. If the PID is already in the list, its LastSeen field is updated to keep it alive.
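An added illustration (not the package's own code) of the list behaviour documented for AddEvent and MaxEventAge: one entry per PID, LastSeen refreshed when a known PID shows up again, and entries dropped once they have been idle for longer than MaxEventAge minutes. The reduced Event type, the events map, GetEventByPid and ExpireEvents are hypothetical names assumed for this example; the current time is passed in explicitly so the behaviour is deterministic.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// MaxEventAge is the maximum number of minutes a PID may stay in the list without
// network activity (the value the package documents; untyped here so it multiplies time.Minute).
const MaxEventAge = 10

// Event is a hypothetical, reduced stand-in for the package's Event: only what the list needs.
type Event struct {
	Pid      int
	ProcName string
	LastSeen time.Time
}

var (
	lock   sync.RWMutex       // guards events, like the package's Lock
	events = map[int]*Event{} // PIDs with network activity, keyed by pid
)

// AddEvent adds a PID to the list, or only refreshes LastSeen if it is already known,
// so that a still-active process is not expired. It reports whether the PID was new.
func AddEvent(ev *Event, now time.Time) bool {
	lock.Lock()
	defer lock.Unlock()
	if known, ok := events[ev.Pid]; ok {
		known.LastSeen = now
		return false
	}
	ev.LastSeen = now
	events[ev.Pid] = ev
	return true
}

// GetEventByPid returns the tracked event for a PID, or nil if the PID is unknown or expired.
func GetEventByPid(pid int) *Event {
	lock.RLock()
	defer lock.RUnlock()
	return events[pid]
}

// ExpireEvents drops PIDs idle for longer than MaxEventAge minutes and returns the PIDs removed.
func ExpireEvents(now time.Time) []int {
	lock.Lock()
	defer lock.Unlock()
	var expired []int
	for pid, ev := range events {
		if now.Sub(ev.LastSeen) > MaxEventAge*time.Minute {
			delete(events, pid)
			expired = append(expired, pid)
		}
	}
	return expired
}

func main() {
	start := time.Now()
	AddEvent(&Event{Pid: 2001, ProcName: "curl"}, start)
	AddEvent(&Event{Pid: 2002, ProcName: "ssh"}, start)
	AddEvent(&Event{Pid: 2001, ProcName: "curl"}, start.Add(8*time.Minute)) // 2001 seen again, kept alive
	expired := ExpireEvents(start.Add(12 * time.Minute))
	fmt.Println("expired:", expired, "2001 still tracked:", GetEventByPid(2001) != nil)
}
```

Expiry matters for correctness as well as memory: PIDs are reused by the kernel, so an entry kept past the process's lifetime could attribute a later connection from a different program to the wrong executable. Looking the inode up in /proc at connection time, as the overview describes, is what keeps the attribution honest.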
func Reader

Reader reads events from the audispd af_unix pipe plugin. If the auditd daemon is stopped or restarted, the reader handle is closed, so we need to re-establish the connection.
func StartChannel
func StartChannel()
StartChannel creates a channel to receive events from Audit. Launch audit.Reader() in a goroutine:

go audit.Reader(c, (chan<- audit.Event)(audit.EventChan))
Types

type Event

type Event struct {
	Timestamp   string // audit(xxxxxxx:nnnn)
	Serial      string
	ProcName    string // comm
	ProcPath    string // exe
	ProcCmdLine string // proctitle
	ProcDir     string // cwd
	ProcMode    string // mode
	TTY         string
	Pid         int
	UID         int
	Gid         int
	PPid        int
	EUid        int
	EGid        int
	OUid        int
	OGid        int
	UserName    string // auid
	DstHost     net.IP
	DstPort     int
	NetFamily   string // inet, inet6, local
	Success     string
	INode       int
	Dev         string
	Syscall     int
	Exit        int
	EventType   string
	RawEvent    string
	LastSeen    time.Time
}
Event represents an audit event, which in our case can be an event of type socket, execve, socketpair or connect.