Class: Fluent::Plugin::GoAuditParserFilter

Inherits:
Filter
Defined in:
lib/fluent/plugin/filter_go_audit_parser.rb

Constant Summary

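# Linux syscall number => name for the x86_64 ABI (e.g. 59 => execve,
# 231 => exit_group, 334 => rseq). The audit record's own arch field is not
# consulted anywhere in this filter, so a record produced on another
# architecture, or a syscall newer than this table, is labelled with the
# wrong name or left unmapped. Frozen because the table is only ever read.
SYSCALLS = {
  0 => 'read',
  1 => 'write',
  2 => 'open',
  3 => 'close',
  4 => 'stat',
  5 => 'fstat',
  6 => 'lstat',
  7 => 'poll',
  8 => 'lseek',
  9 => 'mmap',
  10 => 'mprotect',
  11 => 'munmap',
  12 => 'brk',
  13 => 'rt_sigaction',
  14 => 'rt_sigprocmask',
  15 => 'rt_sigreturn',
  16 => 'ioctl',
  17 => 'pread',
  18 => 'pwrite',
  19 => 'readv',
  20 => 'writev',
  21 => 'access',
  22 => 'pipe',
  23 => 'select',
  24 => 'sched_yield',
  25 => 'mremap',
  26 => 'msync',
  27 => 'mincore',
  28 => 'madvise',
  29 => 'shmget',
  30 => 'shmat',
  31 => 'shmctl',
  32 => 'dup',
  33 => 'dup2',
  34 => 'pause',
  35 => 'nanosleep',
  36 => 'getitimer',
  37 => 'alarm',
  38 => 'setitimer',
  39 => 'getpid',
  40 => 'sendfile',
  41 => 'socket',
  42 => 'connect',
  43 => 'accept',
  44 => 'sendto',
  45 => 'recvfrom',
  46 => 'sendmsg',
  47 => 'recvmsg',
  48 => 'shutdown',
  49 => 'bind',
  50 => 'listen',
  51 => 'getsockname',
  52 => 'getpeername',
  53 => 'socketpair',
  54 => 'setsockopt',
  55 => 'getsockopt',
  56 => 'clone',
  57 => 'fork',
  58 => 'vfork',
  59 => 'execve',
  60 => 'exit',
  61 => 'wait4',
  62 => 'kill',
  63 => 'uname',
  64 => 'semget',
  65 => 'semop',
  66 => 'semctl',
  67 => 'shmdt',
  68 => 'msgget',
  69 => 'msgsnd',
  70 => 'msgrcv',
  71 => 'msgctl',
  72 => 'fcntl',
  73 => 'flock',
  74 => 'fsync',
  75 => 'fdatasync',
  76 => 'truncate',
  77 => 'ftruncate',
  78 => 'getdents',
  79 => 'getcwd',
  80 => 'chdir',
  81 => 'fchdir',
  82 => 'rename',
  83 => 'mkdir',
  84 => 'rmdir',
  85 => 'creat',
  86 => 'link',
  87 => 'unlink',
  88 => 'symlink',
  89 => 'readlink',
  90 => 'chmod',
  91 => 'fchmod',
  92 => 'chown',
  93 => 'fchown',
  94 => 'lchown',
  95 => 'umask',
  96 => 'gettimeofday',
  97 => 'getrlimit',
  98 => 'getrusage',
  99 => 'sysinfo',
  100 => 'times',
  101 => 'ptrace',
  102 => 'getuid',
  103 => 'syslog',
  104 => 'getgid',
  105 => 'setuid',
  106 => 'setgid',
  107 => 'geteuid',
  108 => 'getegid',
  109 => 'setpgid',
  110 => 'getppid',
  111 => 'getpgrp',
  112 => 'setsid',
  113 => 'setreuid',
  114 => 'setregid',
  115 => 'getgroups',
  116 => 'setgroups',
  117 => 'setresuid',
  118 => 'getresuid',
  119 => 'setresgid',
  120 => 'getresgid',
  121 => 'getpgid',
  122 => 'setfsuid',
  123 => 'setfsgid',
  124 => 'getsid',
  125 => 'capget',
  126 => 'capset',
  127 => 'rt_sigpending',
  128 => 'rt_sigtimedwait',
  129 => 'rt_sigqueueinfo',
  130 => 'rt_sigsuspend',
  131 => 'sigaltstack',
  132 => 'utime',
  133 => 'mknod',
  134 => 'uselib',
  135 => 'personality',
  136 => 'ustat',
  137 => 'statfs',
  138 => 'fstatfs',
  139 => 'sysfs',
  140 => 'getpriority',
  141 => 'setpriority',
  142 => 'sched_setparam',
  143 => 'sched_getparam',
  144 => 'sched_setscheduler',
  145 => 'sched_getscheduler',
  146 => 'sched_get_priority_max',
  147 => 'sched_get_priority_min',
  148 => 'sched_rr_get_interval',
  149 => 'mlock',
  150 => 'munlock',
  151 => 'mlockall',
  152 => 'munlockall',
  153 => 'vhangup',
  154 => 'modify_ldt',
  155 => 'pivot_root',
  156 => '_sysctl',
  157 => 'prctl',
  158 => 'arch_prctl',
  159 => 'adjtimex',
  160 => 'setrlimit',
  161 => 'chroot',
  162 => 'sync',
  163 => 'acct',
  164 => 'settimeofday',
  165 => 'mount',
  166 => 'umount2',
  167 => 'swapon',
  168 => 'swapoff',
  169 => 'reboot',
  170 => 'sethostname',
  171 => 'setdomainname',
  172 => 'iopl',
  173 => 'ioperm',
  174 => 'create_module',
  175 => 'init_module',
  176 => 'delete_module',
  177 => 'get_kernel_syms',
  178 => 'query_module',
  179 => 'quotactl',
  180 => 'nfsservctl',
  181 => 'getpmsg',
  182 => 'putpmsg',
  183 => 'afs_syscall',
  184 => 'tuxcall',
  185 => 'security',
  186 => 'gettid',
  187 => 'readahead',
  188 => 'setxattr',
  189 => 'lsetxattr',
  190 => 'fsetxattr',
  191 => 'getxattr',
  192 => 'lgetxattr',
  193 => 'fgetxattr',
  194 => 'listxattr',
  195 => 'llistxattr',
  196 => 'flistxattr',
  197 => 'removexattr',
  198 => 'lremovexattr',
  199 => 'fremovexattr',
  200 => 'tkill',
  201 => 'time',
  202 => 'futex',
  203 => 'sched_setaffinity',
  204 => 'sched_getaffinity',
  205 => 'set_thread_area',
  206 => 'io_setup',
  207 => 'io_destroy',
  208 => 'io_getevents',
  209 => 'io_submit',
  210 => 'io_cancel',
  211 => 'get_thread_area',
  212 => 'lookup_dcookie',
  213 => 'epoll_create',
  214 => 'epoll_ctl_old',
  215 => 'epoll_wait_old',
  216 => 'remap_file_pages',
  217 => 'getdents64',
  218 => 'set_tid_address',
  219 => 'restart_syscall',
  220 => 'semtimedop',
  221 => 'fadvise64',
  222 => 'timer_create',
  223 => 'timer_settime',
  224 => 'timer_gettime',
  225 => 'timer_getoverrun',
  226 => 'timer_delete',
  227 => 'clock_settime',
  228 => 'clock_gettime',
  229 => 'clock_getres',
  230 => 'clock_nanosleep',
  231 => 'exit_group',
  232 => 'epoll_wait',
  233 => 'epoll_ctl',
  234 => 'tgkill',
  235 => 'utimes',
  236 => 'vserver',
  237 => 'mbind',
  238 => 'set_mempolicy',
  239 => 'get_mempolicy',
  240 => 'mq_open',
  241 => 'mq_unlink',
  242 => 'mq_timedsend',
  243 => 'mq_timedreceive',
  244 => 'mq_notify',
  245 => 'mq_getsetattr',
  246 => 'kexec_load',
  247 => 'waitid',
  248 => 'add_key',
  249 => 'request_key',
  250 => 'keyctl',
  251 => 'ioprio_set',
  252 => 'ioprio_get',
  253 => 'inotify_init',
  254 => 'inotify_add_watch',
  255 => 'inotify_rm_watch',
  256 => 'migrate_pages',
  257 => 'openat',
  258 => 'mkdirat',
  259 => 'mknodat',
  260 => 'fchownat',
  261 => 'futimesat',
  262 => 'newfstatat',
  263 => 'unlinkat',
  264 => 'renameat',
  265 => 'linkat',
  266 => 'symlinkat',
  267 => 'readlinkat',
  268 => 'fchmodat',
  269 => 'faccessat',
  270 => 'pselect6',
  271 => 'ppoll',
  272 => 'unshare',
  273 => 'set_robust_list',
  274 => 'get_robust_list',
  275 => 'splice',
  276 => 'tee',
  277 => 'sync_file_range',
  278 => 'vmsplice',
  279 => 'move_pages',
  280 => 'utimensat',
  281 => 'epoll_pwait',
  282 => 'signalfd',
  283 => 'timerfd',
  284 => 'eventfd',
  285 => 'fallocate',
  286 => 'timerfd_settime',
  287 => 'timerfd_gettime',
  288 => 'accept4',
  289 => 'signalfd4',
  290 => 'eventfd2',
  291 => 'epoll_create1',
  292 => 'dup3',
  293 => 'pipe2',
  294 => 'inotify_init1',
  295 => 'preadv',
  296 => 'pwritev',
  297 => 'rt_tgsigqueueinfo',
  298 => 'perf_event_open',
  299 => 'recvmmsg',
  300 => 'fanotify_init',
  301 => 'fanotify_mark',
  302 => 'prlimit64',
  303 => 'name_to_handle_at',
  304 => 'open_by_handle_at',
  305 => 'clock_adjtime',
  306 => 'syncfs',
  307 => 'sendmmsg',
  308 => 'setns',
  309 => 'getcpu',
  310 => 'process_vm_readv',
  311 => 'process_vm_writev',
  312 => 'kcmp',
  313 => 'finit_module',
  314 => 'sched_setattr',
  315 => 'sched_getattr',
  316 => 'renameat2',
  317 => 'seccomp',
  318 => 'getrandom',
  319 => 'memfd_create',
  320 => 'kexec_file_load',
  321 => 'bpf',
  322 => 'execveat',
  323 => 'userfaultfd',
  324 => 'membarrier',
  325 => 'mlock2',
  326 => 'copy_file_range',
  327 => 'preadv2',
  328 => 'pwritev2',
  329 => 'pkey_mprotect',
  330 => 'pkey_alloc',
  331 => 'pkey_free',
  332 => 'statx',
  333 => 'io_pgetevents',
  334 => 'rseq',
}.freeze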
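# Audit record type number => name (the AUDIT_* record types from the
# kernel's uapi audit header, e.g. 1300 => syscall, 1302 => path,
# 1327 => proctitle). Gaps in the numbering are real: a type number that is
# not listed here is not a known record type. Frozen because the table is
# only ever read.
TYPES = {
  1100 => 'user_auth',
  1101 => 'user_acct',
  1102 => 'user_mgmt',
  1103 => 'cred_acq',
  1104 => 'cred_disp',
  1105 => 'user_start',
  1106 => 'user_end',
  1107 => 'user_avc',
  1108 => 'user_chauthtok',
  1109 => 'user_err',
  1110 => 'cred_refr',
  1111 => 'usys_config',
  1112 => 'user_login',
  1113 => 'user_logout',
  1114 => 'add_user',
  1115 => 'del_user',
  1116 => 'add_group',
  1117 => 'del_group',
  1118 => 'dac_check',
  1119 => 'chgrp_id',
  1120 => 'test',
  1121 => 'trusted_app',
  1122 => 'user_selinux_err',
  1123 => 'user_cmd',
  1124 => 'user_tty',
  1125 => 'chuser_id',
  1126 => 'grp_auth',
  1127 => 'system_boot',
  1128 => 'system_shutdown',
  1129 => 'system_runlevel',
  1130 => 'service_start',
  1131 => 'service_stop',
  1132 => 'grp_mgmt',
  1133 => 'grp_chauthtok',
  1134 => 'mac_check',
  1135 => 'acct_lock',
  1136 => 'acct_unlock',
  1137 => 'user_device',
  1138 => 'software_update',
  1200 => 'daemon_start',
  1201 => 'daemon_end',
  1202 => 'daemon_abort',
  1203 => 'daemon_config',
  1204 => 'daemon_reconfig',
  1205 => 'daemon_rotate',
  1206 => 'daemon_resume',
  1207 => 'daemon_accept',
  1208 => 'daemon_close',
  1209 => 'daemon_err',
  1300 => 'syscall',
  1302 => 'path',
  1303 => 'ipc',
  1304 => 'socketcall',
  1305 => 'config_change',
  1306 => 'sockaddr',
  1307 => 'cwd',
  1309 => 'execve',
  1311 => 'ipc_set_perm',
  1312 => 'mq_open',
  1313 => 'mq_sendrecv',
  1314 => 'mq_notify',
  1315 => 'mq_getsetattr',
  1316 => 'kernel_other',
  1317 => 'fd_pair',
  1318 => 'obj_pid',
  1319 => 'tty',
  1320 => 'eoe',
  1321 => 'bprm_fcaps',
  1322 => 'capset',
  1323 => 'mmap',
  1324 => 'netfilter_pkt',
  1325 => 'netfilter_cfg',
  1326 => 'seccomp',
  1327 => 'proctitle',
  1328 => 'feature_change',
  1329 => 'replace',
  1330 => 'kern_module',
  1331 => 'fanotify',
  1332 => 'time_injoffset',
  1333 => 'time_adjntpval',
  1334 => 'bpf',
  1335 => 'event_listener',
  1400 => 'avc',
  1401 => 'selinux_err',
  1402 => 'avc_path',
  1403 => 'mac_policy_load',
  1404 => 'mac_status',
  1405 => 'mac_config_change',
  1406 => 'mac_unlbl_allow',
  1407 => 'mac_cipsov4_add',
  1408 => 'mac_cipsov4_del',
  1409 => 'mac_map_add',
  1410 => 'mac_map_del',
  1411 => 'mac_ipsec_addsa',
  1412 => 'mac_ipsec_delsa',
  1413 => 'mac_ipsec_addspd',
  1414 => 'mac_ipsec_delspd',
  1415 => 'mac_ipsec_event',
  1416 => 'mac_unlbl_stcadd',
  1417 => 'mac_unlbl_stcdel',
  1418 => 'mac_calipso_add',
  1419 => 'mac_calipso_del',
  1500 => 'aa',
  1501 => 'apparmor_audit',
  1502 => 'apparmor_allowed',
  1503 => 'apparmor_denied',
  1504 => 'apparmor_hint',
  1505 => 'apparmor_status',
  1506 => 'apparmor_error',
  1507 => 'apparmor_kill',
  1700 => 'anom_promiscuous',
  1701 => 'anom_abend',
  1702 => 'anom_link',
  1703 => 'anom_creat',
  1800 => 'integrity_data',
  1801 => 'integrity_metadata',
  1802 => 'integrity_status',
  1803 => 'integrity_hash',
  1804 => 'integrity_pcr',
  1805 => 'integrity_rule',
  1806 => 'integrity_evm_xattr',
  1807 => 'integrity_policy_rule',
  1899 => 'integrity_last_msg',
  2000 => 'kernel',
  2100 => 'anom_login_failures',
  2101 => 'anom_login_time',
  2102 => 'anom_login_sessions',
  2103 => 'anom_login_acct',
  2104 => 'anom_login_location',
  2105 => 'anom_max_dac',
  2106 => 'anom_max_mac',
  2107 => 'anom_amtu_fail',
  2108 => 'anom_rbac_fail',
  2109 => 'anom_rbac_integrity_fail',
  2110 => 'anom_crypto_fail',
  2111 => 'anom_access_fs',
  2112 => 'anom_exec',
  2113 => 'anom_mk_exec',
  2114 => 'anom_add_acct',
  2115 => 'anom_del_acct',
  2116 => 'anom_mod_acct',
  2117 => 'anom_root_trans',
  2118 => 'anom_login_service',
  2119 => 'anom_login_root',
  2120 => 'anom_origin_failures',
  2121 => 'anom_session',
  2200 => 'resp_anomaly',
  2201 => 'resp_alert',
  2202 => 'resp_kill_proc',
  2203 => 'resp_term_access',
  2204 => 'resp_acct_remote',
  2205 => 'resp_acct_lock_timed',
  2206 => 'resp_acct_unlock_timed',
  2207 => 'resp_acct_lock',
  2208 => 'resp_term_lock',
  2209 => 'resp_sebool',
  2210 => 'resp_exec',
  2211 => 'resp_single',
  2212 => 'resp_halt',
  2213 => 'resp_origin_block',
  2214 => 'resp_origin_block_timed',
  2215 => 'resp_origin_unblock_timed',
  2300 => 'user_role_change',
  2301 => 'role_assign',
  2302 => 'role_remove',
  2303 => 'label_override',
  2304 => 'label_level_change',
  2305 => 'user_labeled_export',
  2306 => 'user_unlabeled_export',
  2307 => 'dev_alloc',
  2308 => 'dev_dealloc',
  2309 => 'fs_relabel',
  2310 => 'user_mac_policy_load',
  2311 => 'role_modify',
  2312 => 'user_mac_config_change',
  2313 => 'user_mac_status',
  2400 => 'crypto_test_user',
  2401 => 'crypto_param_change_user',
  2402 => 'crypto_login',
  2403 => 'crypto_logout',
  2404 => 'crypto_key_user',
  2405 => 'crypto_failure_user',
  2406 => 'crypto_replay_user',
  2407 => 'crypto_session',
  2408 => 'crypto_ike_sa',
  2409 => 'crypto_ipsec_sa',
  2500 => 'virt_control',
  2501 => 'virt_resource',
  2502 => 'virt_machine_id',
  2503 => 'virt_integrity_check',
  2504 => 'virt_create',
  2505 => 'virt_destroy',
  2506 => 'virt_migrate_in',
  2507 => 'virt_migrate_out',
}.freeze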

Instance Method Summary

Instance Method Details

#filter_with_time(tag, time, record) ⇒ Object



# File 'lib/fluent/plugin/filter_go_audit_parser.rb', line 558

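# Turns one go-audit event into a structured record.
#
# @param tag [String] fluentd tag; not used by this filter
# @param time [Fluent::EventTime] event time supplied by fluentd; replaced
#   by the record's 'timestamp' field when that field is present and non-nil
# @param record [Hash] go-audit output. The 'timestamp', 'messages' and
#   'uid_map' keys are consumed; 'messages' is rewritten as a Hash keyed by
#   record-type name and 'message_types' lists those keys.
# @return [Array(Fluent::EventTime, Hash)] the (possibly updated) time and record
#
# Each entry of 'messages' is a raw audit record ({'type' => n, 'data' =>
# 'k=v k2=v2 ...'}). The type number is mapped through TYPES, the payload is
# split with #parseline, and well-known keys are decoded: 'syscall' via
# SYSCALLS, 'msg' as a nested key=value line, 'saddr' via #sockaddr,
# 'proctitle' via #packhex, uid-like fields via #uid and the event's
# uid_map, gid-like and other numeric fields to Integer. Every other value
# is stored verbatim — only proctitle and saddr are hex-decoded here.
# Field values originate from the audited processes themselves, so nothing
# in them is trusted to be well-formed.
def filter_with_time(tag, time, record)
  if record.key?('timestamp')
    timestamp = record.delete('timestamp')
    # A nil timestamp would otherwise become epoch 0 via nil.to_f and
    # silently re-date the event; keep fluentd's time in that case.
    time = Fluent::EventTime.from_time(Time.at(timestamp.to_f)) if timestamp
  end

  if record.key?('messages') && record.key?('uid_map')
    messages = Array(record.delete('messages'))
    uid_map  = record.delete('uid_map') || {}

    new_messages = messages.each_with_object({}) do |message, parsed|
      type, data = message.values_at('type', 'data')
      type_num = type.to_i
      # A type number missing from TYPES must not map to a nil key, where
      # every unknown record would overwrite the previous one.
      name = TYPES.fetch(type_num) { "unknown_#{type_num}" }
      hash = { 'type' => type_num }

      parseline(data.to_s).each do |key, val|
        hash[key] =
          case key
          when 'syscall'
            # Keep the raw number when the table has no name for it.
            SYSCALLS[val.to_i] || val
          when 'msg'
            parseline(val)
          when 'saddr'
            sockaddr(val)
          when 'proctitle'
            # NOTE(review): #parseline has already stripped quotes, so a
            # proctitle that auditd emitted as a quoted plain string rather
            # than hex cannot be told apart here — confirm go-audit's output.
            packhex(val)
          when 'uid', 'euid', 'suid', 'ouid', 'fsuid', 'auid'
            uid(val, uid_map)
          when 'gid', 'egid', 'sgid', 'ogid', 'fsgid',
               'exit', 'item', 'items', 'pid', 'ppid', 'ses', 'argc', 'inode'
            val.to_i
          else
            val
          end
      end

      # Several PATH records per event are kept apart by their item index.
      name = "#{name}#{hash['item']}" if name == 'path'
      parsed[name] = hash
    end

    record['messages']      = new_messages
    record['message_types'] = new_messages.keys
  end

  [time, record]
end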

#packhex(text) ⇒ Object



# File 'lib/fluent/plugin/filter_go_audit_parser.rb', line 617

# Decodes a hex string (two digits per byte, as auditd emits for values it
# cannot print verbatim, e.g. proctitle) into text, replacing every
# non-printable byte — NUL included — with a single space.
#
# @param text [String] hexadecimal digits
# @return [String] the decoded bytes with non-printables replaced by ' '
def packhex(text)
  decoded = [text].pack('H*')
  decoded.gsub(/[[:^print:]]/, ' ')
end

#parseline(text) ⇒ Object



# File 'lib/fluent/plugin/filter_go_audit_parser.rb', line 605

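# Splits an audit "key=value key2='quoted value'" line into a Hash.
#
# Keys are runs of non-space, non-'=' characters; a value is a single- or
# double-quoted run, or else a run of non-space characters. Only a value
# that both starts and ends with the same quote character is unquoted; an
# unbalanced leading quote (e.g. a truncated line) is kept as-is instead of
# silently dropping the value's last character.
#
# @param text [String, nil] the raw line; nil is treated as empty
# @return [Hash{String => String}] parsed pairs; a later duplicate key
#   overwrites an earlier one
def parseline(text)
  regex = /([^\s=]+)=('[^']*'|"[^"]*"|\S+)/
  text.to_s.scan(regex).each_with_object({}) do |(key, val), hash|
    quoted = val.size >= 2 && val[0] == val[-1] && ["'", '"'].include?(val[0])
    hash[key] = quoted ? val[1...-1] : val
  end
end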

#sockaddr(text) ⇒ Object



# File 'lib/fluent/plugin/filter_go_audit_parser.rb', line 621

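# Decodes the hex-encoded struct sockaddr carried in an audit 'saddr' field.
#
# @param text [String, nil] hex digits, two per byte; the first two bytes
#   are the little-endian address family
# @return [Hash{String => Object}] 'family' ('local', 'inet' or 'inet6')
#   plus family-specific fields. Bytes this parser does not understand are
#   returned verbatim as hex under 'unknown'; input shorter than the family
#   word is returned whole under 'unknown' instead of raising.
def sockaddr(text)
  text = text.to_s
  return { 'unknown' => text } if text.size < 4

  addr = {}
  family = text[0, 2].hex + (256 * text[2, 2].hex)
  payload = text[4..] || ''

  case family
  when 1 # AF_UNIX: NUL-terminated sun_path
    # Look for the terminating 00 byte on byte (two-digit) boundaries, so a
    # nibble sequence such as "7001" is not mistaken for a NUL. A payload
    # without any terminator (truncated saddr) is taken entirely as the path
    # rather than raising on a nil index.
    nul = (0...payload.size).step(2).find { |i| payload[i, 2] == '00' }
    path_hex = nul ? payload[0, nul] : payload
    addr['family']  = 'local'
    addr['path']    = packhex(path_hex)
    addr['unknown'] = payload[nul..] if nul && payload.size > nul + 1
  when 2 # AF_INET: big-endian port, then the IPv4 address
    addr['family']  = 'inet'
    addr['port']    = (text[4, 2].to_s.hex * 256) + text[6, 2].to_s.hex
    addr['ip']      = text[8, 8].to_s.scan(/.{2}/).map(&:hex).join('.')
    addr['unknown'] = text[16..] if text.size > 16
  when 10 # AF_INET6: port, flow info, IPv6 address, scope id
    addr['family']    = 'inet6'
    addr['port']      = (text[4, 2].to_s.hex * 256) + text[6, 2].to_s.hex
    addr['flow_info'] = text[8, 8]
    addr['ip']        = text[16, 32].to_s.scan(/.{4}/).map(&:downcase).join(':')
    addr['scope_id']  = text[48, 8]
    addr['unknown']   = text[56..] if text.size > 56
  else
    addr['unknown'] = payload
  end

  addr
end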

#uid(id, uid_map) ⇒ Object



# File 'lib/fluent/plugin/filter_go_audit_parser.rb', line 613

# Expands a uid-like audit field into its numeric id and the user name
# go-audit resolved for it.
#
# @param id [String] the value as it appears in the audit line
# @param uid_map [Hash] the event's uid_map, looked up by the raw value
#   (NOTE(review): presumably string keys such as "0" — confirm against
#   go-audit's output)
# @return [Hash{String => Object}] 'id' as Integer, 'name' as the mapped
#   name or nil when the map has no entry
def uid(id, uid_map)
  numeric  = id.to_i
  resolved = uid_map[id]
  { 'id' => numeric, 'name' => resolved }
end