diff --git a/README.md b/README.md
index 2b70466..7ddaaa1 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,12 @@
 # pauditd [![CircleCI](https://circleci.com/gh/pantheon-systems/pauditd/tree/master.svg?style=svg)](https://circleci.com/gh/pantheon-systems/pauditd/tree/master)
-[![Unsupported](https://img.shields.io/badge/Pantheon-Unsupported-yellow?logo=pantheon&color=FFDC28)](https://pantheon.io/docs/oss-support-levels#unsupported)
-
+[![Unsupported](https://img.shields.io/badge/Pantheon-Unsupported-yellow?logo=pantheon&color=FFDC28)](https://pantheon.io/docs/oss-support-levels#unsupported) ![GitHub](https://img.shields.io/github/license/pantheon-systems/pauditd?color=FFDC28&logo=go)
 ## About
 pauditd is an alternative to the auditd daemon that ships with many distros.
-[![License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](http://opensource.org/licenses/MIT)
-
 ## Audit Documentation
 Kernel Audit System: [audit.c](https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/kernel/audit.c?id=refs/tags/v3.14.56) [audit.h](https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/include/uapi/linux/audit.h?h=linux-3.14.y)
@@ -175,22 +172,22 @@ This is likely because you are running `journald` which is also reading audit ev
 sudo systemctl mask systemd-journald-audit.socket
 ```
-You may have to restart the _systemd-journald.service_ after masking the socket.
+You may have to restart the *systemd-journald.service* after masking the socket.
 if this problem persists it is because the netlink socket buffers are getting full and the default for overflow is to dump to the kernel logging sub-system. This can be disabled by setting the audit configuration option for what to do when the enqueue on the buffer fails. You can set this setting by using a special audit rule in the `pauditd.yaml` configuration file:
-```
+```console
 -f N
 ```
 Where the `N` is either 0, 1 or 2.
-```
+```console
 0 -> discard
 1 -> kernel logging subsystem
 2 -> panic
 ```
-## Thanks
+## Thank You
-To slackhq for the inspiration via https://github.com/slackhq/go-audit
+To slackhq for the inspiration via [Slack go-audit](https://github.com/slackhq/go-audit)
diff --git a/client.go b/client.go
index e111db0..9ed64bb 100644
--- a/client.go
+++ b/client.go
@@ -16,11 +16,11 @@ import (
 var Endianness = binary.LittleEndian
 const (
- // MAX_AUDIT_MESSAGE_LENGTH see http://lxr.free-electrons.com/source/include/uapi/linux/audit.h#L398
- MAX_AUDIT_MESSAGE_LENGTH = 8970
+ // MAX_AUDIT_MESSAGE_LENGTH see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/uapi/linux/audit.h#n454
+ MAX_AUDIT_MESSAGE_LENGTH = 8560
 )
-//TODO: this should live in a marshaller
+// TODO: this should live in a marshaller
 type AuditStatusPayload struct {
 Mask uint32
 Enabled uint32
diff --git a/examples/pauditd.yaml.example b/examples/pauditd.yaml.example
index a122173..5392174 100644
--- a/examples/pauditd.yaml.example
+++ b/examples/pauditd.yaml.example
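Review bot: The new `MAX_AUDIT_MESSAGE_LENGTH = 8560` is smaller than the 8970 it replaces, and if this constant sizes the buffer the netlink socket is read into (its uses are outside this hunk), a record longer than the buffer is silently truncated by the kernel rather than rejected — and the tail of a long audit record is exactly where paths and keys live — so the commit shrinks what the collector can receive with no stated reason. My recollection is that the kernel's uapi/linux/audit.h still defines `MAX_AUDIT_MESSAGE_LENGTH 8970` with the derivation `PATH_MAX*2+CONTEXT_SIZE*2+11+256+1`, so the cited line should be re-checked against the header's actual text before this lands. Whichever value is right, the comment should record where it comes from and what depends on it, e.g. `// MAX_AUDIT_MESSAGE_LENGTH is the largest audit payload the kernel emits (uapi/linux/audit.h); receive buffers sized from it must also leave room for the netlink header, or longer records are truncated.` The `const` block is complete within the hunk, but `AuditStatusPayload` continues past its end.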
@@ -6,6 +6,7 @@ socket_buffer:
 # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
 receive: 16384
+# Netlink message types and ranges https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L31-L53
 events:
 # Minimum event type to capture, default 1300
 min: 1300