From bc965790a29d94323c7e4a9ae982952916c2800c Mon Sep 17 00:00:00 2001
From: Phil Cogbill
Date: Tue, 11 Apr 2023 19:19:42 -0400
Subject: [PATCH 1/2] Began looking into updating the project
Looked at docs and read some audit source code from the linux kernel.
---
 README.md | 15 ++++++---------
 client.go | 6 +++---
 examples/pauditd.yaml.example | 1 +
 3 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 2b70466..7ddaaa1 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,12 @@
 # pauditd [![CircleCI](https://circleci.com/gh/pantheon-systems/pauditd/tree/master.svg?style=svg)](https://circleci.com/gh/pantheon-systems/pauditd/tree/master)
-[![Unsupported](https://img.shields.io/badge/Pantheon-Unsupported-yellow?logo=pantheon&color=FFDC28)](https://pantheon.io/docs/oss-support-levels#unsupported)
-
+[![Unsupported](https://img.shields.io/badge/Pantheon-Unsupported-yellow?logo=pantheon&color=FFDC28)](https://pantheon.io/docs/oss-support-levels#unsupported) ![GitHub](https://img.shields.io/github/license/pantheon-systems/pauditd?color=FFDC28&logo=go)
 ## About
 pauditd is an alternative to the auditd daemon that ships with many distros.
-[![License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat-square)](http://opensource.org/licenses/MIT)
-
 ## Audit Documentation
 Kernel Audit System: [audit.c](https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/kernel/audit.c?id=refs/tags/v3.14.56) [audit.h](https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/include/uapi/linux/audit.h?h=linux-3.14.y)
@@ -175,22 +172,22 @@ This is likely because you are running `journald` which is also reading audit ev
 sudo systemctl mask systemd-journald-audit.socket
 ```
-You may have to restart the _systemd-journald.service_ after masking the socket.
+You may have to restart the *systemd-journald.service* after masking the socket.
 if this problem persists it is because the netlink socket buffers are getting full and the default for overflow is to dump to the kernel logging sub-system. This can be disabled by setting the audit configuration option for what to do when the enqueue on the buffer fails. You can set this setting by using a special audit rule in the `pauditd.yaml` configuration file:
-```
+```console
 -f N
 ```
 Where the `N` is either 0, 1 or 2.
-```
+```console
 0 -> discard
 1 -> kernel logging subsystem
 2 -> panic
 ```
-## Thanks
+## Thank You
-To slackhq for the inspiration via https://github.com/slackhq/go-audit
+To slackhq for the inspiration via [Slack go-audit](https://github.com/slackhq/go-audit)
diff --git a/client.go b/client.go
index e111db0..5e2c2cb 100644
--- a/client.go
+++ b/client.go
@@ -16,11 +16,11 @@ import (
 var Endianness = binary.LittleEndian
 const (
- // MAX_AUDIT_MESSAGE_LENGTH see http://lxr.free-electrons.com/source/include/uapi/linux/audit.h#L398
- MAX_AUDIT_MESSAGE_LENGTH = 8970
+ // MAX_AUDIT_MESSAGE_LENGTH see https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L454
+ MAX_AUDIT_MESSAGE_LENGTH = 8560
 )
-//TODO: this should live in a marshaller
+// TODO: this should live in a marshaller
 type AuditStatusPayload struct {
 Mask uint32
 Enabled uint32
diff --git a/examples/pauditd.yaml.example b/examples/pauditd.yaml.example
index a122173..5392174 100644
--- a/examples/pauditd.yaml.example
+++ b/examples/pauditd.yaml.example
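Review bot: Lowering MAX_AUDIT_MESSAGE_LENGTH from 8970 to 8560 in the client.go hunk changes a size bound, not just its comment, and nothing in the hunk or the commit message says why the new value is correct. 8560 matches the kernel's uapi AUDIT_MESSAGE_TEXT_MAX, the cap on the text of a user-originated audit message, whereas 8970 matches MAX_AUDIT_MESSAGE_LENGTH in audit-userspace's libaudit.h (commented there as PATH_MAX*2+CONTEXT_SIZE*2+11+256+1), which sizes the buffer a consumer reads kernel records into; the two constants bound different things. The constant's use is outside the hunk, but if it sizes the netlink receive buffer, shrinking it risks truncating or failing to receive the largest records, which would silently lose audit events. I would keep 8970 unless the receive path has been checked against the new value, and make the comment state what is bounded, e.g. `// MAX_AUDIT_MESSAGE_LENGTH sizes the buffer for one audit record (libaudit's MAX_AUDIT_MESSAGE_LENGTH), not the kernel's AUDIT_MESSAGE_TEXT_MAX.` The same applies to the client.go hunk in the second patch, and both versions of the comment link an unpinned branch line (#L454, #n454) that will drift, so cite a tag or the macro name rather than a line number.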
@@ -6,6 +6,7 @@ socket_buffer:
 # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
 receive: 16384
+# Netlink message types and ranges https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L31-L53
 events:
 # Minimum event type to capture, default 1300
 min: 1300
From 8d5e83a9aeefd8d022d6df331d0f203cd9a9f0d8 Mon Sep 17 00:00:00 2001
From: Phil Cogbill
Date: Wed, 12 Apr 2023 12:10:06 -0400
Subject: [PATCH 2/2] Updated link to kernel.org
---
 client.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/client.go b/client.go
index 5e2c2cb..9ed64bb 100644
--- a/client.go
+++ b/client.go
@@ -16,7 +16,7 @@ import (
 var Endianness = binary.LittleEndian
 const (
- // MAX_AUDIT_MESSAGE_LENGTH see https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h#L454
+ // MAX_AUDIT_MESSAGE_LENGTH see https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/include/uapi/linux/audit.h#n454
 MAX_AUDIT_MESSAGE_LENGTH = 8560
 )