• Stars
    star
    142
  • Rank 258,495 (Top 6 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 7 years ago
  • Updated 4 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

go-libaudit is a library for communicating with the Linux Audit Framework.

go-libaudit

Build Status Go Documentation

go-libaudit is a library for Go (golang) for communicating with the Linux Audit Framework. The Linux Audit Framework provides system call auditing in the kernel and logs the events to user-space using netlink sockets. This library facilitates user-space applications that want to receive audit events.

Installation and Usage

Package documentation can be found on GoDoc.

Installation can be done with a normal go get:

$ go get github.com/elastic/go-libaudit

audit example

go-libaudit has two example applications that you can use to try the library. The first is audit which registers to receive audit events from the kernel and outputs the data it receives to stdout. The system's auditd process should be stopped first.

$ go install github.com/elastic/go-libaudit/cmd/audit@main
$ sudo $GOPATH/bin/audit -d

auparse example

The second is auparse which parses the log files from the Linux auditd process or the output of the audit example command. It combines related log messages that are a part of the same event.

$ go install github.com/elastic/go-libaudit/cmd/auparse@main
$ sudo cat /var/log/audit/audit.log | auparse
---
type=CRED_ACQ msg=audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
---
type=USER_START msg=audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
---
type=SYSCALL msg=audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1481077334.304:547): argc=1 a0="su"
type=CWD msg=audit(1481077334.304:547):  cwd="/home/andrew_kroh"
type=PATH msg=audit(1481077334.304:547): item=0 name="/bin/su" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL
type=PATH msg=audit(1481077334.304:547): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL

It supports outputting the messages as plain text (default), JSON, or YAML by using -format=yaml for example.

$ sudo cat /var/log/audit/audit.log | auparse -format=json
---
{"@timestamp":"2016-12-07 02:22:14.302 +0000 UTC","acct":"root","auid":"1000","exe":"/usr/bin/sudo","grantors":"pam_env,pam_unix","op":"PAM:setcred","pid":"1444","raw_msg":"audit(1481077334.302:545): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'","record_type":"CRED_ACQ","result":"success","sequence":"545","ses":"4","subj_category":"c0.c1023","subj_domain":"unconfined_t","subj_level":"s0-s0","subj_role":"unconfined_r","subj_user":"unconfined_u","terminal":"/dev/pts/1","uid":"0"}
---
{"@timestamp":"2016-12-07 02:22:14.303 +0000 UTC","acct":"root","auid":"1000","exe":"/usr/bin/sudo","grantors":"pam_keyinit,pam_limits","op":"PAM:session_open","pid":"1444","raw_msg":"audit(1481077334.303:546): pid=1444 uid=0 auid=1000 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=/dev/pts/1 res=success'","record_type":"USER_START","result":"success","sequence":"546","ses":"4","subj_category":"c0.c1023","subj_domain":"unconfined_t","subj_level":"s0-s0","subj_role":"unconfined_r","subj_user":"unconfined_u","terminal":"/dev/pts/1","uid":"0"}
---
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","a0":"7f683953a5d8","a1":"7f683953fd38","a2":"7f6839543a90","a3":"6","arch":"x86_64","auid":"1000","comm":"su","egid":"0","euid":"0","exe":"/usr/bin/su","exit":"0","fsgid":"0","fsuid":"0","gid":"0","items":"2","pid":"1445","ppid":"1444","raw_msg":"audit(1481077334.304:547): arch=c000003e syscall=59 success=yes exit=0 a0=7f683953a5d8 a1=7f683953fd38 a2=7f6839543a90 a3=6 items=2 ppid=1444 pid=1445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm=\"su\" exe=\"/usr/bin/su\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)","record_type":"SYSCALL","result":"success","sequence":"547","ses":"4","sgid":"0","subj_category":"c0.c1023","subj_domain":"unconfined_t","subj_level":"s0-s0","subj_role":"unconfined_r","subj_user":"unconfined_u","suid":"0","syscall":"execve","tty":"pts1","uid":"0"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","a0":"su","argc":"1","raw_msg":"audit(1481077334.304:547): argc=1 a0=\"su\"","record_type":"EXECVE","sequence":"547"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","cwd":"/home/andrew_kroh","raw_msg":"audit(1481077334.304:547):  cwd=\"/home/andrew_kroh\"","record_type":"CWD","sequence":"547"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","dev":"08:01","inode":"5026","item":"0","mode":"0104755","name":"/bin/su","obj_domain":"su_exec_t","obj_level":"s0","obj_role":"object_r","obj_user":"system_u","objtype":"NORMAL","ogid":"0","ouid":"0","raw_msg":"audit(1481077334.304:547): item=0 name=\"/bin/su\" inode=5026 dev=08:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:su_exec_t:s0 objtype=NORMAL","rdev":"00:00","record_type":"PATH","sequence":"547"}
{"@timestamp":"2016-12-07 02:22:14.304 +0000 UTC","dev":"08:01","inode":"16778495","item":"1","mode":"0100755","name":"/lib64/ld-linux-x86-64.so.2","obj_domain":"ld_so_t","obj_level":"s0","obj_role":"object_r","obj_user":"system_u","objtype":"NORMAL","ogid":"0","ouid":"0","raw_msg":"audit(1481077334.304:547): item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=16778495 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL","rdev":"00:00","record_type":"PATH","sequence":"547"}

To normalize and interpret the messages, use the -i flag for "interpret". This adds a category to the event and creates the actor, action, thing, and how fields based on data from the event. By default it will resolve UID and GID values to their names (use -id=false to disable this).

$ sudo cat /var/log/audit/audit.log | auparse -format=yaml -i
---
timestamp: 2016-12-07T02:22:14.302Z
sequence: 545
category: user-login
record_type: cred_acq
result: success
session: "4"
summary:
  actor:
    primary: vagrant
    secondary: root
  action: acquired-credentials
  object:
    type: user-session
    primary: /dev/pts/1
  how: /usr/bin/sudo
user:
  ids:
    auid: "1000"
    uid: "0"
  names:
    auid: vagrant
    uid: root
  selinux:
    category: c0.c1023
    domain: unconfined_t
    level: s0-s0
    role: unconfined_r
    user: unconfined_u
process:
  pid: "1444"
  exe: /usr/bin/sudo
data:
  acct: root
  grantors: pam_env,pam_unix
  op: PAM:setcred
  terminal: /dev/pts/1
ecs:
  event:
    category:
    - authentication
    type:
    - info
  user:
    name: vagrant
    id: "1000"
    effective:
      name: root
      id: "0"
    target: {}
    changes: {}
  group: {}

---
timestamp: 2016-12-07T02:22:14.303Z
sequence: 546
category: user-login
record_type: user_start
result: success
session: "4"
summary:
  actor:
    primary: vagrant
    secondary: root
  action: started-session
  object:
    type: user-session
    primary: /dev/pts/1
  how: /usr/bin/sudo
user:
  ids:
    auid: "1000"
    uid: "0"
  names:
    auid: vagrant
    uid: root
  selinux:
    category: c0.c1023
    domain: unconfined_t
    level: s0-s0
    role: unconfined_r
    user: unconfined_u
process:
  pid: "1444"
  exe: /usr/bin/sudo
data:
  acct: root
  grantors: pam_keyinit,pam_limits
  op: PAM:session_open
  terminal: /dev/pts/1
ecs:
  event:
    category:
    - authentication
    type:
    - info
  user:
    name: vagrant
    id: "1000"
    effective:
      name: root
      id: "0"
    target: {}
    changes: {}
  group: {}

---
timestamp: 2016-12-07T02:22:14.304Z
sequence: 547
category: audit-rule
record_type: syscall
result: success
session: "4"
summary:
  actor:
    primary: vagrant
    secondary: root
  action: executed
  object:
    type: file
    primary: /bin/su
  how: /usr/bin/su
user:
  ids:
    auid: "1000"
    egid: "0"
    euid: "0"
    fsgid: "0"
    fsuid: "0"
    gid: "0"
    sgid: "0"
    suid: "0"
    uid: "0"
  names:
    auid: vagrant
    egid: root
    euid: root
    fsgid: root
    fsuid: root
    gid: root
    sgid: root
    suid: root
    uid: root
  selinux:
    category: c0.c1023
    domain: unconfined_t
    level: s0-s0
    role: unconfined_r
    user: unconfined_u
process:
  pid: "1445"
  ppid: "1444"
  name: su
  exe: /usr/bin/su
  cwd: /home/andrew_kroh
  args:
  - su
file:
  path: /bin/su
  device: "00:00"
  inode: "5026"
  mode: "0755"
  uid: "0"
  gid: "0"
  owner: root
  group: root
  selinux:
    domain: su_exec_t
    level: s0
    role: object_r
    user: system_u
data:
  a0: 7f683953a5d8
  a1: 7f683953fd38
  a2: 7f6839543a90
  a3: "6"
  arch: x86_64
  argc: "1"
  exit: "0"
  syscall: execve
  tty: pts1
paths:
- dev: "08:01"
  inode: "5026"
  item: "0"
  mode: "0104755"
  name: /bin/su
  obj_domain: su_exec_t
  obj_level: s0
  obj_role: object_r
  obj_user: system_u
  objtype: NORMAL
  ogid: "0"
  ouid: "0"
  rdev: "00:00"
- dev: "08:01"
  inode: "16778495"
  item: "1"
  mode: "0100755"
  name: /lib64/ld-linux-x86-64.so.2
  obj_domain: ld_so_t
  obj_level: s0
  obj_role: object_r
  obj_user: system_u
  objtype: NORMAL
  ogid: "0"
  ouid: "0"
  rdev: "00:00"
ecs:
  event:
    category:
    - process
    type:
    - start
  user:
    effective: {}
    target: {}
    changes: {}
  group: {}

ECS compatibility

This currently provides Elastic Common Schema (ECS) 1.8 categorization support for some of the more prominent or meaningful auditd events and syscalls.

More Repositories

1

elasticsearch

Free and Open, Distributed, RESTful Search Engine
Java
65,029
star
2

kibana

Your window into the Elastic Stack
TypeScript
19,520
star
3

logstash

Logstash - transport and process your logs, events, or other data
Java
13,615
star
4

elasticsearch-php

Official PHP client for Elasticsearch.
PHP
5,190
star
5

elasticsearch-js

Official Elasticsearch client library for Node.js
TypeScript
5,174
star
6

go-elasticsearch

The official Go client for Elasticsearch
Go
4,933
star
7

elasticsearch-py

Official Python client for Elasticsearch
Python
4,034
star
8

elasticsearch-dsl-py

High level Python client for Elasticsearch
Python
3,695
star
9

elasticsearch-definitive-guide

The Definitive Guide to Elasticsearch
HTML
3,521
star
10

elasticsearch-net

This strongly-typed, client library enables working with Elasticsearch. It is the official client maintained and supported by Elastic.
C#
3,469
star
11

curator

Curator: Tending your Elasticsearch indices
Python
3,032
star
12

elasticsearch-rails

Elasticsearch integrations for ActiveModel/Record and Ruby on Rails
Ruby
3,017
star
13

examples

Home for Elasticsearch examples available to everyone. It's a great way to get started.
Jupyter Notebook
2,587
star
14

cloud-on-k8s

Elastic Cloud on Kubernetes
Go
2,574
star
15

elasticsearch-ruby

Ruby integrations for Elasticsearch
Ruby
1,928
star
16

elasticsearch-hadoop

🐘 Elasticsearch real-time search and analytics natively integrated with Hadoop
Java
1,915
star
17

detection-rules

Python
1,884
star
18

helm-charts

You know, for Kubernetes
Python
1,807
star
19

search-ui

Search UI. Libraries for the fast development of modern, engaging search experiences.
TypeScript
1,796
star
20

logstash-forwarder

An experiment to cut logs in preparation for processing elsewhere. Replaced by Filebeat: https://github.com/elastic/beats/tree/master/filebeat
Go
1,788
star
21

ansible-elasticsearch

Ansible playbook for Elasticsearch
Ruby
1,567
star
22

stack-docker

Project no longer maintained.
Shell
1,189
star
23

apm-server

APM Server
Go
1,100
star
24

protections-artifacts

Elastic Security detection content for Endpoint
YARA
980
star
25

ecs

Elastic Common Schema
Python
920
star
26

ember

Elastic Malware Benchmark for Empowering Researchers
Jupyter Notebook
799
star
27

elasticsearch-docker

Official Elasticsearch Docker image
Python
790
star
28

elasticsearch-rs

Official Elasticsearch Rust Client
Rust
612
star
29

elasticsearch-labs

Notebooks & Example Apps for Search & AI Applications with Elasticsearch
Jupyter Notebook
597
star
30

elasticsearch-cloud-aws

AWS Cloud Plugin for Elasticsearch
580
star
31

apm-agent-nodejs

Elastic APM Node.js Agent
JavaScript
540
star
32

apm-agent-dotnet

Elastic APM .NET Agent
C#
540
star
33

apm-agent-java

Elastic APM Java Agent
Java
536
star
34

eland

Python Client and Toolkit for DataFrames, Big Data, Machine Learning and ETL in Elasticsearch
Python
516
star
35

elasticsearch-mapper-attachments

Mapper Attachments Type plugin for Elasticsearch
Java
503
star
36

elasticsearch-servicewrapper

A service wrapper on top of elasticsearch
Shell
489
star
37

apm-agent-go

Official Go agent for Elastic APM
Go
390
star
38

sense

A JSON aware developer's interface to Elasticsearch. Comes with handy machinery such as syntax highlighting, autocomplete, formatting and code folding.
JavaScript
382
star
39

apm-agent-python

Official Python agent for Elastic APM
Python
381
star
40

elastic-charts

TypeScript
365
star
41

stream2es

Stream data into ES (Wikipedia, Twitter, stdin, or other ESes)
Clojure
356
star
42

timelion

Timelion was absorbed into Kibana 5. Don't use this. Time series composer for Elasticsearch and beyond.
JavaScript
347
star
43

apm

Elastic Application Performance Monitoring - resources and general issue tracking for Elastic APM.
Gherkin
317
star
44

elasticsearch-net-example

A tutorial repository for Elasticsearch and NEST
305
star
45

elasticsearch-migration

This plugin will help you to check whether you can upgrade directly to the next major version of Elasticsearch, or whether you need to make changes to your data and cluster before doing so.
291
star
46

logstash-docker

Official Logstash Docker image
Python
286
star
47

elasticsearch-py-async

Backend for elasticsearch-py based on python's asyncio module.
Python
283
star
48

support-diagnostics

Support diagnostics utility for elasticsearch and logstash
Java
278
star
49

elasticsearch-java

Official Elasticsearch Java Client
Java
274
star
50

es2unix

Command-line ES
Clojure
274
star
51

elasticsearch-analysis-smartcn

Smart Chinese Analysis Plugin for Elasticsearch
268
star
52

dockerfiles

Dockerfiles for the official Elastic Stack images
Shell
253
star
53

go-sysinfo

go-sysinfo is a library for collecting system information.
Go
249
star
54

kibana-docker

Official Kibana Docker image
Python
243
star
55

elasticsearch-metrics-reporter-java

Metrics reporter, which reports to elasticsearch
Java
232
star
56

apm-agent-php

Elastic APM PHP Agent
PHP
229
star
57

docs

Ruby
229
star
58

elasticsearch-river-twitter

Twitter River Plugin for elasticsearch (STOPPED)
Java
202
star
59

elasticsearch-formal-models

Formal models of core Elasticsearch algorithms
Isabelle
200
star
60

rally-tracks

Track specifications for the Elasticsearch benchmarking tool Rally
Python
197
star
61

integrations

Elastic Integrations
Handlebars
194
star
62

beats-dashboards

DEPRECATED. Moved to https://github.com/elastic/beats. Please use the new repository to add new issues.
Shell
192
star
63

elasticsearch-analysis-icu

ICU Analysis plugin for Elasticsearch
189
star
64

elasticsearch-river-rabbitmq

RabbitMQ River Plugin for elasticsearch (STOPPED)
Java
173
star
65

terraform-provider-ec

Go
171
star
66

elasticsearch-analysis-kuromoji

Japanese (kuromoji) Analysis Plugin
168
star
67

dorothy

Dorothy is a tool to test security monitoring and detection for Okta environments
Python
167
star
68

beats-docker

Official Beats Docker images
Python
165
star
69

elasticsearch-river-couchdb

CouchDB River Plugin for elasticsearch (STOPPED)
Java
163
star
70

SWAT

Simple Workspace Attack Tool (SWAT) is a tool for simulating malicious behavior against Google Workspace in reference to the MITRE ATT&CK framework.
Python
156
star
71

apm-agent-ruby

Elastic APM agent for Ruby
Ruby
156
star
72

go-freelru

GC-less, fast and generic LRU hashmap library for Go
Go
151
star
73

require-in-the-middle

Module to hook into the Node.js require function
JavaScript
149
star
74

harp

Secret management by contract toolchain
Go
145
star
75

ml-cpp

Machine learning C++ code
C++
139
star
76

ecs-logging-java

Centralized logging for Java applications with the Elastic stack made easy
Java
137
star
77

ansible-beats

Ansible Beats Role
Ruby
131
star
78

logstash-contrib

THIS REPOSITORY IS NO LONGER USED.
Ruby
128
star
79

elasticsearch-analysis-phonetic

Phonetic Analysis Plugin for Elasticsearch
127
star
80

azure-marketplace

Elasticsearch Azure Marketplace offering + ARM template
Shell
122
star
81

golang-crossbuild

Shell
121
star
82

elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.
Go
121
star
83

anonymize-it

a general utility for anonymizing data
Python
117
star
84

bpfcov

Source-code based coverage for eBPF programs actually running in the Linux kernel
C
115
star
85

windows-installers

Windows installers for the Elastic stack
C#
113
star
86

terraform-provider-elasticstack

Terraform provider for Elastic Stack
Go
111
star
87

makelogs

JavaScript
108
star
88

elasticsearch-lang-python

Python language Plugin for elasticsearch
104
star
89

stack-docs

Elastic Stack Documentation
Java
96
star
90

sysgrok

LLM-driven assistant for analyzing, understanding and optimizing systems
Python
94
star
91

elasticsearch-lang-javascript

JavaScript language Plugin for elasticsearch
93
star
92

crawler

Ruby
92
star
93

elasticsearch-specification

Elasticsearch full specification
TypeScript
89
star
94

elasticsearch-perl

Official Perl low-level client for Elasticsearch.
Perl
87
star
95

next-eui-starter

Start building Kibana protoypes quickly with the Next.js EUI Starter
TypeScript
87
star
96

vue-search-ui-demo

A demo of implementing Elastic's Search UI and App Search using Vue.js
Vue
87
star
97

elasticsearch-transport-thrift

Thrift Transport for elasticsearch (STOPPED)
Java
84
star
98

beats

🐠 Beats - Lightweight shippers for Elasticsearch & Logstash
Go
83
star
99

ecs-dotnet

.NET integrations that use the Elastic Common Schema (ECS)
HTML
82
star
100

generator-kibana-plugin

DEPRECATED Yeoman Generator for Kibana Plugins, please use https://github.com/elastic/template-kibana-plugin/
JavaScript
79
star