• Stars
    star
    1,569
  • Rank 29,832 (Top 0.6 %)
  • Language
    Go
  • License
    MIT License
  • Created about 8 years ago
  • Updated 7 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

go-audit is an alternative to the auditd daemon that ships with many distros

go-audit

License

About

go-audit is an alternative to the auditd daemon that ships with many distros. After having created an auditd audisp plugin to convert audit logs to json, I became interested in creating a replacement for the existing daemon.

Goals
  • Safe : Written in a modern language that is type safe and performant
  • Fast : Never ever ever ever block if we can avoid it
  • Outputs json : Yay
  • Pluggable pipelines : Can write to syslog, local file, Graylog2 or stdout. Additional outputs are easily written.
  • Connects to the linux kernel via netlink (info here and here)

Usage

Installation
  1. Install golang, version 1.14 or greater is required

  2. Clone the repo

    git clone (this repo)
    cd go-audit
    
  3. Build the binary

    make
    
  4. Copy the binary go-audit to wherever you'd like

Testing
  • make test - run the unit test suite
  • make test-cov-html - run the unit tests and open up the code coverage results
  • make bench - run the benchmark test suite
  • make bench-cpu - run the benchmark test suite with cpu profiling
  • make bench-cpulong - run the benchmark test suite with cpu profiling and try to get some gc collection
Running as a service

Check the contrib folder, it contains examples for how to run go-audit as a proper service on your machine.

Example Config

See go-audit.yaml.example

FAQ

I am seeing Error during message receive: no buffer space available in the logs

This is because go-audit is not receiving data as quickly as your system is generating it. You can increase the receive buffer system wide and maybe it will help. Best to try and reduce the amount of data go-audit has to handle.

If reducing audit velocity is not an option you can try increasing socket_buffer.receive in your config. See Example Config for more information

socket_buffer:
    receive: <some number bigger than (the current value * 2)>

Sometime files don't have a name, only inode, what gives?

The kernel doesn't always know the filename for file access. Figuring out the filename from an inode is expensive and error prone.

You can map back to a filename, possibly not the filename, that triggured the audit line though.

sudo debugfs -R "ncheck <inode to map>" /dev/<your block device here>

I don't like math and want you to tell me the syslog priority to use

Use the default, or consult this handy table.

Wikipedia has a pretty good page on this

emerg (0) alert (1) crit (2) err (3) warn (4) notice (5) info (6) debug (7)
kernel (0) 0 1 2 3 4 5 6 7
user (1) 8 9 10 11 12 13 14 15
mail (2) 16 17 18 19 20 21 22 23
daemon (3) 24 25 26 27 28 29 30 31
auth (4) 32 33 34 35 36 37 38 39
syslog (5) 40 41 42 43 44 45 46 47
lpr (6) 48 49 50 51 52 53 54 55
news (7) 56 57 58 59 60 61 62 63
uucp (8) 64 65 66 67 68 69 70 71
clock (9) 72 73 74 75 76 77 78 79
authpriv (10) 80 81 82 83 84 85 86 87
ftp (11) 88 89 90 91 92 93 94 95
ntp (12) 96 97 98 99 100 101 102 103
logaudit (13) 104 105 106 107 108 109 110 111
logalert (14) 112 113 114 115 116 117 118 119
cron (15) 120 121 122 123 124 125 126 127
local0 (16) 128 129 130 131 132 133 134 135
local1 (17) 136 137 138 139 140 141 142 143
local2 (18) 144 145 146 147 148 149 150 151
local3 (19) 152 153 154 155 156 157 158 159
local4 (20) 160 161 162 163 164 165 166 167
local5 (21) 168 169 170 171 172 173 174 175
local6 (22) 176 177 178 179 180 181 182 183
local7 (23) 184 185 186 187 188 189 190 191

I am seeing duplicate entries in syslog!

This is likely because you are running journald which is also reading audit events. To disable it you need to disable the functionality in journald.

sudo systemctl mask systemd-journald-audit.socket

Thanks!

To Hardik Juneja, Arun Sori, Aalekh Nigam Aalekhn for the inspiration via https://github.com/mozilla/audit-go

More Repositories

1

nebula

A scalable overlay networking tool with a focus on performance, simplicity and security
Go
14,374
star
2

SlackTextViewController

⛔️**DEPRECATED** ⛔️ A drop-in UIViewController subclass with a growing text input view and other useful messaging features
Objective-C
8,330
star
3

PanModal

An elegant and highly customizable presentation API for constructing bottom sheet modals on iOS.
Swift
3,631
star
4

circuit

⚑️ A Compose-driven architecture for Kotlin and Android applications.
Kotlin
1,432
star
5

EitherNet

A pluggable sealed API result type for modeling Retrofit responses.
Kotlin
735
star
6

goSDL

goSDL
PHP
522
star
7

foundry

Gradle and IntelliJ build tooling used in Slack's Android repo
Kotlin
429
star
8

slack-api-docs

API Docs for Slack.com
427
star
9

compose-lints

Lint checks to aid with a healthy adoption of Compose
Kotlin
387
star
10

keeper

A Gradle plugin that infers Proguard/R8 keep rules for androidTest sources.
Kotlin
259
star
11

slack-lints

A collection of custom Android/Kotlin lint checks we use in our Android and Kotlin code bases at Slack.
Kotlin
231
star
12

astra

Astra is a structured log search and analytics engine developed by Slack and Salesforce
Java
209
star
13

magic-cli

Ruby
199
star
14

simple-kubernetes-webhook

This project is aimed at illustrating how to build a fully functioning kubernetes admission webhook in the simplest way possible.
Go
183
star
15

csp-html-webpack-plugin

A plugin which, when combined with HTMLWebpackPlugin, adds CSP tags to the HTML output.
JavaScript
159
star
16

hakana

Another typechecker for Hack, built by Slack
Rust
75
star
17

hack-sql-fake

A library for testing database driven code in Hack
Hack
74
star
18

vscode-hack

Hack language & HHVM debugger support for Visual Studio Code
TypeScript
73
star
19

gsuite-oauth-third-party-app-report

Start enforcing G Suite third-party apps via OAuth
JavaScript
55
star
20

backend-interview-prep-questions

A few questions & data to help you prepare for the Slack HQ backend interview
PLpgSQL
45
star
21

moshi-gson-interop

An interop tool for safely mixing Moshi and Gson models in JSON serialization.
Kotlin
43
star
22

kotlin-cli-util

Kotlin CLI utilities, mostly intended for use with Clikt
Kotlin
36
star
23

tree-sitter-hack

Hack grammar for tree-sitter
JavaScript
33
star
24

hack-json-schema

Generate Hack JSON Schema validators based on a JSON Schema.
Hack
27
star
25

auto-value-kotlin

An AutoValue extension that generates binary and source compatible equivalent Kotlin data classes of AutoValue models.
Kotlin
26
star
26

deanimator

Go package that can detect animated images and "deanimate" them by rendering just the first frame as a static image.
Go
25
star
27

es-query-simple

A tiny command line utility to query elasticsearch. "
Python
23
star
28

go-rsyslog-pstats

Parses and forwards rsyslog process stats to a local statsite, statsd, or wire protocol compatible service.
Go
21
star
29

tiny-thumb

Novel, efficient, and practical image compression with visually appealing results. 🀏 ✨
Go
15
star
30

backend-interview-prerequisites

A project to ensure that your backend onsite interview at Slack runs smoothly.
Go
12
star
31

sqlite-go-connect

A simple go app that connects to a sqlite3 database
Go
11
star
32

sqlite-python-connect

Short bit of code to connect to a sqlite db and run a query in python
Python
10
star
33

hack-graphql

Playground for a hack graphql server
Hack
8
star
34

protoc-gen-ts

A Typescript Protocol Buffer Implementation from the Future ✨
TypeScript
8
star
35

htmlsanitizer-hack

A port of the PHP HTML Purifier originally developed by Edward Z. Yang into Hacklang
Hack
7
star
36

sqlite-java-connect

This is a minimal repo project that connects to a sqlite3 database and returns a single row.
Java
6
star
37

slack-astra-app

Grafana plugin that adds support for Astra
TypeScript
6
star
38

grpc-hack

A gRPC extension for HHVM
C++
4
star
39

sqlite-ruby-connect

Just a tiny lil something to connect to SQLite using Ruby
PLpgSQL
3
star
40

proto-hack

hacklang generator for protobuf
Hack
3
star
41

snow

Python
2
star
42

.github

1
star
43

go-metrics-prometheus

Go
1
star
44

quota

1
star