go-audit's People

Contributors

bored-engineer, dependabot[bot], dvrkps, forfuncsake, imreactmd, logorrheic, nbrownus, nettoclaudio, rawdigits, spectrumjade, testwill, trixpan, wadey

go-audit's Issues

Cannot build goaudit, audit.go:226: undefined: user.LookupGroup

Hey. I followed the steps on your github readme. I cannot build due to this error:

some:~/goshit/src/github.com/slackhq/go-audit$ make
govendor sync
go build
# github.com/slackhq/go-audit
./audit.go:226: undefined: user.LookupGroup
Makefile:2: recipe for target 'bin' failed
make: *** [bin] Error 2

I tried to debug it; it's probably happening because Go cannot import the os/user package. Can someone please help me with this?

Reproducible in:

go-audit version: GIT head
OS version(s): Ubuntu 16.04 (Xenial)
Go version: go1.6.2 linux/amd64

Auto-decode hex-encoded values

Would it be a nice idea to auto-decode any hex-encoded values (e.g. proctitle is frequently encoded as such)? This apparently happens automagically when the value contains a space.

go-audit relies on github.com/capsule8/capsule8, which was deleted or made private

I was discussing go-audit and looking at the code, and noticed I couldn't check out one of the dependencies.
I do see it on archive.org wayback machine, but I guess that project is dead.

https://github.com/capsule8/capsule8 404s

github.com/capsule8/capsule8 v0.15.0-alpha.0.20190222164320-1c36ab150bc3

https://github.com/slackhq/go-audit/search?q=capsule8

Just an FYI that you might want to consider migrating off it.

Kernel stack overflow

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

During boot, I'm getting a kernel oops

[ 26.856596] BUG: stack guard page was hit at ffffc900011bbff8 (stack is ffffc900011bc000..ffffc900011bffff)
[ 26.859714] kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP
[ 26.859714] Modules linked in: intel_rapl sb_edac edac_core crct10dif_pclmul mousedev crc32_pclmul crc32c_intel ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd ttm glue_helper cryptd drm_kms_helper drm intel_rapl_perf pcspkr psmouse syscopyarea sysfillrect ppdev sysimgblt parport_pc fb_sys_fops i2c_piix4 parport input_leds led_class fjes intel_agp intel_gtt acpi_cpufreq evdev tpm_tis tpm_tis_core tpm mac_hid sch_fq_codel ip_tables x_tables ext4 crc16 jbd2 fscrypto mbcache ata_generic pata_acpi serio_raw atkbd libps2 ata_piix libata scsi_mod floppy i8042 serio ixgbevf xen_privcmd xen_netfront xen_blkfront virtio_pci virtio_net virtio_blk virtio_ring virtio ipmi_poweroff ipmi_devintf ipmi_msghandler button
[ 26.859714] CPU: 1 PID: 459 Comm: go-audit Not tainted 4.10.11-1-pagarme #1
[ 26.859714] Hardware name: Xen HVM domU, BIOS 4.2.amazon 02/16/2017
[ 26.859714] task: ffff8801090e5580 task.stack: ffffc900011bc000
[ 26.859714] RIP: 0010:_raw_spin_lock_irqsave+0x9/0x50
[ 26.859714] RSP: 0018:ffffc900011bc000 EFLAGS: 00010246
[ 26.859714] RAX: 0000000000000000 RBX: ffff8801090cc800 RCX: 0000000000000000
[ 26.859714] RDX: 0000000100100001 RSI: ffffea0004243200 RDI: ffff88010ac00d40
[ 26.859714] RBP: ffffc900011bc000 R08: 0000000000000001 R09: ffff88010ac00d40
[ 26.859714] R10: ffff8801090cc800 R11: dead000000000100 R12: ffffea0004243200
[ 26.859714] R13: ffff8801090c9800 R14: 0000000000000000 R15: ffff88010ac03040
[ 26.859714] FS: 00007f59a7a7d700(0000) GS:ffff88010b240000(0000) knlGS:0000000000000000
[ 26.859714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 26.915296] CR2: ffffc900011bbff8 CR3: 0000000108a4a000 CR4: 00000000001406e0
[ 26.915296] Call Trace:
[ 26.919284] __slab_free+0x148/0x3d0
[ 26.919465] ? skb_free_head+0x21/0x30
[ 26.919465] kfree+0x177/0x190
[ 26.919465] skb_free_head+0x21/0x30
[ 26.919465] skb_release_data+0x101/0x110
[ 26.919465] ? kauditd_hold_skb+0x74/0xb0
[ 26.919465] skb_release_all+0x24/0x30
[ 26.919465] kfree_skb+0x36/0xb0
[ 26.919465] kauditd_hold_skb+0x74/0xb0
[ 26.919465] auditd_reset+0x2f/0x70
[ 26.919465] kauditd_hold_skb+0x79/0xb0
[ 26.919465] auditd_reset+0x2f/0x70
[ ... the kauditd_hold_skb+0x79/0xb0 / auditd_reset+0x2f/0x70 pair repeats for several hundred more frames, timestamps advancing from 26.919465 to 27.603420 ... ]
[ 27.603420] kauditd_hold_skb+0x79/0xb0
[ 27.603420] auditd_reset+0x2f/0x70
[ 27.603420] audit_receive_msg+0x94e/0xcd0
[ 27.603420] ? __kmalloc_node_track_caller+0x35/0x2c0
[ 27.603420] audit_receive+0x4a/0xa0
[ 27.603420] netlink_unicast+0x17c/0x240
[ 27.603420] netlink_sendmsg+0x348/0x3b0
[ 27.603420] sock_sendmsg+0x17/0x30
[ 27.603420] SyS_sendto+0x101/0x150
[ 27.603420] ? __audit_syscall_entry+0xad/0xf0
[ 27.603420] ? syscall_trace_enter+0x1d9/0x300
[ 27.603420] ? __do_page_fault+0x2dc/0x510
[ 27.603420] do_syscall_64+0x54/0xc0
[ 27.603420] entry_SYSCALL64_slow_path+0x25/0x25
[ 27.603420] RIP: 0033:0x4780ba
[ 27.603420] RSP: 002b:000000c42002ee10 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[ 27.603420] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004780ba
[ 27.603420] RDX: 0000000000000038 RSI: 000000c420172020 RDI: 0000000000000005
[ 27.603420] RBP: 000000c42002ee70 R08: 000000c42015010c R09: 000000000000000c
[ 27.603420] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 27.603420] R13: 00000000ffffffee R14: 0000000000000060 R15: 00000000000000aa
[ 27.603420] Code: f0 80 60 02 df 0f ae f0 48 8b 00 a8 08 74 0b 65 81 25 88 ba 9c 7e ff ff ff 7f 89 d0 5d c3 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 <53> 9c 58 0f 1f 44 00 00 48 89 c3 fa 66 0f 1f 44 00 00 65 ff 05
[ 27.603420] RIP: _raw_spin_lock_irqsave+0x9/0x50 RSP: ffffc900011bc000
[ 27.603420] ---[ end trace 179041e7187b5cc2 ]---
[ 27.743043] note: go-audit[459] exited with preempt_count 1

And then I can't SSH to the machine to get more details (AWS instance)

Reproducible in:

go-audit version: Compiled from e194f88
OS version(s): Arch Linux with kernel 4.11.6

Steps to reproduce:

  1. Run go-audit

Expected result:

go-audit runs

Actual result:

Kernel oops


go-audit process dies frequently on a busy system

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hi,
go-audit process dies frequently on a server which is too busy. It works as expected on the rest of the servers. So far I have increased the socket receive buffer to 16384 x 3 with no luck. Can you help us out on this?

Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message. Error: write unixgram @->/dev/log: write: message too long

rsyslog allows a message size of $MaxMessageSize 20k.

Reproducible in:

go-audit version: current version
OS version(s): Amazon Linux AMI release 2016.09

Consider using code generation (ex: easyjson) for JSON models

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Currently go-audit uses the stdlib encoding/json class to marshal the AuditMessageGroup and AuditMessage structs into a []byte. Internally the encoding/json package uses reflection so it can marshal arbitrary objects.

Because go-audit only uses two static structures there would likely be a significant performance improvement using a code generation library like easyjson to serialize the structures into bytes.

You can find various benchmarks on JSON serialization performance across code generation packages vs stdlib but I am partial to go_serialization_benchmarks:

benchmark                   iter     time/iter   bytes/op  allocs/op  tt.sec  tt.kb  ns/alloc
BenchmarkJsonMarshal-8      1000000  1585 ns/op  304       4          1.58    30400  396.25
BenchmarkEasyJsonMarshal-8  1000000  1125 ns/op  784       5          1.12    78400  225.00

This comes at the cost of an additional dependency (primarily when the models change only)

Out of bound panic

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

I once had a panic in the logs that came from an out-of-bounds array access in parser.go.

Reproducible in:

go-audit version: HEAD
OS version(s): Linux Ubuntu 16.04

Steps to reproduce:

??
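The hex-encoded proctitle request and this out-of-bounds panic in parser.go both come down to how an audit line is parsed, so one defensive parser serves both. It is an added example, not go-audit's own parser or types: it decodes the kernel's uppercase-hex encoding only for a constructed set of known string fields (so numeric values such as pid=4660 are never mis-decoded) and validates every index before slicing, so a truncated header returns an error instead of panicking. The field set in hexFields and the sample lines are assumptions made for the example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// AuditRecord is the parsed form of one audit message line (added example type, not go-audit's own).
type AuditRecord struct {
	Timestamp float64
	Sequence  uint64
	Fields    map[string]string
}

var ErrMalformed = errors.New("malformed audit message")

// hexFields lists string-valued fields that the kernel hex-encodes (uppercase, unquoted)
// when the value contains whitespace, quotes or non-printable bytes. Numeric fields such
// as pid=4660 also look like hex, so decoding is limited to this (assumed) set.
var hexFields = map[string]bool{
	"proctitle": true, "comm": true, "exe": true, "cwd": true,
	"name": true, "key": true, "acct": true, "data": true,
}

// decodeHexValue decodes an even-length uppercase hex value for a field in hexFields; anything else is returned untouched.
func decodeHexValue(field, v string) string {
	if !hexFields[field] || len(v) == 0 || len(v)%2 != 0 {
		return v
	}
	for i := 0; i < len(v); i++ {
		if c := v[i]; !(c >= '0' && c <= '9' || c >= 'A' && c <= 'F') {
			return v
		}
	}
	raw, err := hex.DecodeString(v)
	if err != nil || !utf8.Valid(raw) {
		return v
	}
	// proctitle carries argv separated by NUL bytes; show them as spaces, as auditd does.
	return strings.ReplaceAll(string(raw), "\x00", " ")
}

// parseHeader reads "audit(<secs>.<millis>:<seq>):". Every index is validated
// before slicing, so a truncated header returns ErrMalformed instead of panicking.
func parseHeader(msg string) (ts float64, seq uint64, rest string, err error) {
	const prefix = "audit("
	end, colon := strings.IndexByte(msg, ')'), strings.IndexByte(msg, ':')
	if !strings.HasPrefix(msg, prefix) || end < 0 || colon < 0 || colon > end {
		return 0, 0, "", ErrMalformed
	}
	if ts, err = strconv.ParseFloat(msg[len(prefix):colon], 64); err != nil {
		return 0, 0, "", ErrMalformed
	}
	if seq, err = strconv.ParseUint(msg[colon+1:end], 10, 64); err != nil {
		return 0, 0, "", ErrMalformed
	}
	rest = strings.TrimSpace(strings.TrimPrefix(msg[end+1:], ":"))
	return ts, seq, rest, nil
}

// ParseAuditMessage parses one "audit(...): k=v k=v ..." line. Splitting on
// whitespace is safe because the kernel hex-encodes any value containing a space.
func ParseAuditMessage(msg string) (*AuditRecord, error) {
	ts, seq, rest, err := parseHeader(msg)
	if err != nil {
		return nil, err
	}
	rec := &AuditRecord{Timestamp: ts, Sequence: seq, Fields: map[string]string{}}
	for _, tok := range strings.Fields(rest) {
		eq := strings.IndexByte(tok, '=')
		if eq <= 0 {
			continue // not a key=value token
		}
		k, v := tok[:eq], tok[eq+1:]
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = v[1 : len(v)-1] // quoted values are literal
		} else {
			v = decodeHexValue(k, v)
		}
		rec.Fields[k] = v
	}
	return rec, nil
}

func main() {
	// Constructed sample lines, not captured from a real host.
	for _, line := range []string{
		`audit(1532456789.123:4567): proctitle=2F7573722F62696E2F6C73002D6C61 pid=4660`,
		`audit(1532456789.123:4568): cwd="/tmp" exe="/usr/bin/ls" syscall=59`,
		`audit(1532456789.123`, // truncated header: must return an error, not panic
	} {
		rec, err := ParseAuditMessage(line)
		fmt.Printf("%+v err=%v\n", rec, err)
	}
}
```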

wrong app name in syslogs

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

The latest version has the wrong app name in syslogs.

Reproducible in:

go-audit version:
latest git clone
OS version(s):
amzn linux

Steps to reproduce:

When go-audit is running I see the host FQDN as the app name.

Expected result:

Aug 15 03:25:07 instance-test.abc.local /usr/local/bin/go-audit[3262]


Actual result:

Aug 15 03:25:07 instance-test instance-test.abc.local /usr/local/bin/go-audit[3262]


extras.go does not support disabled container auditing

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Using the provided go-audit.yaml.example prevents the go-audit service from starting. To resolve the issue, you can edit the example configuration file to enable container monitoring.

Reproducible in:

go-audit version:
latest git clone at 42f8f96

OS version(s):
Ubuntu 18.04.4 LTS

Steps to reproduce:

  1. Clone latest version of repo, follow instructions to build (used go version go1.13.7 linux/amd64)
  2. Copy go-audit.yaml.example to go-audit.yaml. Run generated binary with sudo ./go-audit -config go-audit.yaml or as root with ./go-audit -config go-audit.yaml

extras:
  containers:
    enabled: false
    # if enabled, make requests to the local docker daemon for extra container details
    docker: false
    docker_api_version: 1.24
    # number of pid -> container_id mappings to cache (0 means disable cache)
    pid_cache: 0
    # number of container_id -> docker_details to cache (0 means disable cache)
    docker_cache: 0

  3. Optionally, and for this test, I modified extras.go to print more debug information. The steps can be reproduced without this modification.

     4  import "fmt"
.....
    30  func (ps ExtraParsers) Parse(am *AuditMessage) {
    31          for _, p := range ps {
    32                  fmt.Printf("%#v, %#v", p, ps)
    33                  p.Parse(am)
    34          }
    35  }

  4. Observe errors in console
  5. Edit the configuration file to set values to true

extras:
  containers:
    enabled: true
    # if enabled, make requests to the local docker daemon for extra container details
    docker: true
    docker_api_version: 1.24
    # number of pid -> container_id mappings to cache (0 means disable cache)
    pid_cache: 0
    # number of container_id -> docker_details to cache (0 means disable cache)
    docker_cache: 0

  6. Restart service and observe successful event auditing.

$ sudo ./go-audit -config examples/go-audit/go-audit2.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
Socket receive buffer size: 32768
ContainerParser enabled (docker=true pid_cache=0 docker_cache=0)
Started processing events in the range [1300, 1399]
{"sequence":23099,"timestamp":"1580767369.656","messages":[{"type":1305,"data":"audit_pid=2067 old=0 auid=1000 ses=3 res=1"}],"uid_map":{"1000":"computer"}}

Expected result:

Without modifications to the example file, service starts, begins collecting audit data. This should also support instances where Docker is not installed on a host.

Actual result:

[remotephone@computer:~/gits/work/go-audit] 
$ sudo ./go-audit -config go-audit.yaml
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
Socket receive buffer size: 32768
Started processing events in the range [1300, 1399]
<nil>, main.ExtraParsers{main.ExtraParser(nil)}panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x94e708]

goroutine 1 [running]:
main.ExtraParsers.Parse(0xc00030cc40, 0x1, 0x1, 0xc000292ec0)
        /home/remotephone/gits/work/go-audit/extras.go:33 +0x148
main.(*AuditMarshaller).Consume(0xc000225e60, 0xc000317050)
        /home/remotephone/gits/work/go-audit/marshaller.go:97 +0xf9
main.main()
        /home/remotephone/gits/work/go-audit/audit.go:420 +0x674

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

govendor sync on rhel 6.5 just hangs

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

Using a docker 6.5 container with golang 1.7 and govendor installed, when make executes govendor sync, it just hangs. Did the same process on rhel 7.3 and it does not hang.

Reproducible in:

go-audit version:
OS version(s):
rhel 6.5

bash-4.1# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)

Steps to reproduce:

bash-4.1# ls -a
. .travis.yml README.md contrib marshaller.go writer.go
.. BATTLE_TESTING.md audit.go examples marshaller_test.go
.git CODE_OF_CONDUCT.md audit_test.go go-audit parser.go
.github LICENSE client.go go-audit.yaml.example parser_test.go
.gitignore Makefile client_test.go make_deb.sh vendor
bash-4.1# yum list golang
Loaded plugins: product-id, subscription-manager
Installed Packages
golang.x86_64 1.7.4-1.el6 @epel1.

bash-4.1# govendor -version
v1.0.8

bash-4.1# ls vendor
github.com golang.org vendor.json

I've tested and found out it's the vendor.json which is causing it to hang.

bash-4.1# govendor sync . ->? just hangs

Expected result:

e.g. What you expected to happen

Actual result:

e.g. What actually happened

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

Process dies and go-audit stops logging

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (var/log/go-audit.log). Service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.

This issue was reproducible in both Ubuntu and opensuse. Reverting to older VM snapshots resulted in logging being restored; however, after some time or even a reboot the service still stops logging to file. I don't think this is a resource issue and both VMs have plenty of drive space.

Reproducible in:

go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): opensuse 15.2

Expected result:

Process does not stop logging.

Actual result:

Process stops logging after working for some time.

Attachments:

root@ubuntu:/var/log# service go-audit status
โ— go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml

Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `42` containing message type `1306` matching string `saddr=(0200....7F|01>
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type `1305` matching string `.*`
Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]

I could not find any other systems logs that hint any related issues... Any help would be much appreciated!

allow empty syscall in filter to filter message_type 1305

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

To solve issue #13 and filter on internal entries that don't have "syscall" @nbrownus added a patch to allow an empty string for syscall.

A subsequent patch on audit.go line 299 explicitly checks for an empty string and throws an error.

Would you mind removing this second check? Thanks

Reproducible in:

go-audit version: master
OS version(s): 4.14.47-64.38.amzn2.x86_64

Steps to reproduce:

  1. add the following configuration:
    filters:

    • syscall: ""
      message_type: 1305
      regex: .*
  2. Watch go-audit exit with the error message "Filter 1 is missing the syscall entry"

  3. Profit

Expected result:

skipping these messages every five seconds:
audit[14960]: {"sequence":15404,"timestamp":"1531162561.286","messages":[{"type":1305,"data":"audit_pid=14960 old=14960 auid=4294967295 ses=4294967295 res=0"}],"uid_map":{"4294967295":"UNKNOWN_USER"}}

Actual result:

go-audit exits with the error message "Filter 1 is missing the syscall entry"

Attachments:

audit.go line 299:
if af.syscall == "" {
return filters, fmt.Errorf("Filter %d is missing the syscall entry", i+1)
}

Ubuntu 16.10 auditd possible incompatibility

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

When attempting to build and run go-audit I find that no messages are received on ubuntu 16.10. auditctl -l shows the rules being there, but all messages that come in have Seq==0, and they seem to be responses to the config change heartbeat. (used the examples/go-audit/go-audit.yaml but modified to get output to stdout)

Reproducible in:

go-audit version: 2cd7fc8
OS version(s): Ubuntu server 16.10

Expected result:

We should get messages for the hooked syscalls.

Actual result:

No messages are received

Publish debian packages

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Should we add automation to build and publish Debian/Ubuntu packages? There's currently a script to build the package (make_deb.sh) that will build the Debian package. Curious if there is any interest in getting this setup to publish to the right places to make generally available.

Reproducible in:

N/A

Steps to reproduce:

N/A

Expected result:

apt install go-audit

Actual result:

N/A

Attachments:

N/A

Config plugin in go-audit

Currently config is read from a file based on --config command line argument. For an environment where thousands of nodes are monitored using go-audit, these config files need to be pushed from an external tool like chef.

Here are a few thoughts I have:

  • If configs are pulled in a scheduled interval, securely over HTTPS from a central fleet manager exposing config as a REST API, changes in audit configuration can be added and removed frequently and managed more easily.
  • If an external plugin is used (https://golang.org/pkg/plugin/) to read configs, then any custom config plugins can be developed and used at runtime without disturbing the core part of the code.

I could send up a pull request if you like this idea.

kernel got panic with go-audit

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

e.g. Description of the bug or feature

Reproducible in:

go-audit version: master build
OS version(s): ubuntu 14.04 virtual appliance

Steps to reproduce:

  1. build go-audit with golang 1.7.1
  2. generate config file
  3. stop auditd
  4. start go-audit

Expected result:

e.g. What you expected to happen

Actual result:

kernel panic

e.g. What actually happened

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

[11569.640940] audit: netlink_unicast sending to audit_pid=30964 returned error: -111
[11569.643620] Kernel panic - not syncing: audit: audit_pid=30964 reset
[11569.643620]
[11569.644928] CPU: 0 PID: 918 Comm: kauditd Not tainted 4.4.0-75-generic #9614.04.1-Ubuntu
[11569.644928] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1 cloud0 04/01/2014
[11569.644928] 0000000000000000 ffff880235253d68 ffffffff813dce3c ffffffff81ccf361
[11569.644928] ffff8802347191e4 ffff880235253de0 ffffffff81182e9c 0000000000000010
[11569.644928] ffff880235253df0 ffff880235253d90 ffff880235253da0 ffff880235253e28
[11569.644928] Call Trace:
[11569.644928] [] dump_stack+0x63/0x87
[11569.644928] [] panic+0xc8/0x20f
[11569.644928] [] audit_panic+0x5e/0x60
[11569.644928] [] audit_log_lost+0x3f/0xc0
[11569.644928] [] kauditd_send_skb+0x122/0x150
[11569.644928] [] ? audit_printk_skb+0x70/0x70
[11569.644928] [] kauditd_thread+0x78/0x190
[11569.644928] [] ? prepare_to_wait_event+0xf0/0xf0
[11569.644928] [] kthread+0xc9/0xe0
[11569.644928] [] ? kthread_park+0x60/0x60
[11569.644928] [] ret_from_fork+0x3f/0x70
[11569.644928] [] ? kthread_park+0x60/0x60
[11569.644928] Kernel Offset: disabled
[11569.644928] ---[ end Kernel panic - not syncing: audit: audit_pid=30964 reset
[11569.644928]

no tags/releases

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

No releases/tags, and (per #65), no prebuilt binaries. I did notice that make_deb.sh includes a version 0.16.0, but contrib/go-audit.rpmbuild.spec specifies version 1.

I am trying to integrate go-audit into an AWS AMI build pipeline. At present I am cloning, checking out a specific commit, building a binary and copying it into my AMI volume. This works, but it's not particularly nice — which version have I installed? It also precludes semantic versioning.

With build tooling being very much a matter of taste and also org suitability I have not immediately created a PR. If a Goreleaser config would work for Slack I'll happily contribute one as I'm somewhat familiar with it via my own projects.

Thanks for sharing this software!

Reproducible in:

N/A

Steps to reproduce:

N/A

Expected result:

Github releases, or at least version tags

Actual result:

No tags or releases

Attachments:

N/A

LXD support

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

I've seen docker containers are supported since a while. Is there some way to get events specifically from LXD containers?

govendor install line needs GOPATH setting first, if not already set.

Description

Following a clean install (Ubuntu 16.04 LTS), and apt-get install golang, the install guidance to add govendor fails with this error:

~$ go get -u github.com/kardianos/govendor
package github.com/kardianos/govendor: cannot download, $GOPATH not set. For more details see: go help gopath

~$ sudo go get -u github.com/kardianos/govendor
package github.com/kardianos/govendor: cannot download, $GOPATH not set. For more details see: go help gopath

Reproducible in:

go-audit version: all - installation guidance issue.
OS version(s): Ubuntu 16.04

Steps to reproduce:

~$ go get -u github.com/kardianos/govendor

Expected result:

Actual result:

package github.com/kardianos/govendor: cannot download, $GOPATH not set. For more details see: go help gopath

Attachments:

n/a

go-audit on ubuntu sending an "event" every 5 seconds with no related audit rule

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Compiled on both ubuntu and redhat. When running on redhat, nothing is logged until an event happens, which is expected. On ubuntu, using the same exact yaml file, the following entry is generated every 5 seconds (example of two messages):
[root@ld4643 tmp]# nc -u -l 514 | tee audit.out
<129>2016-12-19T14:34:43-05:00 ld4645 audit-thing[6000]: {"sequence":10672,"timestamp":"1482176078.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
<129>2016-12-19T14:34:48-05:00 ld4645 audit-thing[6000]: {"sequence":10673,"timestamp":"1482176083.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}

Reproducible in:

go-audit version:

OS version(s):
root@ld4645:/home/bxj6191# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

[root@ld4643 tmp]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

Steps to reproduce:

The following rules were added to the YAML file
-w /tmp/bxj6191/ -p wa -k selinux_changes
-w /tmp/bxj6191/test_audit -p x -k module_insertion

  1. start nc on other server
  2. start go-audit on ubuntu
  3. messages start appearing in the log

Expected result:

no entries added to log until rule is applicable

Actual result:

entry added every 5 seconds

[root@ld4643 tmp]# nc -u -l 514 | tee audit.out
<129>2016-12-19T14:34:43-05:00 ld4645 audit-thing[6000]: {"sequence":10672,"timestamp":"1482176078.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}
<129>2016-12-19T14:34:48-05:00 ld4645 audit-thing[6000]: {"sequence":10673,"timestamp":"1482176083.578","messages":[{"type":1305,"data":"audit_pid=6000 old=6000 auid=1000 ses=497 res=1"}],"uid_map":{"1000":"ubuntu"}}

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

Failed to open syslog writer

Description

I'm seeing a failure to open syslog writer. Is there additional setup that I need? I also tried making syslogd listen on /var/run/go-audit.sock but still no luck. I tried this on Ubuntu 16.04.

$ sudo go-audit -config examples/go-audit/go-audit.yaml 
Flushed existing audit rules
Added audit rule #1
Added audit rule #2
Added audit rule #3
Added audit rule #4
Added audit rule #5
Added audit rule #6
Added audit rule #7
Added audit rule #8
Added audit rule #9
Added audit rule #10
Failed to open syslog writer. Error: dial unix /var/run/go-audit.sock: connect: connection refused

Migrate away from govendor to go modules

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

The current README.md file describes using govendor to install the package:

Install govendor if you haven't already
go get -u github.com/kardianos/govendor

govendor is now deprecated and go modules is recommended.
It appears that a go.mod file was added in e90a1ca already.

Does the README file just need an update or is some other migration work necessary to remove the govendor pattern.

"type":1305 AUDIT_CONFIG_CHANGE log noise

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

When I run go-audit it logs AUDIT_CONFIG_CHANGE messages every few seconds. Any idea why this is happening? I don't see this when running ordinary auditd.

Reproducible in:

go-audit version: dev+20200629015509
I also tried with version 1.00 and got the same result.
OS version(s): Ubuntu 20.04 LTS
kernel 5.4.0-39-generic
go v1.13.8

Steps to reproduce:

  1. go-audit /etc/example.yaml
    example.yaml is an unmodified copy of go-audit.yaml.example

Expected result:

e.g. What you expected to happen

No AUDIT_CONFIG_CHANGE messages.
A similar volume of messages as when I run auditd with the same rules.

Actual result:

{"sequence":904,"timestamp":"1593402441.566","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":905,"timestamp":"1593402446.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}
{"sequence":906,"timestamp":"1593402451.567","messages":[{"type":1305,"data":"op=set audit_pid=1585 old=1585 auid=0 ses=5 res=0"}],"uid_map":{"0":"root"}}

How to filter to command run in local0 to 7

Hi,

I want to filter to just see all commands run by users in local0 to 7.

I think it is here:

# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
  # Each filter consists of exactly 3 parts
  - syscall: 54 # The syscall id of the message group (a single log line from go-audit), to test against the regex
    message_type: 1306 # The message type identifier containing the data to test against the regex
    regex: saddr=(10..|0A..) # The regex to test against the message specific message types data

For example i want to filter on this :

{"sequence":1737967,"timestamp":"1687420435.434","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=5558db82cfb0 a1=5558db82bfe0 a2=5558db70ebc0 a3=8 items=2 ppid=75483 pid=1615780 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=\"cat\" exe=\"/usr/bin/cat\" subj=unconfined key=(null)"},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/var/log/pacman.log\""},{"type":1307,"data":"cwd=\"/root\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=17698222 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=18143793 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1327,"data":"proctitle=636174002F7661722F6C6F672F7061636D616E2E6C6F67"}],"uid_map":{"0":"root","1000":"pc"}}

Also I have limited events to 1327.

Best Regards
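The two filter questions above (dropping the type 1305 lines with an empty syscall, and narrowing execve records down to particular commands) both come down to how a go-audit filter entry is applied: the event's syscall must match, and the named message type's data must match the regex. The following is an added, stand-alone Go example that reconstructs that matching over raw go-audit JSON lines; it is not go-audit's own code. The type names, the rule that an empty syscall matches events carrying no SYSCALL (1300) record, and the sample filters are assumptions for illustration; the two sample lines are copied from the issues above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Filter mirrors the three-part entries under "filters:" in go-audit.yaml.
// Assumption for this example: an empty Syscall means "events that carry
// no SYSCALL (1300) record", which is what the 1305 keep-alive lines are.
type Filter struct {
	Syscall     string
	MessageType int
	Regex       *regexp.Regexp
}

type auditRecord struct {
	Type int    `json:"type"`
	Data string `json:"data"`
}

type auditEvent struct {
	Messages []auditRecord `json:"messages"`
}

var syscallRe = regexp.MustCompile(`\bsyscall=(\d+)\b`)

// eventSyscall returns the syscall number from the event's SYSCALL record,
// or "" when the event has no such record.
func eventSyscall(ev auditEvent) string {
	for _, r := range ev.Messages {
		if r.Type == 1300 {
			if m := syscallRe.FindStringSubmatch(r.Data); m != nil {
				return m[1]
			}
		}
	}
	return ""
}

// Matches reports whether the filter applies to the event: the syscall must
// match and at least one record of MessageType must match Regex.
func (f Filter) Matches(ev auditEvent) bool {
	if eventSyscall(ev) != f.Syscall {
		return false
	}
	for _, r := range ev.Messages {
		if r.Type == f.MessageType && f.Regex.MatchString(r.Data) {
			return true
		}
	}
	return false
}

// ShouldDrop parses one go-audit JSON line and reports whether any filter
// matches it (a matching filter means the event is ignored, not logged).
func ShouldDrop(line string, filters []Filter) (bool, error) {
	var ev auditEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return false, err
	}
	for _, f := range filters {
		if f.Matches(ev) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample input, copied from the issue reports above: a 1305
// keep-alive line and an execve event.
const keepaliveLine = `{"sequence":15404,"timestamp":"1531162561.286","messages":[{"type":1305,"data":"audit_pid=14960 old=14960 auid=4294967295 ses=4294967295 res=0"}],"uid_map":{"4294967295":"UNKNOWN_USER"}}`
const execveLine = `{"sequence":1737967,"timestamp":"1687420435.434","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=5558db82cfb0 a1=5558db82bfe0 a2=5558db70ebc0 a3=8 items=2 ppid=75483 pid=1615780 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm=\"cat\" exe=\"/usr/bin/cat\" subj=unconfined key=(null)"},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/var/log/pacman.log\""},{"type":1307,"data":"cwd=\"/root\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=17698222 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=18143793 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0"},{"type":1327,"data":"proctitle=636174002F7661722F6C6F672F7061636D616E2E6C6F67"}],"uid_map":{"0":"root","1000":"pc"}}`

// sampleFilters: drop the keep-alive noise, and drop execve (59) events
// whose EXECVE (1309) record shows "cat" being run. Constructed for the demo.
var sampleFilters = []Filter{
	{Syscall: "", MessageType: 1305, Regex: regexp.MustCompile(`.*`)},
	{Syscall: "59", MessageType: 1309, Regex: regexp.MustCompile(`a0="cat"`)},
}

func main() {
	for _, line := range []string{keepaliveLine, execveLine} {
		drop, err := ShouldDrop(line, sampleFilters)
		fmt.Printf("drop=%v err=%v\n", drop, err)
	}
}
```

Because the syscall is taken only from the SYSCALL record, the empty-syscall filter cannot accidentally swallow real syscall events, and the execve filter cannot match the keep-alive lines; that separation is what makes a broad regex such as `.*` safe on the 1305 filter.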

Doubled audit messages with journald

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hello, not really a go-audit issue, but there is some systemd behaviour that I think should be noticed: on recent versions of journald, journald by default listens to kernel audit messages by directly using a netlink socket.

That behaviour could generate double audit entries, or other strange issues, for example if you configure rsyslog to ingest journald messages, and also configure rsyslog to ingest go-audit messages.

To disable the journald audit socket:
sudo systemctl mask systemd-journald-audit.socket

Kind regards !

Split messages

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hello. I would like to know how I can split messages, or prevent go-audit from aggregating them into a single log line.

For example:

2017-06-29T00:46:11Z ip-10-0-0-99 go-audit[297]: {"sequence":2487,"timestamp":"1498697171.657","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=e4fee0 a1=e510a0 a2=e22540 a3=5a1 items=2 ppid=18824 pid=18848 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"user_commands\""},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/etc/passwd\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=409296 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=395436 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1327,"data":"proctitle=636174002F6574632F706173737764"}],"uid_map":{"0":"root","1000":"henrique.goncalves"}}

Under "messages", there are several entries. This is proving a pain in the buttocks to parse with logstash. All my "split" tries didnt work.

How can I log each of those messages separated, even if duplicating the sequence and timestamp values, and the uid_map.

Reproducible in:

go-audit version: all
OS version(s): all

Steps to reproduce:

  1. Log anything

Expected result:

Messages are logged separately

Actual result:

Messages are put into a JSON array somewhat hard to parse using logstash.

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

Backend: go-audit events are not put into the streamstash index

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Backend: streamstash won't put the go-audit events in the "streamstash" index

Reproducible in:

go-audit version: latest
streamstash version: latest, as the suggested version in the example docs (sudo npm install -g https://github.com/nbrownus/streamstash#2.0) didn't work
OS version(s): Ubuntu 16.04 (on both backend & client)

Steps to reproduce:

  1. Follow the example docs to install & configure
  2. Start up everything

Expected result:

According to the example docs a custom index should be created named "streamstash"
https://github.com/slackhq/go-audit/blob/master/examples/streamstash/streamstash.js#L21

Actual result:

streamstash puts all events in the (default?) "logstash-*" index

Attachments:

Viper issue has been fixed. Yay viper!

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

The example yaml indicates that it's blocked by viper issue, that's since been resolved. Yay viper!

Reproducible in:

Uhh here: https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example#L1-L5

Steps to reproduce:

Look above

Expected result:

Nothing particularly. This is a heads up that it's been fixed.

Actual result:

I filled out an awkward set of questions.

Attachments:

Here's a cat! https://s-media-cache-ak0.pinimg.com/564x/45/91/b2/4591b2ec5726c7ad10537568415e8b07.jpg

reopen govendor sync on rhel 6.5 just hangs

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

Now using the contrib spec file which means I need to compile on 6 to create the el6 rpm.
Using a docker 6.5 container with golang 1.7 and govendor installed, when make executes govendor sync, it just hangs. Did the same process on rhel 7.3 and it does not hang.

Reproducible in:

go-audit version: 752b3358719278e32d780677e9dde2b075a3c6d5
OS version(s):

Steps to reproduce:

  1. spectool -g -C ./rpmbuild go-audit.rpmbuild.spec
     rpmbuild --define "_topdir %(pwd)/rpmbuild"
     --define "_builddir %{_topdir}"
     --define "_rpmdir %{_topdir}"
     --define "_srcrpmdir %{_topdir}"
     --define '_rpmfilename %%{NAME}-%%{VERSION}-%%{RELEASE}.%%{ARCH}.rpm'
     --define "_specdir %{_topdir}"
     --define "_sourcedir %{_topdir}"
     -ba go-audit.rpmbuild.spec

Expected result:

make completes

Actual result:

make hangs at govendor

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

Decoding of saddr and other values

Does go-audit decode the encoded fields such as saddr, a0, etc...?
If so, are there special configuration parameters that need to be set?
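The "Split messages" request above and the question here about decoding saddr and other hex fields can be handled in one post-processing step on go-audit's output. The following is an added Go example, not go-audit's own code and not an answer about its configuration: it parses one aggregated event line, emits a flat record per kernel message (carrying the sequence, timestamp and uid_map on each), decodes the hex proctitle, and decodes the hex struct sockaddr that SOCKADDR (1306) records carry. The type names are assumptions; the sample line is the one quoted in the "Split messages" issue, and the saddr values are constructed. The sockaddr layout assumes a little-endian host (x86_64), which is why the family appears as "0200" for AF_INET and "0A00" for AF_INET6 in the regexes seen elsewhere on this page.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// auditRecord and auditEvent mirror the JSON go-audit writes: one event per
// line, with a "messages" array holding one entry per kernel record.
type auditRecord struct {
	Type int    `json:"type"`
	Data string `json:"data"`
}

type auditEvent struct {
	Sequence  int               `json:"sequence"`
	Timestamp string            `json:"timestamp"`
	Messages  []auditRecord     `json:"messages"`
	UIDMap    map[string]string `json:"uid_map"`
}

// SplitRecord is one flat line per kernel record; the event-level fields are
// copied into each so nothing is lost when the array is broken up.
type SplitRecord struct {
	Sequence  int               `json:"sequence"`
	Timestamp string            `json:"timestamp"`
	Type      int               `json:"type"`
	Data      string            `json:"data"`
	UIDMap    map[string]string `json:"uid_map"`
}

// SplitEvent turns one aggregated go-audit line into one record per message.
func SplitEvent(line string) ([]SplitRecord, error) {
	var ev auditEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return nil, err
	}
	out := make([]SplitRecord, 0, len(ev.Messages))
	for _, m := range ev.Messages {
		out = append(out, SplitRecord{ev.Sequence, ev.Timestamp, m.Type, m.Data, ev.UIDMap})
	}
	return out, nil
}

// DecodeProctitle decodes the hex proctitle value. argv entries are NUL
// separated in the raw bytes, so NULs become spaces.
func DecodeProctitle(h string) (string, error) {
	raw, err := hex.DecodeString(h)
	if err != nil {
		return "", err
	}
	return strings.ReplaceAll(strings.TrimRight(string(raw), "\x00"), "\x00", " "), nil
}

// DecodeSaddr decodes the hex struct sockaddr from a SOCKADDR (1306) record.
// Assumption: little-endian host, so sa_family is the first two bytes
// byte-swapped. Only AF_INET (2) and AF_INET6 (10) are handled here.
func DecodeSaddr(h string) (string, error) {
	raw, err := hex.DecodeString(h)
	if err != nil {
		return "", err
	}
	if len(raw) < 2 {
		return "", fmt.Errorf("saddr too short")
	}
	family := binary.LittleEndian.Uint16(raw[:2])
	var ip net.IP
	switch {
	case family == 2 && len(raw) >= 8: // sockaddr_in: port (network order), 4-byte address
		ip = net.IP(raw[4:8])
	case family == 10 && len(raw) >= 24: // sockaddr_in6: port, 4-byte flowinfo, 16-byte address
		ip = net.IP(raw[8:24])
	default:
		return "", fmt.Errorf("unsupported or truncated sockaddr (family %d)", family)
	}
	port := binary.BigEndian.Uint16(raw[2:4])
	return net.JoinHostPort(ip.String(), strconv.Itoa(int(port))), nil
}

// Constructed sample: the execve event quoted in the "Split messages" issue.
const sampleLine = `{"sequence":2487,"timestamp":"1498697171.657","messages":[{"type":1300,"data":"arch=c000003e syscall=59 success=yes exit=0 a0=e4fee0 a1=e510a0 a2=e22540 a3=5a1 items=2 ppid=18824 pid=18848 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"user_commands\""},{"type":1309,"data":"argc=2 a0=\"cat\" a1=\"/etc/passwd\""},{"type":1302,"data":"item=0 name=\"/usr/bin/cat\" inode=409296 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1302,"data":"item=1 name=\"/lib64/ld-linux-x86-64.so.2\" inode=395436 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL"},{"type":1327,"data":"proctitle=636174002F6574632F706173737764"}],"uid_map":{"0":"root","1000":"henrique.goncalves"}}`

func main() {
	recs, err := SplitEvent(sampleLine)
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		b, _ := json.Marshal(r)
		fmt.Println(string(b))
		if r.Type == 1327 { // PROCTITLE is hex encoded; show it decoded
			title, _ := DecodeProctitle(strings.TrimPrefix(r.Data, "proctitle="))
			fmt.Println("decoded proctitle:", title)
		}
	}
	addr, _ := DecodeSaddr("020000357F000001") // constructed AF_INET value
	fmt.Println("decoded saddr:", addr)
}
```

One flat object per record is what log pipelines such as logstash index most easily; the cost is that every record repeats the uid_map, which is small. The decoder refuses families it does not understand rather than guessing, so a truncated or AF_UNIX saddr surfaces as an error instead of a wrong address.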

Ship an official Docker image

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Ship an official Docker image for go-auditd. Should be as simple as adding a Dockerfile here and setting up automated builds on DockerHub. Would be quite useful for folks wanting to run this inside docker containers.

Do we need to implement logrotate for the go-audit.log file?

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

Do we need to implement logrotate for the go-audit.log file? Or is there a way to add logrotate in the go-audit.yaml file?

In auditd you can set logrotate in the auditd.conf file just wondering if there is something similar in go-audit.

max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE

Reproducible in:

go-audit version: 1
OS version(s): Centos 8

Steps to reproduce:

Expected result:

go-audit.log does not grow too big in size.

Actual result:

e.g. What actually happened

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

go-audit test fail

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Test run fails.

Reproducible in:

go-audit version:
OS version(s): CentOS 6.8
go version go1.7.3 linux/amd64

Steps:

go test -v

=== RUN Test_loadConfig
--- PASS: Test_loadConfig (0.00s)
=== RUN Test_setRules
Flushed existing audit rules
Flushed existing audit rules
Flushed existing audit rules
Added audit rule 1
Added audit rule 3
--- PASS: Test_setRules (0.00s)
=== RUN Test_createFileOutput
--- FAIL: Test_createFileOutput (0.00s)
Error Trace: audit_test.go:160
Error: Expected value not to be nil.
Messages: An error is expected but got nil.
Error Trace: audit_test.go:161
Error: Expected nil, but got: &main.AuditWriter{e:(*json.Encoder)(0xc4201423c0), w:(*os.File)(0xc420030148), attempts:1}

=== RUN Test_createSyslogOutput
--- FAIL: Test_createSyslogOutput (0.00s)
Error Trace: audit_test.go:205
Error: Expected nil, but got: &errors.errorString{s:"Failed to open syslog writer. Error: dial tcp [::]:38761: connect: no route to host"}
Error Trace: audit_test.go:206
Error: Expected value not to be nil.
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x48c6c0]
goroutine 8 [running]:
panic(0x7e85c0, 0xc420010120)
/usr/lib/golang/src/runtime/panic.go:500 +0x1a1
testing.tRunner.func1(0xc420092600)
/usr/lib/golang/src/testing/testing.go:579 +0x25d
panic(0x7e85c0, 0xc420010120)
/usr/lib/golang/src/runtime/panic.go:458 +0x243
go-audit.Test_createSyslogOutput(0xc420092600)
/root/go/src/go-audit/audit_test.go:207 +0xdc0
testing.tRunner(0xc420092600, 0x88a0f8)
/usr/lib/golang/src/testing/testing.go:610 +0x81
created by testing.(*T).Run
/usr/lib/golang/src/testing/testing.go:646 +0x2ec
exit status 2
FAIL go-audit 0.011s

go-audit build issue

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Build of go-audit not successful due to go path issues.

Troubleshooting path issue, I attempted to use 'go get' but this failed with
error 177: undefined: user.LookupGroup

Reproducible in:

go-audit version:
OS version(s): CentOS 7

Steps to reproduce:

$ go get github.com/slackhq/go-audit

pwd
/home/user/go/src/github.com/slackhq/go-audit
[user@localhost go-audit]$ make
govendor sync
go build
# github.com/slackhq/go-audit
./audit.go:177: undefined: user.LookupGroup
make: *** [bin] Error 2

Expected result:

Actual result:

./audit.go:177: undefined: user.LookupGroup

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.

Replacing auditd with go-audit

I had a more fundamental question. I was playing with go-audit in CentOS 7. If go-audit is supposed to be a replacement for auditd, is it possible to stop auditd on the distro, and even possibly remove it altogether? I ask this because when I tried, I got the following error:

[root@CyCentos myuser]# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details

I would be concerned that running auditd and go-audit together on the same system would be a performance bottleneck.

Thanks! I could pull the repo and document the answer you provided if you want.

Pre-compiled version?

Would like to move from auditd to go-audit, but the problem for me is that the machines that this will be installed on have no internet access. This means that the govendor sync cannot resolve the dependencies in vendor/vendor.json. I'm not very familiar with go but know that it's compiled. If it's possible could you release a pre-compiled version? Cheers :)

Enhance request for ECS compatible go-audit output

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hello!
I want to ask you to consider creating an ECS-compatible (https://www.elastic.co/guide/en/ecs/1.9/ecs-field-reference.html) go-audit output format.
ECS is a field name normalization scheme used in the Elastic Security (SIEM) module, which we want to use in our SOC.

At the moment, the correspondence of field names to the ECS scheme out of the box is present when using the Auditbeat utility with the auditd module (https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-module-auditd.html).
It looks like we can use Filebeat with auditd module to simply read auditd logs too (https://www.elastic.co/guide/en/beats/filebeat/7.11/filebeat-module-auditd.html).

But I think these options could not be used if we want to use go-audit instead of classic auditd.
Manually converting field names in accordance with the ECS format is a very time-consuming task and it would be very cool if a go-audit could do it out of the box.

I found another interesting Elastic repository with similar topic https://github.com/elastic/go-libaudit, maybe it will give you some additional useful data.

go-audit make is not showing any progress

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

make has been running for a day with no progress

Reproducible in:

go-audit version:
OS version(s): go1.7.4 linux/amd64

Steps to reproduce:

  1. mkdir ~/go-test
  2. export GOPATH=$HOME/go-test
  3. cd go-test
  4. go get -u github.com/kardianos/govendor
  5. cd src
  6. git clone https://github.com/slackhq/go-audit.git
  7. cd go-audit
  8. make

Expected result:

N/A

Actual result:

[go-audit]# make
govendor sync

make stays here, no progress on this.

[ go-test]# du -sh *
8.9M bin
1.4M pkg
9.0M src
[go-test]# du -sh .cache
64M .cache

Failed with panic: runtime error: invalid memory address or nil pointer dereference

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

e.g. Description of the bug or feature

Reproducible in:

go-audit version: Latest master branch
OS version(s): Ubuntu 16.04.3 LTS (4.4.0-1028-aws)
rsyslog (preinstalled in Ubuntu): 8.16.0

Steps to reproduce:

  1. Install go-audit with go get github.com/slackhq/go-audit, or make in $GOPATH/src/github.com/slackhq/go-audit after go get github.com/slackhq/go-audit.
  2. Copy go-audit from $GOPATH/bin of former in step 1 or $GOPATH/src/github.com/slackhq/go-audit of latter in step 1, into /usr/local/bin.
  3. Configure /etc/go-audit.yml with syslog output following https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example and run go-audit with systemd.
  4. Configure /etc/go-audit.yml with file output and sudo mkdir /var/log/go-audit, and restart go-audit yields the same failure.
  5. Configure /etc/rsyslog.conf with module(load="imtcp") and input(type="imtcp" port="514"), /etc/go-audit.yml configured with network: tcp and address: localhost:514, and restart go-audit yields the same failure.

Expected result:

Normal run of go-audit.

Actual result:

Output of /var/log/syslog:

Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: Flushed existing audit rules
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: Added audit rule #1
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: Added audit rule #2
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: Added audit rule #3
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: Socket receive buffer size: 32768
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: panic: runtime error: invalid memory address or nil pointer dereference
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x75ef0f]
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: goroutine 1 [running]:
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: main.createFilters(0xc42007c1e0, 0x838967, 0x21, 0x1f4)
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: #011/home/ubuntu/go/src/github.com/slackhq/go-audit/audit.go:299 +0x55f
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: main.main()
Aug  6 02:28:05 ip-10-255-0-48 go-audit[1138]: #011/home/ubuntu/go/src/github.com/slackhq/go-audit/audit.go:339 +0x374
Aug  6 02:28:05 ip-10-255-0-48 systemd[1]: go-audit.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.659200] audit_printk_skb: 15 callbacks suppressed
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.659203] audit: type=1131 audit(1501957685.404:17): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=go-audit comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Aug  6 02:28:05 ip-10-255-0-48 systemd[1]: go-audit.service: Unit entered failed state.
Aug  6 02:28:05 ip-10-255-0-48 systemd[1]: go-audit.service: Failed with result 'exit-code'.
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.668861] audit: type=1300 audit(1501957685.416:18): arch=c000003e syscall=59 success=yes exit=0 a0=134e8e8 a1=134d6c8 a2=1343008 a3=598 items=2 ppid=1359 pid=1361 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/bin/sed" key=(null)
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.668867] audit: type=1309 audit(1501957685.416:18): argc=2 a0="sed" a1="s/\([^.]*\)[^@]*\(.*\)/\1\2/"
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.668869] audit: type=1307 audit(1501957685.416:18):  cwd="/"
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.668873] audit: type=1302 audit(1501957685.416:18): item=0 name="/bin/sed" inode=15 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.668876] audit: type=1302 audit(1501957685.416:18): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2041 dev=ca:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.668880] audit: type=1327 audit(1501957685.416:18): proctitle=73656400732F5C285B5E2E5D2A5C295B5E405D2A5C282E2A5C292F5C315C322F
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.696417] audit: type=1300 audit(1501957685.416:19): arch=c000003e syscall=59 success=yes exit=0 a0=134d9c8 a1=1344308 a2=1343008 a3=598 items=2 ppid=1339 pid=1362 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="localedef" exe="/usr/bin/localedef" key=(null)
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.696424] audit: type=1309 audit(1501957685.416:19): argc=9 a0="localedef" a1="-i" a2="en_US" a3="-c" a4="-f" a5="UTF-8" a6="-A" a7="/usr/share/locale/locale.alias" a8="en_US.UTF-8"
Aug  6 02:28:05 ip-10-255-0-48 kernel: [   15.696427] audit: type=1307 audit(1501957685.416:19):  cwd="/"

Note:

The auditd is loaded but not active:

$ systemctl status auditd
โ— auditd.service - Security Auditing Service
   Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: inactive (dead)

Code of Conduct 404

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Link in CONTRIBUTING.md points to CODE_OF_CONDUCT.md within .github, however is actually located in project root. Should contributing docs be updated to point to correct location, or code file moved to .github?

incessant likely missed sequence messages

  • [x] I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • [x] I've read and agree to the Code of Conduct.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Description

incessant "Likely Missed sequence" messages

Reproducible in:

go-audit version:

OS version(s):
root@ld5333:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

Steps to reproduce:

  1. start go-audit and let run

Expected result:

e.g. What you expected to happen

Actual result:

root@ld5333:/tmp# ./go-audit -config go-audit.yaml
2017/02/03 Flushed existing audit rules
2017/02/03 Added audit rule #1
2017/02/03 Added audit rule #2
2017/02/03 Socket receive buffer size: 32768
2017/02/03 Ignoring syscall 49 containing message type 1306 matching string saddr=(10..|0A..)
2017/02/03 Ignoring syscall `` containing message type 1305 matching string `.*`
2017/02/03 Started processing events
2017/02/03 Likely missed sequence 504532, current 505034, worst message delay 0
2017/02/03 Likely missed sequence 504534, current 505036, worst message delay 0
2017/02/03 Likely missed sequence 504536, current 505038, worst message delay 0
2017/02/03 Likely missed sequence 504538, current 505040, worst message delay 0
2017/02/03 Likely missed sequence 504540, current 505042, worst message delay 0
2017/02/03 Likely missed sequence 504542, current 505044, worst message delay 0
2017/02/03 Likely missed sequence 504544, current 505046, worst message delay 0
2017/02/03 Likely missed sequence 504546, current 505048, worst message delay 0
2017/02/03 Likely missed sequence 504548, current 505050, worst message delay 0
2017/02/03 Likely missed sequence 504550, current 505052, worst message delay 0
2017/02/03 Likely missed sequence 504552, current 505054, worst message delay 0
2017/02/03 Likely missed sequence 504554, current 505056, worst message delay 0
2017/02/03 Likely missed sequence 504556, current 505058, worst message delay 0
2017/02/03 Likely missed sequence 504558, current 505060, worst message delay 0
2017/02/03 Likely missed sequence 504561, current 505062, worst message delay 0
2017/02/03 Likely missed sequence 504563, current 505064, worst message delay 0
2017/02/03 Likely missed sequence 504566, current 505068, worst message delay 0
2017/02/03 Likely missed sequence 504569, current 505070, worst message delay 0
2017/02/03 Likely missed sequence 504571, current 505072, worst message delay 0
2017/02/03 Likely missed sequence 504573, current 505074, worst message delay 0
2017/02/03 Likely missed sequence 504575, current 505076, worst message delay 0
^C

Attachments:

e.g. Logs, screenshots, screencast, sample project, funny gif, etc.
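To make the "Likely missed sequence" lines above easier to read, here is an added example (not go-audit's own code) of a simplified model of the sequence bookkeeping that produces them: it records gaps in the kernel's audit sequence numbers, lets a late out-of-order message fill its gap, and reports a gap as likely missed only once the stream has run a window past it. The `SeqTracker` name, the window size of 500 and the constructed stream of sequence numbers are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// SeqTracker is a simplified model of the bookkeeping behind go-audit's "Likely
// missed sequence" line (an assumption of this example, not the project's code):
// a gap is reported only once the stream has run more than `window` past it.
type SeqTracker struct {
	lastSeq  int          // highest sequence seen so far ("current" in the log line)
	window   int          // how far the stream may run ahead before a gap counts as missed
	pending  map[int]bool // gap sequence numbers still waiting for a late delivery
	worstLag int          // largest lag of any late delivery ("worst message delay")
}

func NewSeqTracker(window int) *SeqTracker {
	return &SeqTracker{window: window, pending: map[int]bool{}}
}

// Observe records one message's sequence number and returns the sequence
// numbers that are now considered likely missed, in ascending order.
func (t *SeqTracker) Observe(seq int) []int {
	switch {
	case t.lastSeq == 0:
		t.lastSeq = seq // first message: nothing to compare against yet
	case seq > t.lastSeq+1:
		for i := t.lastSeq + 1; i < seq; i++ { // jumped ahead: what was skipped is a gap for now
			t.pending[i] = true
		}
		t.lastSeq = seq
	case seq > t.lastSeq:
		t.lastSeq = seq // the expected next number
	case t.pending[seq]:
		delete(t.pending, seq) // late arrival fills a gap; remember how late it was
		if lag := t.lastSeq - seq; lag > t.worstLag {
			t.worstLag = lag
		}
	}
	var missed []int
	for s := range t.pending { // deleting during range is safe in Go
		if t.lastSeq-s > t.window {
			missed = append(missed, s)
			delete(t.pending, s)
		}
	}
	sort.Ints(missed)
	return missed
}

func main() {
	tr := NewSeqTracker(500) // window of 500 is an assumption for this example
	tr.Observe(504531)       // constructed stream: 504532 never arrives, the rest does
	for seq := 504533; seq <= 505034; seq++ {
		for _, m := range tr.Observe(seq) {
			fmt.Printf("Likely missed sequence %d, current %d, worst message delay %d\n", m, tr.lastSeq, tr.worstLag)
		}
	}
}
```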

Migrate from "syscall" to "golang.org/x/sys/unix"

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

This is more of a best practice as I'm not aware of any specific issues caused by the older dep.

As of today go-audit uses the "syscall" package which has been frozen since Go 1.4:

Deprecated: this package is locked down. Callers should use the corresponding package in the golang.org/x/sys repository instead. That is also where updates required by new systems or versions should be applied. See https://golang.org/s/go1.4-syscall for more information.

go-audit should migrate to using golang.org/x/sys/unix instead as new fixes/features are implemented there.

This should be a pretty straightforward migration as most structures are the same in both packages, any concerns with me sending over a pull request for this?

Including node hostname/ip info in log

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hi! There is no option to include node name/ip in log output, like "name_format" in auditd.conf:
name_format
This option controls how computer node names are inserted
into the audit event stream. It has the following choices:
none, hostname, fqd, numeric, and user. None means that
no computer name is inserted into the audit event.
hostname is the name returned by the gethostname syscall.
The fqd means that it takes the hostname and resolves it
with dns for a fully qualified domain name of that
machine. Numeric is similar to fqd except it resolves the
IP address of the machine. In order to use this option,
you might want to test that 'hostname -i' or 'domainname
-i' returns a numeric address. Also, this option is not
recommended if dhcp is used because you could have
different addresses over time for the same machine. User
is an admin defined string from the name option. The
default value is none.

Is there any way to include such info in current output?

Reproducible in:

go-audit version: 1.2.0

Expected result:

Every log line can include node hostname/ip if the option is set to (hostname | fqd | numeric | user) in config file, like:
{ "sequence": 101, "timestamp": "1482700861.088", "node": "192.168.0.1", "messages": [ { "type": 1300, "data": "arch=c000003e syscall=2 success=yes exit=3 a0=7ffff76f7938 a1=0 a2=20000 a3=69d items=1 ppid=12166 pid=12602 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm=\"cat\" exe=\"/bin/cat\" key=\"bees_in_my_honey\"" }, { "type": 1307, "data": " cwd=\"/root\"" }, { "type": 1302, "data": "item=0 name=\"/opt/secret.txt\" inode=785716 dev=fc:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL" }, { "type": 1327, "data": "proctitle=636174002F6F70742F7365637265742E747874" } ], "uid_map": { "0": "root", "1000": "user" } }

Actual result:

Currently, there is no such option in config file.
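As an added example (not go-audit's own code) of the option requested above, the following Go code picks a node name for each of auditd's name_format choices and inserts it as a `node` field into an already serialised go-audit event. The `Resolver`, `NodeName` and `AddNode` names, the function-valued resolver (so the choice logic can be exercised offline with fixed answers), the reading of fqd as a reverse lookup of the host's first address, and the event literal are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"os"
	"strings"
)

// Resolver holds the host lookups as functions so NodeName can be tested offline.
type Resolver struct {
	Hostname   func() (string, error)
	LookupHost func(host string) ([]string, error) // forward: name -> addresses
	LookupAddr func(addr string) ([]string, error) // reverse: address -> names
}
var SysResolver = Resolver{os.Hostname, net.LookupHost, net.LookupAddr} // the real one

// NodeName picks the "node" value for one of auditd's name_format choices;
// "user" takes the admin-defined name, the rest derive from the hostname.
func NodeName(format, userName string, r Resolver) (string, error) {
	switch format {
	case "none", "":
		return "", nil
	case "user":
		return userName, nil
	case "hostname", "numeric", "fqd":
	default:
		return "", fmt.Errorf("unknown name_format %q", format)
	}
	host, err := r.Hostname()
	if err != nil || format == "hostname" {
		return host, err
	}
	addrs, err := r.LookupHost(host) // numeric and fqd both start from the address
	if err == nil && len(addrs) > 0 && format == "fqd" {
		addrs, err = r.LookupAddr(addrs[0]) // reverse-resolve it to the full name
	}
	if err != nil || len(addrs) == 0 {
		return "", fmt.Errorf("name_format %s: cannot resolve %q: %v", format, host, err)
	}
	return strings.TrimSuffix(addrs[0], "."), nil // reverse lookups carry a trailing dot
}

// AddNode inserts "node" into a serialised go-audit event, leaving other fields intact.
func AddNode(event []byte, node string) ([]byte, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(event, &fields); err != nil || node == "" {
		return event, err // format none: the event goes out unchanged
	}
	fields["node"], _ = json.Marshal(node)
	return json.Marshal(fields)
}

func main() { // fqd and numeric need working DNS, so the demo uses hostname
	if node, err := NodeName("hostname", "", SysResolver); err == nil {
		out, _ := AddNode([]byte(`{"sequence":101,"timestamp":"1482700861.088","messages":[]}`), node)
		fmt.Println(string(out))
	}
}
```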
