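#
# Copyright 2021- haccht
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require "fluent/plugin/filter"

module Fluent
  module Plugin
    # Fluentd filter for events emitted by go-audit: an event carries a
    # "messages" array of kernel audit records ({'type' => n, 'data' => 'k=v ...'})
    # and a "uid_map" (uid string => user name). The filter rewrites "messages"
    # into a Hash keyed by audit type name (several "path" records are kept apart
    # by suffixing their item index: "path0", "path1", ...), converts numeric
    # fields, resolves uids, and decodes the hex-encoded "proctitle" and "saddr"
    # fields. "message_types" lists the resulting keys.
    #
    # Parsing of a single malformed value never raises: a filter exception makes
    # Fluentd route the whole record to its error stream, i.e. the audit event is
    # lost from the main pipeline. Malformed pieces are kept verbatim instead.
    class GoAuditParserFilter < Fluent::Plugin::Filter
      Fluent::Plugin.register_filter("go_audit_parser", self)

      # x86_64 syscall numbers. Syscall numbers are ABI-specific, so the table is
      # only applied to records whose `arch=` field is absent or x86_64 (see
      # X86_64_AUDIT_ARCH); numbers the table does not know (newer kernels) are
      # reported as the raw number rather than nil.
      SYSCALLS = {
        0 => 'read', 1 => 'write', 2 => 'open', 3 => 'close', 4 => 'stat', 5 => 'fstat',
        6 => 'lstat', 7 => 'poll', 8 => 'lseek', 9 => 'mmap', 10 => 'mprotect', 11 => 'munmap',
        12 => 'brk', 13 => 'rt_sigaction', 14 => 'rt_sigprocmask', 15 => 'rt_sigreturn',
        16 => 'ioctl', 17 => 'pread', 18 => 'pwrite', 19 => 'readv', 20 => 'writev',
        21 => 'access', 22 => 'pipe', 23 => 'select', 24 => 'sched_yield', 25 => 'mremap',
        26 => 'msync', 27 => 'mincore', 28 => 'madvise', 29 => 'shmget', 30 => 'shmat',
        31 => 'shmctl', 32 => 'dup', 33 => 'dup2', 34 => 'pause', 35 => 'nanosleep',
        36 => 'getitimer', 37 => 'alarm', 38 => 'setitimer', 39 => 'getpid', 40 => 'sendfile',
        41 => 'socket', 42 => 'connect', 43 => 'accept', 44 => 'sendto', 45 => 'recvfrom',
        46 => 'sendmsg', 47 => 'recvmsg', 48 => 'shutdown', 49 => 'bind', 50 => 'listen',
        51 => 'getsockname', 52 => 'getpeername', 53 => 'socketpair', 54 => 'setsockopt',
        55 => 'getsockopt', 56 => 'clone', 57 => 'fork', 58 => 'vfork', 59 => 'execve',
        60 => 'exit', 61 => 'wait4', 62 => 'kill', 63 => 'uname', 64 => 'semget', 65 => 'semop',
        66 => 'semctl', 67 => 'shmdt', 68 => 'msgget', 69 => 'msgsnd', 70 => 'msgrcv',
        71 => 'msgctl', 72 => 'fcntl', 73 => 'flock', 74 => 'fsync', 75 => 'fdatasync',
        76 => 'truncate', 77 => 'ftruncate', 78 => 'getdents', 79 => 'getcwd', 80 => 'chdir',
        81 => 'fchdir', 82 => 'rename', 83 => 'mkdir', 84 => 'rmdir', 85 => 'creat', 86 => 'link',
        87 => 'unlink', 88 => 'symlink', 89 => 'readlink', 90 => 'chmod', 91 => 'fchmod',
        92 => 'chown', 93 => 'fchown', 94 => 'lchown', 95 => 'umask', 96 => 'gettimeofday',
        97 => 'getrlimit', 98 => 'getrusage', 99 => 'sysinfo', 100 => 'times', 101 => 'ptrace',
        102 => 'getuid', 103 => 'syslog', 104 => 'getgid', 105 => 'setuid', 106 => 'setgid',
        107 => 'geteuid', 108 => 'getegid', 109 => 'setpgid', 110 => 'getppid', 111 => 'getpgrp',
        112 => 'setsid', 113 => 'setreuid', 114 => 'setregid', 115 => 'getgroups',
        116 => 'setgroups', 117 => 'setresuid', 118 => 'getresuid', 119 => 'setresgid',
        120 => 'getresgid', 121 => 'getpgid', 122 => 'setfsuid', 123 => 'setfsgid',
        124 => 'getsid', 125 => 'capget', 126 => 'capset', 127 => 'rt_sigpending',
        128 => 'rt_sigtimedwait', 129 => 'rt_sigqueueinfo', 130 => 'rt_sigsuspend',
        131 => 'sigaltstack', 132 => 'utime', 133 => 'mknod', 134 => 'uselib',
        135 => 'personality', 136 => 'ustat', 137 => 'statfs', 138 => 'fstatfs', 139 => 'sysfs',
        140 => 'getpriority', 141 => 'setpriority', 142 => 'sched_setparam',
        143 => 'sched_getparam', 144 => 'sched_setscheduler', 145 => 'sched_getscheduler',
        146 => 'sched_get_priority_max', 147 => 'sched_get_priority_min',
        148 => 'sched_rr_get_interval', 149 => 'mlock', 150 => 'munlock', 151 => 'mlockall',
        152 => 'munlockall', 153 => 'vhangup', 154 => 'modify_ldt', 155 => 'pivot_root',
        156 => '_sysctl', 157 => 'prctl', 158 => 'arch_prctl', 159 => 'adjtimex',
        160 => 'setrlimit', 161 => 'chroot', 162 => 'sync', 163 => 'acct', 164 => 'settimeofday',
        165 => 'mount', 166 => 'umount2', 167 => 'swapon', 168 => 'swapoff', 169 => 'reboot',
        170 => 'sethostname', 171 => 'setdomainname', 172 => 'iopl', 173 => 'ioperm',
        174 => 'create_module', 175 => 'init_module', 176 => 'delete_module',
        177 => 'get_kernel_syms', 178 => 'query_module', 179 => 'quotactl', 180 => 'nfsservctl',
        181 => 'getpmsg', 182 => 'putpmsg', 183 => 'afs_syscall', 184 => 'tuxcall',
        185 => 'security', 186 => 'gettid', 187 => 'readahead', 188 => 'setxattr',
        189 => 'lsetxattr', 190 => 'fsetxattr', 191 => 'getxattr', 192 => 'lgetxattr',
        193 => 'fgetxattr', 194 => 'listxattr', 195 => 'llistxattr', 196 => 'flistxattr',
        197 => 'removexattr', 198 => 'lremovexattr', 199 => 'fremovexattr', 200 => 'tkill',
        201 => 'time', 202 => 'futex', 203 => 'sched_setaffinity', 204 => 'sched_getaffinity',
        205 => 'set_thread_area', 206 => 'io_setup', 207 => 'io_destroy', 208 => 'io_getevents',
        209 => 'io_submit', 210 => 'io_cancel', 211 => 'get_thread_area', 212 => 'lookup_dcookie',
        213 => 'epoll_create', 214 => 'epoll_ctl_old', 215 => 'epoll_wait_old',
        216 => 'remap_file_pages', 217 => 'getdents64', 218 => 'set_tid_address',
        219 => 'restart_syscall', 220 => 'semtimedop', 221 => 'fadvise64', 222 => 'timer_create',
        223 => 'timer_settime', 224 => 'timer_gettime', 225 => 'timer_getoverrun',
        226 => 'timer_delete', 227 => 'clock_settime', 228 => 'clock_gettime',
        229 => 'clock_getres', 230 => 'clock_nanosleep', 231 => 'exit_group', 232 => 'epoll_wait',
        233 => 'epoll_ctl', 234 => 'tgkill', 235 => 'utimes', 236 => 'vserver', 237 => 'mbind',
        238 => 'set_mempolicy', 239 => 'get_mempolicy', 240 => 'mq_open', 241 => 'mq_unlink',
        242 => 'mq_timedsend', 243 => 'mq_timedreceive', 244 => 'mq_notify', 245 => 'mq_getsetattr',
        246 => 'kexec_load', 247 => 'waitid', 248 => 'add_key', 249 => 'request_key',
        250 => 'keyctl', 251 => 'ioprio_set', 252 => 'ioprio_get', 253 => 'inotify_init',
        254 => 'inotify_add_watch', 255 => 'inotify_rm_watch', 256 => 'migrate_pages',
        257 => 'openat', 258 => 'mkdirat', 259 => 'mknodat', 260 => 'fchownat', 261 => 'futimesat',
        262 => 'newfstatat', 263 => 'unlinkat', 264 => 'renameat', 265 => 'linkat',
        266 => 'symlinkat', 267 => 'readlinkat', 268 => 'fchmodat', 269 => 'faccessat',
        270 => 'pselect6', 271 => 'ppoll', 272 => 'unshare', 273 => 'set_robust_list',
        274 => 'get_robust_list', 275 => 'splice', 276 => 'tee', 277 => 'sync_file_range',
        278 => 'vmsplice', 279 => 'move_pages', 280 => 'utimensat', 281 => 'epoll_pwait',
        282 => 'signalfd', 283 => 'timerfd', 284 => 'eventfd', 285 => 'fallocate',
        286 => 'timerfd_settime', 287 => 'timerfd_gettime', 288 => 'accept4', 289 => 'signalfd4',
        290 => 'eventfd2', 291 => 'epoll_create1', 292 => 'dup3', 293 => 'pipe2',
        294 => 'inotify_init1', 295 => 'preadv', 296 => 'pwritev', 297 => 'rt_tgsigqueueinfo',
        298 => 'perf_event_open', 299 => 'recvmmsg', 300 => 'fanotify_init', 301 => 'fanotify_mark',
        302 => 'prlimit64', 303 => 'name_to_handle_at', 304 => 'open_by_handle_at',
        305 => 'clock_adjtime', 306 => 'syncfs', 307 => 'sendmmsg', 308 => 'setns', 309 => 'getcpu',
        310 => 'process_vm_readv', 311 => 'process_vm_writev', 312 => 'kcmp', 313 => 'finit_module',
        314 => 'sched_setattr', 315 => 'sched_getattr', 316 => 'renameat2', 317 => 'seccomp',
        318 => 'getrandom', 319 => 'memfd_create', 320 => 'kexec_file_load', 321 => 'bpf',
        322 => 'execveat', 323 => 'userfaultfd', 324 => 'membarrier', 325 => 'mlock2',
        326 => 'copy_file_range', 327 => 'preadv2', 328 => 'pwritev2', 329 => 'pkey_mprotect',
        330 => 'pkey_alloc', 331 => 'pkey_free', 332 => 'statx', 333 => 'io_pgetevents',
        334 => 'rseq',
      }.freeze

      # Audit record type numbers => names used as keys of the output "messages".
      TYPES = {
        1100 => 'user_auth', 1101 => 'user_acct', 1102 => 'user_mgmt', 1103 => 'cred_acq',
        1104 => 'cred_disp', 1105 => 'user_start', 1106 => 'user_end', 1107 => 'user_avc',
        1108 => 'user_chauthtok', 1109 => 'user_err', 1110 => 'cred_refr', 1111 => 'usys_config',
        1112 => 'user_login', 1113 => 'user_logout', 1114 => 'add_user', 1115 => 'del_user',
        1116 => 'add_group', 1117 => 'del_group', 1118 => 'dac_check', 1119 => 'chgrp_id',
        1120 => 'test', 1121 => 'trusted_app', 1122 => 'user_selinux_err', 1123 => 'user_cmd',
        1124 => 'user_tty', 1125 => 'chuser_id', 1126 => 'grp_auth', 1127 => 'system_boot',
        1128 => 'system_shutdown', 1129 => 'system_runlevel', 1130 => 'service_start',
        1131 => 'service_stop', 1132 => 'grp_mgmt', 1133 => 'grp_chauthtok', 1134 => 'mac_check',
        1135 => 'acct_lock', 1136 => 'acct_unlock', 1137 => 'user_device', 1138 => 'software_update',
        1200 => 'daemon_start', 1201 => 'daemon_end', 1202 => 'daemon_abort', 1203 => 'daemon_config',
        1204 => 'daemon_reconfig', 1205 => 'daemon_rotate', 1206 => 'daemon_resume',
        1207 => 'daemon_accept', 1208 => 'daemon_close', 1209 => 'daemon_err',
        1300 => 'syscall', 1302 => 'path', 1303 => 'ipc', 1304 => 'socketcall',
        1305 => 'config_change', 1306 => 'sockaddr', 1307 => 'cwd', 1309 => 'execve',
        1311 => 'ipc_set_perm', 1312 => 'mq_open', 1313 => 'mq_sendrecv', 1314 => 'mq_notify',
        1315 => 'mq_getsetattr', 1316 => 'kernel_other', 1317 => 'fd_pair', 1318 => 'obj_pid',
        1319 => 'tty', 1320 => 'eoe', 1321 => 'bprm_fcaps', 1322 => 'capset', 1323 => 'mmap',
        1324 => 'netfilter_pkt', 1325 => 'netfilter_cfg', 1326 => 'seccomp', 1327 => 'proctitle',
        1328 => 'feature_change', 1329 => 'replace', 1330 => 'kern_module', 1331 => 'fanotify',
        1332 => 'time_injoffset', 1333 => 'time_adjntpval', 1334 => 'bpf', 1335 => 'event_listener',
        1400 => 'avc', 1401 => 'selinux_err', 1402 => 'avc_path', 1403 => 'mac_policy_load',
        1404 => 'mac_status', 1405 => 'mac_config_change', 1406 => 'mac_unlbl_allow',
        1407 => 'mac_cipsov4_add', 1408 => 'mac_cipsov4_del', 1409 => 'mac_map_add',
        1410 => 'mac_map_del', 1411 => 'mac_ipsec_addsa', 1412 => 'mac_ipsec_delsa',
        1413 => 'mac_ipsec_addspd', 1414 => 'mac_ipsec_delspd', 1415 => 'mac_ipsec_event',
        1416 => 'mac_unlbl_stcadd', 1417 => 'mac_unlbl_stcdel', 1418 => 'mac_calipso_add',
        1419 => 'mac_calipso_del',
        1500 => 'aa', 1501 => 'apparmor_audit', 1502 => 'apparmor_allowed', 1503 => 'apparmor_denied',
        1504 => 'apparmor_hint', 1505 => 'apparmor_status', 1506 => 'apparmor_error',
        1507 => 'apparmor_kill',
        1700 => 'anom_promiscuous', 1701 => 'anom_abend', 1702 => 'anom_link', 1703 => 'anom_creat',
        1800 => 'integrity_data', 1801 => 'integrity_metadata', 1802 => 'integrity_status',
        1803 => 'integrity_hash', 1804 => 'integrity_pcr', 1805 => 'integrity_rule',
        1806 => 'integrity_evm_xattr', 1807 => 'integrity_policy_rule', 1899 => 'integrity_last_msg',
        2000 => 'kernel',
        2100 => 'anom_login_failures', 2101 => 'anom_login_time', 2102 => 'anom_login_sessions',
        2103 => 'anom_login_acct', 2104 => 'anom_login_location', 2105 => 'anom_max_dac',
        2106 => 'anom_max_mac', 2107 => 'anom_amtu_fail', 2108 => 'anom_rbac_fail',
        2109 => 'anom_rbac_integrity_fail', 2110 => 'anom_crypto_fail', 2111 => 'anom_access_fs',
        2112 => 'anom_exec', 2113 => 'anom_mk_exec', 2114 => 'anom_add_acct', 2115 => 'anom_del_acct',
        2116 => 'anom_mod_acct', 2117 => 'anom_root_trans', 2118 => 'anom_login_service',
        2119 => 'anom_login_root', 2120 => 'anom_origin_failures', 2121 => 'anom_session',
        2200 => 'resp_anomaly', 2201 => 'resp_alert', 2202 => 'resp_kill_proc', 2203 => 'resp_term_access',
        2204 => 'resp_acct_remote', 2205 => 'resp_acct_lock_timed', 2206 => 'resp_acct_unlock_timed',
        2207 => 'resp_acct_lock', 2208 => 'resp_term_lock', 2209 => 'resp_sebool', 2210 => 'resp_exec',
        2211 => 'resp_single', 2212 => 'resp_halt', 2213 => 'resp_origin_block',
        2214 => 'resp_origin_block_timed', 2215 => 'resp_origin_unblock_timed',
        2300 => 'user_role_change', 2301 => 'role_assign', 2302 => 'role_remove', 2303 => 'label_override',
        2304 => 'label_level_change', 2305 => 'user_labeled_export', 2306 => 'user_unlabeled_export',
        2307 => 'dev_alloc', 2308 => 'dev_dealloc', 2309 => 'fs_relabel', 2310 => 'user_mac_policy_load',
        2311 => 'role_modify', 2312 => 'user_mac_config_change', 2313 => 'user_mac_status',
        2400 => 'crypto_test_user', 2401 => 'crypto_param_change_user', 2402 => 'crypto_login',
        2403 => 'crypto_logout', 2404 => 'crypto_key_user', 2405 => 'crypto_failure_user',
        2406 => 'crypto_replay_user', 2407 => 'crypto_session', 2408 => 'crypto_ike_sa',
        2409 => 'crypto_ipsec_sa',
        2500 => 'virt_control', 2501 => 'virt_resource', 2502 => 'virt_machine_id',
        2503 => 'virt_integrity_check', 2504 => 'virt_create', 2505 => 'virt_destroy',
        2506 => 'virt_migrate_in', 2507 => 'virt_migrate_out',
      }.freeze

      # Value of the `arch=` field of x86_64 syscall/seccomp records
      # (AUDIT_ARCH_X86_64, printed as lowercase hex by auditd). SYSCALLS is the
      # x86_64 table, so names are only resolved for this ABI; other ABIs would
      # otherwise be labelled with the wrong syscall (e.g. 32-bit compat numbers).
      X86_64_AUDIT_ARCH = 'c000003e'.freeze

      # Field names that are resolved through uid_map / converted to Integer.
      UID_KEYS = %w[uid euid suid ouid fsuid auid].freeze
      GID_KEYS = %w[gid egid sgid ogid fsgid].freeze
      INT_KEYS = %w[exit item items pid ppid ses argc inode].freeze

      # key=value pairs of an audit record; a value is single-quoted, double-quoted
      # or a bare run of non-blank characters.
      KV_REGEX = /([^\s=]+)=('[^']*'|"[^"]*"|\S+)/
      # A whole-string run of hex byte pairs (the kernel's "untrusted string" encoding).
      HEX_REGEX = /\A(?:\h\h)+\z/

      # Fluentd entry point.
      #
      # When the record has a "timestamp", it replaces the event time. When it
      # has both "messages" and "uid_map", those are removed and replaced by the
      # parsed "messages" Hash and "message_types" list. If an event carries two
      # records of the same type other than "path", the later one wins.
      #
      # @param tag [String] event tag (unused)
      # @param time [Fluent::EventTime] incoming event time
      # @param record [Hash] go-audit event; mutated in place
      # @return [Array(Fluent::EventTime, Hash)] the (possibly replaced) time and the record
      def filter_with_time(tag, time, record)
        if record.key?('timestamp')
          timestamp = record.delete('timestamp').to_f
          time = Fluent::EventTime.from_time(Time.at(timestamp))
        end

        if record.key?('messages') && record.key?('uid_map')
          messages = record.delete('messages')
          uid_map = record.delete('uid_map') || {}

          parsed = Array(messages).each_with_object({}) do |message, acc|
            name, fields = parse_message(message, uid_map)
            acc[name] = fields
          end

          record['messages'] = parsed
          record['message_types'] = parsed.keys
        end

        [time, record]
      end

      # Splits an audit record body into a Hash of key => value.
      #
      # Surrounding quotes are stripped only when the value both starts and ends
      # with the same quote character: a bare value that merely begins with a
      # quote (matched by the \S+ alternative) used to lose its last character.
      #
      # @param text [String, nil] e.g. "arch=c000003e syscall=59 exe=\"/bin/sh\"" (nil => {})
      # @return [Hash{String => String}]
      def parseline(text)
        text.to_s.scan(KV_REGEX).each_with_object({}) do |(key, raw), fields|
          fields[key] = unquote(raw)
        end
      end

      # Resolves a uid field to { 'id' => Integer, 'name' => String or nil }.
      #
      # uid_map comes from go-audit and is keyed by the uid as a string, so the
      # raw field text (not the Integer) is used for the lookup; an unmapped uid
      # (e.g. the "unset" auid value) yields 'name' => nil.
      def uid(id, uid_map)
        { 'id' => id.to_i, 'name' => uid_map[id] }
      end

      # Decodes a hex-encoded audit string (proctitle, sun_path) to text, turning
      # non-printable bytes (the NUL separators between proctitle arguments) into
      # spaces.
      #
      # auditd prints such fields either quoted (plain text) or hex-encoded (when
      # they contain special bytes). Only a full run of hex byte pairs is decoded;
      # anything else is returned unchanged, so a quoted proctitle="bash" is not
      # turned into garbage. NOTE(review): a quoted value that happens to consist
      # only of hex digits is still decoded — telling the two apart needs the
      # quoting that parseline has already stripped.
      #
      # @param text [String] field value
      # @return [String] decoded text (binary encoding, ASCII-printable) or the input
      def packhex(text)
        hex = text.to_s
        return text unless hex.match?(HEX_REGEX)
        [hex].pack('H*').gsub(/[^[:print:]]/, ' ')
      end

      # Decodes the hex-encoded `saddr=` field (raw struct sockaddr bytes).
      #
      # The first two bytes are sa_family, read little-endian (host order on x86).
      # AF_UNIX (1), AF_INET (2) and AF_INET6 (10) are decoded; any other family
      # yields only 'unknown' => the remaining hex. Bytes beyond the decoded
      # fields are kept under 'unknown' (for AF_INET that includes the sin_zero
      # padding of a full sockaddr_in, as before). Truncated or otherwise
      # malformed input falls back to 'unknown' instead of raising, so a bad
      # address cannot knock the whole audit event out of the pipeline.
      #
      # @param text [String] hex string
      # @return [Hash] decoded address
      def sockaddr(text)
        text = text.to_s
        return { 'unknown' => text } if text.size < 4

        case text[0, 2].hex + (256 * text[2, 2].hex)
        when 1  then sockaddr_local(text)
        when 2  then sockaddr_inet(text)
        when 10 then sockaddr_inet6(text)
        else { 'unknown' => text[4..-1] }
        end
      end

      private

      # Parses one go-audit message into [name, fields]. `name` is the audit type
      # name used as key in the output "messages"; an unknown type number falls
      # back to the number as a string so the output is never keyed by nil.
      def parse_message(message, uid_map)
        type, data = message.values_at('type', 'data')
        type_id = type.to_i
        raw = parseline(data)

        fields = { 'type' => type_id }
        raw.each do |key, val|
          fields[key] = convert_field(key, val, raw['arch'], uid_map)
        end

        name = TYPES.fetch(type_id) { type_id.to_s }
        # Several "path" records can belong to one event; keep them apart by item index.
        name = "#{name}#{fields['item']}" if name == 'path'
        [name, fields]
      end

      # Converts one key=value field of an audit record to its output form.
      def convert_field(key, val, arch, uid_map)
        case key
        when 'syscall'            then syscall_name(val, arch)
        when 'msg'                then parseline(val)
        when 'saddr'              then sockaddr(val)
        when 'proctitle'          then packhex(val)
        when *UID_KEYS            then uid(val, uid_map)
        when *GID_KEYS, *INT_KEYS then val.to_i
        else val
        end
      end

      # Maps a syscall number to its name via the x86_64 table. When the record's
      # `arch` is present and is not x86_64, or the number is not in the table,
      # the raw number string is returned rather than a wrong name or nil.
      def syscall_name(number, arch)
        return number if arch && arch.to_s.downcase != X86_64_AUDIT_ARCH
        SYSCALLS.fetch(number.to_i) { number }
      end

      # Strips one pair of matching surrounding quotes (' or "), if present.
      def unquote(val)
        return val if val.size < 2
        first = val[0]
        return val unless first == val[-1] && (first == '\'' || first == '"')
        val[1..-2]
      end

      # AF_UNIX: sun_path up to the first NUL byte. The terminator is searched on
      # byte (even hex-digit) boundaries; a plain substring search for "00" could
      # match across two bytes (e.g. "70 00" = "p" + NUL) and cut the path short.
      # Without a NUL the whole payload is the path.
      def sockaddr_local(text)
        payload = text[4..-1]
        path_len = (0...payload.size).step(2).find { |i| payload[i, 2] == '00' } || payload.size

        addr = { 'family' => 'local', 'path' => packhex(payload[0, path_len]) }
        rest = payload[path_len..-1]
        addr['unknown'] = rest if rest.size > 1
        addr
      end

      # AF_INET: 2-byte big-endian port, 4-byte IPv4 address; needs 8 bytes.
      def sockaddr_inet(text)
        return { 'family' => 'inet', 'unknown' => text[4..-1] } if text.size < 16

        addr = {
          'family' => 'inet',
          'port' => (text[4, 2].hex * 256) + text[6, 2].hex,
          'ip' => text[8, 8].scan(/.{2}/).map(&:hex).join('.'),
        }
        addr['unknown'] = text[16..-1] if text.length > 16
        addr
      end

      # AF_INET6: port, 4-byte flow info, 16-byte address, 4-byte scope id; needs 28 bytes.
      def sockaddr_inet6(text)
        return { 'family' => 'inet6', 'unknown' => text[4..-1] } if text.size < 56

        addr = {
          'family' => 'inet6',
          'port' => (text[4, 2].hex * 256) + text[6, 2].hex,
          'flow_info' => text[8, 8],
          'ip' => text[16, 32].scan(/.{4}/).map(&:downcase).join(':'),
          'scope_id' => text[48, 8],
        }
        addr['unknown'] = text[56..-1] if text.size > 56
        addr
      end
    end
  end
end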