forked from slackhq/go-audit
-
Notifications
You must be signed in to change notification settings - Fork 0
/
go-audit.yaml.example
106 lines (88 loc) · 4.27 KB
/
go-audit.yaml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
#########################################################################################
# Please note that until this bug https://github.com/spf13/viper/pull/165 is fixed #
# you _must_ specify all values despite the fact that they talk about having a default. #
# Hopefully this problem with viper goes away soon #
#########################################################################################
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
# Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
# Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
receive: 16384
# Configure message sequence tracking
message_tracking:
# Track messages and identify if we missed any, default true
enabled: true
# Log out of orderness, these messages typically signify an overloading system, default false
log_out_of_order: false
# Maximum out of orderness before a missed sequence is presumed dropped, default 500
max_out_of_order: 500
# Configure where to output audit events
# Only 1 output can be active at a given time
output:
# Writes to stdout
# All program status logging will be moved to stderr
stdout:
enabled: true
# Total number of attempts to write a line before considering giving up
# If a write fails go-audit will sleep for 1 second before retrying
# Default is 3
attempts: 2
# Writes logs to syslog
syslog:
enabled: false
attempts: 5
# Configure the type of socket this should be, default is unixgram
# This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
network: unixgram
# Set the remote address to connect to, this can be a path or an ip address
# This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
address: /dev/log
# Sets the facility and severity for all events. See the table below for help
# The default is 132 which maps to local0 | warn
priority: 129 # local0 | emerg
# Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
# Default value is "go-audit"
tag: "audit-thing"
# Appends logs to a file
file:
enabled: false
attempts: 2
# Path of the file to write lines to
# The actual file will be created if it is missing but make sure the parent directory exists
path: /tmp/go-audit.log
# Octal file mode for the log file, make sure to always have a leading 0
mode: 0600
# User and group that should own the log file
user: nobody
group: nogroup
# Configure logging, only stdout and stderr are used.
log:
# Gives you a bit of control over log line prefixes. Default is 0 - nothing.
# To get the `filename:lineno` you would set this to 16
#
# Ldate = 1 // the date in the local time zone: 2009/01/23
# Ltime = 2 // the time in the local time zone: 01:23:23
# Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.
# Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
# Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
# LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
#
# See also: https://golang.org/pkg/log/#pkg-constants
flags: 0
rules:
# Watch all 64 bit program executions
- -a exit,always -F arch=b64 -S execve
# Watch all 32 bit program executions
- -a exit,always -F arch=b32 -S execve
# Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
# You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
# This should be the last rule in the chain.
- -e 1
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
# Each filter consists of exactly 3 parts
- syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
message_type: 1306 # The message type identifier containing the data to test against the regex
regex: saddr=(10..|0A..) # The regex to test against the message specific message types data