Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

For SECCOMP messages translate arch, syscall, sig #64

Merged
merged 2 commits into from
Jun 18, 2020
Merged

For SECCOMP messages translate arch, syscall, sig #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a1fc673
For SECCOMP messages translate arch, syscall, sig
andrewkroh Jun 18, 2020
7ab9034
tidy up
andrewkroh Jun 18, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
### Added

- Vagrantfile for development ease. #61
- Added enrichment of arch, syscall, and sig to type=SECCOMP messages. #64

### Changed

Expand Down
28 changes: 26 additions & 2 deletions auparse/auparse.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,9 +23,11 @@ import (
"regexp"
"strconv"
"strings"
"syscall"
"time"

"github.com/pkg/errors"
"golang.org/x/sys/unix"
)

//go:generate sh -c "go run mk_audit_msg_types.go && gofmt -s -w zaudit_msg_types.go"
Expand Down Expand Up @@ -332,11 +334,16 @@ func enrichData(msg *AuditMessage) error {
hexDecode("cwd", msg.fields)

switch msg.RecordType {
case AUDIT_SECCOMP:
if err := setSignalName(msg.fields); err != nil {
return err
}
fallthrough
case AUDIT_SYSCALL:
if err := arch(msg.fields); err != nil {
return err
}
if err := syscall(msg.fields); err != nil {
if err := setSyscallName(msg.fields); err != nil {
return err
}
if err := hexDecode("exe", msg.fields); err != nil {
Expand Down Expand Up @@ -388,7 +395,7 @@ func arch(data map[string]*field) error {
return nil
}

func syscall(data map[string]*field) error {
func setSyscallName(data map[string]*field) error {
field, found := data["syscall"]
if !found {
return errors.New("syscall key not found")
Expand All @@ -410,6 +417,23 @@ func syscall(data map[string]*field) error {
return nil
}

func setSignalName(data map[string]*field) error {
field, found := data["sig"]
if !found {
return errors.New("sig key not found")
}

signalNum, err := strconv.Atoi(field.Value())
if err != nil {
return errors.Wrap(err, "failed to parse sig")
}

if signalName := unix.SignalName(syscall.Signal(signalNum)); signalName != "" {
field.Set(signalName)
}
return nil
}

func saddr(data map[string]*field) error {
field, found := data["saddr"]
if !found {
Expand Down
1 change: 1 addition & 0 deletions auparse/testdata/test3.log
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,4 @@ type=PROCTITLE msg=audit(1451781471.394:194438): proctitle="bash"
type=PROCTITLE msg=audit(1451781471.394:194440): proctitle=737368643A206275726E205B707269765D
type=ADD_GROUP msg=audit(1451781471.602:194894): pid=1321 uid=0 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=add-group acct="frodo" exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=EXECVE msg=audit(1507304439.922:1865): argc=5 a0="useradd" a1="-u" a2="3005" a3="-m" a4="trainer5"
type=SECCOMP msg=audit(1433785727.186:10262): auid=20003 uid=22 gid=22 ses=21 pid=11217 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 syscall=132 compat=0 ip=0xb7670aac code=0x0
21 changes: 21 additions & 0 deletions auparse/testdata/test3.log.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,5 +356,26 @@
"a4": "trainer5",
"argc": "5"
}
},
{
"@timestamp": "2015-06-08T17:48:47.186Z",
"record_type": "seccomp",
"sequence": 10262,
"raw_msg": "audit(1433785727.186:10262): auid=20003 uid=22 gid=22 ses=21 pid=11217 comm=\"sshd\" exe=\"/usr/sbin/sshd\" sig=31 arch=40000003 syscall=132 compat=0 ip=0xb7670aac code=0x0",
"data": {
"arch": "i386",
"auid": "20003",
"code": "0x0",
"comm": "sshd",
"compat": "0",
"exe": "/usr/sbin/sshd",
"gid": "22",
"ip": "0xb7670aac",
"pid": "11217",
"ses": "21",
"sig": "SIGSYS",
"syscall": "getpgid",
"uid": "22"
}
}
]
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@ require (
github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680
golang.org/x/sys v0.0.0-20170608164803-0b25a408a500 // indirect
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1
gopkg.in/yaml.v2 v2.3.0
)
4 changes: 2 additions & 2 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680 h1:oAXco1Ts88F75L1qvG3BAa4ChXI3EZDfxbB+p+y8+gE=
github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
golang.org/x/sys v0.0.0-20170608164803-0b25a408a500 h1:fhpo4nhRTq7HDlHaX8W7357HRWFlwsS1IAkGNCmoZ+E=
golang.org/x/sys v0.0.0-20170608164803-0b25a408a500/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80=
golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
Expand Down