The project is to implement a module for MIG that supports syscall monitoring via the Audit Framework present in the Linux kernel.
The module leverages libaudit-go, a Go library that provides an API for the Audit Framework. It correlates the messages coming from the kernel into a single JSON message in a format identical to audisp-json and sends them to a web server that accepts POST requests.
NOTE: The module is only tested on the amd64 architecture, as libaudit-go currently only supports amd64.
- Addition of the mig-audit module: pull request, commits #1, #2, #3
- Fixing and testing the libaudit-go library: commits
- Comparing performance of audisp-json and the Go module
For the tests, both audisp-json and the Go module were made blocking, which is why the tests show high CPU usage; in everyday use both are non-blocking.
The performance tests were done by writing a test for the Go module that takes a single file of audit messages and parses, correlates and sends the events to a local web server. The same file is fed to audisp-json, which also parses, correlates and sends the events to the same local web server.
Results:
http://paste.ubuntu.com/23058381/ (with reverseMap), pprof: http://imgh.us/pprof001_5.svg
http://paste.ubuntu.com/23058390/ (without reverseMap), pprof: http://imgh.us/pprof001_6.svg
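As an added example (my own code, not part of the MIG module, libaudit-go or audisp-json), the parse/correlate/send pipeline that the module description and the performance test above refer to, driven by a constructed four-line audit log: records sharing an audit serial are buffered until the kernel's EOE record closes the event, the event is serialised to JSON and POSTed to a collector URL, and the stand-alone main points it at a local httptest server standing in for the POST-accepting web server. The JSON layout is my own and is not the audisp-json format; the sample records, the field names and the collectorURL parameter are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"os"
	"regexp"
	"strings"
)

// Constructed sample of raw kernel audit records (not captured from a real host): one open(2) event, serial 1234, as SYSCALL + CWD + PATH closed by the kernel's EOE marker.
const sampleAuditLog = `type=SYSCALL msg=audit(1471509423.253:1234): arch=c000003e syscall=2 success=yes exit=3 pid=4321 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1471509423.253:1234): cwd="/home/user"
type=PATH msg=audit(1471509423.253:1234): item=0 name="/etc/passwd" inode=1234 mode=0100644
type=EOE msg=audit(1471509423.253:1234):
`

// Event collects every record (its k=v fields plus "type") that shares one audit serial.
type Event struct {
	Timestamp string              `json:"timestamp"`
	Serial    string              `json:"serial"`
	Records   []map[string]string `json:"records"`
}

// Kernel lines look like: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): k=v k=v ...
var recordRe = regexp.MustCompile(`^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$`)

// parseRecord splits one raw line into timestamp, serial and a map of its k=v fields.
func parseRecord(line string) (ts, serial string, rec map[string]string, err error) {
	m := recordRe.FindStringSubmatch(line)
	if m == nil {
		return "", "", nil, fmt.Errorf("unrecognised audit line: %q", line)
	}
	rec = map[string]string{"type": m[1]}
	for _, kv := range strings.Fields(m[4]) {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 {
			rec[parts[0]] = strings.Trim(parts[1], `"`)
		}
	}
	return m[2], m[3], rec, nil
}

// Correlator buffers records by serial until the EOE marker closes the event. Caveat: an
// event whose EOE never arrives stays pending forever; production code must age them out.
type Correlator map[string]*Event

// Feed consumes one line and returns the finished Event when its EOE arrives, else nil.
func (c Correlator) Feed(line string) (*Event, error) {
	ts, serial, rec, err := parseRecord(line)
	if err != nil {
		return nil, err
	}
	ev, seen := c[serial]
	if rec["type"] == "EOE" {
		delete(c, serial)
		return ev, nil // nil if the kernel sent EOE for a serial we never buffered
	}
	if !seen {
		ev = &Event{Timestamp: ts, Serial: serial}
		c[serial] = ev
	}
	ev.Records = append(ev.Records, rec)
	return nil, nil
}

// ProcessLog replays raw audit lines through the correlator, POSTs each completed event as JSON to collectorURL and returns how many events the collector accepted.
func ProcessLog(raw, collectorURL string) (int, error) {
	c, sent := Correlator{}, 0
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		ev, err := c.Feed(line)
		if err != nil {
			return sent, err
		}
		if ev == nil {
			continue
		}
		body, _ := json.Marshal(ev) // marshalling this struct cannot fail
		resp, err := http.Post(collectorURL, "application/json", strings.NewReader(string(body)))
		if err != nil {
			return sent, err
		}
		resp.Body.Close()
		if resp.StatusCode/100 != 2 { // a collector that refuses events must not be silently ignored
			return sent, fmt.Errorf("collector returned %s", resp.Status)
		}
		sent++
	}
	return sent, nil
}

func main() {
	// Local stand-in for the POST-accepting web server; it echoes whatever is sent to it.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.Copy(os.Stdout, r.Body); fmt.Println() }))
	defer srv.Close()
	n, err := ProcessLog(sampleAuditLog, srv.URL)
	fmt.Println("events delivered:", n, "error:", err)
}
```

Running it prints one JSON event carrying the SYSCALL, CWD and PATH records under serial 1234. Checking the HTTP status in ProcessLog matters in practice: a collector that rejects events while the module keeps reading the kernel would otherwise lose audit data without any trace.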
First, you should have a web server running that accepts POST requests. You can get ephemeral URLs that allow POST on websites like requestb.in.
Modify the params in the module to specify the address of the server.
The module also writes the raw audit messages to /tmp/log, so that file can be checked as well to confirm that events are coming in.
You can also use auditctl -l and auditctl -s to further check that the audit settings have been applied correctly.
Suggested environment: Ubuntu 16.04 64-bit, auditd version 2.4.5
Requires: standard Go language setup, Go >= 1.5, auditd framework
To run the module (requires superuser access):
go build main.go
sudo ./main
All further modifications to the library will be made in its own repo, libaudit-go. All module-related modifications and feature additions will be made in the MIG repo.