Fix support of kernel < 3.0

[moaddib666]

Changed min auditStatus size to 32 bite as old kernel do have only the following fields:

enabled 1
failure 1
pid 66
rate_limit 0
backlog_limit 320
lost 0
backlog 0

[cla-checker-service]

💚 CLA has been signed

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-07-14T19:54:13.856+0000

• Duration: 2 min 16 sec

Test stats 🧪

Test	Results
Failed	0
Passed	386
Skipped	40
Total	426

[andrewkroh]

Based on the audit_status struct in earliest kernel version supported by Go, 2.6.23, I would say the proposed minimum is correct. The feature bitmap was add later.

[moaddib666]

Based on the audit_status struct in earliest kernel version supported by Go, 2.6.23, I would say the proposed minimum is correct. The feature bitmap was add later.

It's looks strange as I face unexpected EOF at 2.6.32-954.3.5 on the CentOS 6,

I'll double check and found the following:

• When I'd try to convert response manually it really works fine, but with libaudit.GetStatus() it fails;

Please have a look:

2022/07/12 12:14:15 Expected size is: 36
2022/07/12 12:14:15 failed to unmarshal reply: unexpected EOF
2022/07/12 12:14:15 status
2022/07/12 12:14:15 pointer number 8
2022/07/12 12:14:15 Expected size of message 36
2022/07/12 12:14:15 Recv buffer size 36
2022/07/12 12:14:15 {"Mask":36,"Enabled":2,"Failure":1,"PID":4269107896,"RateLimit":0,"BacklogLimit":16,"Lost":328680,"Backlog":1,"FeatureBitmap":4269107896,"BacklogWaitTime":0,"BacklogWaitTimeActual":0}

func main () {
        expectedSize := libaudit.MinSizeofAuditStatus
	log.Printf("Expected size is: %d", expectedSize)
	client, err := libaudit.NewMulticastAuditClient(nil)
	if err != nil {
		log.Fatalln(err)
	}
	status, err := client.GetStatus()
	if err != nil {
		log.Println(err)
	}
	log.Printf("status %+v", status)
	buf := make([]byte, syscall.NLMSG_HDRLEN+libaudit.AuditMessageMaxLength)
	netlink, _ := libaudit.NewNetlinkClient(syscall.NETLINK_AUDIT, 1, buf, nil)
	flags := uint16(syscall.NLM_F_REQUEST)
	msg := syscall.NetlinkMessage{
		Header: syscall.NlMsghdr{
			Type:  libaudit.AuditGet,
			Flags: flags | syscall.NLM_F_ACK,
		},
		Data: nil,
	}
	_, err = netlink.Send(msg)
	if err != nil {
		log.Printf("Can't send valid get status err: %v", err)
	}

	fd := GetNetlinkFd(netlink)
	n, _, _, _, err := syscall.Recvmsg(fd, buf, nil, unix.MSG_PEEK)
	log.Printf("Expected size of message %d", n)
	newBuff := make([]byte, n)
	_, _, _, _, err = syscall.Recvmsg(fd, newBuff, nil, 0)
	replyStatus := &libaudit.AuditStatus{}
	log.Printf("Recv buffer size %d", len(newBuff))
	err = replyStatus.FromWireFormat(newBuff)
	if err != nil {
		log.Printf("Worng: %v", err)
	}
	data, _ := json.Marshal(replyStatus)
	log.Printf("%s", data)
}

func GetNetlinkFd(client *libaudit.NetlinkClient) int {
	fv := reflect.ValueOf(client).Elem().FieldByName("fd")
	log.Printf("pointer number %d", fv.Int())
	return int(fv.Int())
}

Perhaps this situation happends because of MSG_DONTWAIT ?

[andrewkroh]

Can you please sign the CLA (https://www.elastic.co/contributor-agreement).

[andrewkroh]

Please also add an entry to the CHANGELOG.md file.

[moaddib666]

Can you please sign the CLA (https://www.elastic.co/contributor-agreement).

Sure, I've already done it.

[andrewkroh]

Yep, I see your GH username in the CLA database, but the email in your commits does not match the one in the database. See the email in https://github.com/elastic/go-libaudit/pull/119.patch.

[moaddib666]

Yep, I see your GH username in the CLA database, but the email in your commits does not match the one in the database. See the email in https://github.com/elastic/go-libaudit/pull/119.patch.

Sorry my fault, looks I've use my work account instead of personal one, updated.

[andrewkroh]

/test