package auditrd
import (
"bytes"
"strconv"
"strings"
"syscall"
"time"
)
// Package-level parser state and the constants that describe the
// "audit(<time>:<seq>): " prefix carried by every audit record.
var (
	// uidMap is not written anywhere in this file; presumably a uid -> name
	// cache filled in by another part of the package — confirm against callers.
	uidMap = map[string]string{}

	// Byte markers used while scanning the audit header.
	headerEndChar = []byte{')'} // closes the "audit(...)" prefix
	headerSepChar = byte(':')   // separates timestamp from sequence id
	spaceChar     = byte(' ')
)

const (
	HEADER_MIN_LENGTH = 7               // Minimum length of an audit header
	HEADER_START_POS  = 6               // Position in the audit header that the data starts
	COMPLETE_AFTER    = time.Second * 2 // Log a message after this time or EOE
)
// newAuditMessageGroup starts a group keyed on am's sequence number and
// audit timestamp, seeds it with am, and records the deadline after which
// the group is reported whether or not a closing record has arrived
// (see COMPLETE_AFTER).
func newAuditMessageGroup(am *AuditMessage) *AuditMessageGroup {
	// TODO: the initial capacity of 6 is a guess; ideally the expected
	// number of records per group would be known up front.
	group := &AuditMessageGroup{
		Seq:           am.Seq,
		AuditTime:     am.AuditTime,
		CompleteAfter: time.Now().Add(COMPLETE_AFTER),
		Msgs:          make([]*AuditMessage, 0, 6),
	}
	group.addMessage(am)

	return group
}
// newAuditMessage wraps a raw netlink audit record. The "audit(...)" header
// is parsed and stripped from nlm.Data by parseAuditHeader before Data is
// copied, so Data holds only the payload that follows the header.
func newAuditMessage(nlm *syscall.NetlinkMessage) *AuditMessage {
	// parseAuditHeader trims the header in place, so it must run before
	// nlm.Data is converted to a string below.
	auditTime, seq := parseAuditHeader(nlm)

	msg := &AuditMessage{
		Type:      nlm.Header.Type,
		Seq:       seq,
		AuditTime: auditTime,
		Data:      string(nlm.Data),
	}
	return msg
}
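// parseAuditHeader extracts the timestamp and sequence id from the
// "audit(<time>:<seq>): " prefix of a netlink audit record and strips that
// prefix from msg.Data in place.
//
// If no well-formed header is found, msg.Data is left untouched and the
// zero values ("" and 0) are returned. A sequence field that does not parse
// as an integer yields seq 0 (best effort; the record is still delivered).
func parseAuditHeader(msg *syscall.NetlinkMessage) (timestamp string, seq int) {
	headerStop := bytes.Index(msg.Data, headerEndChar)
	// A header shorter than HEADER_MIN_LENGTH cannot hold "audit(" plus a
	// separator, so treat it as absent (this also covers a missing ')').
	if headerStop < HEADER_MIN_LENGTH {
		return "", 0
	}

	header := string(msg.Data[:headerStop])
	if header[:HEADER_START_POS] != "audit(" {
		return "", 0
	}

	// A header without the ':' separator used to make the slice below panic
	// (IndexByte returns -1); a malformed or truncated record must not take
	// down the reader, so reject it instead.
	sep := strings.IndexByte(header, headerSepChar)
	if sep < HEADER_START_POS {
		return "", 0
	}

	timestamp = header[HEADER_START_POS:sep]
	// Ignoring the Atoi error is deliberate: a garbled sequence yields 0
	// rather than dropping the record.
	seq, _ = strconv.Atoi(header[sep+1:])

	// Drop the header plus the "): " that follows it. A record that ends
	// right after ')' has fewer than 3 trailing bytes; clamp so the slice
	// stays in bounds.
	end := headerStop + 3
	if end > len(msg.Data) {
		end = len(msg.Data)
	}
	msg.Data = msg.Data[end:]

	return timestamp, seq
}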