go-audit

About

go-audit is an alternative to the auditd daemon that ships with many distros. After having created an auditd audisp plugin to convert audit logs to JSON, I became interested in creating a replacement for the existing daemon.

Goals

Usage

Installation
  1. Install Go; version 1.14 or greater is required

  2. Clone the repo

    git clone (this repo)
    cd go-audit
    
  3. Build the binary

    make
    
  4. Copy the binary go-audit to wherever you'd like

Testing
Running as a service

Check the contrib folder, it contains examples for how to run go-audit as a proper service on your machine.

Example Config

See go-audit.yaml.example

FAQ

I am seeing "Error during message receive: no buffer space available" in the logs

This happens because go-audit is not receiving data as quickly as your system is generating it. You can raise the receive buffer system wide, which may help, but it is best to reduce the amount of audit data go-audit has to handle.

If reducing audit velocity is not an option, you can try increasing socket_buffer.receive in your config (see Example Config for more information):

socket_buffer:
    receive: <some number bigger than (the current value * 2)>

Sometimes files don't have a name, only an inode. What gives?

The kernel doesn't always know the filename for a file access. Figuring out the filename from an inode is expensive and error prone.

You can map an inode back to a filename yourself, though it is possibly not the exact filename that triggered the audit line:

sudo debugfs -R "ncheck <inode to map>" /dev/<your block device here>

I don't like math and want you to tell me the syslog priority to use

Use the default, or consult this handy table. The math behind it is simply priority = facility * 8 + severity.

Wikipedia has a pretty good page on this.

facility        emerg  alert  crit   err    warn   notice info   debug
                (0)    (1)    (2)    (3)    (4)    (5)    (6)    (7)
kernel (0)      0      1      2      3      4      5      6      7
user (1)        8      9      10     11     12     13     14     15
mail (2)        16     17     18     19     20     21     22     23
daemon (3)      24     25     26     27     28     29     30     31
auth (4)        32     33     34     35     36     37     38     39
syslog (5)      40     41     42     43     44     45     46     47
lpr (6)         48     49     50     51     52     53     54     55
news (7)        56     57     58     59     60     61     62     63
uucp (8)        64     65     66     67     68     69     70     71
clock (9)       72     73     74     75     76     77     78     79
authpriv (10)   80     81     82     83     84     85     86     87
ftp (11)        88     89     90     91     92     93     94     95
ntp (12)        96     97     98     99     100    101    102    103
logaudit (13)   104    105    106    107    108    109    110    111
logalert (14)   112    113    114    115    116    117    118    119
cron (15)       120    121    122    123    124    125    126    127
local0 (16)     128    129    130    131    132    133    134    135
local1 (17)     136    137    138    139    140    141    142    143
local2 (18)     144    145    146    147    148    149    150    151
local3 (19)     152    153    154    155    156    157    158    159
local4 (20)     160    161    162    163    164    165    166    167
local5 (21)     168    169    170    171    172    173    174    175
local6 (22)     176    177    178    179    180    181    182    183
local7 (23)     184    185    186    187    188    189    190    191
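As an added worked example (not part of go-audit itself), the following Go snippet encodes a facility/severity pair into the single priority number from the table above and decodes it back, including from the "<PRI>" header of a received syslog line. This is useful when checking that the priority you configured is what your syslog daemon actually sees. The function names (Priority, PriorityByName, Decode, DecodeLine) and the sample line are assumptions made for the example; the name tables follow the FAQ table.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Facility and severity names in the order of their numeric codes
// (facility 0..23, severity 0..7), matching the FAQ table above.
var facilityNames = []string{
	"kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
	"uucp", "clock", "authpriv", "ftp", "ntp", "logaudit", "logalert", "cron",
	"local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
}

var severityNames = []string{
	"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug",
}

// Priority combines a facility code and a severity code into the syslog
// priority value: facility*8 + severity. Out-of-range codes are rejected.
func Priority(facility, severity int) (int, error) {
	if facility < 0 || facility >= len(facilityNames) {
		return 0, fmt.Errorf("facility %d out of range 0..%d", facility, len(facilityNames)-1)
	}
	if severity < 0 || severity >= len(severityNames) {
		return 0, fmt.Errorf("severity %d out of range 0..%d", severity, len(severityNames)-1)
	}
	return facility*8 + severity, nil
}

// PriorityByName does the same lookup from the names used in the table,
// so "local6" and "info" yield 182.
func PriorityByName(facility, severity string) (int, error) {
	f := indexOf(facilityNames, facility)
	s := indexOf(severityNames, severity)
	if f < 0 {
		return 0, fmt.Errorf("unknown facility %q", facility)
	}
	if s < 0 {
		return 0, fmt.Errorf("unknown severity %q", severity)
	}
	return Priority(f, s)
}

// Decode splits a priority back into facility and severity names.
func Decode(pri int) (facility, severity string, err error) {
	if pri < 0 || pri > 191 {
		return "", "", fmt.Errorf("priority %d out of range 0..191", pri)
	}
	return facilityNames[pri/8], severityNames[pri%8], nil
}

// DecodeLine extracts the leading "<PRI>" field of a syslog line and decodes it.
func DecodeLine(line string) (facility, severity string, err error) {
	if !strings.HasPrefix(line, "<") {
		return "", "", fmt.Errorf("no <PRI> prefix in %q", line)
	}
	end := strings.IndexByte(line, '>')
	if end < 0 {
		return "", "", fmt.Errorf("unterminated <PRI> prefix in %q", line)
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil {
		return "", "", fmt.Errorf("bad <PRI> value in %q: %w", line, err)
	}
	return Decode(pri)
}

func indexOf(names []string, name string) int {
	for i, n := range names {
		if n == name {
			return i
		}
	}
	return -1
}

func main() {
	// Constructed sample line in RFC 5424 shape; the JSON body is illustrative,
	// not real go-audit output.
	sample := `<182>1 2024-01-01T00:00:00Z host go-audit - - - {"sequence":1}`
	f, s, err := DecodeLine(sample)
	fmt.Println(f, s, err) // local6 info <nil>
}
```

Run it with `go run` on the file; the decoded facility and severity are what to compare against the priority you set in go-audit.yaml.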

I am seeing duplicate entries in syslog!

This is most likely because journald is also reading audit events. To stop it, mask journald's audit socket:

sudo systemctl mask systemd-journald-audit.socket

Thanks!

To Hardik Juneja, Arun Sori, Aalekh Nigam Aalekhn for the inspiration via https://github.com/mozilla/audit-go