{"id":15050502,"url":"https://github.com/mozilla/libaudit-go","last_synced_at":"2025-10-19T23:31:09.762Z","repository":{"id":25390082,"uuid":"28818642","full_name":"mozilla/libaudit-go","owner":"mozilla","description":"INACTIVE - http://mzl.la/ghe-archive - go package for interfacing with Linux audit","archived":true,"fork":false,"pushed_at":"2020-12-07T07:35:04.000Z","size":468,"stargazers_count":92,"open_issues_count":0,"forks_count":32,"subscribers_count":23,"default_branch":"master","last_synced_at":"2025-02-02T12:32:46.495Z","etag":null,"topics":["audit","go","inactive","linux-audit","unmaintained"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"exascaleproject/proxy-apps","license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mozilla.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":"audit_constant.go","citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-05T15:34:20.000Z","updated_at":"2024-11-28T04:42:12.000Z","dependencies_parsed_at":"2022-08-23T06:10:08.385Z","dependency_job_id":null,"html_url":"https://github.com/mozilla/libaudit-go","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Flibaudit-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Flibaudit-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Flibaudit-go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mozilla%2Flibaudit-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mozilla","download_url":"https://codeload.gith
ub.com/mozilla/libaudit-go/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237228638,"owners_count":19275731,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","go","inactive","linux-audit","unmaintained"],"created_at":"2024-09-24T21:26:59.332Z","updated_at":"2025-10-19T23:31:04.477Z","avatar_url":"https://github.com/mozilla.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# libaudit in Go\n\nlibaudit-go is a go package for interfacing with Linux audit.\n\n[![Build Status](https://travis-ci.org/mozilla/libaudit-go.svg?branch=master)](https://travis-ci.org/mozilla/libaudit-go)\n[![Go Report Card](https://goreportcard.com/badge/mozilla/libaudit-go \"Go Report Card\")](https://goreportcard.com/report/mozilla/libaudit-go)\n\nlibaudit-go is a pure Go client library for interfacing with the Linux auditing framework. 
It provides functions\nto interact with the auditing subsystems over Netlink, including controlling the rule set and obtaining/interpreting\nincoming audit events.\n\nlibaudit-go can be used to build Go applications which perform tasks similar to the standard Linux auditing daemon\n`auditd`.\n\nTo get started, see the package documentation at [godoc](https://godoc.org/github.com/mozilla/libaudit-go).\n\nFor a simple example of usage, see the [auditprint](./auditprint/) tool included in this repository.\n\n```bash\nsudo service auditd stop\ngo get -u github.com/mozilla/libaudit-go\ncd $GOPATH/src/github.com/mozilla/libaudit-go\ngo install github.com/mozilla/libaudit-go/auditprint\nsudo $GOPATH/bin/auditprint testdata/rules.json\n```\n\nSome key functions are discussed in the overview section below.\n\n## Overview\n\n### General\n\n##### NewNetlinkConnection\n\nTo use libaudit-go, programs need to initialize a new Netlink connection. `NewNetlinkConnection` can be used\nto allocate a new `NetlinkConnection` type which can then be passed to other functions in the library.\n\n```go\ns, err := libaudit.NewNetlinkConnection()\nif err != nil {\n        fmt.Printf(\"NewNetlinkConnection: %v\\n\", err)\n        // Do not continue with an unusable connection\n        os.Exit(1)\n}\ndefer s.Close()\n```\n\n`NetlinkConnection` provides `Send` and `Receive` methods to exchange Netlink messages with the kernel;\nhowever, applications will generally use the various other functions included in libaudit-go and do not need to\ncall these methods directly.\n\n##### GetAuditEvents\n\n`GetAuditEvents` starts an audit event monitor in a goroutine and returns. Programs can call this function and\nspecify a callback function as an argument. 
When the audit event monitor receives a new event, this callback\nfunction will be called with the parsed `AuditEvent` as an argument.\n\n```go\nfunc myCallback(msg *libaudit.AuditEvent, err error) {\n        if err != nil {\n                // An error occurred getting or parsing the audit event\n                return\n        }\n        // Print the fields\n        fmt.Println(msg.Data)\n        // Print the raw event\n        fmt.Println(msg.Raw)\n}\n\nlibaudit.GetAuditEvents(s, myCallback)\n```\n\n##### GetRawAuditEvents\n\n`GetRawAuditEvents` behaves in a similar manner to `GetAuditEvents`; however, programs can use this function\nto retrieve raw audit events from the kernel as a string, instead of having libaudit-go parse\nthese audit events into an `AuditEvent` type.\n\n### Audit Rules\n\nAudit rules can be loaded into the kernel using libaudit-go; however, the format differs from the common rule\nset used by userspace tools such as auditctl/auditd.\n\nlibaudit-go rulesets are defined as a JSON document. See [rules.json](./testdata/rules.json) as an example.\nThe libaudit-go type which stores the rule set is `AuditRules`.\n\n##### SetRules\n\n`SetRules` can be used to load an audit rule set into the kernel. 
The function takes a marshalled `AuditRules`\ntype as an argument (slice of bytes), and converts the JSON based rule set into a set of audit rules suitable\nfor submission to the kernel.\n\nThe function then makes the required Netlink calls to clear the existing rule set and load the new rules.\n\n```go\n// Load all rules from a file\ncontent, err := ioutil.ReadFile(\"audit.rules.json\")\nif err != nil {\n        fmt.Printf(\"error: %v\\n\", err)\n        os.Exit(1)\n}\n\n// Set audit rules\nerr = libaudit.SetRules(s, content)\nif err != nil {\n        fmt.Printf(\"error: %v\\n\", err)\n        os.Exit(1)\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozilla%2Flibaudit-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmozilla%2Flibaudit-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmozilla%2Flibaudit-go/lists"}