https://github.com/athoune/audisp-go

golang audisp client for auditd
https://github.com/athoune/audisp-go

auditd

Last synced: 5 months ago
JSON representation

golang audisp client for auditd

• Host: GitHub
• URL: https://github.com/athoune/audisp-go
• Owner: athoune
• License: bsd-3-clause
• Created: 2022-03-26T20:36:45.000Z (about 4 years ago)
• Default Branch: main
• Last Pushed: 2022-05-31T13:07:25.000Z (about 4 years ago)
• Last Synced: 2024-06-21T03:17:49.357Z (almost 2 years ago)
• Topics: auditd
• Language: Go
• Homepage:
• Size: 50.8 KB
• Stars: 2
• Watchers: 1
• Forks: 0
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Audit: audit/audit.go

Awesome Lists containing this project

README

          
Audisp-go

=========

[![Build Status](https://drone.garambrogne.net/api/badges/athoune/audisp-go/status.svg)](https://drone.garambrogne.net/athoune/audisp-go)

[![go-report](https://goreportcard.com/badge/github.com/athoune/audisp-go)](https://goreportcard.com/report/github.com/athoune/audisp-go)

[Godoc](https://pkg.go.dev/github.com/athoune/audisp-go)

`audisp` client for Linux auditd `service`.

Test it

-------

Edit your `audisp` `af_unix` config

    vi /etc/audisp/plugins.d/af_unix.conf

```

# This file controls the configuration of the

# af_unix socket plugin. It simply takes events

# and writes them to a unix domain socket. This

# plugin can take 2 arguments, the path for the

# socket and the socket permissions in octal.

active = yes

direction = out

path = builtin_af_unix

type = builtin

args = 0640 /var/run/audispd_events

format = string

```

`active = yes` and `args` path are important.

You can now build and test:

    make

    ./bin/  audisp-expr 'line.type == "SYSCALL" and line.syscall == syscall("connect") and line.comm == "curl" '

Do something that trigger auditd, some curl