in aucoalesce/coalesce.go [320:352]
// addSockaddrRecord merges a SOCKADDR audit message into event.
//
// Every field parsed from the message is copied into event.Data under a
// "socket_" prefix, which keeps the address fields from colliding with keys
// the event already holds (for example "syscall"). The syscall name that
// accompanies the record decides whether the address describes the remote
// source (receive/accept family) or the destination (connect/send family);
// event.Net is only populated for those two families.
//
// If the message cannot be parsed, or event.Data carries no "syscall" key,
// a warning is appended to event.Warnings and the event is left untouched.
func addSockaddrRecord(sockaddr *auparse.AuditMessage, event *Event) {
	fields, err := sockaddr.Data()
	if err != nil {
		event.Warnings = append(event.Warnings, fmt.Errorf(
			"failed to parse SOCKADDR message: %w", err))
		return
	}

	// Without the syscall name there is no way to tell which side of the
	// connection the address belongs to, so nothing is merged at all.
	call, ok := event.Data["syscall"]
	if !ok {
		event.Warnings = append(event.Warnings, errors.New(
			"failed to add SOCKADDR data because syscall is unknown"))
		return
	}

	// Namespace the raw SOCKADDR fields so they never overwrite existing keys.
	for key, value := range fields {
		event.Data["socket_"+key] = value
	}

	switch call {
	case "recvfrom", "recvmsg", "accept", "accept4":
		// The peer address is where the data came from.
		addAddress(fields, &event.Source)
		event.Net = &Network{Direction: IncomingDir}
	case "connect", "sendto", "sendmsg":
		// The peer address is where the data is going.
		addAddress(fields, &event.Dest)
		event.Net = &Network{Direction: OutgoingDir}
	}
	// Remaining SOCKADDR-bearing syscalls (bind, listen, getpeername,
	// getsockname) have no clear source or destination, so only the
	// prefixed fields above are recorded for them.
}