
// Licensed to Elasticsearch B.V. under one or more contributor
// license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright
// ownership. Elasticsearch B.V. licenses this file to you under
// the Apache License, Version 2.0 (the "License"); you may
// not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package aucoalesce

import (
	. "github.com/elastic/go-libaudit/v2/auparse"
)

// AuditEventType is a categorization of a simple or compound audit event.
type AuditEventType uint16

// Event categories. The numeric values are assigned by iota, so new
// categories must be appended at the end of the list: inserting or reordering
// an entry silently renumbers every category that follows it.
const (
	EventTypeUnknown AuditEventType = iota
	EventTypeUserspace
	EventTypeSystemServices
	EventTypeConfig
	EventTypeTTY
	EventTypeUserAccount
	EventTypeUserLogin
	EventTypeAuditDaemon
	EventTypeMACDecision
	EventTypeAnomaly
	EventTypeIntegrity
	EventTypeAnomalyResponse
	EventTypeMAC
	EventTypeCrypto
	EventTypeVirt
	EventTypeAuditRule
	EventTypeDACDecision
	EventTypeGroupChange
)

// auditEventTypeNames is the textual form of each category as produced by
// String and MarshalText. Every category declared above must have an entry;
// a missing one would render as "unknown".
var auditEventTypeNames = map[AuditEventType]string{
	EventTypeUnknown:         "unknown",
	EventTypeUserspace:       "user-space",
	EventTypeSystemServices:  "system-services",
	EventTypeConfig:          "configuration",
	EventTypeTTY:             "TTY",
	EventTypeUserAccount:     "user-account",
	EventTypeUserLogin:       "user-login",
	EventTypeAuditDaemon:     "audit-daemon",
	EventTypeMACDecision:     "mac-decision",
	EventTypeAnomaly:         "anomaly",
	EventTypeIntegrity:       "integrity",
	EventTypeAnomalyResponse: "anomaly-response",
	EventTypeMAC:             "mac",
	EventTypeCrypto:          "crypto",
	EventTypeVirt:            "virt",
	EventTypeAuditRule:       "audit-rule",
	EventTypeDACDecision:     "dac-decision",
	EventTypeGroupChange:     "group-change",
}

// String returns the textual name of the category.
//
// A value with no entry in auditEventTypeNames renders the same as
// EventTypeUnknown ("unknown"), so in text form an out-of-range value cannot
// be told apart from a genuinely unclassified event.
func (t AuditEventType) String() string {
	if name, ok := auditEventTypeNames[t]; ok {
		return name
	}
	return auditEventTypeNames[EventTypeUnknown]
}

// MarshalText implements encoding.TextMarshaler. It emits exactly what String
// returns and never reports an error.
func (t AuditEventType) MarshalText() (text []byte, err error) {
	text = []byte(t.String())
	return text, nil
}

// GetAuditEventType maps a raw audit record type onto the coarse
// AuditEventType category used by this package.
//
// The cases are evaluated top to bottom and the first matching one wins, so
// keep their order aligned with the upstream table when extending it.
//
// Any record type not covered by a case — including types added to the
// kernel after the upstream version this was ported from — falls through to
// EventTypeUnknown. Consumers (detection rules, filters) should treat
// "unknown" as "not yet classified" rather than as uninteresting; dropping
// such records would hide exactly the new record types that were never
// reviewed. EventTypeGroupChange is never produced here; presumably it is
// assigned by other code in the package.
func GetAuditEventType(t AuditMessageType) AuditEventType {
	// Ported from: https://github.com/linux-audit/audit-userspace/blob/v2.7.5/auparse/normalize.c#L681

	// in reports whether t lies within the inclusive range [lo, hi].
	in := func(lo, hi AuditMessageType) bool {
		return lo <= t && t <= hi
	}

	switch {
	case in(AUDIT_USER_AUTH, AUDIT_USER_END),
		in(AUDIT_USER_CHAUTHTOK, AUDIT_CRED_REFR),
		in(AUDIT_USER_LOGIN, AUDIT_USER_LOGOUT),
		t == AUDIT_GRP_AUTH:
		return EventTypeUserLogin

	case in(AUDIT_ADD_USER, AUDIT_DEL_GROUP),
		in(AUDIT_GRP_MGMT, AUDIT_GRP_CHAUTHTOK),
		in(AUDIT_ACCT_LOCK, AUDIT_ACCT_UNLOCK):
		return EventTypeUserAccount

	case t == AUDIT_KERNEL,
		in(AUDIT_SYSTEM_BOOT, AUDIT_SERVICE_STOP):
		return EventTypeSystemServices

	case t == AUDIT_USYS_CONFIG,
		t == AUDIT_CONFIG_CHANGE,
		t == AUDIT_NETFILTER_CFG,
		in(AUDIT_FEATURE_CHANGE, AUDIT_REPLACE):
		return EventTypeConfig

	case t == AUDIT_SECCOMP:
		return EventTypeDACDecision

	case in(AUDIT_CHGRP_ID, AUDIT_TRUSTED_APP),
		t == AUDIT_USER_CMD,
		t == AUDIT_CHUSER_ID:
		return EventTypeUserspace

	case t == AUDIT_USER_TTY,
		t == AUDIT_TTY:
		return EventTypeTTY

	case in(AUDIT_DAEMON_START, AUDIT_LAST_DAEMON):
		return EventTypeAuditDaemon

	case t == AUDIT_USER_SELINUX_ERR,
		t == AUDIT_USER_AVC,
		in(AUDIT_APPARMOR_ALLOWED, AUDIT_APPARMOR_DENIED),
		t == AUDIT_APPARMOR_ERROR,
		in(AUDIT_AVC, AUDIT_AVC_PATH):
		return EventTypeMACDecision

	case in(AUDIT_INTEGRITY_DATA, AUDIT_INTEGRITY_LAST_MSG),
		t == AUDIT_ANOM_RBAC_INTEGRITY_FAIL:
		return EventTypeIntegrity

	case in(AUDIT_ANOM_PROMISCUOUS, AUDIT_LAST_KERN_ANOM_MSG),
		in(AUDIT_ANOM_LOGIN_FAILURES, AUDIT_ANOM_RBAC_FAIL),
		in(AUDIT_ANOM_CRYPTO_FAIL, AUDIT_LAST_ANOM_MSG):
		return EventTypeAnomaly

	case in(AUDIT_RESP_ANOMALY, AUDIT_LAST_ANOM_RESP):
		return EventTypeAnomalyResponse

	case in(AUDIT_MAC_POLICY_LOAD, AUDIT_LAST_SELINUX),
		in(AUDIT_AA, AUDIT_APPARMOR_AUDIT),
		in(AUDIT_APPARMOR_HINT, AUDIT_APPARMOR_STATUS),
		in(AUDIT_USER_ROLE_CHANGE, AUDIT_LAST_USER_LSPP_MSG):
		return EventTypeMAC

	case in(AUDIT_FIRST_KERN_CRYPTO_MSG, AUDIT_LAST_KERN_CRYPTO_MSG),
		in(AUDIT_CRYPTO_TEST_USER, AUDIT_LAST_CRYPTO_MSG):
		return EventTypeCrypto

	case in(AUDIT_VIRT_CONTROL, AUDIT_LAST_VIRT_MSG):
		return EventTypeVirt

	case in(AUDIT_SYSCALL, AUDIT_SOCKETCALL),
		in(AUDIT_SOCKADDR, AUDIT_MQ_GETSETATTR),
		in(AUDIT_FD_PAIR, AUDIT_OBJ_PID),
		in(AUDIT_BPRM_FCAPS, AUDIT_NETFILTER_PKT):
		return EventTypeAuditRule
	}

	// Nothing above matched: leave the record unclassified rather than guess.
	return EventTypeUnknown
}