Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
config file for go-audit
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
# Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
# Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
receive: 16384
# Configure message sequence tracking
message_tracking:
# Track messages and identify if we missed any, default true
enabled: true
# Log out of orderness, these messages typically signify an overloading system, default false
log_out_of_order: false
# Maximum out of orderness before a missed sequence is presumed dropped, default 500
max_out_of_order: 500
# Configure where to output audit events
# Only 1 output can be active at a given time
output:
# Writes to stdout
# All program status logging will be moved to stderr
stdout:
enabled: false
# Total number of attempts to write a line before considering giving up
# If a write fails go-audit will sleep for 1 second before retrying
# Default is 3
attempts: 3
# Writes logs to syslog
syslog:
enabled: false
attempts: 5
# Configure the type of socket this should be, default is unixgram
# This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
network: unixgram
# Set the remote address to connect to, this can be a path or an ip address
# This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
address: /dev/log
# Sets the facility and severity for all events. See the table below for help
# The default is 132 which maps to local0 | warn
priority: 129 # local0 | emerg
# Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
# Default value is "go-audit"
tag: "audit-thing"
# Appends logs to a file
file:
enabled: true
attempts: 2
# Path of the file to write lines to
# The actual file will be created if it is missing but make sure the parent directory exists
path: /var/log/go-audit.log
# Octal file mode for the log file, make sure to always have a leading 0
mode: 0600
# User and group that should own the log file
user: root
group: root
# Configure logging, only stdout and stderr are used.
log:
# Gives you a bit of control over log line prefixes. Default is 0 - nothing.
# To get the `filename:lineno` you would set this to 16
#
# Ldate = 1 // the date in the local time zone: 2009/01/23
# Ltime = 2 // the time in the local time zone: 01:23:23
# Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.
# Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
# Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
# LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
#
# See also: https://golang.org/pkg/log/#pkg-constants
flags: 0
rules:
# Watch all 64 bit program executions
#- -a exit,always -F arch=b64 -S execve
# Watch all 32 bit program executions
#- -a exit,always -F arch=b32 -S execve
### TOM ###
- -a exit,always -F path=/opt/secret.txt -F perm=wra -k test_changes
# Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
# You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
# This should be the last rule in the chain.
- -e 1
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
#filters:
# Each filter consists of exactly 3 parts
#- syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
# message_type: 1306 # The message type identifier containing the data to test against the regex
# regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.