tom-chaoscube/go-audit.yaml

## go-audit.yaml
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
  # Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
  # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
  receive: 16384

# Configure message sequence tracking
message_tracking:
  # Track messages and identify if we missed any, default true
  enabled: true

  # Log out of orderness, these messages typically signify an overloading system, default false
  log_out_of_order: false

  # Maximum out of orderness before a missed sequence is presumed dropped, default 500
  max_out_of_order: 500

# Configure where to output audit events
# Only 1 output can be active at a given time
output:
  # Writes to stdout
  # All program status logging will be moved to stderr
  stdout:
    enabled: false

    # Total number of attempts to write a line before considering giving up
    # If a write fails go-audit will sleep for 1 second before retrying
    # Default is 3
    attempts: 3

  # Writes logs to syslog
  syslog:
    enabled: false
    attempts: 5
    # Configure the type of socket this should be, default is unixgram
    # This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
    network: unixgram

    # Set the remote address to connect to, this can be a path or an ip address
    # This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
    address: /dev/log

    # Sets the facility and severity for all events. See the table below for help
    # The default is 132 which maps to local0 | warn
    priority: 129 # local0 | emerg

    # Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
    # Default value is "go-audit"
    tag: "audit-thing"

  # Appends logs to a file
  file:
    enabled: true
    attempts: 2

    # Path of the file to write lines to
    # The actual file will be created if it is missing but make sure the parent directory exists
    path: /var/log/go-audit.log

    # Octal file mode for the log file, make sure to always have a leading 0
    mode: 0600

    # User and group that should own the log file
    user: root
    group: root

# Configure logging, only stdout and stderr are used.
log:
  # Gives you a bit of control over log line prefixes. Default is 0 - nothing.
  # To get the `filename:lineno` you would set this to 16
  #
  # Ldate         = 1  // the date in the local time zone: 2009/01/23
  # Ltime         = 2  // the time in the local time zone: 01:23:23
  # Lmicroseconds = 4  // microsecond resolution: 01:23:23.123123.  assumes Ltime.

  # Llongfile     = 8  // full file name and line number: /a/b/c/d.go:23
  # Lshortfile    = 16 // final file name element and line number: d.go:23. overrides Llongfile
  # LUTC          = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
  #
  # See also: https://golang.org/pkg/log/#pkg-constants
  flags: 0

rules:
  # Watch all 64 bit program executions
  #- -a exit,always -F arch=b64 -S execve
  # Watch all 32 bit program executions
  #- -a exit,always -F arch=b32 -S execve
  ### TOM ###
  - -a exit,always -F path=/opt/secret.txt -F perm=wra -k test_changes
  # Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
  # You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
  # This should be the last rule in the chain.
  - -e 1

# If kaudit filtering isn't powerful enough you can use the following filter mechanism
#filters:
  # Each filter consists of exactly 3 parts
  #- syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
  #  message_type: 1306 # The message type identifier containing the data to test against the regex
  #  regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
	# Configure socket buffers, leave unset to use the system defaults
	# Values will be doubled by the kernel
	# It is recommended you do not set any of these values unless you really need to
	socket_buffer:
	# Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
	# Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
	receive: 16384

	# Configure message sequence tracking
	message_tracking:
	# Track messages and identify if we missed any, default true
	enabled: true

	# Log out of orderness, these messages typically signify an overloading system, default false
	log_out_of_order: false

	# Maximum out of orderness before a missed sequence is presumed dropped, default 500
	max_out_of_order: 500

	# Configure where to output audit events
	# Only 1 output can be active at a given time
	output:
	# Writes to stdout
	# All program status logging will be moved to stderr
	stdout:
	enabled: false

	# Total number of attempts to write a line before considering giving up
	# If a write fails go-audit will sleep for 1 second before retrying
	# Default is 3
	attempts: 3

	# Writes logs to syslog
	syslog:
	enabled: false
	attempts: 5
	# Configure the type of socket this should be, default is unixgram
	# This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
	network: unixgram

	# Set the remote address to connect to, this can be a path or an ip address
	# This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
	address: /dev/log

	# Sets the facility and severity for all events. See the table below for help
	# The default is 132 which maps to local0 \| warn
	priority: 129 # local0 \| emerg

	# Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
	# Default value is "go-audit"
	tag: "audit-thing"

	# Appends logs to a file
	file:
	enabled: true
	attempts: 2

	# Path of the file to write lines to
	# The actual file will be created if it is missing but make sure the parent directory exists
	path: /var/log/go-audit.log

	# Octal file mode for the log file, make sure to always have a leading 0
	mode: 0600

	# User and group that should own the log file
	user: root
	group: root

	# Configure logging, only stdout and stderr are used.
	log:
	# Gives you a bit of control over log line prefixes. Default is 0 - nothing.
	# To get the `filename:lineno` you would set this to 16
	#
	# Ldate = 1 // the date in the local time zone: 2009/01/23
	# Ltime = 2 // the time in the local time zone: 01:23:23
	# Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.

	# Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
	# Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
	# LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
	#
	# See also: https://golang.org/pkg/log/#pkg-constants
	flags: 0

	rules:
	# Watch all 64 bit program executions
	#- -a exit,always -F arch=b64 -S execve
	# Watch all 32 bit program executions
	#- -a exit,always -F arch=b32 -S execve
	### TOM ###
	- -a exit,always -F path=/opt/secret.txt -F perm=wra -k test_changes
	# Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
	# You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
	# This should be the last rule in the chain.
	- -e 1

	# If kaudit filtering isn't powerful enough you can use the following filter mechanism
	#filters:
	# Each filter consists of exactly 3 parts
	#- syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
	# message_type: 1306 # The message type identifier containing the data to test against the regex
	# regex: saddr=(10..\|0A..) # The regex to test against the message specific message types data