athoune / audisp-go

golang audisp client for auditd
BSD 3-Clause "New" or "Revised" License

Audisp-go

An audisp client for the Linux auditd service: it attaches to the af_unix plugin socket and reads the audit event stream from it.

Test it

Edit the audisp af_unix plugin config (on audit 3.x the plugin directory is /etc/audit/plugins.d instead of /etc/audisp/plugins.d):

vi /etc/audisp/plugins.d/af_unix.conf
# This file controls the configuration of the
# af_unix socket plugin. It simply takes events
# and writes them to a unix domain socket. This
# plugin can take 2 arguments, the path for the
# socket and the socket permissions in octal.

active = yes
direction = out
path = builtin_af_unix
type = builtin
args = 0640 /var/run/audispd_events
format = string

active = yes and the socket path in args are what matter: the client connects to that path. The leading octal value (0640 here) is the mode of the socket file; connecting to a Unix domain socket requires write permission on it, so with 0640 only root can attach. Run the client as root rather than loosening the mode, since the stream carries every audit event on the host.

You can now build and test:

make
./bin/audisp-expr 'line.type == "SYSCALL" and line.syscall == syscall("connect") and line.comm == "curl"'

Then trigger a matching event, for example by running curl against any host. auditd only emits SYSCALL records for syscalls covered by a loaded audit rule, so if nothing shows up, check that a rule on the connect syscall is in place.
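As an added example (not code from the audisp-go project), the Go program below does the same job as the command above from scratch: it connects to the af_unix socket, parses the string-format records into key/value fields, and applies the README's filter. The hex decoding of comm/exe/proctitle values, the per-architecture syscall table (x86_64 and aarch64 only), the assumption that records arrive newline-terminated, and the sample audit lines are all this example's own; the sample lines are constructed, not captured from a host, and are there so the parser and matcher can be exercised offline.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"log"
	"net"
	"os"
	"strconv"
	"strings"
)

// Record is one audit record in auditd's "string" format: space-separated key=value pairs.
type Record struct{ Fields map[string]string }

// String fields auditd quotes, or hex-encodes (no quotes) when they hold spaces or non-printables.
var hexEncodedFields = map[string]bool{"comm": true, "exe": true, "proctitle": true, "cwd": true, "name": true}

// Syscall numbers differ per architecture, so lookups are keyed by the record's arch
// field. Only the syscall this example needs is listed (assumption: x86_64 and aarch64 hosts).
var syscallTable = map[string]map[string]int{
	"c000003e": {"connect": 42},  // x86_64
	"c00000b7": {"connect": 203}, // aarch64
}

// ParseRecord splits a line into fields, unquoting or hex-decoding string values
// (NUL separators in a hex-encoded proctitle become spaces).
func ParseRecord(line string) Record {
	r := Record{Fields: make(map[string]string)}
	for _, tok := range strings.Fields(line) {
		k, v, ok := strings.Cut(tok, "=")
		if !ok {
			continue
		}
		if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
			v = v[1 : len(v)-1]
		} else if hexEncodedFields[k] {
			if raw, err := hex.DecodeString(v); err == nil {
				v = strings.ReplaceAll(string(raw), "\x00", " ")
			}
		}
		r.Fields[k] = v
	}
	return r
}

// Serial extracts <serial> from msg=audit(<time>:<serial>):, which ties a SYSCALL
// record to the PROCTITLE and PATH records of the same event.
func (r Record) Serial() string {
	msg := r.Fields["msg"]
	open, end := strings.Index(msg, "("), strings.Index(msg, ")")
	if open < 0 || end < open {
		return ""
	}
	_, serial, _ := strings.Cut(msg[open+1:end], ":")
	return serial
}

// MatchConnectByComm is the README's expression in Go; a record from an
// architecture not in syscallTable never matches rather than guessing the number.
func MatchConnectByComm(r Record, comm string) bool {
	if r.Fields["type"] != "SYSCALL" || r.Fields["comm"] != comm {
		return false
	}
	table, ok := syscallTable[r.Fields["arch"]]
	n, err := strconv.Atoi(r.Fields["syscall"])
	return ok && err == nil && table["connect"] == n
}

// Constructed sample records (not captured from a real host): curl connect on x86_64,
// sshd connect, curl openat, curl connect on aarch64, and event 501's PROCTITLE record.
var sampleLines = []string{
	`type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd2c3e4a10 a2=10 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key=(null)`,
	`type=SYSCALL msg=audit(1700000000.124:502): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2c3e4a10 a2=10 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)`,
	`type=SYSCALL msg=audit(1700000000.125:503): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0a1e2b0 a2=80000 a3=0 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key=(null)`,
	`type=SYSCALL msg=audit(1700000000.126:504): arch=c00000b7 syscall=203 success=yes exit=0 a0=5 a1=ffffd2c3e4a0 a2=10 a3=0 items=0 ppid=1300 pid=1345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=5 comm="curl" exe="/usr/bin/curl" key=(null)`,
	`type=PROCTITLE msg=audit(1700000000.123:501): proctitle=6375726C0068747470733A2F2F6578616D706C652E636F6D`,
}

// Usage: go run . /var/run/audispd_events (the path from the af_unix plugin's args).
// Connecting needs write permission on the socket file, so with mode 0640 run as root.
func main() {
	if len(os.Args) != 2 {
		log.Fatal("usage: connect-filter <audispd socket path>")
	}
	conn, err := net.Dial("unix", os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()
	sc := bufio.NewScanner(conn) // assumption: records are newline-terminated and fit Scanner's 64 KiB default
	for sc.Scan() {
		if r := ParseRecord(sc.Text()); MatchConnectByComm(r, "curl") {
			fmt.Printf("serial=%s pid=%s exe=%s\n", r.Serial(), r.Fields["pid"], r.Fields["exe"])
		}
	}
}
```

Two points the filter expression hides. Syscall numbers are per architecture (connect is 42 on x86_64 but 203 on aarch64), so a filter on the bare number without the arch field silently misses or mismatches events, which is why the table above is keyed by arch. And comm is a 15-byte name any process can set for itself with prctl, so it is a convenience filter, not a trust boundary; the PROCTITLE record with the same serial carries the actual command line, and exe the resolved binary.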