slackhq / go-audit

go-audit is an alternative to the auditd daemon that ships with many distros


Including node hostname/ip info in log

Orrien opened this issue · comments

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hi! There is no option to include node name/ip in log output, like "name_format" in auditd.conf:
name_format
This option controls how computer node names are inserted
into the audit event stream. It has the following choices:
none, hostname, fqd, numeric, and user. None means that
no computer name is inserted into the audit event.
hostname is the name returned by the gethostname syscall.
The fqd means that it takes the hostname and resolves it
with dns for a fully qualified domain name of that
machine. Numeric is similar to fqd except it resolves the
IP address of the machine. In order to use this option,
you might want to test that 'hostname -i' or 'domainname
-i' returns a numeric address. Also, this option is not
recommended if dhcp is used because you could have
different addresses over time for the same machine. User
is an admin defined string from the name option. The
default value is none.

Is there any way to include such info in the current output?

Reproducible in:

go-audit version: 1.2.0

Expected result:

Every log line can include the node hostname/ip if the option is set to (hostname | fqd | numeric | user) in the config file, like:

{
  "sequence": 101,
  "timestamp": "1482700861.088",
  "node": "192.168.0.1",
  "messages": [
    { "type": 1300, "data": "arch=c000003e syscall=2 success=yes exit=3 a0=7ffff76f7938 a1=0 a2=20000 a3=69d items=1 ppid=12166 pid=12602 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm=\"cat\" exe=\"/bin/cat\" key=\"bees_in_my_honey\"" },
    { "type": 1307, "data": " cwd=\"/root\"" },
    { "type": 1302, "data": "item=0 name=\"/opt/secret.txt\" inode=785716 dev=fc:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL" },
    { "type": 1327, "data": "proctitle=636174002F6F70742F7365637265742E747874" }
  ],
  "uid_map": { "0": "root", "1000": "user" }
}

Actual result:

Currently, there is no such option in the config file.

I think this is related? #91

@wadey It is related only partially. #91 enables writing arbitrary static key/value pairs described in the config file. The hostname/IP, however, must be obtained by somehow querying the operating system on each host.
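The following is an added illustration of what the request above amounts to, not code from go-audit or from the issue participants. It resolves a node string once at startup according to an assumed `name_format`/`name` config block modelled on the auditd.conf options quoted in the issue (none, hostname, fqd, numeric, user), then stamps it into the JSON envelope shown in the expected output. The `AuditMessage`/`AuditMessageGroup` types, the `NodeConfig` block and the `Resolver` indirection are assumptions made for this example; the `Resolver` exists so the lookup paths can be exercised without DNS, and the sample event is a constructed, trimmed copy of the one in the issue.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
)

// NodeConfig is an assumed config block mirroring auditd.conf's name_format and
// name options. go-audit has no such setting; that is what the issue asks for.
type NodeConfig struct {
	NameFormat string // none | hostname | fqd | numeric | user
	Name       string // admin-defined string, used only with "user"
}

// Resolver bundles the OS and DNS calls so ResolveNodeName can run offline in tests.
type Resolver struct {
	Hostname func() (string, error)
	CNAME    func(string) (string, error)
	Addrs    func(string) ([]string, error)
}

// SystemResolver uses the real gethostname and DNS lookups.
func SystemResolver() Resolver {
	return Resolver{Hostname: os.Hostname, CNAME: net.LookupCNAME, Addrs: net.LookupHost}
}

// ResolveNodeName computes the node string once, at startup, the way auditd does.
// It returns "" for name_format=none so the field can be omitted from the output.
func ResolveNodeName(cfg NodeConfig, r Resolver) (string, error) {
	switch cfg.NameFormat {
	case "", "none":
		return "", nil
	case "user":
		if cfg.Name == "" {
			return "", errors.New("name_format=user requires a non-empty name")
		}
		return cfg.Name, nil
	}

	host, err := r.Hostname()
	if err != nil {
		return "", fmt.Errorf("gethostname: %w", err)
	}

	switch cfg.NameFormat {
	case "hostname":
		return host, nil
	case "fqd":
		cname, err := r.CNAME(host)
		if err != nil {
			return "", fmt.Errorf("resolving FQDN of %q: %w", host, err)
		}
		// DNS canonical names come back with a trailing dot; strip it for the log.
		return strings.TrimSuffix(cname, "."), nil
	case "numeric":
		addrs, err := r.Addrs(host)
		if err != nil {
			return "", fmt.Errorf("resolving address of %q: %w", host, err)
		}
		if len(addrs) == 0 {
			return "", fmt.Errorf("no address found for %q", host)
		}
		// Prefer a non-loopback address: a hostname that only maps to 127.0.0.1 via
		// /etc/hosts (common on DHCP clients) would otherwise yield a useless node.
		for _, a := range addrs {
			if ip := net.ParseIP(a); ip != nil && !ip.IsLoopback() {
				return a, nil
			}
		}
		return addrs[0], nil
	}
	return "", fmt.Errorf("unknown name_format %q", cfg.NameFormat)
}

// AuditMessage and AuditMessageGroup reproduce the JSON shape of the issue's
// expected output; they are assumed here, not go-audit's own types.
type AuditMessage struct {
	Type uint16 `json:"type"`
	Data string `json:"data"`
}

type AuditMessageGroup struct {
	Seq       int               `json:"sequence"`
	AuditTime string            `json:"timestamp"`
	Node      string            `json:"node,omitempty"` // dropped entirely for name_format=none
	Msgs      []AuditMessage    `json:"messages"`
	UidMap    map[string]string `json:"uid_map"`
}

// EncodeWithNode stamps the resolved node on a group and serializes it to one line.
func EncodeWithNode(g AuditMessageGroup, node string) (string, error) {
	g.Node = node
	b, err := json.Marshal(g)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// SampleGroup is a constructed event, trimmed from the example in the issue.
func SampleGroup() AuditMessageGroup {
	return AuditMessageGroup{
		Seq:       101,
		AuditTime: "1482700861.088",
		Msgs: []AuditMessage{
			{Type: 1300, Data: "arch=c000003e syscall=2 success=yes exit=3 comm=\"cat\" exe=\"/bin/cat\""},
			{Type: 1302, Data: "item=0 name=\"/opt/secret.txt\" inode=785716"},
		},
		UidMap: map[string]string{"0": "root", "1000": "user"},
	}
}

func main() {
	node, err := ResolveNodeName(NodeConfig{NameFormat: "hostname"}, SystemResolver())
	if err != nil {
		fmt.Println("node resolution failed:", err)
		os.Exit(1)
	}
	out, _ := EncodeWithNode(SampleGroup(), node)
	fmt.Println(out)
}
```

Resolving the name once at startup rather than per event keeps the hot path free of DNS calls, which matters for an audit consumer that must not fall behind the kernel's netlink socket; it also means a DHCP lease change after startup is not reflected in `numeric` output, which is exactly the caveat the auditd man page gives.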