Update the examples

auditNG · Sep 15, 2016 · a8ecf08 · a8ecf08
1 parent 60cc585
commit a8ecf08
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 11 deletions.
diff --git a/audit.go b/audit.go
@@ -11,9 +11,9 @@ import (
 	"log/syslog"
 	"os"
 	"os/exec"
+	"regexp"
 	"strconv"
 	"strings"
-	"regexp"
 )
 
 var l = log.New(os.Stdout, "", 0)

diff --git a/go-audit.yaml.example b/go-audit.yaml.example
@@ -1,5 +1,5 @@
 #########################################################################################
-# Please not that until this bug https://github.com/spf13/viper/pull/165 is fixed       #
+# Please note that until this bug https://github.com/spf13/viper/pull/165 is fixed      #
 # you _must_ specify all values despite the fact that they talk about having a default. #
 # Hopefully this problem with viper goes away soon                                      #
 #########################################################################################
@@ -73,3 +73,10 @@ rules:
   - -a exit,always -F arch=b64 -S execve
   # Watch all 32 bit program executions
   - -a exit,always -F arch=b32 -S execve
+
+# If kaudit filtering isn't powerful enough you can use the following filter mechanism
+filters:
+  # Each filter consists of exactly 3 parts
+  - syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
+    message_type: 1306 # The message type identifier containing the data to test against the regex
+    regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
diff --git a/marshaller.go b/marshaller.go
@@ -41,19 +41,19 @@ func NewAuditMarshaller(w *AuditWriter, trackMessages, logOOO bool, maxOOO int,
 		trackMessages: trackMessages,
 		logOutOfOrder: logOOO,
 		maxOutOfOrder: maxOOO,
-		filters: make(map[string]map[uint16][]*regexp.Regexp),
+		filters:       make(map[string]map[uint16][]*regexp.Regexp),
 	}
 
-   for _, filter := range filters {
-       if _, ok := am.filters[filter.syscall]; !ok {
-           am.filters[filter.syscall] = make(map[uint16][]*regexp.Regexp)
-       }
+	for _, filter := range filters {
+		if _, ok := am.filters[filter.syscall]; !ok {
+			am.filters[filter.syscall] = make(map[uint16][]*regexp.Regexp)
+		}
 
-	   if _, ok := am.filters[filter.syscall][filter.messageType]; !ok {
-		   am.filters[filter.syscall][filter.messageType] = []*regexp.Regexp{}
-	   }
+		if _, ok := am.filters[filter.syscall][filter.messageType]; !ok {
+			am.filters[filter.syscall][filter.messageType] = []*regexp.Regexp{}
+		}
 
-	   am.filters[filter.syscall][filter.messageType] = append(am.filters[filter.syscall][filter.messageType], filter.regex)
+		am.filters[filter.syscall][filter.messageType] = append(am.filters[filter.syscall][filter.messageType], filter.regex)
 	}
 
 	return &am