Documentation
Overview
Package kernel is a metricset that subscribes to the Linux Audit Framework to receive audit events from the kernel.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
Types
type Config
type Config struct {
	ResolveIDs   bool   `config:"kernel.resolve_ids"`         // Resolve UID/GIDs to names.
	FailureMode  string `config:"kernel.failure_mode"`        // Failure mode for the kernel (silent, log, panic).
	BacklogLimit uint32 `config:"kernel.backlog_limit"`       // Max number of messages to buffer in the kernel.
	RateLimit    uint32 `config:"kernel.rate_limit"`          // Rate limit in messages/sec of messages from the kernel.
	RawMessage   bool   `config:"kernel.include_raw_message"` // Include the list of raw audit messages in the event.
	Warnings     bool   `config:"kernel.include_warnings"`    // Include warnings in the event (for dev/debug purposes only).
	RulesBlob    string `config:"kernel.audit_rules"`         // Audit rules. One rule per line.
	SocketType   string `config:"kernel.socket_type"`         // Socket type to use with the kernel (unicast or multicast).

	// Tuning options (advanced, use with care)
	ReassemblerMaxInFlight uint32        `config:"kernel.reassembler.max_in_flight"`
	ReassemblerTimeout     time.Duration `config:"kernel.reassembler.timeout"`
	StreamBufferQueueSize  uint32        `config:"kernel.reassembler.queue_size"`
}
Config defines the kernel metricset's possible configuration options.
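As an added example (not part of the package or its documentation), here is a configuration fragment that sets the options above. The `kernel.*` keys are the ones from the Config struct; the `auditbeat.modules` / `module: audit` layout is an assumption about the enclosing Beat, and the rules are constructed examples in auditctl syntax.

```yaml
auditbeat.modules:
- module: audit                  # assumed module name; the page documents only the kernel metricset
  metricsets: [kernel]
  kernel.resolve_ids: true             # translate UID/GID to user and group names in the event
  kernel.failure_mode: log             # silent | log | panic; panic halts the host if auditing fails
  kernel.backlog_limit: 8192           # kernel-side buffer; raise it if events are dropped under load
  kernel.rate_limit: 0                 # 0 = unlimited; a non-zero value drops events above N msgs/sec
  kernel.include_raw_message: false    # raw audit lines inflate event size; enable only for debugging
  kernel.include_warnings: false       # dev/debug only
  kernel.socket_type: unicast          # unicast takes sole ownership of the audit socket;
                                       # multicast (kernel 3.16+) can coexist with a running auditd
  kernel.audit_rules: |
    # One rule per line, auditctl syntax (constructed example rules).
    # Watch identity files for writes and attribute changes.
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/sudoers -p wa -k identity
    # Record every execve on both the 64-bit and 32-bit syscall ABIs.
    -a always,exit -F arch=b64 -S execve -k exec
    -a always,exit -F arch=b32 -S execve -k exec
```

The reassembler tuning keys (`kernel.reassembler.max_in_flight`, `kernel.reassembler.timeout`, `kernel.reassembler.queue_size`) are left at their defaults here; the struct comment marks them as advanced options.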
type MetricSet
type MetricSet struct {
mb.BaseMetricSet
// contains filtered or unexported fields
}
MetricSet listens for audit messages from the Linux kernel using a netlink socket. It buffers the messages to ensure ordering and then streams the output. MetricSet implements the mb.PushMetricSet interface, and therefore does not rely on polling.
func (*MetricSet) Run
func (ms *MetricSet) Run(reporter mb.PushReporter)
Run initializes the audit client and receives audit messages from the kernel until the reporter's done channel is closed.
Source Files
- audit_linux.go
- config.go
- doc.go