forked from slackhq/go-audit
-
Notifications
You must be signed in to change notification settings - Fork 2
/
go-audit.yaml.example
152 lines (128 loc) · 5.77 KB
/
go-audit.yaml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
# Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
# Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
receive: 16384
events:
# Minimum event type to capture, default 1300
min: 1300
# Maximum event type to capture, default 1399
max: 1399
# Configure message sequence tracking
message_tracking:
# Track messages and identify if we missed any, default true
enabled: true
# Log out of orderness, these messages typically signify an overloading system, default false
log_out_of_order: false
# Maximum out of orderness before a missed sequence is presumed dropped, default 500
max_out_of_order: 500
# Configure where to output audit events
# Only 1 output can be active at a given time
output:
# Writes to stdout
# All program status logging will be moved to stderr
stdout:
enabled: true
# Total number of attempts to write a line before considering giving up
# If a write fails go-audit will sleep for 1 second before retrying
# Default is 3
attempts: 2
# Writes logs to syslog
syslog:
enabled: false
attempts: 5
# Configure the type of socket this should be, default is unixgram
# This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
network: unixgram
# Set the remote address to connect to, this can be a path or an ip address
# This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
address: /dev/log
# Sets the facility and severity for all events. See the table below for help
# The default is 132 which maps to local0 | warn
priority: 129 # local0 | emerg
# Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
# Default value is "go-audit"
tag: "audit-thing"
# Appends logs to a file
file:
enabled: false
attempts: 2
# Path of the file to write lines to
# The actual file will be created if it is missing but make sure the parent directory exists
path: /var/log/go-audit/go-audit.log
# Octal file mode for the log file, make sure to always have a leading 0
mode: 0600
# User and group that should own the log file
user: root
group: root
# Writes logs to Graylog2 server using GELF standard: http://docs.graylog.org/en/stable/pages/gelf.html
gelf:
enabled: false
attempts: 3
# Configure the type of socket this should be, this can only be "udp" or "tcp".
# Default value is "udp".
network: udp
# Set the remote address to connect to, this can be an IP address or a hostname and port.
# This setting is mandatory and has no default value.
address: localhost:12201
# Defines the compression settings when using GELF over UDP network
compression:
# Sets the level of compression
# This maps to `compress/flate` consts: https://godoc.org/compress/flate#pkg-constants
# Default value is: 1, which means "BestSpeed"
level: 1
# Configure the compression type the writer should use when sending messages to server
# This maps to `CompressionType` into gelf library: https://godoc.org/gopkg.in/Graylog2/go-gelf.v2/gelf#CompressType
# Default values is: 0, which means "Gzip"
type: 0
# Configure logging, only stdout and stderr are used.
log:
# Gives you a bit of control over log line prefixes. Default is 0 - nothing.
# To get the `filename:lineno` you would set this to 16
#
# Ldate = 1 // the date in the local time zone: 2009/01/23
# Ltime = 2 // the time in the local time zone: 01:23:23
# Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.
# Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
# Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
# LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
#
# See also: https://golang.org/pkg/log/#pkg-constants
flags: 0
rules:
# Watch all 64 bit program executions
- -a exit,always -F arch=b64 -S execve
# Watch all 32 bit program executions
- -a exit,always -F arch=b32 -S execve
# Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
# You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
# This should be the last rule in the chain.
- -e 1
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
# Each filter consists of exactly 3 parts
- syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
message_type: 1306 # The message type identifier containing the data to test against the regex
regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
extras:
# Fetch extra fields for containers:
# - containers.id
# - containers.image (requires docker)
# - containers.name (from kubernetes, if docker enabled)
# - containers.pod_uid (from kubernetes, if docker enabled)
# - containers.pod_name (from kubernetes, if available)
# - containers.pod_namespace (from kubernetes, if available)
#
# The values listed below are the defaults, you can specify only the ones
# you need to change
containers:
enabled: false
# if enabled, make requests to the local docker daemon for extra container details
docker: false
docker_api_version: 1.24
# number of pid -> container_id mappings to cache (0 means disable cache)
pid_cache: 0
# number of container_id -> docker_details to cache (0 means disable cache)
docker_cache: 0