/*
 * auditd-plugin-clickhouse is an auditd plugin for sending auditd data
 * to clickhouse DB.
 * Copyright (C) 2019 Aleksei Nikiforov
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see .
 *
 */

// Declarations for the per-field value holders built from auparse records,
// and for the factory that maps an auparse field type to a holder class.
//
// NOTE(review): this copy of the header lost everything that was written
// between angle brackets: the targets of the ten #include directives below,
// and the template argument lists (std::vector, std::map, std::shared_ptr,
// std::list, boost::optional, the `template` parameter list). The code tokens
// are kept exactly as found; restore them from the upstream file before
// building.
//
// NOTE(review): field values are taken from audit records, whose content
// (paths, arguments and similar) is presumably influenced by the audited
// processes. Nothing declared in this header bounds or sanitises the stored
// strings, so code that consumes them should treat them as untrusted data.

#ifndef AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP
#define AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

class AbstractRecordFieldFactory;

// Abstract base for one named field of an audit record. Subclasses implement
// how a value is read from the auparse state and how it is handed to the
// output columns.
class AbstractRecordField
{
public:
	// Kind of value a concrete field holds; reported by getType().
	enum class Type
	{
		Int,
		String,
		InterpretedString,
		InterpretedStringArray
	};

	virtual ~AbstractRecordField() = default;

	// Reads the field's value from the auparse state.
	// NOTE(review): the header does not say whether `record` may be null or
	// where its cursor has to be positioned; confirm in the implementations.
	virtual void addOrUpdateValue(auparse_state_t *record) = 0;

	// Presumably writes the held value into the supplied columns; the
	// element type of the vector is not visible in this copy.
	virtual void addToColumn(const std::vector &columns) const = 0;

	virtual Type getType() const = 0;

	// Returns a copy of the field name.
	std::string getName() const { return m_name; }

protected:
	// Construction and copying are limited to subclasses and to the friend
	// factory declared below.
	explicit AbstractRecordField(const std::string &name);
	AbstractRecordField(const AbstractRecordField &other) = default;
	AbstractRecordField& operator=(const AbstractRecordField &other) = default;

	std::string m_name;

	friend class AbstractRecordFieldFactory;
};

// One audit record: time, serial, node and a map of its fields.
// NOTE(review): the public section is empty in this view, and m_seconds,
// m_milliseconds and m_serial have neither in-class initialisers nor a
// declared constructor, so their initial values are indeterminate unless they
// are set elsewhere. Confirm before anything reads them.
class AuditRecord
{
public:

private:
	time_t m_seconds;
	uint64_t m_milliseconds;
	uint64_t m_serial;
	std::string m_node; // skip processing node from record fields
	std::map > m_fields;
};

// Creates record field objects by auparse field type. The default constructor
// is protected and copying is deleted; the shared object is reached through
// instance(), whose definition is not in this header.
class AbstractRecordFieldFactory
{
public:
	// Builds a field object named `field_name` for `field_type`.
	// NOTE(review): what is returned for a type with no registered factory is
	// decided in the definition; callers should check for an empty pointer
	// until that is confirmed.
	std::shared_ptr createFromAuditRecord(const std::string &field_name, auparse_type_t field_type);

	static AbstractRecordFieldFactory& instance();

	// Registration helper: constructing one stores
	// RecordFieldType::createRecord in the factory map under `type`.
	// The assignment replaces any factory already stored for that type, so a
	// duplicate registration silently wins over the earlier one.
	// NOTE(review): if these objects are created during static
	// initialisation, correctness depends on how instance() creates the
	// factory; verify in the .cpp.
	template class AuditRecordFieldRegister
	{
	public:
		explicit AuditRecordFieldRegister(auparse_type_t type)
		{
			AbstractRecordFieldFactory::instance().m_factoryMap[type] = &RecordFieldType::createRecord;
		}
	};

protected:
	AbstractRecordFieldFactory() = default;
	AbstractRecordFieldFactory(const AbstractRecordFieldFactory &other) = delete;
	AbstractRecordFieldFactory& operator=(const AbstractRecordFieldFactory &other) = delete;

	// Indexed by auparse_type_t (see AuditRecordFieldRegister); each entry is
	// a callable that takes the field name.
	std::map(const std::string &name)> > m_factoryMap;
};

// Shared base of the string-valued fields: holds one optional value and
// provides the addToColumn() override for it.
class CommonStringRecordField: public AbstractRecordField
{
public:
	virtual void addToColumn(const std::vector &columns) const override;

protected:
	explicit CommonStringRecordField(const std::string &name);

	// Empty until a value has been stored.
	boost::optional m_value;
};

// String field; reports its own Type through getType().
// The constructor is protected, so instances are made through createRecord().
// NOTE(review): presumably stores the field value as found in the record,
// without interpretation; confirm in the .cpp.
class StringRecordField: public CommonStringRecordField
{
public:
	static std::shared_ptr createRecord(const std::string &name);

	virtual void addOrUpdateValue(auparse_state_t *record) override;
	virtual Type getType() const override;

protected:
	explicit StringRecordField(const std::string &name);
};

// String field whose value is presumably the interpreted form produced by
// auparse. Instances are made through createRecord().
class InterpretedStringRecordField: public CommonStringRecordField
{
public:
	static std::shared_ptr createRecord(const std::string &name);

	virtual void addOrUpdateValue(auparse_state_t *record) override;
	virtual Type getType() const override;

protected:
	explicit InterpretedStringRecordField(const std::string &name);
};

// Extends the interpreted-string field with an optional integer value kept
// next to the inherited string value, and overrides addToColumn().
// NOTE(review): how the integer is parsed, and what happens for non-numeric
// or out-of-range input, is decided in the .cpp; confirm that such input
// leaves m_int_value empty rather than storing a truncated number.
class IntegerRecordField: public InterpretedStringRecordField
{
public:
	static std::shared_ptr createRecord(const std::string &name);

	virtual void addOrUpdateValue(auparse_state_t *record) override;
	virtual void addToColumn(const std::vector &columns) const override;
	virtual Type getType() const override;

protected:
	explicit IntegerRecordField(const std::string &name);

	boost::optional m_int_value;
};

// Field that keeps a list of values instead of a single one; derives directly
// from AbstractRecordField. Instances are made through createRecord().
// NOTE(review): no limit on the number of stored elements is visible here.
class InterpretedStringArrayRecordField: public AbstractRecordField
{
public:
	static std::shared_ptr createRecord(const std::string &name);

	virtual void addOrUpdateValue(auparse_state_t *record) override;
	virtual void addToColumn(const std::vector &columns) const override;
	virtual Type getType() const override;

protected:
	explicit InterpretedStringArrayRecordField(const std::string &name);

	std::list m_value;
};

#endif /* AUDITD_PLUGIN_CLICKHOUSE_RECORD_HPP */