auditd-plugin-clickhouse/auditd-record.cpp

757 lines
24 KiB
C++

/*
* auditd-plugin-clickhouse is an auditd plugin for sending auditd data
* to clickhouse DB.
* Copyright (C) 2019-2020 Aleksei Nikiforov <darktemplar@basealt.ru>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
*/
#include "auditd-record.hpp"
#include "logging.hpp"
#include "utils.hpp"
#include <functional>
#include <set>
#include <boost/lexical_cast.hpp>
#include <clickhouse-cpp/columns/array.h>
#include <clickhouse-cpp/columns/nullable.h>
#include <clickhouse-cpp/columns/numeric.h>
#include <clickhouse-cpp/columns/string.h>
namespace {
std::map<auparse_type_t, std::function<bool(const std::string &)> >& get_audit_type_check_instance()
{
static std::map<auparse_type_t, std::function<bool(const std::string &)> > instance;
return instance;
}
class AuditTypeCheckRegister
{
public:
AuditTypeCheckRegister(auparse_type_t type, const std::function<bool(const std::string &)> &func)
{
get_audit_type_check_instance()[type] = func;
}
};
std::function<bool(const std::string &)> integer_record_type_check_function()
{
return [](const std::string &value) -> bool {
std::set<std::string> allowed_values = {
"integer"
};
return (allowed_values.find(value) != allowed_values.end());
};
}
std::function<bool(const std::string &)> interpreted_string_record_type_check_function()
{
return [](const std::string &value) -> bool {
std::set<std::string> allowed_values = {
"string",
"string_array"
};
return (allowed_values.find(value) != allowed_values.end());
};
}
std::function<bool(const std::string &)> any_record_type_check_function()
{
return [](const std::string &value) -> bool {
return true;
};
}
} // unnamed namespace
#define register_record_type(audit_type, check_function) \
static const AuditTypeCheckRegister audit_type_check_register_##audit_type(audit_type, check_function)
register_record_type(AUPARSE_TYPE_UNCLASSIFIED, any_record_type_check_function());
register_record_type(AUPARSE_TYPE_UID, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_GID, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_SYSCALL, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_ARCH, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_EXIT, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_ESCAPED, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_PERM, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_MODE, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_SOCKADDR, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_FLAGS, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_PROMISC, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_CAPABILITY, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_SUCCESS, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_A0, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_A1, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_A2, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_A3, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_SIGNAL, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_LIST, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_TTY_DATA, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_SESSION, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_CAP_BITMAP, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_NFPROTO, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_ICMPTYPE, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_PROTOCOL, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_ADDR, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_PERSONALITY, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_SECCOMP, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_OFLAG, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_MMAP, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_MODE_SHORT, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_MAC_LABEL, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_PROCTITLE, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_HOOK, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_NETACTION, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_MACPROTO, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_IOCTL_REQ, integer_record_type_check_function());
register_record_type(AUPARSE_TYPE_ESCAPED_KEY, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_ESCAPED_FILE, interpreted_string_record_type_check_function());
register_record_type(AUPARSE_TYPE_FANOTIFY, interpreted_string_record_type_check_function());
#undef register_record_type
bool check_field_type(auparse_type_t field_type, const std::string &database_type, const std::string &database_field_name)
{
const auto &check_instance = get_audit_type_check_instance();
auto check_type_function = check_instance.find(field_type);
if (check_type_function != check_instance.end())
{
return check_type_function->second(database_type);
}
else
{
Logger::write("Warning: unknown record type for record name \"%s\"", database_field_name.c_str());
return interpreted_string_record_type_check_function()(database_type);
}
}
std::string field_type_to_string(auparse_type_t field_type)
{
#define field_type_macro(T) { T, #T }
static const std::map<auparse_type_t, std::string> s_field_type_to_string_map = {
field_type_macro(AUPARSE_TYPE_UNCLASSIFIED),
field_type_macro(AUPARSE_TYPE_UID),
field_type_macro(AUPARSE_TYPE_GID),
field_type_macro(AUPARSE_TYPE_SYSCALL),
field_type_macro(AUPARSE_TYPE_ARCH),
field_type_macro(AUPARSE_TYPE_EXIT),
field_type_macro(AUPARSE_TYPE_ESCAPED),
field_type_macro(AUPARSE_TYPE_PERM),
field_type_macro(AUPARSE_TYPE_MODE),
field_type_macro(AUPARSE_TYPE_SOCKADDR),
field_type_macro(AUPARSE_TYPE_FLAGS),
field_type_macro(AUPARSE_TYPE_PROMISC),
field_type_macro(AUPARSE_TYPE_CAPABILITY),
field_type_macro(AUPARSE_TYPE_SUCCESS),
field_type_macro(AUPARSE_TYPE_A0),
field_type_macro(AUPARSE_TYPE_A1),
field_type_macro(AUPARSE_TYPE_A2),
field_type_macro(AUPARSE_TYPE_A3),
field_type_macro(AUPARSE_TYPE_SIGNAL),
field_type_macro(AUPARSE_TYPE_LIST),
field_type_macro(AUPARSE_TYPE_TTY_DATA),
field_type_macro(AUPARSE_TYPE_SESSION),
field_type_macro(AUPARSE_TYPE_CAP_BITMAP),
field_type_macro(AUPARSE_TYPE_NFPROTO),
field_type_macro(AUPARSE_TYPE_ICMPTYPE),
field_type_macro(AUPARSE_TYPE_PROTOCOL),
field_type_macro(AUPARSE_TYPE_ADDR),
field_type_macro(AUPARSE_TYPE_PERSONALITY),
field_type_macro(AUPARSE_TYPE_SECCOMP),
field_type_macro(AUPARSE_TYPE_OFLAG),
field_type_macro(AUPARSE_TYPE_MMAP),
field_type_macro(AUPARSE_TYPE_MODE_SHORT),
field_type_macro(AUPARSE_TYPE_MAC_LABEL),
field_type_macro(AUPARSE_TYPE_PROCTITLE),
field_type_macro(AUPARSE_TYPE_HOOK),
field_type_macro(AUPARSE_TYPE_NETACTION),
field_type_macro(AUPARSE_TYPE_MACPROTO),
field_type_macro(AUPARSE_TYPE_IOCTL_REQ),
field_type_macro(AUPARSE_TYPE_ESCAPED_KEY),
field_type_macro(AUPARSE_TYPE_ESCAPED_FILE),
field_type_macro(AUPARSE_TYPE_FANOTIFY)
};
#undef field_type_macro
auto iter = s_field_type_to_string_map.find(field_type);
if (iter != s_field_type_to_string_map.end())
{
return iter->second;
}
else
{
Logger::write("Warning: unknown field type for field type id \"%d\"", field_type);
return "unknown";
}
}
std::string generate_name_for_audit_record(const AuditRecord &record)
{
return boost::lexical_cast<std::string>(record.time)
+ "_" + boost::lexical_cast<std::string>(record.milliseconds)
+ "_" + boost::lexical_cast<std::string>(record.serial)
+ "_" + record.node
+ ".json";
}
AbstractRecordField::AbstractRecordField(const std::string &name)
: m_name(name)
{
}
CommonStringRecordField::CommonStringRecordField(const std::string &name)
: AbstractRecordField(name)
{
}
std::vector<AbstractRecordField::Column> CommonStringRecordField::generateColumnsAndNames() const
{
return std::vector<AbstractRecordField::Column> {
Column { m_name, std::make_shared<clickhouse::ColumnNullable>(std::make_shared<clickhouse::ColumnString>(), std::make_shared<clickhouse::ColumnUInt8>()) }
};
}
void CommonStringRecordField::addToColumn(const std::vector<Column> &columns) const
{
if ((columns.size() != 1) || (!columns[0].value))
{
throw std::runtime_error("CommonStringRecordField::addToColumn: invalid columns argument");
}
auto nullable = columns[0].value->As<clickhouse::ColumnNullable>();
if (!nullable)
{
throw std::runtime_error("Invalid column type: not ColumnNullable");
}
auto nested = nullable->Nested();
if ((!nested) || (nested->Type()->GetCode() != clickhouse::Type::String))
{
throw std::runtime_error("Invalid nested column type: not String");
}
auto data_column = std::make_shared<clickhouse::ColumnString>();
auto null_column = std::make_shared<clickhouse::ColumnUInt8>();
if (m_value)
{
data_column->Append(*m_value);
null_column->Append(0);
}
else
{
data_column->Append(std::string());
null_column->Append(1);
}
columns[0].value->Append(std::make_shared<clickhouse::ColumnNullable>(data_column, null_column));
}
const boost::optional<std::string>& CommonStringRecordField::getStringValue() const
{
return m_value;
}
void CommonStringRecordField::setStringValue(const boost::optional<std::string> &value)
{
m_value = value;
}
std::shared_ptr<StringRecordField> StringRecordField::createRecord(const std::string &name)
{
std::shared_ptr<StringRecordField> result;
result.reset(new StringRecordField(name));
return result;
}
void StringRecordField::addOrUpdateValue(auparse_state_t *record)
{
if (record)
{
m_value = string_or_null(auparse_get_field_str(record));
}
else
{
m_value = boost::none;
}
}
StringRecordField::StringRecordField(const std::string &name)
: CommonStringRecordField(name)
{
}
AbstractRecordField::Type StringRecordField::getType() const
{
return AbstractRecordField::Type::String;
}
std::shared_ptr<InterpretedStringRecordField> InterpretedStringRecordField::createRecord(const std::string &name)
{
std::shared_ptr<InterpretedStringRecordField> result;
result.reset(new InterpretedStringRecordField(name));
return result;
}
InterpretedStringRecordField::InterpretedStringRecordField(const std::string &name)
: CommonStringRecordField(name)
{
}
void InterpretedStringRecordField::addOrUpdateValue(auparse_state_t *record)
{
if (record)
{
m_value = string_or_null(auparse_interpret_field(record));
}
else
{
m_value = boost::none;
}
}
AbstractRecordField::Type InterpretedStringRecordField::getType() const
{
return AbstractRecordField::Type::InterpretedString;
}
std::shared_ptr<IntegerRecordField> IntegerRecordField::createRecord(const std::string &name)
{
std::shared_ptr<IntegerRecordField> result;
result.reset(new IntegerRecordField(name));
return result;
}
IntegerRecordField::IntegerRecordField(const std::string &name)
: InterpretedStringRecordField(name)
{
}
void IntegerRecordField::addOrUpdateValue(auparse_state_t *record)
{
InterpretedStringRecordField::addOrUpdateValue(record);
if (record)
{
m_int_value = auparse_get_field_int(record);
}
else
{
m_int_value = boost::none;
}
}
std::vector<AbstractRecordField::Column> IntegerRecordField::generateColumnsAndNames() const
{
return std::vector<AbstractRecordField::Column> {
Column { m_name + "_IntValue", std::make_shared<clickhouse::ColumnNullable>(std::make_shared<clickhouse::ColumnInt64>(), std::make_shared<clickhouse::ColumnUInt8>()) },
Column { m_name + "_InterpretedValue", std::make_shared<clickhouse::ColumnNullable>(std::make_shared<clickhouse::ColumnString>(), std::make_shared<clickhouse::ColumnUInt8>()) }
};
}
void IntegerRecordField::addToColumn(const std::vector<Column> &columns) const
{
if ((columns.size() != 2) || (!columns[0].value) || (!columns[1].value))
{
throw std::runtime_error("IntegerRecordField::addToColumn: invalid columns argument");
}
auto nullable = columns[0].value->As<clickhouse::ColumnNullable>();
if (!nullable)
{
throw std::runtime_error("Invalid column type: not ColumnNullable");
}
auto nested = nullable->Nested();
if ((!nested) || (nested->Type()->GetCode() != clickhouse::Type::Int64))
{
throw std::runtime_error("Invalid nested column type: not Int64");
}
auto data_column = std::make_shared<clickhouse::ColumnInt64>();
auto null_column = std::make_shared<clickhouse::ColumnUInt8>();
if (m_int_value)
{
data_column->Append(*m_int_value);
null_column->Append(0);
}
else
{
data_column->Append(0);
null_column->Append(1);
}
std::vector<Column> string_columns;
string_columns.push_back(columns[1]);
columns[0].value->Append(std::make_shared<clickhouse::ColumnNullable>(data_column, null_column));
// now also add string value
InterpretedStringRecordField::addToColumn(string_columns);
}
AbstractRecordField::Type IntegerRecordField::getType() const
{
return AbstractRecordField::Type::Int;
}
const boost::optional<int>& IntegerRecordField::getIntValue() const
{
return m_int_value;
}
void IntegerRecordField::setIntValue(const boost::optional<int> &value)
{
m_int_value = value;
}
std::shared_ptr<InterpretedStringArrayRecordField> InterpretedStringArrayRecordField::createRecord(const std::string &name)
{
std::shared_ptr<InterpretedStringArrayRecordField> result;
result.reset(new InterpretedStringArrayRecordField(name));
return result;
}
void InterpretedStringArrayRecordField::addOrUpdateValue(auparse_state_t *record)
{
if (record)
{
m_names_array.push_back(string_or_null(auparse_get_field_name(record)));
m_values_array.push_back(string_or_null(auparse_interpret_field(record)));
}
}
std::vector<AbstractRecordField::Column> InterpretedStringArrayRecordField::generateColumnsAndNames() const
{
return std::vector<AbstractRecordField::Column> {
Column { m_name + "_Name", std::make_shared<clickhouse::ColumnArray>(std::make_shared<clickhouse::ColumnString>()) },
Column { m_name + "_Value", std::make_shared<clickhouse::ColumnArray>(std::make_shared<clickhouse::ColumnString>()) }
};
}
void InterpretedStringArrayRecordField::addToColumn(const std::vector<Column> &columns) const
{
if ((columns.size() != 2) || (!columns[0].value) || (!columns[1].value))
{
throw std::runtime_error("InterpretedStringArrayRecordField::addToColumn: invalid columns argument");
}
auto array_names = columns[0].value->As<clickhouse::ColumnArray>();
if (!array_names)
{
throw std::runtime_error("Invalid column 0 type: not ColumnArray");
}
auto array_values = columns[1].value->As<clickhouse::ColumnArray>();
if (!array_values)
{
throw std::runtime_error("Invalid column 1 type: not ColumnArray");
}
auto name_column = std::make_shared<clickhouse::ColumnString>();
for (auto iter = m_names_array.begin(); iter != m_names_array.end(); ++iter)
{
name_column->Append(*iter);
}
auto value_column = std::make_shared<clickhouse::ColumnString>();
for (auto iter = m_values_array.begin(); iter != m_values_array.end(); ++iter)
{
value_column->Append(*iter);
}
array_names->AppendAsColumn(name_column);
array_values->AppendAsColumn(value_column);
}
InterpretedStringArrayRecordField::InterpretedStringArrayRecordField(const std::string &name)
: AbstractRecordField(name)
{
}
AbstractRecordField::Type InterpretedStringArrayRecordField::getType() const
{
return AbstractRecordField::Type::InterpretedStringArray;
}
const std::list<std::string>& InterpretedStringArrayRecordField::getNamesArray() const
{
return m_names_array;
}
const std::list<std::string>& InterpretedStringArrayRecordField::getValuesArray() const
{
return m_values_array;
}
void InterpretedStringArrayRecordField::setArrays(std::list<std::string> names_array, std::list<std::string> values_array)
{
if (names_array.size() != values_array.size())
{
throw std::runtime_error("InterpretedStringArrayRecordField::setArrays: array sizes mismatch");
}
m_names_array.swap(names_array);
m_values_array.swap(values_array);
}
boost::property_tree::ptree AuditRecord::toPtree() const
{
boost::property_tree::ptree data;
data.put_child("time", boost::property_tree::ptree(boost::lexical_cast<std::string>(this->time)));
data.put_child("milliseconds", boost::property_tree::ptree(boost::lexical_cast<std::string>(this->milliseconds)));
data.put_child("serial", boost::property_tree::ptree(boost::lexical_cast<std::string>(this->serial)));
data.put_child("node", boost::property_tree::ptree(this->node));
boost::property_tree::ptree fields_data;
for (auto iter = this->fields.begin(); iter != this->fields.end(); ++iter)
{
boost::property_tree::ptree item;
item.put_child("type", boost::property_tree::ptree(boost::lexical_cast<std::string>(static_cast<int>(iter->second->getType()))));
switch (iter->second->getType())
{
case AbstractRecordField::Type::Int:
{
auto ptr = std::dynamic_pointer_cast<IntegerRecordField>(iter->second);
if (ptr)
{
auto int_value = ptr->getIntValue();
if (int_value)
{
item.put_child("value_int", boost::property_tree::ptree(boost::lexical_cast<std::string>(*int_value)));
}
auto str_value = ptr->getStringValue();
if (str_value)
{
item.put_child("value_str", boost::property_tree::ptree(*str_value));
}
}
}
break;
case AbstractRecordField::Type::String:
case AbstractRecordField::Type::InterpretedString:
{
auto ptr = std::dynamic_pointer_cast<CommonStringRecordField>(iter->second);
if (ptr)
{
auto str_value = ptr->getStringValue();
if (str_value)
{
item.put_child("value_str", boost::property_tree::ptree(*str_value));
}
}
}
break;
case AbstractRecordField::Type::InterpretedStringArray:
{
auto ptr = std::dynamic_pointer_cast<InterpretedStringArrayRecordField>(iter->second);
if (ptr)
{
const auto &names_list = ptr->getNamesArray();
const auto &values_list = ptr->getValuesArray();
boost::property_tree::ptree names_tree, values_tree;
for (auto array_iter = names_list.begin(); array_iter != names_list.end(); ++array_iter)
{
names_tree.push_back(std::make_pair(std::string(), boost::property_tree::ptree(*array_iter)));
}
for (auto array_iter = values_list.begin(); array_iter != values_list.end(); ++array_iter)
{
values_tree.push_back(std::make_pair(std::string(), boost::property_tree::ptree(*array_iter)));
}
item.put_child("names", names_tree);
item.put_child("values", values_tree);
}
}
break;
}
fields_data.put_child(iter->first, item);
}
data.put_child("fields", fields_data);
return data;
}
AuditRecord AuditRecord::fromPtree(const boost::property_tree::ptree &data)
{
AuditRecord result;
{
auto child = data.get_child_optional("time");
if (child)
{
result.time = boost::lexical_cast<decltype(AuditRecord::time)>(child->get_value<std::string>());
}
}
{
auto child = data.get_child_optional("milliseconds");
if (child)
{
result.milliseconds = boost::lexical_cast<decltype(AuditRecord::milliseconds)>(child->get_value<std::string>());
}
}
{
auto child = data.get_child_optional("serial");
if (child)
{
result.serial = boost::lexical_cast<decltype(AuditRecord::serial)>(child->get_value<std::string>());
}
}
{
auto child = data.get_child_optional("node");
if (child)
{
result.node = boost::lexical_cast<decltype(AuditRecord::node)>(child->get_value<std::string>());
}
}
{
auto fields = data.get_child_optional("fields");
if (fields)
{
for (auto iter = fields->begin(); iter != fields->end(); ++iter)
{
auto field_type = iter->second.get_child_optional("type");
if (field_type)
{
auto field_type_value = static_cast<AbstractRecordField::Type>(boost::lexical_cast<int>(field_type->get_value<std::string>()));
switch (field_type_value)
{
case AbstractRecordField::Type::Int:
{
auto record_field = IntegerRecordField::createRecord(iter->first);
if (record_field)
{
auto int_value = iter->second.get_child_optional("value_int");
if (int_value)
{
record_field->setIntValue(boost::lexical_cast<int>(int_value->get_value<std::string>()));
}
auto str_value = iter->second.get_child_optional("value_str");
if (str_value)
{
record_field->setStringValue(str_value->get_value<std::string>());
}
result.fields[iter->first] = record_field;
}
}
break;
case AbstractRecordField::Type::String:
{
auto record_field = StringRecordField::createRecord(iter->first);
if (record_field)
{
auto str_value = iter->second.get_child_optional("value_str");
if (str_value)
{
record_field->setStringValue(str_value->get_value<std::string>());
}
result.fields[iter->first] = record_field;
}
}
break;
case AbstractRecordField::Type::InterpretedString:
{
auto record_field = InterpretedStringRecordField::createRecord(iter->first);
if (record_field)
{
auto str_value = iter->second.get_child_optional("value_str");
if (str_value)
{
record_field->setStringValue(str_value->get_value<std::string>());
}
result.fields[iter->first] = record_field;
}
}
break;
case AbstractRecordField::Type::InterpretedStringArray:
{
auto record_field = InterpretedStringArrayRecordField::createRecord(iter->first);
if (record_field)
{
std::list<std::string> names, values;
auto name_child = iter->second.get_child_optional("names");
if (name_child)
{
for (auto child_iter = name_child->begin(); child_iter != name_child->end(); ++child_iter)
{
names.push_back(child_iter->second.get_value<std::string>());
}
}
auto value_child = iter->second.get_child_optional("values");
if (value_child)
{
for (auto child_iter = value_child->begin(); child_iter != value_child->end(); ++child_iter)
{
values.push_back(child_iter->second.get_value<std::string>());
}
}
record_field->setArrays(names, values);
result.fields[iter->first] = record_field;
}
}
break;
}
}
}
}
}
return result;
}
bool AuditRecord::operator<(const AuditRecord &other) const
{
return std::make_tuple(this->time, this->milliseconds, this->serial, this->node)
< std::make_tuple(other.time, other.milliseconds, other.serial, other.node);
}