allow empty syscall in filter to filter message_type 1305
imreACTmd opened this issue · 1 comment
- I've read and understood the Contributing guidelines and have done my best effort to follow them.
- I've read and agree to the Code of Conduct.
- I've searched for any related issues and avoided creating a duplicate issue.
Description
To solve issue #13 and filter on internal entries that don't have "syscall", @nbrownus added a patch to allow an empty string for syscall.
A subsequent patch on audit.go line 299 explicitly checks for an empty string and throws an error.
Would you mind removing this second check? Thanks.
Reproducible in:
- go-audit version: master
- OS version(s): 4.14.47-64.38.amzn2.x86_64
Steps to reproduce:
- add the following configuration:

```yaml
filters:
  - syscall: ""
    message_type: 1305
    regex: .*
  - syscall: ""
```

- Watch go-audit exit with the error message "Filter 1 is missing the syscall entry"
- Profit
Expected result:
skipping these messages every five seconds:

```
audit[14960]: {"sequence":15404,"timestamp":"1531162561.286","messages":[{"type":1305,"data":"audit_pid=14960 old=14960 auid=4294967295 ses=4294967295 res=0"}],"uid_map":{"4294967295":"UNKNOWN_USER"}}
```
Actual result:
go-audit exits with the error message "Filter 1 is missing the syscall entry"
Attachments:
audit.go line 299:

```go
// Rejects any filter whose syscall is the empty string, which also rejects
// the empty-syscall filters the earlier patch for issue #13 allowed.
if af.syscall == "" {
	return filters, fmt.Errorf("Filter %d is missing the syscall entry", i+1)
}
```
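The following is an added example, not go-audit's own code and not part of the issue above. It models the two behaviours the report contrasts: a filter loader that applies the line 299 check (and so rejects the reporter's config) beside one that accepts an empty syscall, plus a matcher that shows why the empty syscall is needed to drop type 1305 records, which carry no syscall field. `AuditMessage`, `FilterConfig`, `AuditFilter`, `parseFilters` and `shouldDrop` are names assumed for this example; the type 1305 data is copied from the report, and the type 1300 record is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Added example (not go-audit's own code): a minimal model of the filter
// loading and matching discussed in the issue. All names here are assumptions
// made for this example.

// AuditMessage is one record inside a message group, as in the JSON the
// reporter pasted: a numeric type and the raw key=value data.
type AuditMessage struct {
	Type uint16
	Data string
}

// FilterConfig mirrors one entry under "filters:" in the reporter's YAML.
type FilterConfig struct {
	Syscall     string
	MessageType uint16
	Regex       string
}

// AuditFilter is a compiled filter.
type AuditFilter struct {
	syscall     string
	messageType uint16
	regex       *regexp.Regexp
}

// parseFilters compiles the configured filters. With requireSyscall set it
// performs the check quoted from audit.go line 299 and rejects an empty
// syscall; without it, an empty syscall means "match regardless of syscall",
// which is what the earlier patch for issue #13 was meant to allow.
func parseFilters(cfgs []FilterConfig, requireSyscall bool) ([]AuditFilter, error) {
	var filters []AuditFilter
	for i, c := range cfgs {
		if requireSyscall && c.Syscall == "" {
			return filters, fmt.Errorf("Filter %d is missing the syscall entry", i+1)
		}
		re, err := regexp.Compile(c.Regex)
		if err != nil {
			return filters, fmt.Errorf("Filter %d has an invalid regex: %v", i+1, err)
		}
		filters = append(filters, AuditFilter{syscall: c.Syscall, messageType: c.MessageType, regex: re})
	}
	return filters, nil
}

// shouldDrop reports whether any filter matches the message group. syscall is
// the value taken from the group's type 1300 record, or "" when the group has
// none (as with the type 1305 record in the report). A filter whose syscall is
// empty skips the syscall comparison, so it can match records that carry no
// syscall at all.
func shouldDrop(filters []AuditFilter, syscall string, msgs []AuditMessage) bool {
	for _, f := range filters {
		if f.syscall != "" && f.syscall != syscall {
			continue
		}
		for _, m := range msgs {
			if m.Type == f.messageType && f.regex.MatchString(m.Data) {
				return true
			}
		}
	}
	return false
}

// reporterConfig is the first filter from the issue: syscall "", type 1305, regex ".*".
var reporterConfig = []FilterConfig{
	{Syscall: "", MessageType: 1305, Regex: ".*"},
}

// configChangeGroup is the record the reporter wants skipped (data copied from
// the issue); execveGroup is a constructed type 1300 record for contrast.
var (
	configChangeGroup = []AuditMessage{
		{Type: 1305, Data: "audit_pid=14960 old=14960 auid=4294967295 ses=4294967295 res=0"},
	}
	execveGroup = []AuditMessage{
		{Type: 1300, Data: "arch=c000003e syscall=59 success=yes exit=0 comm=\"cat\" exe=\"/bin/cat\""},
	}
)

func main() {
	if _, err := parseFilters(reporterConfig, true); err != nil {
		fmt.Println("with the line 299 check:", err)
	}
	filters, err := parseFilters(reporterConfig, false)
	if err != nil {
		panic(err)
	}
	fmt.Println("drop 1305 record:", shouldDrop(filters, "", configChangeGroup))
	fmt.Println("drop execve record:", shouldDrop(filters, "59", execveGroup))
}
```

Run with `go run .`: the first call fails with the exact error from the report, while the second accepts the config and drops only the type 1305 record, leaving the constructed type 1300 record alone. A syscall-specific filter still behaves as before, since the empty-syscall branch is only taken when the config omits the syscall.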