Hi @cristiansavaro , thanks for raising the issue, can you please share with us the architecture of your machine ? This will help us resolve the issue.

from audit-go.

[root@oel6 ~]# uname -a
Linux oel6 3.8.13-55.el6uek.x86_64 #2 SMP Mon Dec 1 11:32:40 PST 2014 x86_64 x86_64 x86_64 GNU/Linux

from audit-go.

audit-2.4.1-1.el6.x86_64

from audit-go.

@AALEKH any updates on this issue?

from audit-go.

Hi @cosminilie , @cristiansavaro , we were trying to make some major change with the library, but nevertheless this issue will end by this week. Sorry for any inconvenience caused !!

from audit-go.

@AALEKH and team, thanks a lot for the great work!!

from audit-go.

Hi @cosminilie , many of us are busy with some Internship/ Academic Programmes , which is causing delay in addressing the issue, however we will try our our best to complete the issue ASAP.

from audit-go.

@AALEKH Thanks a lot of the update, really appreciate it.

from audit-go.

Hi, any updates on how things are moving along?

from audit-go.

Hello. Any updates?

from audit-go.

Seems like we have a race condition here.
Since I am not able to reproduce this on my system, Can anyone of you please post output of
go run -race main.go ?

from audit-go.

Here it is :

2015/11/16 11:44:14 Acknowledged!!
2015/11/16 11:44:14 NLMSG_ERROR Received..
2015/11/16 11:44:14 Enabled Audit!!
2015/11/16 11:44:14 Acknowledged!!
2015/11/16 11:44:14 Acknowledged!!
2015/11/16 11:44:14 Acknowledged!!
2015/11/16 11:44:14 Set pid successful!!
2015/11/16 11:44:14 Deleting all rules
2015/11/16 11:44:14 NLMSG_ERROR

2015/11/16 11:44:14 Deleting Done!
2015/11/16 11:44:14 actions are : always
2015/11/16 11:44:14 fields are map[name:path op:eq value:/bin/ls]
2015/11/16 11:44:15 fields are map[op:eq value:x name:perm]
2015/11/16 11:44:15 setting syscall rule rmdir
2015/11/16 11:44:15 Going for arch
2015/11/16 11:44:15 Going for key
2015/11/16 11:44:15 setting syscall rule mkdir
2015/11/16 11:44:15 Going for arch
2015/11/16 11:44:15 Ack
2015/11/16 11:44:15 Ack
2015/11/16 11:44:15 type=CONFIG_CHANGE msg=audit(1447667055.000:15444): auid=0 ses=2413 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add rule" key="rmd" list=4 res=1

2015/11/16 11:44:15 type=CONFIG_CHANGE msg=audit(1447667055.001:15445): auid=0 ses=2413 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add rule" key=(null) list=4 res=1

WARNING: DATA RACE
Write by main goroutine:
os.(_file).close()
/usr/lib/golang/src/os/file_unix.go:109 +0x1d7
os.(_File).Close()
/usr/lib/golang/src/os/file_unix.go:98 +0x91
main.main()
/audit-go/main.go:88 +0x1245

Previous read by goroutine 5:
os.(_File).write()
/usr/lib/golang/src/os/file_unix.go:212 +0xc4
os.(_File).Write()
/usr/lib/golang/src/os/file.go:139 +0xc3
os.(*File).WriteString()
/usr/lib/golang/src/os/file.go:199 +0xc6
main.func·001()
/audit-go/main.go:71 +0x296

Goroutine 5 (running) created at:
main.main()

/audit-go/main.go:79 +0x119f

Found 1 data race(s)
exit status 66

from audit-go.

@cristiansavaro can you git pull and test again?

from audit-go.

i've done that also.
i still get some NLMSG_ERROR messages but it seems to be working.
here's the output now:

2015/11/20 08:34:38 Acknowledged!!
2015/11/20 08:34:38 NLMSG_ERROR Received..
2015/11/20 08:34:38 Enabled Audit!!
2015/11/20 08:34:38 Acknowledged!!
2015/11/20 08:34:38 Acknowledged!!
2015/11/20 08:34:38 Acknowledged!!
2015/11/20 08:34:38 Set pid successful!!
2015/11/20 08:34:38 Deleting all rules
2015/11/20 08:34:38 NLMSG_ERROR

2015/11/20 08:34:38 Deleting Done!
2015/11/20 08:34:38 fields are map[name:path op:eq value:/bin/ls]
2015/11/20 08:34:38 fields are map[value:x name:perm op:eq]
2015/11/20 08:34:38 actions are : always
2015/11/20 08:34:38 setting syscall rule rmdir
2015/11/20 08:34:38 Going for arch
2015/11/20 08:34:38 Going for key
2015/11/20 08:34:38 setting syscall rule mkdir
2015/11/20 08:34:38 Going for arch
2015/11/20 08:34:38 NLMSG_ERROR
2015/11/20 08:34:38 type=CONFIG_CHANGE msg=audit(1448001278.521:19917): auid=0 ses=3079 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove rule" key="" list=4 res=0

2015/11/20 08:34:38 Ack
2015/11/20 08:34:38 NLMSG_ERROR
2015/11/20 08:34:38 type=CONFIG_CHANGE msg=audit(1448001278.521:19918): auid=0 ses=3079 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="remove rule" key=(null) list=4 res=1

2015/11/20 08:34:38 type=CONFIG_CHANGE msg=audit(1448001278.528:19919): auid=0 ses=3079 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add rule" key="rmd" list=4 res=0

2015/11/20 08:34:38 Ack
2015/11/20 08:34:38 type=CONFIG_CHANGE msg=audit(1448001278.529:19920): auid=0 ses=3079 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op="add rule" key=(null) list=4 res=1

from audit-go.

After a while leaving it run i also got these:

2015/11/20 08:40:01 Unknown: 1101
2015/11/20 08:40:01 Unknown: 1103
2015/11/20 08:40:01 Unknown: 1006
2015/11/20 08:40:01 Unknown: 1105
2015/11/20 08:40:01 Unknown: 1104
2015/11/20 08:40:01 Unknown: 1106

from audit-go.

@cristiansavaro Note that NLMSG_ERROR is not always an error when first 4 bytes of data are zero they represent acknowledgment from kernel. We emitted this for debugging purposes. We will fix this as library matures.

Also, regarding Unknown, currently we don't support all 'Types' so we just emit unknown for type which are not known. This will be fixed soon.

closing this issue.

from audit-go.

@cristiansavaro just added support for all message types should work now.
please pull and test

from audit-go.

here's the result now :

go run -race ./main.go
2015/12/16 14:04:14 Acknowledged!!
2015/12/16 14:04:14 NLMSG_ERROR Received..
2015/12/16 14:04:14 Error while fetching status!
exit status 1

PS : i pulled from master as issue #7 was merged.

from audit-go.