Merge pull request #95 from psanford/cgroup-extras

Cgroup extras.
slackhq · Jan 24, 2022 · 01b9e1c · 01b9e1c
2 parents 79b6814 + 67f760b
commit 01b9e1c
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 0 deletions.
diff --git a/extras_cgroups.go b/extras_cgroups.go
@@ -0,0 +1,53 @@
+package main
+
+import (
+	"github.com/spf13/viper"
+)
+
+func init() {
+	RegisterExtraParser(func(config *viper.Viper) (ExtraParser, error) {
+		if config.GetBool("extras.cgroups.enabled") {
+			l.Printf("cgroup parser enabled")
+			return &CgroupParser{}, nil
+		}
+		return nil, nil
+	})
+}
+
+type CgroupParser struct {
+}
+
+func (p *CgroupParser) Parse(am *AuditMessage) {
+	switch am.Type {
+	case 1300, 1302, 1309, 1326: // AUDIT_SYSCALL, AUDIT_PATH, AUDIT_EXECVE, AUDIT_SECCOMP
+		pid, _ := getPid(am.Data)
+		cgroup := p.getCgroupRootForPid(pid)
+		if cgroup != "" {
+			am.Extras = &AuditExtras{CgroupRoot: cgroup}
+		}
+	}
+}
+
+func (p *CgroupParser) getCgroupRootForPid(pid int) string {
+	if pid == 0 {
+		return ""
+	}
+
+	var v1PidPath string
+	cgroups, err := taskControlGroups(pid, pid)
+	if err != nil {
+		return ""
+	}
+
+	for _, cgroup := range cgroups {
+		if cgroup.ID == 0 {
+			// v2 path
+			return cgroup.Path
+		} else if len(cgroup.Controllers) > 0 && cgroup.Controllers[0] == "pids" {
+			// fall back to cgroup v1 pid path if we don't have cgroups v2
+			v1PidPath = cgroup.Path
+		}
+	}
+
+	return v1PidPath
+}
diff --git a/parser.go b/parser.go
@@ -27,6 +27,11 @@ type AuditMessage struct {
 	AuditTime string `json:"-"`
 
 	Containers map[string]string `json:"containers,omitempty"`
+	Extras     *AuditExtras      `json:"extras,omitempty"`
+}
+
+type AuditExtras struct {
+	CgroupRoot string `json:"cgroup_root,omitempty"`
 }
 
 type AuditMessageGroup struct {