morpheus wrote:Thank you for letting me know! It's a minor bug, with a quick fix. Try the attached. (I'll admit I'm not a fan of JSON, so that output hasn't been rigorously tested).
And thanks for using my tools! If you have any other ideas for improvements, let me know!
** EDIT ** Added a fix. Saw the missing comma and added it. Then saw your reply.
But I also forgot about INET6; now fixed that too. AND put in a new feature from the Pro version that you might want to try.
One more thing... we need to trim the trailing comma (after the last event) at the end of the json:
{ "events" : [
{ "event" },
{ "event" },
{ "event" }
,]
}
Also went ahead and tested all three filters and un-filtered output - without the trailing comma, the filtered output all passes lint. But I found some more bugs in the un-filtered output:
Same issue as INET4 (wrap socket label and socket value in quotes and add comma):
{
"timestamp": "1526483136.990",
"procName": "Enterprise",
"pid": 950,
"uid": 501,
"eventType": "connect",
"fd": 9,
"socket
":
"/var/run / mDNSResponder
", "retVal": 0
},
Duplicate label names - name:
{
"timestamp": "1526483133.651",
"procName": "sysmond",
"pid": 273,
"uid": 0,
"eventType": "sysctl (non admin)",
"name": 1,
"name": 49,
"name": 13415,
"retVal": 0
},
Duplicate label names - cmd and arg:
{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "ioctl",
"fd": 3,
"cmd": "0x80086804",
"cmd": 2148034564,
"arg": "0x7ffee81bd268",
"arg": 140732792558184,
"path": "/dev/dtracehelper",
"retVal": -1,
"error": "Permission denied"
},
Duplicate label names - addr:
{
"timestamp": "1526483133.652",
"procName": "",
"pid": 44192,
"uid": 0,
"eventType": "mprotect",
"addr": "0x107a50000",
"addr": 4423221248,
"len": 4096,
"protection": 0,
"retVal": 0
},
Duplicate label names - cmd:
{
"timestamp": "1526483133.652",
"procName": "VShieldScanner",
"pid": 705,
"uid": 0,
"eventType": "fcntl",
"fd": 19,
"cmd": "0x4",
"cmd": 4,
"fd flags": 0,
"retVal": 0
},
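The duplicate-label records above are worth a closer look from the consumer's side: RFC 8259 only says object names SHOULD be unique, and most parsers (Python's json included) silently keep the last value, so a log pipeline reading this output would quietly lose the hex form of cmd/arg/addr and never notice. The following is an added example, not code from the thread or from supraudit: a strict loader that refuses duplicate keys, a lossless loader that keeps every value of a repeated key, and a check that the hex and decimal copies actually agree. The sample record is constructed to mirror the ioctl event quoted above; the function names are my own.

```python
import json

# Constructed sample, modelled on the ioctl record quoted in the thread:
# "cmd" and "arg" are each emitted twice, once as a hex string and once as
# a decimal integer.
SAMPLE_EVENT = """{
  "timestamp": "1526483133.652",
  "procName": "",
  "pid": 44192,
  "uid": 0,
  "eventType": "ioctl",
  "fd": 3,
  "cmd": "0x80086804",
  "cmd": 2148034564,
  "arg": "0x7ffee81bd268",
  "arg": 140732792558184,
  "path": "/dev/dtracehelper",
  "retVal": -1,
  "error": "Permission denied"
}"""


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a member name."""


def load_naive(text):
    """Plain json.loads: a repeated key silently keeps only its LAST value."""
    return json.loads(text)


def _reject_duplicates(pairs):
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def load_strict(text):
    """Like json.loads, but fails loudly on duplicate keys."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def is_strict_valid(text):
    """True if the document parses with no duplicate keys at any nesting level."""
    try:
        load_strict(text)
        return True
    except DuplicateKeyError:
        return False


def _keep_all(pairs):
    # Count first so that only genuinely repeated keys become lists; a key that
    # appears once keeps its original value even if that value is itself a list.
    counts = {}
    for key, _ in pairs:
        counts[key] = counts.get(key, 0) + 1
    obj = {}
    for key, value in pairs:
        if counts[key] > 1:
            obj.setdefault(key, []).append(value)
        else:
            obj[key] = value
    return obj


def load_lossless(text):
    """Lossless variant: every repeated key maps to the list of all its values."""
    return json.loads(text, object_pairs_hook=_keep_all)


def duplicate_keys(text):
    """Sorted list of member names that occur more than once in any object."""
    dups = set()

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.add(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return sorted(dups)


def hex_decimal_agree(values):
    """For a duplicated field holding one "0x..." string and one int, check they match."""
    hexes = [v for v in values if isinstance(v, str) and v.startswith("0x")]
    ints = [v for v in values if isinstance(v, int) and not isinstance(v, bool)]
    if len(hexes) != 1 or len(ints) != 1:
        return False
    return int(hexes[0], 16) == ints[0]


if __name__ == "__main__":
    print("naive cmd   :", load_naive(SAMPLE_EVENT)["cmd"])
    print("duplicates  :", duplicate_keys(SAMPLE_EVENT))
    event = load_lossless(SAMPLE_EVENT)
    for key in duplicate_keys(SAMPLE_EVENT):
        print(f"{key}: {event[key]} agree={hex_decimal_agree(event[key])}")
```

Running it shows the naive loader returning only the decimal cmd, the two duplicated names, and that in this record the hex and decimal copies are consistent; the strict loader is the one to put in front of anything that stores or alerts on these events, so a formatter regression surfaces as a parse error rather than as silently truncated data.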
Thank you so much for your quick responses!
I tried out the new feature but I didn't see it logging - running as root:
supraudit -L /var/audit/current - getting nothing but a bunch of opendirectoryd messages in console.app (enabled info/debug messages).
info 10:55:52.803849 -0500 opendirectoryd UID: 0, EUID: 0, GID: 0, EGID: 0
info 10:55:52.803892 -0500 opendirectoryd RPC: getpwuid, Module: SystemCache, rpc_version: 2, uid: 4294967295
info 10:55:52.804022 -0500 opendirectoryd an error of 2 'record not found' occurred
default 10:55:52.804081 -0500 opendirectoryd getpwuid failed with result Not Found