Better errors when kernel does not support auditing

libaudit.NewAuditClient() returns EPROTONOSUPPORT (protocol not supported) if the kernel does not have audit supported compiled in (CONFIG_AUDIT=y). This change adds "audit not supported by kernel" to the error message when EINVAL, EPROTONOSUPPORT, or EAFNOSUPPORT are returned by the socket syscall. Fixes elastic#32
andrewkroh · May 1, 2018 · f72f75f · f72f75f
1 parent 28fa2d3
commit f72f75f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Added
 
+- Added better error messages for when `NewAuditClient` fails due to the
+  Linux kernel not supporting auditing (CONFIG_AUDIT=n). #32
+
 ### Changed
 
 ### Deprecated

diff --git a/audit.go b/audit.go
@@ -105,7 +105,12 @@ func newAuditClient(netlinkGroups uint32, resp io.Writer) (*AuditClient, error)
 
 	netlink, err := NewNetlinkClient(syscall.NETLINK_AUDIT, netlinkGroups, buf, resp)
 	if err != nil {
-		return nil, err
+		switch err {
+		case syscall.EINVAL, syscall.EPROTONOSUPPORT, syscall.EAFNOSUPPORT:
+			return nil, errors.Wrap(err, "audit not supported by kernel")
+		default:
+			return nil, errors.Wrap(err, "failed to open audit netlink socket")
+		}
 	}
 
 	return &AuditClient{Netlink: netlink}, nil

diff --git a/audit_test.go b/audit_test.go
@@ -35,8 +35,7 @@ import (
 )
 
 // This can be run inside of Docker with:
-// docker run -it --rm -v `pwd`:/go/src/github.com/elastic/go-libaudit \
-//   --pid=host --privileged golang:1.8.3 /bin/bash
+// docker run -it --rm -v `pwd`:/go/src/github.com/elastic/go-libaudit --pid=host --privileged golang:1.10.1 /bin/bash
 
 var (
 	hexdump = flag.Bool("hexdump", false, "dump kernel responses to stdout in hexdump -C format")