Re: Writting to audit with an application
Steve,
Thanks for the reply. I must have something wrong with my system as I
can't get it to work even running it as root. I get an error of:
FAILURE: errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek
Also how do I set auditd to allow other process(s) running not as root
to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)? I could not
find any info on this. Also where do I find these trusted app examples?
Is this something I down loa the src of Linux and look for?
snip
-----
fd = audit_open();
if (fd < 0)
{
printf("audit open failure, errno = %d\n", errno);
}
else
{
printf("audit file opened, fd = %d\n", fd);
printf("attempting to write to audit log.\n");
snprintf(msg, sizeof(msg), "My mesg to audit");
if ((rc = audit_log_user_message(fd, 1101,
msg, NULL, NULL, NULL, 0)) > 0)
printf("SUCCESS: rc = %d\n", rc);
else
{
printf("FAILURE: errno = %d\n", errno);
perror( "Error writing audit file" );
printf( "Error writing audit: %s\n", strerror( errno ) );
}
Steve Grubb wrote:
On Saturday 17 March 2007 14:54:54 geckiv wrote:
>I was wondering if anyone had a good example of how to write to the
>audit log on linux for a custom application wanting to log events.
>
>
There's several examples in trusted apps. But its really simple to do. This is
from aide:
#ifdef WITH_AUDIT
if(nadd!=0||nrem!=0||nchg!=0){
int fd=audit_open();
if (fd>=0){
char msg[64];
snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld",
nadd, nrem, nchg);
if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
;
#endif
close(fd);
}
Being that I don't know what your app is doing, I'd say that you should use
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it
can be parsed correctly by tools:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
>Does it write to the demon then write to the /var/log/auit/audit.log?
>
>
No, it sends it to the kernel which decides what to do with it.
>Also how do yo set this up so not just any one or any process write to that
>log?
>
>
The audit system is intended to be high integrity, meaning that its not able
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order
to write to the audit system.
-Steve
Attachments:
- attachment.html (text/html — 4.1 KB)