Re: Query regarding to audit netlink call

On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote: > Hi, > > I wrote a program to listen to iptables modification through netlink > sockets, for this I used NETLINK_AUDIT family, when I execute the program > and modify the iptables rule, program doesn't receive any message from > kernel and it will be in blocking mode only. Could you help me to find what > is wrong in this program or what else I need to do to receive iptables > notification ? To receive audit events, you have to register your program as the audit daemon by setting the audit pid via audit_set_pid() . Then you will get events. All of them. That might be disruptive if you needed auditing. In that case, you have 2 options. Write your program as a plugin to the audit daemon. There is example code here: https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin The other option is to open a connection to the audit multicast socket as systemd's journal does. You might look at it for example code. -Steve > I ran this program as a root user & audit deamon is also running. > > ps -eaf | grep -i auditd > > root 499 2 0 Nov16 ? 00:00:00 [kauditd] > > root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n > > > I tried configuring auditctl setting as well directly using auditctl > command & can see the modifcation with "ausearch -k iptablesChange" command > output but notification is not received in application. > > Here is the program :- > > #include "libaudit.h" > > #include <stdio.h>#include <string.h>#include <unistd.h> > int main(){ > int rc; > struct audit_message rep; > int fd; > struct sockaddr_nl sa; > > memset(&sa, 0, sizeof(sa)); > sa.nl_family = AF_NETLINK; > sa.nl_groups = 0; > > fd = audit_open(); > > bind(fd, (struct sockaddr *) &sa, sizeof(sa)); > > rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0); > if(rc < 0) > { > printf("Error"); > } > else > { > printf("msg received %d \n",rep.nlh.nlmsg_type ); > break; > } > > > audit_close(fd); > > return 0;} > > Thanks,Avinash