On Wed, Oct 15, 2025, 09:15 Jean-Jacques Pitrolle <jean- jacques.pitrolle(a)sysgo.com <mailto:jean-jacques.pitrolle@sysgo.com>> wrote: Hi, I don't know if you forget to add the list as CC so i answer you directly and send it to the list if you are okay. Oops, yeah all re-add the list. On 14/10/2025 19:52, William Roberts wrote: > On Tue, Oct 14, 2025 at 12:09 PM Jean-Jacques Pitrolle > <jean-jacques.pitrolle(a)sysgo.com <mailto:jean- jacques.pitrolle(a)sysgo.com&gt;&gt; wrote: >> >> Hi Bill >> >> On 14/10/2025 18:54, William Roberts wrote: >>> I did a rewrite of libaudit for Android and it was merged into logd. >>> It's been a long time since I have looked at it, >>> but AFAIK, the logs should be available via logcat. None of this will >>> be part of the ndk if you want to build against it, >>> it's really a system only level thing. >>> >>> Here is where that libaudit code lives now: >>> https://cs.android.com/android/platform/superproject/main/+/ main:system/ <https://cs.android.com/android/platform/superproject/ main/+/main:system/> >>> logging/logd/libaudit/libaudit.cpp >> >> Thanks for your quick answer. >> >> Okay at least something exists for libaudit. I need to take a look on it >> to see how i can use it. > > Ultimately you need permissions to the netlink socket that the audit > subsystem uses, > and that is not available to typical android applications, you would > need to build your > own custom Android that exposes that. However, that would violate the > required CTS > for Android branding IIRC. I think at the end it is a *problem* to build my own Android to access the netlink socket. My purpose is to stick as much as possible to a vanilla Android: so avoid as much as possible specific modification. Yeah so you want to write an application for Android.

> >> >> And what about libauparse? > > I don't believe that is there. > >> Should i consider to build it myself with Android build environment? > > You can grab and build anything, code is code, but the biggest part of > the way Android containers > work is, "Will I have permissions to get at the resource". If you just > want to look at the messages, > it's in logcat, and you can build an application that has the > permission READ_LOGS IIRC, in the > Android Manifest to look at logcat and then look for selinux/ audit messages. Hmm i'm not very familiar with Android execution environment. I want to create a C/C++ application (not Kotlin/Java..) an i don't know if a manifest is required. I need to do my 'Android architecture' homework before to have a clear understanding of the pre-requisite for my use case. Yeah this jargon is just part of the steps to create an application. Just a quick look, there is an open source Android logcat reader application: - https://github.com/darshanparajuli/LogcatReader <https://github.com/ darshanparajuli/LogcatReader> You could probably just modify that. I believe the Android NDK allows pure native applications, but ultimately in Android now, even Java/Kotlin gets reduced to native ELF binaries through OAT which is a play on AOT which is Ahead of Time Compilation. Essentially the byte code gets translated into a shared library loaded up by a framework and executed IIUC/IIRC. I would recommend just using Kotlin because of the support, and you can call any native functions, like things from libauparse, from Kotlin. When I used to Android it was all Java and JNI, I would imagine it's essentially JNI for Kotlin too, but don't quote me.

> > More about your ultimate goal would help me understand and formulate a > better response if you > can share that? My ultimate goal is to read audit/log events from various daemons like auditd, syslogd, .. and transform those events to a format closed to Qualified Security Event defined by AUTOSAR[1]. On a GNU/Linux distribution the services are "well" defined and known (at least by myself ^^) On an Android it seems that *everything* is logged by logd/logcat. Yeah logcat is the central logger, so create an application that listens to logcat, then look for the events you care about and reformat them as needed calling libauparse.

On Thu, Oct 16, 2025 at 8:38 AM Jean-Jacques Pitrolle <jean-jacques.pitrolle(a)sysgo.com&gt; wrote: > > Hello, > > On 15/10/2025 18:07, William Roberts wrote: > > > > > > On Wed, Oct 15, 2025, 09:15 Jean-Jacques Pitrolle <jean- > > jacques.pitrolle(a)sysgo.com <mailto:jean-jacques.pitrolle@sysgo.com>> wrote: > > > > Hi, > > I don't know if you forget to add the list as CC so i answer you > > directly and send it to the list if you are okay. > > > > > > Oops, yeah all re-add the list. > > > > > > On 14/10/2025 19:52, William Roberts wrote: > > > On Tue, Oct 14, 2025 at 12:09 PM Jean-Jacques Pitrolle > > > <jean-jacques.pitrolle(a)sysgo.com <mailto:jean- > > jacques.pitrolle(a)sysgo.com&gt;&gt; wrote: > > >> > > >> Hi Bill > > >> > > >> On 14/10/2025 18:54, William Roberts wrote: > > >>> I did a rewrite of libaudit for Android and it was merged into > > logd. > > >>> It's been a long time since I have looked at it, > > >>> but AFAIK, the logs should be available via logcat. None of > > this will > > >>> be part of the ndk if you want to build against it, > > >>> it's really a system only level thing. > > >>> > > >>> Here is where that libaudit code lives now: > > >>> https://cs.android.com/android/platform/superproject/main/+/ > > main:system/ <https://cs.android.com/android/platform/superproject/ > > main/+/main:system/> > > >>> logging/logd/libaudit/libaudit.cpp > > >> > > >> Thanks for your quick answer. > > >> > > >> Okay at least something exists for libaudit. I need to take a > > look on it > > >> to see how i can use it. > > > > > > Ultimately you need permissions to the netlink socket that the audit > > > subsystem uses, > > > and that is not available to typical android applications, you would > > > need to build your > > > own custom Android that exposes that. However, that would violate the > > > required CTS > > > for Android branding IIRC. > > > > I think at the end it is a *problem* to build my own Android to access > > the netlink socket. > > My purpose is to stick as much as possible to a vanilla Android: so > > avoid as much as possible specific modification. > > > > > > Yeah so you want to write an application for Android. > > Yes but this application *shall* work on a 'classic' Linux distribution > as well. > I don't really think that's going to be possible. The architectures between a classic linux distro and Android are wildly different. They can share some common code for sure, but see my comment below for more details. > > > > > > > > > >> > > >> And what about libauparse? > > > > > > I don't believe that is there. > > > > > >> Should i consider to build it myself with Android build environment? > > > > > > You can grab and build anything, code is code, but the biggest > > part of > > > the way Android containers > > > work is, "Will I have permissions to get at the resource". If you > > just > > > want to look at the messages, > > > it's in logcat, and you can build an application that has the > > > permission READ_LOGS IIRC, in the > > > Android Manifest to look at logcat and then look for selinux/ > > audit messages. > > > > Hmm i'm not very familiar with Android execution environment. > > I want to create a C/C++ application (not Kotlin/Java..) an i don't > > know > > if a manifest is required. > > I need to do my 'Android architecture' homework before to have a clear > > understanding of the pre-requisite for my use case. > > > > > > Yeah this jargon is just part of the steps to create an application. > > Just a quick > > look, there is an open source Android logcat reader application: > > - https://github.com/darshanparajuli/LogcatReader <https://github.com/ > > darshanparajuli/LogcatReader> > > > > You could probably just modify that. > > > > I believe the Android NDK allows pure native applications, but > > ultimately in Android now, > > even Java/Kotlin gets reduced to native ELF binaries through OAT which > > is a play on AOT > > which is Ahead of Time Compilation. Essentially the byte code gets > > translated into a shared > > library loaded up by a framework and executed IIUC/IIRC. > > > > I would recommend just using Kotlin because of the support, and you can > > call any native > > functions, like things from libauparse, from Kotlin. When I used to > > Android it was all Java > > and JNI, I would imagine it's essentially JNI for Kotlin too, but don't > > quote me. > > According to the point defined before i.e the *portability* to other > GNU/Linux distribution, i want to have the *same* code basis between > Android and other distributions. You could refactor the code to get most of the logic into some library that is called from either a more standard linux application and Android application. > > From what you explain before with the Java/Kotlin combo i don't see how > to make it work especially with !Android distributions. > > The program shall be written in C/C++. I already have a PoC running > smoothly on 'classic' GNU/Linux distributions. > Ideally, if i need a specific handling for Android in C/C++ it is fine > but use an other framework and languages shall be avoided... You can create purely native apps with the NDK, but the frameworks between application life cycles are quite different between a classic distro and Android. Ie on a classic distro you have main and signals, and on Android you have a framework that calls various entry point functions in the application. The code to get events will be different, but the code to parse, and handle events and reformat could all be the same. > > > > > > > > > > > More about your ultimate goal would help me understand and > > formulate a > > > better response if you > > > can share that? > > > > My ultimate goal is to read audit/log events from various daemons like > > auditd, syslogd, .. and transform those events to a format closed to > > Qualified Security Event defined by AUTOSAR[1]. > > On a GNU/Linux distribution the services are "well" defined and known > > (at least by myself ^^) > > On an Android it seems that *everything* is logged by logd/logcat. > > > > > > Yeah logcat is the central logger, so create an application that listens > > to logcat, then look for > > the events you care about and reformat them as needed calling libauparse. > > If i can read from logcat source (socket, pipe, message queue?) and > manage the events myself it is fine. > The purpose is to get the events simultaneous to logcat. > I don't know if it is possible cleanly but i prefer to share this idea > to give you my ideal wishes (: I have no idea the source, I just always dumped stuff over adb, I would look at the logcat command on the device and see where it's getting the information from to display.