1:28 p.m.
Hi Steve,
I used your plugin code sample
-https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c
to handle audit messages when I write some audit rules. it works perfectly fine with some
minor tweaks
Now I want to extend the same plugin to filter AVC and USER_AVC messages and sent to our
system log. But while developing SELINUX policy there are too many of these and hence the
plugin is unable to handle it and system hangs. Is there a way to increase the capacity of
plugin to handle so many AVC denials. Eventually when the SELINUX policy is matured , I
expect to see a lot less of these denials.
3:52 p.m.
Hello,
On Wednesday, August 14, 2024 2:28:17 PM EDT nupurdeora(a)gmail.com wrote:
I used your plugin code sample
-https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin
/audisp-example.c to handle audit messages when I write some audit rules.
it works perfectly fine with some minor tweaks
Now I want to extend the same plugin to filter AVC and USER_AVC
messages
and sent to our system log. But while developing SELINUX policy there are
too many of these and hence the plugin is unable to handle it and system
hangs. Is there a way to increase the capacity of plugin to handle so many
AVC denials. Eventually when the SELINUX policy is matured , I expect to
see a lot less of these denials.
For anything dealing with a high volume of events, I would make it multi-
threaded. The main thread waits at select/epoll for inbound events and places
them in a fifo between the two threads. The other thread does the call to
auparse_feed().
When events trigger the callback, the callback runs synchronously under the
auparse_feed function call. Since this is what takes longer, it needs to be
it's own thread. This way the main thread keeps auditd moving which in turn
keeps the kernel moving.
-Steve
1:12 p.m.
ok Thanks I 'll try the multithreading . I have one more thing that I want to acheive
using the handle_event
I want to print the logs with different severity based on TYPE and permissive set to 1 or
0 . SO my sample code is like below. When I use the API "auparse_find_field" ,
does it move the pointer to the field value permanently ? Do I need to reset the pointer
before I pass the "au" to next function ?
static void handle_event(auparse_state_t *au,
151 auparse_cb_event_t cb_event_type, void *user_data)
152 {
153 int type, num = 0;
154
155 if (cb_event_type != AUPARSE_CB_EVENT_READY)
156 return;
157
158 while (auparse_goto_record_num(au, num) > 0) {
159 type = auparse_get_type(au);
160 const char *perm = auparse_find_field(au, "permissive");
161
162 switch (type) {
163 case AUDIT_AVC:
164 case AUDIT_USER_AVC:
165 if (perm) {
166 if (strncmp(perm, "0", 1) == 0) {
167 dump_avc_critical_record(au);
168 }
169 else if (strncmp(perm, "1", 1) == 0) {
170 dump_avc_info_record(au);
171 }
172 }
173 else {
174 dump_avc_info_record(au);
175 }
176 break;
177 default:
178 dump_whole_record(au);
179 break;
180 }
181 num ++;
182 }
183 }
2:14 p.m.
Hello,
On Thursday, August 15, 2024 2:12:41 PM EDT nupurdeora(a)gmail.com wrote:
ok Thanks I 'll try the multithreading . I have one more thing
that I want
to acheive using the handle_event
I want to print the logs with different severity based on TYPE and
permissive set to 1 or 0 . SO my sample code is like below. When I use the
API "auparse_find_field" , does it move the pointer to the field value
permanently ?
Yes.
Do I need to reset the pointer before I pass the "au" to
next function ?
It depends on the function. Some automatically rewind and some don't. I
suppose it doesn't hurt to reset the internal cursor. Couple points below
static void handle_event(auparse_state_t *au,
151 auparse_cb_event_t cb_event_type, void *user_data)
152 {
153 int type, num = 0;
154
155 if (cb_event_type != AUPARSE_CB_EVENT_READY)
156 return;
I should probably get rid of this ^^^ in examples. There is only one state
for cb_event_type and it is always that state.
158 while (auparse_goto_record_num(au, num) > 0) {
159 type = auparse_get_type(au);
160 const char *perm = auparse_find_field(au, "permissive");
I'd move this ^^^ into the case for AUDIT_USER_AVC so that it doesn't look
for it in non-avc records. Also, that function will cross record boundaries
while looking for it. It stops at the end of the event if it can't find it.
161
162 switch (type) {
163 case AUDIT_AVC:
164 case AUDIT_USER_AVC:
165 if (perm) {
166 if (strncmp(perm, "0", 1) == 0) {
could be if (*perm == '0')
167 dump_avc_critical_record(au);
168 }
169 else if (strncmp(perm, "1", 1) == 0) {
170 dump_avc_info_record(au);
171 }
172 }
173 else {
174 dump_avc_info_record(au);
175 }
176 break;
177 default:
178 dump_whole_record(au);
179 break;
180 }
181 num ++;
182 }
183 }
_______________________________________________
Linux-audit mailing list -- linux-audit(a)lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-leave(a)lists.linux-audit.osci.io
3:27 p.m.
I 'll use auparse_reset() but from the description it's not clear if it will reset
the curson to the beginning to the current record ?
https://github.com/linux-audit/audit-userspace/blob/4e6deae41d4646d28bb3b...
150 static void handle_event(auparse_state_t *au,
151 auparse_cb_event_t cb_event_type, void *user_data)
152 {
153 int type, num = 0;
154 const char *perm;
155 while (auparse_goto_record_num(au, num) > 0) {
156 type = auparse_get_type(au);
157
158 switch (type) {
159 case AUDIT_AVC:
160 case AUDIT_USER_AVC:
161 perm = auparse_find_field(au, "permissive");
162 auparse_reset(au);
163 if (perm) {
164 if (*perm == '0') {
165 dump_avc_critical_record(au);
166 }
167 else if (*perm == '1') {
168 dump_avc_info_record(au);
169 }
170 }
171 else {
172 dump_avc_info_record(au);
173 }
174 break;
175 default:
176 dump_whole_record(au);
177 break;
178 }
179 num ++;
180 }
181 }
3:50 p.m.
On Thursday, August 15, 2024 4:27:34 PM EDT nupurdeora(a)gmail.com wrote:
I 'll use auparse_reset() but from the description it's not
clear if it
will reset the curson to the beginning to the current record ?
https://github.com/linux-audit/audit-userspace/blob/4e6deae41d4646d28bb3ba
9524a8a227a38ccd0b/docs/auparse_reset.3#L11
What you want to use is auparse_first_record. This puts the internal cursor on
the first field of the first record in the current event.
-Steve
150 static void handle_event(auparse_state_t *au,
151 auparse_cb_event_t cb_event_type, void *user_data)
152 {
153 int type, num = 0;
154 const char *perm;
155 while (auparse_goto_record_num(au, num) > 0) {
156 type = auparse_get_type(au);
157
158 switch (type) {
159 case AUDIT_AVC:
160 case AUDIT_USER_AVC:
161 perm = auparse_find_field(au, "permissive");
162 auparse_reset(au);
163 if (perm) {
164 if (*perm == '0') {
165 dump_avc_critical_record(au);
166 }
167 else if (*perm == '1') {
168 dump_avc_info_record(au);
169 }
170 }
171 else {
172 dump_avc_info_record(au);
173 }
174 break;
175 default:
176 dump_whole_record(au);
177 break;
178 }
179 num ++;
180 }
181 }
_______________________________________________
Linux-audit mailing list -- linux-audit(a)lists.linux-audit.osci.io
To unsubscribe send an email to linux-audit-leave(a)lists.linux-audit.osci.io
128
days inactive
129
days old
linux-audit@lists.linux-audit.osci.io
5 comments
2 participants
participants (2)
-
nupurdeora@gmail.com -
Steve Grubb