Re: libaudit: android support
by William Roberts
On Wed, Oct 15, 2025, 09:15 Jean-Jacques Pitrolle <
jean-jacques.pitrolle(a)sysgo.com> wrote:
> Hi,
> I don't know if you forget to add the list as CC so i answer you
> directly and send it to the list if you are okay.
>
Oops, yeah all re-add the list.
>
> On 14/10/2025 19:52, William Roberts wrote:
> > On Tue, Oct 14, 2025 at 12:09 PM Jean-Jacques Pitrolle
> > <jean-jacques.pitrolle(a)sysgo.com> wrote:
> >>
> >> Hi Bill
> >>
> >> On 14/10/2025 18:54, William Roberts wrote:
> >>> I did a rewrite of libaudit for Android and it was merged into logd.
> >>> It's been a long time since I have looked at it,
> >>> but AFAIK, the logs should be available via logcat. None of this will
> >>> be part of the ndk if you want to build against it,
> >>> it's really a system only level thing.
> >>>
> >>> Here is where that libaudit code lives now:
> >>>
> https://cs.android.com/android/platform/superproject/main/+/main:system/
> >>> logging/logd/libaudit/libaudit.cpp
> >>
> >> Thanks for your quick answer.
> >>
> >> Okay at least something exists for libaudit. I need to take a look on it
> >> to see how i can use it.
> >
> > Ultimately you need permissions to the netlink socket that the audit
> > subsystem uses,
> > and that is not available to typical android applications, you would
> > need to build your
> > own custom Android that exposes that. However, that would violate the
> > required CTS
> > for Android branding IIRC.
>
> I think at the end it is a *problem* to build my own Android to access
> the netlink socket.
> My purpose is to stick as much as possible to a vanilla Android: so
> avoid as much as possible specific modification.
>
Yeah so you want to write an application for Android.
>
> >
> >>
> >> And what about libauparse?
> >
> > I don't believe that is there.
> >
> >> Should i consider to build it myself with Android build environment?
> >
> > You can grab and build anything, code is code, but the biggest part of
> > the way Android containers
> > work is, "Will I have permissions to get at the resource". If you just
> > want to look at the messages,
> > it's in logcat, and you can build an application that has the
> > permission READ_LOGS IIRC, in the
> > Android Manifest to look at logcat and then look for selinux/audit
> messages.
>
> Hmm i'm not very familiar with Android execution environment.
> I want to create a C/C++ application (not Kotlin/Java..) an i don't know
> if a manifest is required.
> I need to do my 'Android architecture' homework before to have a clear
> understanding of the pre-requisite for my use case.
>
Yeah this jargon is just part of the steps to create an application. Just a
quick
look, there is an open source Android logcat reader application:
- https://github.com/darshanparajuli/LogcatReader
You could probably just modify that.
I believe the Android NDK allows pure native applications, but ultimately
in Android now,
even Java/Kotlin gets reduced to native ELF binaries through OAT which is a
play on AOT
which is Ahead of Time Compilation. Essentially the byte code gets
translated into a shared
library loaded up by a framework and executed IIUC/IIRC.
I would recommend just using Kotlin because of the support, and you can
call any native
functions, like things from libauparse, from Kotlin. When I used to Android
it was all Java
and JNI, I would imagine it's essentially JNI for Kotlin too, but don't
quote me.
> >
> > More about your ultimate goal would help me understand and formulate a
> > better response if you
> > can share that?
>
> My ultimate goal is to read audit/log events from various daemons like
> auditd, syslogd, .. and transform those events to a format closed to
> Qualified Security Event defined by AUTOSAR[1].
> On a GNU/Linux distribution the services are "well" defined and known
> (at least by myself ^^)
> On an Android it seems that *everything* is logged by logd/logcat.
>
Yeah logcat is the central logger, so create an application that listens to
logcat, then look for
the events you care about and reformat them as needed calling libauparse.
>
> Thanks.
> Regards
>
> [1]:
>
> https://www.autosar.org/fileadmin/standards/R22-11/FO/AUTOSAR_PRS_Intrusi...>
>
>
> >>
> >> Regards.
>
1 week, 4 days
- 1
- 0
libaudit: android support
by Jean-Jacques Pitrolle
Hi list,
My concern is pretty simple: does audit userspace infrastructure
available for *Android*?
It seems not with the following components (installed through sdkmanager):
- build-tools: 36.0.0-rc3
- ndk: 27.2.12479018
- cmake: 3.31.1
Thanks.
Regards.
1 week, 6 days
- 2
- 2
libauparse: read audit events continously?
by Jean-Jacques Pitrolle
Hi list,
I'm looking for an example to receive auditd event *continously* and
print them to the standard output.
I found simple example which use *auparse* library here:
https://security-plus-data-science.blogspot.com/2017/04/writing-basic-aup...
I add a the following lines to loop 'forever'
8<---
[..]
while (1) {
auparse_first_record(au);
[..]
sleep(1);
}
auparse_destroy(au);
return 0;
}
-->8
The problem with this example is the output only shows the events which
are available *before* binary startup not the event arrived *after*.
8<---
./dummy-auditd &
~ # Record type: DAEMON_START -
type,op,ver,format,kernel,auid,pid,uid,ses,res
Record type: CONFIG_CHANGE - type,op,audit_backlog_limit,old,auid,ses,res
[..]
Record type: PROCTITLE - type,proctitle
Record type: 0 - (null)
Record type: 0 - (null)
..
-->8
I want to have the event print *continously* i.e the new events *shall*
appears on the standard output.
Can you point me some examples in the git repository or an url that
describes how to do it please?
I surely miss something in the documentation so let me know if it is the
case.
Thanks.
Regards.
2 weeks, 4 days
- 2
- 3
libaudit: fill structure audit_rule_data to use audit_add_rule_data
by Jean-Jacques Pitrolle
Hello list,
This is my first message and i hope i will provide the expected
information to get help (:
I'm looking in libaudit if there is a function to transform a line in
audit.rules's format to a *struct audit_rule_data* to feed
*audit_add_rule_data* to insert a new rule.
From tag *v3.0.9* (i need to stick to this version for the moment), i
see occurences of *audit_add_rule_data* in *autrace.c* and *auditctl.c*
but it seems that adding a rule is specific to those binaries.
Do i understand it correctly?
Do i need to specifically write a basic rule parser to call
*audit_add_rule_data* with a new rule when i use libaudit?
Or does libaudit provides a general way to tranform an auditd rule (i.e
in format of audit.rules file) to a struct audit_rule_data?
Thanks for help.
Regards.
2 weeks, 5 days
- 1
- 0
- ← Newer
- 1
- Older →