On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
> The below sequence of functions seems to do the trick...
>
> #include <libaudit.h>
>
> int audit_fd = audit_open();
> audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL, 1);
> audit_close(audit_fd);
Yes. There are a couple of other log functions that may be better suited
depending on your needs. If you want the program name to show up, use
audit_log_user_comm_message(). Also, please note this:
#define AUDIT_USER 1005 /* Message from userspace -- deprecated */
That type is deprecated, please do not use it.
> Also the executable that I created, then copied to a root area and
> then ran as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
> did my app get that permission, is it just because it's a root app... I
> didn't explicitly assign it to the app, did I?
If your app runs as root, it inherits that capability by virtue of being under
the root account. If your app ran as a normal user, then you would have a
problem because normal users do not have CAP_AUDIT_WRITE. You would either
have to make your app setuid or a helper that is to do the logging. If you
have a helper, then you have to worry if it can be abused to flood the log. If
you don't go this route, you have to ask if a normal user can do anything that is
security critical in the first place.
> Just out of curiosity if I wanted to add a new type, say
> 'MY_CUSTOM_AUDIT'
> that would appear as say 'type=HELLOWORLD' in the audit file. Is that
> possible with a config file or function call?...
No. We create types as they are needed for other projects. We have patched
everything that needs auditing to create audit events. We also created the
generic AUDIT_TRUSTED_APP type for private use. You can do anything with that
type you want. If you have types that you think other projects might need, let
me know and I'll see how we can fit them in.
> It looks as if I'd have to modify stuff in maybe libaudit.h and
> msg_typetab.h, recompile.. etc...in order to add a custom type?
And update aureport/ausearch and libauparse perhaps.
-Steve
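Added example (editor's note, not code from the thread or from the audit project): a small C program that follows the advice above, logging from userspace with the generic AUDIT_TRUSTED_APP type through audit_log_user_comm_message() so the program name shows up, and reporting plainly when the caller lacks CAP_AUDIT_WRITE rather than failing silently. The helper names (log_trusted_app_event, sanitize_audit_value, classify_audit_errno) and the status enum are this example's own. The audit_* prototypes mirror libaudit.h but are declared weak (assumption: GCC or Clang on an ELF platform) so the file also compiles and links where libaudit is not installed; with libaudit present, build with `gcc -o trusted_app_log trusted_app_log.c -laudit`. AUDIT_TRUSTED_APP is given its libaudit.h value as a fallback define. The sanitizer is a simplified stand-in for libaudit's own audit_encode_nv_string(), which hex-encodes untrusted values.

```c
/* Added example: log one userspace event with AUDIT_TRUSTED_APP via libaudit
 * and surface the "no CAP_AUDIT_WRITE" case instead of silently failing.
 * Prototypes mirror libaudit.h; weak linkage (assumption: GCC/Clang on ELF)
 * lets this compile without libaudit, in which case logging reports NO_LIB. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Value as defined in libaudit.h (generic type for third-party applications). */
#ifndef AUDIT_TRUSTED_APP
#define AUDIT_TRUSTED_APP 1121
#endif

int  audit_open(void) __attribute__((weak));
void audit_close(int fd) __attribute__((weak));
int  audit_log_user_comm_message(int audit_fd, int type, const char *message,
                                 const char *comm, const char *hostname,
                                 const char *addr, const char *tty, int result)
                                 __attribute__((weak));

enum audit_log_status {
    AUDIT_LOG_OK = 0,
    AUDIT_LOG_NO_LIB,    /* libaudit not linked into this binary */
    AUDIT_LOG_NO_PRIV,   /* EPERM: process lacks CAP_AUDIT_WRITE */
    AUDIT_LOG_NO_AUDIT,  /* kernel audit / NETLINK_AUDIT not available */
    AUDIT_LOG_OTHER
};

/* Audit records are space-separated key=value fields. Free text supplied by a
 * user must not be able to inject quotes or newlines and thereby fake extra
 * fields. libaudit's audit_encode_nv_string() hex-encodes such values; this
 * stand-in (hypothetical helper) maps every risky byte to '?' and truncates. */
void sanitize_audit_value(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c >= 0x20 && c < 0x7f && c != '"' && c != '\'') ? (char)c : '?';
    }
    dst[i] = '\0';
}

/* Map an errno value to a status the caller can act on. */
enum audit_log_status classify_audit_errno(int err)
{
    switch (err) {
    case EPERM:           return AUDIT_LOG_NO_PRIV;
    case ECONNREFUSED:
    case EPROTONOSUPPORT: return AUDIT_LOG_NO_AUDIT;
    default:              return AUDIT_LOG_OTHER;
    }
}

/* Emit one TRUSTED_APP record carrying op=<op> detail="<detail>" plus the
 * res=success|failed that libaudit derives from the result argument.
 * comm is the program name that should appear in the record. */
enum audit_log_status log_trusted_app_event(const char *comm, const char *op,
                                            const char *detail, int success)
{
    char safe[256], msg[512];
    int fd, rc;

    if (!audit_open || !audit_log_user_comm_message || !audit_close)
        return AUDIT_LOG_NO_LIB;

    sanitize_audit_value(safe, sizeof safe, detail);
    snprintf(msg, sizeof msg, "op=%s detail=\"%s\"", op, safe);

    fd = audit_open();                    /* opens the NETLINK_AUDIT socket */
    if (fd < 0)
        return classify_audit_errno(errno);

    /* NULL hostname/addr/tty: libaudit substitutes its own defaults.
     * Sending is where the kernel enforces CAP_AUDIT_WRITE; on failure
     * libaudit returns a negative errno value. */
    rc = audit_log_user_comm_message(fd, AUDIT_TRUSTED_APP, msg, comm,
                                     NULL, NULL, NULL, success);
    audit_close(fd);
    return rc < 0 ? classify_audit_errno(-rc) : AUDIT_LOG_OK;
}

int main(void)
{
    enum audit_log_status st =
        log_trusted_app_event("trusted_app_log", "config-reload",
                              "requested by admin 'x'\n", 1);   /* constructed input */
    switch (st) {
    case AUDIT_LOG_OK:       puts("logged; view with: ausearch -m TRUSTED_APP"); break;
    case AUDIT_LOG_NO_LIB:   puts("built without libaudit"); break;
    case AUDIT_LOG_NO_PRIV:  puts("no CAP_AUDIT_WRITE: run as root or via a privileged helper"); break;
    case AUDIT_LOG_NO_AUDIT: puts("kernel audit subsystem not available"); break;
    default:                 puts("audit logging failed"); break;
    }
    return st == AUDIT_LOG_OK ? 0 : 1;
}
```

Returning a status instead of ignoring the result matters for the helper-process design Steve mentions: the privileged helper can refuse, rate-limit or at least notice when an unprivileged client hands it garbage, and the sanitizer keeps a caller-supplied string from forging extra key=value fields in the record.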