RE: Audit reporting Invalid argument
Hi Steve,
> The plugin will be restarted when the next event arrives to
audispd.
I do not want my plug-in to be running unnecessarily all the time until the
auditd is running.
I can accomplish my requirement by sending SIGHUP to audispd and changing the plug-in
configuration's option active=yes/no.
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, June 13, 2016 8:31 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
Hi,
Is it possible to start and stop the user written audit plug-in while
auditd and audispd running? As I understand, audispd is started by
auditd. Audispd starts the user plug-in program using their
configuration files present in /etc/audisp/plugins.d directory. Auditd
and user plug-in are started and stopped as part of auditd startup and
stop. Is it possible to start the user plug-in after the auditd is
started and stop the user plug-in before the auditd is stopped?
There is nothing that prevents you from sending a SIGTERM to the plugin if you are root.
The plugin will be restarted when the next event arrives to audispd.
-Steve
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for
> > CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root
> user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done
in a couple lines of code. But you still have the permissions of the
directories that hold the rules to correct. Easy to fix, but I think
you might be fighting the distribution's package manager which would
set things back to root every update.
> Regarding suppression of events, I will do some testing and let you
> know later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then
use log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to audit.log, however I will
> capture them using my plug-in. Is there a way I can accomplish this?
> I tried to commenting the log_file filed from auditd.conf, however
> the events are still written to audit.log. I think below code from
> auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");