RE: creating and inserting audits

Thanks, The below sequence of functions seems to do the trick... int audit_fd = audit_open(); audit_log_user_message(audit_fd, AUDIT_USER, "MY Message" NULL, NULL, NULL, 1); audit_close(audit_fd); Also the executable that I created, then copied to a root area and then ran as root, seemed to have the CAP_AUDIT_WRITE permission by default... how did my app get that permission, is it just because it’s a root app... I didnt explicitly assign it to the app, did I? Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT' that would appear as say 'type=HELLOWORLD' in the audit file. Is that possible with a config file or function call?... It looks as if I'd have to modify stuff in maybe libaudit.h and msg_typetab.h, recompile.. etc... in order to add a custom type? Thanks Roger -----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Tuesday, September 07, 2010 5:17 PM To: linux-audit(a)redhat.com Cc: LC Bruzenak; Nestler, Roger - IS Subject: Re: creating and inserting audits On Tuesday, September 07, 2010 05:02:21 pm LC Bruzenak wrote: To make sure we don't give conflicting advice, I was thinking he meant writing directly to the file (which you should not do). Events must be sent to the kernel. But you are free to make your own audit events as long as you mimic the existing events. -Steve This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.