i tried to run auditdispatcher from http://people.redhat.com/sgrubb/audit/audit-rt-events.txt with little modification.
i converted TYPE numeric value to name using audit library function "audit_msg_type_to_name".
Then i printed audit TYPE number with corresponding name using above function.
The program is running fine but i have little doubt.
i restarted audit daemon
i changed login to some other user and back to root. to generate records as USER_LOGIN,USER_AUTH,etc
and looked to syslog where i have printed messages from program.
I got this output :
type=1305 typename=CONFIG_CHANGE, payload size=110
type=539770685 typename=(null), payload size=1836213620
type=1836213620 typename=(null), payload size=1818324585
type=1702109228 typename=(null), payload size=1852403058
first one is ok but look at the rest lines.
so what does type=539770685means? how does this numeric values maps to USER_AUTH,USER_ACCT,etc
why typename coming out to be null?
Please help.
here is the code:
----------------------------------------------------------------------------------------------------------------------------------------
//change mode of binary version of this file as "chmod 0750 skeleton" very very important
//switch off selinux by command "setenforce 0" or use GUI application
//data from audit daemon is "header+msg"
//header has field like type,etc which is an integer,map that type number with macros defined in
linuxaudit.h
//msg contains various fields specific to the type number
//note down important security specific type number and create table for each type with fields that type contains
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h
>
#include <locale.h>
#include "libaudit.h"
// Local data
static volatile int signaled = 0;
static int pipe_fd;
static const char *pgm = "skeleton";
// Local functions
static int event_loop(void);
// SIGTERM handler
static void term_handler( int sig )
{
signaled = 1;
}
/*
* main is started by auditd. See dispatcher in auditd.conf
*/
int main(int argc, char *argv[])
{
struct sigaction sa;
setlocale (LC_ALL, "");
openlog(pgm, LOG_PID, LOG_DAEMON);
syslog(LOG_NOTICE, "starting ABHISHEK...");
#ifndef DEBUG
// Make sure we are root
if (getuid() != 0) {
syslog(LOG_ERR, "You must be root to run this program.");
return 4;
}
#endif
// register sighandlers
sa.sa_flags = 0 ;
sa.sa_handler
= term_handler;
sigemptyset( &sa.sa_mask ) ;
sigaction( SIGTERM, &sa, NULL );
sa.sa_handler = term_handler;
sigemptyset( &sa.sa_mask ) ;
sigaction( SIGCHLD, &sa, NULL );
sa.sa_handler = SIG_IGN;
sigaction( SIGHUP, &sa, NULL );
(void)chdir("/");
// change over to pipe_fd
pipe_fd = dup(0);
close(0);
open("/dev/null", O_RDONLY);
fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);
// Start the program
return event_loop();
}
static int event_loop(void)
{
void* data;
int i=0;
struct iovec vec[2];
struct audit_dispatcher_header hdr;
+ const char *typename;
int res;
// allocate data structures
data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
if (data == NULL) {
syslog(LOG_ERR, "Cannot allocate buffer");
return 1;
}
memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
memset(&hdr, 0, sizeof(hdr));
do {
int rc;
struct timeval tv;
fd_set fd;
tv.tv_sec = 1;
tv.tv_usec = 0;
FD_ZERO(&fd);
FD_SET(pipe_fd, &fd);
rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
if (rc == 0)
continue;
else if (rc == -1)
break;
/* Get header first. it is fixed size */
vec[0].iov_base = (void*)&hdr;
vec[0].iov_len = sizeof(hdr);
// Next payload
vec[1].iov_base = data;
vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;
rc = readv(pipe_fd, vec, 2);
if (rc == 0 || rc == -1) {
syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
break;
}
// handle events here. Just for illustration, we print
// to syslog, but you will want to do something else.
+ typename=audit_msg_type_to_name(
hdr.type);
+ syslog(LOG_NOTICE,"type=%d typename=%s, payload size=%d",hdr.type,typename,hdr.size);
//syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,(char *)data);
} while(!signaled);
return 0;
}
------------------------------------------------------------------------------------------------------------------------------------------