On Thursday, January 15, 2015 06:20:41 PM hsultan(a)thefroid.net wrote:
> Thanks for the info, so I tried using libauparse (again, Ubuntu 14.04
> LTS), however I'm hitting something truly weird: once I've added the
> event parsing code (taken from
> https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c
> ) and added -lauparse, what I get out of audit_get_reply now is
> mangled.
Why are you using that in an analytical program? That is a very low level
function for getting events out of the kernel. You might want to have a look
at this presentation to understand the audit architecture:
http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf
Auditd handles getting events from the kernel, passes them to audispd, you
have a plugin to audispd and get the event in realtime. If you want events on
disk, you just tell auparse_init that you want to use the logs as your source.
Libauparse handles events after they have been processed by auditd.
> That clearly can't be a code mistake because I didn't touch the event
> retrieval code,
It is a mistake. The example code works and demonstrates how to get events and
iterate over the records and fields of the record. The presentation mentioned
above also shows how to iterate over events, records, and fields. It also has a
UML diagram to orient a developer to the data abstractions.
> Is there a conflict or some specific setup between the 2 libraries I
> should know about?
No. Auparse needs to be linked against libaudit for syscall lookup functions
and a couple of other items.
> Does libauparse configure the audit infrastructure in the kernel somehow?
No. It's used for post-processing audit events. It's not meant for grabbing
events out of the audit netlink socket. It expects events that are properly
formatted.
-Steve