Hi Steve,

Thanks for your suggestion.

I tried passing the audit daemon's process ID in the audit_set_pid call, but I still didn't receive any iptables modification notification. What else do we need to do to receive notifications?

Could you please also share the right configuration for iptables notifications?

I didn't get your suggestion with the 2 options; could you please elaborate more?

Br,
avinash

On Mon, Nov 26, 2018 at 9:46 PM Steve Grubb <sgrubb@redhat.com> wrote:
On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> Hi,
>
> I wrote a program to listen for iptables modifications through netlink
> sockets; for this I used the NETLINK_AUDIT family. When I execute the program
> and modify an iptables rule, the program doesn't receive any message from the
> kernel and just stays in blocking mode. Could you help me to find what
> is wrong in this program or what else I need to do to receive iptables
> notifications?

To receive audit events, you have to register your program as the audit
daemon by setting the audit pid via audit_set_pid(). Then you will get
events. All of them. That might be disruptive if you needed auditing. In that
case, you have 2 options. Write your program as a plugin to the audit daemon.
There is example code here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

The other option is to open a connection to the audit multicast socket as
systemd's journal does. You might look at it for example code.

-Steve

> I ran this program as the root user & the audit daemon is also running.
>
> ps -eaf | grep -i auditd
>
> root 499 2 0 Nov16 ? 00:00:00 [kauditd]
>
>  root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
>
>
> I tried configuring the auditctl setting as well, directly using the auditctl
> command, & can see the modification in the "ausearch -k iptablesChange" command
> output, but the notification is not received in the application.
>
> Here is the program:
>
>  #include "libaudit.h"
>
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/socket.h>     /* bind() */
> #include <linux/netlink.h>  /* struct sockaddr_nl */
>
> int main(void)
> {
>         int rc;
>         struct audit_reply rep;   /* audit_get_reply() fills a struct audit_reply, not audit_message */
>         int fd;
>         struct sockaddr_nl sa;
>
>         memset(&sa, 0, sizeof(sa));
>         sa.nl_family = AF_NETLINK;
>         sa.nl_groups = 0;
>
>         fd = audit_open();
>         if (fd < 0) {
>                 perror("audit_open");
>                 return 1;
>         }
>
>         if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
>                 perror("bind");
>                 audit_close(fd);
>                 return 1;
>         }
>
>         /* Block until one message arrives on the audit socket. */
>         rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
>         if (rc < 0) {
>                 printf("Error\n");
>         } else {
>                 /* rep.type is the netlink message type, i.e. the audit record type */
>                 printf("msg received %d\n", rep.type);
>         }
>
>         audit_close(fd);
>
>         return 0;
> }
>
> Thanks, Avinash