On Thursday 23 March 2006 09:48, Taylor_Tad(a)emc.com wrote:
> I've gone over all the audit-related man pages that I could find on a RHEL 4
> system and searched/googled for a while but I can't find a clear description
> of the programming model/paradigm that trusted processes would follow to
> generate audit records.
They would simply use one of these functions:
/* The following are for standard formatting of messages */
extern int audit_log_user_message(int audit_fd, int type, const char *message,
const char *hostname, const char *addr, const char *tty, int result);
extern int audit_log_user_comm_message(int audit_fd, int type,
const char *message, const char *comm, const char *hostname,
const char *addr, const char *tty, int result);
extern int audit_log_acct_message(int audit_fd, int type, const char *pgname,
const char *op, const char *name, unsigned int id,
const char *host, const char *addr, const char *tty, int result);
extern int audit_log_user_avc_message(int audit_fd, int type,
const char *message, const char *hostname, const char *addr,
const char *tty, uid_t uid);
The top one would be the most likely choice.
> I could go through something like the login code to see what it does, but
> then I'd be making an assumption that it does it correctly :-).
It does. :)
A good, simple example is the util-linux login & hwclock programs, or passwd. The
one thing to note is that you need to have CAP_AUDIT_WRITE in order to be
successful.
-Steve
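The following is an added example, not code from the thread or from libaudit, of what a trusted program's audit call looks like when it follows Steve's advice above: build a message, hand it to audit_log_user_message() with a record type, and check the result. The prototypes are the ones quoted in the reply; libaudit.so.1 is resolved with dlopen() at run time (an assumption made so the file builds without libaudit-dev), the CAP_AUDIT_WRITE bit number (29) and the AUDIT_USER_LOGIN type (1112) are taken from the kernel headers, and the account name, terminal and the op=/acct= message layout are made up for illustration. The CapEff check is added here so the caveat in the reply is visible before the record is attempted.

```c
/* Added example (not from the thread or from libaudit): emit a user-space
 * audit record the way a login-style trusted program would.  libaudit is
 * located with dlopen() so this compiles without libaudit-dev; without the
 * library, or without CAP_AUDIT_WRITE, emit_login_record() reports failure.
 * Build: cc -o audit_login audit_login.c -ldl   (run as root to see a record) */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_USER_LOGIN 1112   /* record type, from <linux/audit.h> */
#define CAP_AUDIT_WRITE  29     /* capability bit, from <linux/capability.h> */

/* Prototypes copied from the libaudit.h excerpt quoted in the thread. */
typedef int  (*audit_open_fn)(void);
typedef void (*audit_close_fn)(int audit_fd);
typedef int  (*audit_log_user_message_fn)(int audit_fd, int type,
        const char *message, const char *hostname, const char *addr,
        const char *tty, int result);

/* Does a CapEff value (hex string as printed in /proc/self/status) carry
 * CAP_AUDIT_WRITE?  Returns 1 if so, 0 if not or if the string is garbage. */
int capeff_has_audit_write(const char *capeff_hex)
{
    char *end;
    errno = 0;
    unsigned long long caps = strtoull(capeff_hex, &end, 16);
    if (errno != 0 || end == capeff_hex)
        return 0;
    return (int)((caps >> CAP_AUDIT_WRITE) & 1ULL);
}

/* Check the calling process.  Returns 1/0, or -1 if /proc is unavailable. */
int self_has_audit_write(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int found = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {   /* strtoull skips the tab */
            found = capeff_has_audit_write(line + 7);
            break;
        }
    }
    fclose(f);
    return found;
}

/* Build the free-text part of the record as key=value pairs (illustrative
 * layout).  The account name is restricted to a safe character set so a
 * crafted name cannot inject a space or quote and forge extra fields.
 * libaudit itself appends exe=, hostname=, addr=, terminal= and res=.
 * Returns the message length, or -1 on a rejected name or short buffer. */
int format_login_message(char *buf, size_t len, const char *acct)
{
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    if (acct[0] == '\0' || strspn(acct, ok) != strlen(acct))
        return -1;
    int n = snprintf(buf, len, "op=login acct=\"%s\"", acct);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Send one AUDIT_USER_LOGIN record.  Returns 0 on success, -1 otherwise. */
int emit_login_record(const char *acct, const char *hostname,
                      const char *addr, const char *tty, int success)
{
    char msg[256];
    if (format_login_message(msg, sizeof msg, acct) < 0)
        return -1;

    void *lib = dlopen("libaudit.so.1", RTLD_NOW);
    if (!lib)
        return -1;                              /* libaudit not installed */
    audit_open_fn a_open = (audit_open_fn)dlsym(lib, "audit_open");
    audit_close_fn a_close = (audit_close_fn)dlsym(lib, "audit_close");
    audit_log_user_message_fn a_log =
        (audit_log_user_message_fn)dlsym(lib, "audit_log_user_message");
    if (!a_open || !a_close || !a_log) {
        dlclose(lib);
        return -1;
    }

    int fd = a_open();                          /* NETLINK_AUDIT socket */
    if (fd < 0) {
        dlclose(lib);
        return -1;
    }
    /* A positive return is the record's sequence number; 0 or a negative
     * errno value means the kernel refused it (EPERM without CAP_AUDIT_WRITE). */
    int rc = a_log(fd, AUDIT_USER_LOGIN, msg, hostname, addr, tty, success);
    a_close(fd);
    dlclose(lib);
    return rc > 0 ? 0 : -1;
}

int main(void)
{
    if (self_has_audit_write() == 0)
        fprintf(stderr, "no CAP_AUDIT_WRITE in CapEff; the kernel will refuse\n");
    /* "alice" and "pts/0" are constructed sample values. */
    if (emit_login_record("alice", NULL, NULL, "pts/0", 1) == 0)
        puts("audit record sent");
    else
        puts("audit record not sent");
    return 0;
}
```

Run as root, the record shows up in the audit log as type=USER_LOGIN; run as an unprivileged user, the CapEff warning fires first and the send fails, which is the behaviour the reply warns about. A real program would keep the audit fd open across calls rather than opening it per record.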