1:54 p.m.
I was wondering if anyone had a good example of how to write to the
audit log on linux for a custom application wanting to log events. Also
how that would work. I found a little information but I have been unable
to get anything to work properly. Does it write to the demon then write
to the /var/log/auit/audit.log? Also how do yo set this up so not just
any one or any process write to that log?
Thanks,
Frank
3:59 p.m.
On Saturday 17 March 2007 14:54:54 geckiv wrote:
I was wondering if anyone had a good example of how to write to the
audit log on linux for a custom application wanting to log events.
There's several examples in trusted apps. But its really simple to do. This is
from aide:
#ifdef WITH_AUDIT
if(nadd!=0||nrem!=0||nchg!=0){
int fd=audit_open();
if (fd>=0){
char msg[64];
snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld",
nadd, nrem, nchg);
if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
;
#endif
close(fd);
}
Being that I don't know what your app is doing, I'd say that you should use
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it
can be parsed correctly by tools:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
Does it write to the demon then write to the /var/log/auit/audit.log?
No, it sends it to the kernel which decides what to do with it.
Also how do yo set this up so not just any one or any process write
to that
log?
The audit system is intended to be high integrity, meaning that its not able
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order
to write to the audit system.
-Steve
4:34 p.m.
New subject: Writting to audit with an application
Steve,
Thanks for the reply. I must have something wrong with my system as I
can't get it to work even running it as root. I get an error of:
FAILURE: errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek
Also how do I set auditd to allow other process(s) running not as root
to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)? I could not
find any info on this. Also where do I find these trusted app examples?
Is this something I down loa the src of Linux and look for?
snip
-----
fd = audit_open();
if (fd < 0)
{
printf("audit open failure, errno = %d\n", errno);
}
else
{
printf("audit file opened, fd = %d\n", fd);
printf("attempting to write to audit log.\n");
snprintf(msg, sizeof(msg), "My mesg to audit");
if ((rc = audit_log_user_message(fd, 1101,
msg, NULL, NULL, NULL, 0)) > 0)
printf("SUCCESS: rc = %d\n", rc);
else
{
printf("FAILURE: errno = %d\n", errno);
perror( "Error writing audit file" );
printf( "Error writing audit: %s\n", strerror( errno ) );
}
Steve Grubb wrote:
On Saturday 17 March 2007 14:54:54 geckiv wrote:
>I was wondering if anyone had a good example of how to write to the
>audit log on linux for a custom application wanting to log events.
>
>
There's several examples in trusted apps. But its really simple to do. This is
from aide:
#ifdef WITH_AUDIT
if(nadd!=0||nrem!=0||nchg!=0){
int fd=audit_open();
if (fd>=0){
char msg[64];
snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld",
nadd, nrem, nchg);
if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
;
#endif
close(fd);
}
Being that I don't know what your app is doing, I'd say that you should use
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it
can be parsed correctly by tools:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
>Does it write to the demon then write to the /var/log/auit/audit.log?
>
>
No, it sends it to the kernel which decides what to do with it.
>Also how do yo set this up so not just any one or any process write to that
>log?
>
>
The audit system is intended to be high integrity, meaning that its not able
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order
to write to the audit system.
-Steve
5:24 p.m.
New subject: Writting to audit with an application
On Saturday 17 March 2007 17:34:57 geckiv wrote:
Thanks for the reply. I must have something wrong with my system
as I
can't get it to work even running it as root. I get an error of:
FAILURE: errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek
This does sound wrong. Maybe strace would shed some light on how its going
wrong? What kernel are you using?
Also how do I set auditd to allow other process(s) running not as
root
to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)?
You can't. The audit system is designed to be high integrity meaning only
trusted apps or processes that run as root or started as root but dropped
privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel,
not auditd (meaning the kernel must be compiled with syscall audit support at
a minimum). The kernel may decide to give the event to auditd.
I could not find any info on this. Also where do I find these
trusted app
examples?
dbus, nscd, passwd, shadow-utils, pam, ...
Is this something I down loa the src of Linux and look for?
No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting
as root but changes uids. passwd is setuid root. pam runs as part of
applications that stay root.
-Steve
2:58 p.m.
New subject: Writting to audit with an application
Steve,
I never heard of dbus before. Is there an example how it keeps it's
CAP_AUDIT_WRITE and changes uids? Is this just using setuid() some how?
Thanks,
Frank
Steve Grubb wrote:
On Saturday 17 March 2007 17:34:57 geckiv wrote:
> Thanks for the reply. I must have something wrong with my system as I
>can't get it to work even running it as root. I get an error of:
>
>FAILURE: errno = 22
>Error writing audit file: Invalid argument
>Error writing audit: Illegal seek
>
>
This does sound wrong. Maybe strace would shed some light on how its going
wrong? What kernel are you using?
>Also how do I set auditd to allow other process(s) running not as root
>to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)?
>
>
You can't. The audit system is designed to be high integrity meaning only
trusted apps or processes that run as root or started as root but dropped
privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel,
not auditd (meaning the kernel must be compiled with syscall audit support at
a minimum). The kernel may decide to give the event to auditd.
>I could not find any info on this. Also where do I find these trusted app
>examples?
>
>
dbus, nscd, passwd, shadow-utils, pam, ...
>Is this something I down loa the src of Linux and look for?
>
>
No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting
as root but changes uids. passwd is setuid root. pam runs as part of
applications that stay root.
-Steve
4:38 p.m.
New subject: Writting to audit with an application
On Monday 19 March 2007 15:58, geckiv wrote:
I never heard of dbus before. Is there an example how it keeps
it's
CAP_AUDIT_WRITE and changes uids?
Not without looking at its source code. Here's its patch:
http://developer.momonga-linux.org/viewvc/trunk/pkgs/dbus/dbus-0.61-selin...
nscd also does the same trick, but its coded in glibc style.
Is this just using setuid() some how?
No, there's an intricate dance regarding setuid, prctl, & capabilities
that must be followed exactly or bad things can happen.
-Steve
5:50 p.m.
New subject: Writting to audit with an application
On Saturday 17 March 2007 17:34:57 geckiv wrote:
FAILURE: errno = 22
Error writing audit file: Invalid argument
I bet this is the problem. ^^^^ EINVAL. That can be bad arguments or
sometimes a permission problem from selinux.
Error writing audit: Illegal seek
This was probably a changed errno from perror.
-Steve
4:15 p.m.
New subject: Writting to audit with an application
Steve,
I updated my kernel and that seemed to fix the problem.
Thanks,
Frank
Steve Grubb wrote:
On Saturday 17 March 2007 17:34:57 geckiv wrote:
>FAILURE: errno = 22
>Error writing audit file: Invalid argument
>
>
I bet this is the problem. ^^^^ EINVAL. That can be bad arguments or
sometimes a permission problem from selinux.
>Error writing audit: Illegal seek
>
>
This was probably a changed errno from perror.
-Steve
6487
days inactive
6489
days old
linux-audit@lists.linux-audit.osci.io
7 comments
2 participants
participants (2)
-
geckiv -
Steve Grubb