Re: Writting to audit with an application

[geckiv]

Steve,  
Thanks for the reply.  I must have something wrong  with my system as I 
can't get it to work even running it as root. I get an error of:

FAILURE:  errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek
Also how do I set auditd to allow other process(s) running not as root 
to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)? I could not 
find any info on this.  Also where do I find these trusted app examples? 
Is this something I down loa the src of Linux and look for?



snip
-----
   fd = audit_open();
   if (fd < 0)
   {
       printf("audit open failure, errno = %d\n", errno);
   }
   else
   {
       printf("audit file opened, fd = %d\n", fd);
       printf("attempting to write to audit log.\n");

      snprintf(msg, sizeof(msg), "My mesg to audit");

       if ((rc = audit_log_user_message(fd, 1101,
           msg, NULL, NULL, NULL, 0)) > 0)
           printf("SUCCESS:  rc = %d\n", rc);
       else
       {
           printf("FAILURE:  errno = %d\n", errno);
           perror( "Error writing audit file" );
           printf( "Error writing audit: %s\n", strerror( errno ) );
       }




Steve Grubb wrote:

On Saturday 17 March 2007 14:54:54 geckiv wrote:
 

I was wondering if anyone had a good example of how to write to the
audit log on linux for a custom application wanting to log events.
   


There's several examples in trusted apps. But its really simple to do. This is 
from aide:

#ifdef WITH_AUDIT
 if(nadd!=0||nrem!=0||nchg!=0){
   int fd=audit_open();
   if (fd>=0){
      char msg[64];

      snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", 
               nadd, nrem, nchg);

      if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
                                 msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
         syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
         ;
#endif
      close(fd);
   }

Being that I don't know what your app is doing, I'd say that you should use 
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it 
can be parsed correctly by tools:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

 

Does it write to the demon then write to the /var/log/auit/audit.log?
   


No, it sends it to the kernel which decides what to do with it.

 

Also how do yo set this up so not just any one or any process write to that
log? 
   


The audit system is intended to be high integrity, meaning that its not able 
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order 
to write to the audit system.

-Steve


 

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit