On Tuesday, September 07, 2010 04:38:29 pm Nestler, Roger - IS wrote:
> Using syslog it seems straightforward to insert a new message, 'syslog
> (LOG_NOTICE, "Hello This is just a notice")' for instance.
>
> Does this capability exist already in Linux audit and I'm just not seeing
> it???

The Linux audit system is protected by virtue of apps needing CAP_AUDIT_WRITE in order to send an event. Assuming that your app has this, you will want to use one of the functions here:

https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L375

> Is it a bad idea to build and then to insert a custom audit/message, or any
> standard audit, into the audit.log file?

Yes. Do not do it. It has to be sent to the kernel for timestamping and correlation. Not to mention the kernel will collect a few things about the sender to be put in the audit trail.

> If so are there any problems to look out for, e.g. event id/sequence number
> collisions, auparse or ausearch problems, formatting issues to adhere
> to???

You must send to the kernel. Aside from that, events must have a type. If you do not see a type that matches what you are doing, then use the AUDIT_TRUSTED_APP type which you may do (nearly) anything to.

The audit system wants name=value fields. You should use the same field name as an existing one any time you find one. If you are not using AUDIT_TRUSTED_APP, then you must fill in the same fields in the same order as the original source does. The value part may not have a space or certain control characters in it. If it does you must encode the contents of the value with the audit_encode_value() function.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
