Yes, you're missing setting the audit pid so the kernel knows who to send messages to.

I wrote an auditd from scratch for Android, feel free to look at the code. It's very simple, and includes the libaudit pieces I needed to re-implement to get a version that was NOT GPL'd. Recently it got a bit more complex when watch rules were added. It's used by the SE for Android projects found here:

https://bitbucket.org/seandroid/system-core/src/7c66471348a59107cb4a1f68835eb1937b2137ce/auditd/?at=seandroid

Look for the function:

int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)

in libaudit.c

Good luck,
Bill

On Wed, Dec 25, 2013 at 2:48 AM, Aaron Lewis <[email protected]> wrote:
> Hi, I wrote a very simple program to retrieve netlink sockets (audit messages),
>
> But it stuck at recvfrom, am I missing something?
>
> #include <stdio.h>
> #include <unistd.h>
> #include <assert.h>
> #include <string.h>
> #include <stdlib.h>
> #include <math.h>
> #include <sys/socket.h>
> #include <linux/netlink.h>
>
> #define ERR_QUIT(a) do { perror(a); exit (1); } while (0)
>
> #ifndef PF_NETLINK
> # define PF_NETLINK 16
> #endif
>
> char message [10000];
>
> int main (int argc , char **argv)
> {
>     int fd, len;
>     struct sockaddr_nl nladdr;
>     socklen_t nladdrlen = sizeof(nladdr);
>
>     fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
>     if (fd < 0)
>         ERR_QUIT("socket");
>
>     /* Blocks: no AUDIT_SET pid has been sent, so the kernel never targets this socket. */
>     len = recvfrom(fd, message, sizeof(message), 0, (struct sockaddr*)&nladdr, &nladdrlen);
>     if (len < 0)
>         ERR_QUIT("recvfrom");
>
>     printf ("Received %d bytes\n", len);
>
>     return 0;
> }
>
>
> --
> Best Regards,
> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
> Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Respectfully,
William C Roberts
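What Bill's pointer amounts to, as an added example that is not code from his auditd or from libaudit: the AUDIT_SET request that audit_set_pid sends, built by hand from the Linux UAPI headers, followed by the receive loop that then actually returns records. It assumes Linux UAPI headers and CAP_AUDIT_CONTROL at runtime; the names build_audit_set_pid and audit_register_pid are my own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

struct audit_set_req { struct nlmsghdr nlh; struct audit_status status; }; /* hdr + payload */
/* Fill an AUDIT_SET that registers `pid` as the audit daemon; the mask flags only pid. */
size_t build_audit_set_pid(struct audit_set_req *req, uint32_t pid)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len   = NLMSG_LENGTH(sizeof(req->status));
    req->nlh.nlmsg_type  = AUDIT_SET;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->status.mask     = AUDIT_STATUS_PID;   /* leave every other status field untouched */
    req->status.pid      = pid;
    return req->nlh.nlmsg_len;                 /* bytes to send */
}
/* Send it to the kernel (nl_pid 0) and check the NLMSG_ERROR ack; 0 on success, -1 + errno. */
int audit_register_pid(int fd, uint32_t pid)
{
    struct audit_set_req req;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    char ack[256];                             /* ack is nlmsghdr + nlmsgerr, well under this */
    if (sendto(fd, &req, build_audit_set_pid(&req, pid), 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) return -1;
    ssize_t n = recv(fd, ack, sizeof(ack), 0);
    if (n < 0) return -1;
    struct nlmsghdr *nlh = (struct nlmsghdr *)ack;
    if (!NLMSG_OK(nlh, (unsigned)n) || nlh->nlmsg_type != NLMSG_ERROR) { errno = EBADMSG; return -1; }
    struct nlmsgerr *err = NLMSG_DATA(nlh);    /* 0 or a negative errno; EPERM without CAP_AUDIT_CONTROL */
    if (err->error) { errno = -err->error; return -1; }
    return 0;
}

int main(void)
{
    int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { perror("socket"); return 1; }
    if (audit_register_pid(fd, (uint32_t)getpid()) < 0) { perror("AUDIT_SET pid"); return 1; }
    char msg[NLMSG_SPACE(8970)];               /* 8970 = libaudit's MAX_AUDIT_MESSAGE_LENGTH */
    for (;;) {                                 /* the kernel now targets this socket, so recv returns records */
        ssize_t n = recv(fd, msg, sizeof(msg), 0);
        if (n < 0) { perror("recv"); break; }
        printf("type %u, %zd bytes\n", ((struct nlmsghdr *)msg)->nlmsg_type, n);
    }
    return close(fd);
}
```

Registering a pid takes over delivery from whatever daemon the kernel was sending to, so only run this where auditd is stopped, and expect AUDIT_SET to fail with EPERM without CAP_AUDIT_CONTROL.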
