Hi Steve,

Thanks for your suggestion.

I tried passing the audit daemon process id in the audit_set_pid call, but I still didn't receive any iptable modification notification. What else do we need to do to receive the notification? Could you please also share the right configuration for iptable notifications? I didn't get your suggestion with the 2 options, could you please elaborate more?

Br,
avinash

On Mon, Nov 26, 2018 at 9:46 PM Steve Grubb <[email protected]> wrote:
> On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> > Hi,
> >
> > I wrote a program to listen to iptables modification through netlink
> > sockets, for this I used NETLINK_AUDIT family, when I execute the program
> > and modify the iptables rule, program doesn't receive any message from
> > kernel and it will be in blocking mode only. Could you help me to find what
> > is wrong in this program or what else I need to do to receive iptables
> > notification ?
>
> To receive audit events, you have to register your program as the audit
> daemon by setting the audit pid via audit_set_pid(). Then you will get
> events. All of them. That might be disruptive if you needed auditing. In that
> case, you have 2 options. Write your program as a plugin to the audit daemon.
> There is example code here:
>
> https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
>
> The other option is to open a connection to the audit multicast socket as
> systemd's journal does. You might look at it for example code.
>
> -Steve
>
> > I ran this program as a root user & audit daemon is also running.
> >
> > ps -eaf | grep -i auditd
> >
> > root 499 2 0 Nov16 ? 00:00:00 [kauditd]
> > root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
> >
> > I tried configuring auditctl setting as well directly using auditctl
> > command & can see the modification with "ausearch -k iptablesChange" command
> > output but notification is not received in application.
> >
> > Here is the program :-
> >
> > #include "libaudit.h"
> > #include <stdio.h>
> > #include <string.h>
> > #include <unistd.h>
> >
> > int main()
> > {
> >     int rc;
> >     struct audit_message rep;
> >     int fd;
> >     struct sockaddr_nl sa;
> >
> >     memset(&sa, 0, sizeof(sa));
> >     sa.nl_family = AF_NETLINK;
> >     sa.nl_groups = 0;          /* no multicast group joined: unicast replies only */
> >
> >     fd = audit_open();         /* NETLINK_AUDIT socket from libaudit */
> >
> >     bind(fd, (struct sockaddr *) &sa, sizeof(sa));
> >
> >     /* blocks until the kernel sends this socket a message */
> >     rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
> >     if (rc < 0)
> >     {
> >         printf("Error");
> >     }
> >     else
> >     {
> >         printf("msg received %d \n", rep.nlh.nlmsg_type);
> >     }
> >
> >     audit_close(fd);
> >
> >     return 0;
> > }
> >
> > Thanks, Avinash
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
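As an added illustration of Steve's second option (this is example code written for this note, not code from the thread or from the audit-userspace project): bind a NETLINK_AUDIT socket to the read-only AUDIT_NLGRP_READLOG multicast group the way journald does, then walk each received batch with the NLMSG_* macros. The put_record/count_records helpers and the record text in self_check() are constructed for the example; the only privilege assumed is CAP_AUDIT_READ.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Join the read-only audit multicast group as journald does; needs CAP_AUDIT_READ, not the audit pid. */
int open_audit_multicast(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = 1u << (AUDIT_NLGRP_READLOG - 1) };
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0)
        close(fd), fd = -1;        /* auditd keeps its own unicast feed either way */
    return fd;
}

/* Walk one recv() batch with the NLMSG_* macros and count records of type `want`. */
int count_records(char *buf, int len, int want)
{
    int n = 0;
    for (struct nlmsghdr *h = (struct nlmsghdr *)buf; NLMSG_OK(h, len); h = NLMSG_NEXT(h, len))
        n += h->nlmsg_type == want;
    return n;
}
/* Lay one record out in buf the way the kernel does; returns the new buffer length. */
int put_record(char *buf, int off, int type, const char *text)
{
    struct nlmsghdr *h = (struct nlmsghdr *)(buf + off);
    *h = (struct nlmsghdr){ .nlmsg_len = NLMSG_LENGTH(strlen(text)), .nlmsg_type = type };
    memcpy(NLMSG_DATA(h), text, strlen(text));
    return off + NLMSG_ALIGN(h->nlmsg_len);
}

/* Constructed one-batch stand-in (made-up text): a syscall record, then an AUDIT_NETFILTER_CFG record. */
int self_check(int want)
{
    char buf[256];
    int len = put_record(buf, 0, AUDIT_SYSCALL, "audit(0.0:1): syscall=54 success=yes");
    len = put_record(buf, len, AUDIT_NETFILTER_CFG, "audit(0.0:2): table=filter family=2 entries=5");
    return count_records(buf, len, want);
}
int main(void)
{
    char buf[8192];
    int fd = open_audit_multicast(), len;   /* syscall records from a "-k iptablesChange" rule arrive here too */
    while (fd >= 0 && (len = recv(fd, buf, sizeof buf, 0)) > 0)
        printf("%d netfilter change record(s) in this batch\n", count_records(buf, len, AUDIT_NETFILTER_CFG));
    return fd < 0;
}
```

AUDIT_NETFILTER_CFG is the record type the kernel emits when an iptables table is replaced; it is only generated while auditing is enabled, which is why auditd still has to be running.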
