Re: Writtign to audit with an application

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Writtign to audit with an application
Date: Sat, 17 Mar 2007 16:59:20 -0400	[thread overview]
Message-ID: <200703171659.20981.sgrubb@redhat.com> (raw)
In-Reply-To: <45FC397E.3050307@optonline.net>

On Saturday 17 March 2007 14:54:54 geckiv wrote:
> I was wondering if anyone had a good example of how to write to the
> audit log on linux for a custom application wanting to log events.

There's several examples in trusted apps. But its really simple to do. This is 
from aide:

#ifdef WITH_AUDIT
  if(nadd!=0||nrem!=0||nchg!=0){
    int fd=audit_open();
    if (fd>=0){
       char msg[64];

       snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", 
                nadd, nrem, nchg);

       if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
                                  msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
          syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
          ;
#endif
       close(fd);
    }

Being that I don't know what your app is doing, I'd say that you should use 
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it 
can be parsed correctly by tools:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

> Does it write to the demon then write to the /var/log/auit/audit.log?

No, it sends it to the kernel which decides what to do with it.

> Also how do yo set this up so not just any one or any process write to that
> log? 

The audit system is intended to be high integrity, meaning that its not able 
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order 
to write to the audit system.

-Steve

next prev parent reply	other threads:[~2007-03-17 20:59 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-03-17 18:54 Writtign to audit with an application geckiv
2007-03-17 20:59 ` Steve Grubb [this message]
2007-03-17 21:34   ` Writting " geckiv
2007-03-17 22:24     ` Steve Grubb
2007-03-19 19:58       ` geckiv
2007-03-19 21:38         ` Steve Grubb
2007-03-17 22:50     ` Steve Grubb
2007-03-18 21:15       ` geckiv

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200703171659.20981.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.