From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Interface between the plugin and auditdispacher
Date: Wed, 16 Dec 2009 11:31:08 -0500
Message-ID: <200912161131.09121.sgrubb@redhat.com>
In-Reply-To: <246d04460912160645y3ce3e814k94fa692d9c11295a@mail.gmail.com>
On Wednesday 16 December 2009 09:45:07 am 陈洁丹 wrote:
> I want to write some plugin to do something, but I still do not have a
> clear view of the interface between the plugin and dispatcher.
The source code tarball ships with a sample plugin and you can also read it
online:
https://fedorahosted.org/audit/browser/trunk/contrib/plugin
The events are written to stdin of the plugin by the dispatcher. Each plugin
has a configuration file that should be installed to /etc/audisp/plugins.d/ with
a defined format.
One of the items tells audispd whether to send the event in binary format as
the dispatcher itself received it or if it should be changed to string format.
If you choose binary, then you are responsible for checking the version number of
the event to make sure that you handle future versions of the event format.
So, I would recommend that people write plugins that expect string format,
since that is the most portable.
If you choose string format, then you get the benefit of being able to use the
audit parsing library. And you can debug your plugin by creating a raw audit
event log and cat'ing it to the plugin's stdin. For example if your plugin
does something when someone accesses passwd, you can make a raw log like this:
ausearch --start today -f passwd --raw > test.log
then debug like:
cat test.log | ./my-app
Hope this helps...
-Steve
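As an added illustration (not code from the audit project or from this thread), here is a small string-format plugin that reads raw records from stdin, groups them by audit serial into events, and reports those whose PATH record names /etc/passwd, the case used in the message above. It hand-parses the `type=... msg=audit(ts:serial): k=v ...` record syntax instead of calling libauparse so that it runs with only the Python standard library, and the sample records are constructed, not taken from a real log.

```python
import itertools
import re
import sys

# Minimal audispd-style plugin: the dispatcher writes string-format events to our stdin.
# One raw record looks like:  type=PATH msg=audit(1260974707.123:456): item=0 name="/etc/passwd" ...
RECORD_RE = re.compile(r'^(?:node=\S+ )?type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample of two events in the shape "ausearch --raw" emits (not real log data).
SAMPLE = """\
type=SYSCALL msg=audit(1260974707.123:456): arch=c000003e syscall=2 success=yes exit=3 uid=500 exe="/usr/bin/cat" key="passwd"
type=PATH msg=audit(1260974707.123:456): item=0 name="/etc/passwd" inode=1234 mode=0100644
----
type=SYSCALL msg=audit(1260974708.500:457): arch=c000003e syscall=2 success=yes exit=3 uid=0 exe="/usr/bin/vim" key=(null)
type=PATH msg=audit(1260974708.500:457): item=0 name="/etc/hosts" inode=99 mode=0100644
"""

def parse_record(line):
    """Return (type, serial, fields) for one raw record, or None for separators and junk."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    return m.group(1), int(m.group(3)), fields

def events(lines):
    """Group consecutive records that share an audit serial into one event."""
    recs = filter(None, map(parse_record, lines))
    for serial, group in itertools.groupby(recs, key=lambda r: r[1]):
        yield serial, list(group)

def watched_accesses(lines, watched="/etc/passwd"):
    """Return [(serial, exe, uid)] for every event whose PATH records name `watched`."""
    hits = []
    for serial, recs in events(lines):
        names = {r[2].get("name") for r in recs if r[0] == "PATH"}
        if watched in names:
            syscall = next((r[2] for r in recs if r[0] == "SYSCALL"), {})
            hits.append((serial, syscall.get("exe"), syscall.get("uid")))
    return hits

if __name__ == "__main__":  # run as a plugin: audispd feeds events on stdin
    for serial, exe, uid in watched_accesses(sys.stdin):
        print(f"event {serial}: {exe} (uid={uid}) accessed /etc/passwd", flush=True)
```

Because it only reads stdin, it can be exercised exactly as described above with a raw log piped in (`cat test.log | ./my-app`); `flush=True` matters for a real plugin so that output is not held in a block buffer while the dispatcher keeps it running.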