* Interface between the plugin and audit dispatcher
From: 陈洁丹 @ 2009-12-16 14:45 UTC
  To: linux-audit



Hello, everyone.
I want to write some plugin to do something, but I still do not have a
clear view of the interface between the plugin and dispatcher.
Can anyone tell me how the event is passed to the specific plugin?
For example, if anyone reads the /etc/passwd file, the plugin will record the
event in another file.
Maybe the problem is that I do not know how the event is passed.
I hope someone could show me the flow of how the event is dealt with since
it happened.
I'm now working on it alone. Hoping for your help.
Thanks very much.

Jeedan
-----------------------------
陈洁丹   School of Software, Beijing University of Posts and Telecommunications
Address:  Dorm D12, Xue-er Building, Beijing University of Posts and Telecommunications
Postal code:  100876
Email:   jeedan.chen@gmail.com
---------------------------------

* Re: Interface between the plugin and audit dispatcher
From: Steve Grubb @ 2009-12-16 16:31 UTC
  To: linux-audit

On Wednesday 16 December 2009 09:45:07 am 陈洁丹 wrote:
> I want to write some plugin to do something, but I still do not have a
> clear view of the interface between the plugin and dispatcher.

The source code tarball ships with a sample plugin and you can also read it 
online:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin

The events are written to stdin of the plugin by the dispatcher. Each plugin 
has a configuration file that should be installed to /etc/audisp/plugins.d/ with 
a defined format. 

One of the items tells audispd whether to send the event in binary format as
the dispatcher itself received it or if it should be changed to string format.
If you choose binary, then you are responsible for checking the version number of
the event to make sure that you handle future versions of the event format.
So, I would recommend that people write plugins that expect string format,
since that is most portable.

If you choose string format, then you get the benefit of being able to use the
audit parsing library. And you can debug your plugin by creating a raw audit
event log and cat'ing it to the plugin's stdin. For example, if your plugin
does something when someone accesses passwd, you can make a raw log like this:

ausearch --start today -f passwd --raw > test.log

then debug like:

cat test.log | ./my-app

Hope this helps...

-Steve
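An added example, not from the thread or the audit project, of the string-format plugin Steve describes: it reads raw records from stdin (as audispd delivers them when the plugins.d entry says format = string, or when a test.log is cat'ed in), groups records by serial number into events, and appends a line to another file for every event whose PATH record names /etc/passwd. The sample log in SAMPLE is constructed, the output path is an assumption, and hex-encoded file names (which auparse would decode) are not handled.

```python
import re
import sys
# One raw record as audispd writes it in string format (same as `ausearch --raw`).
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value, value may be quoted
WATCHED = "/etc/passwd"

def parse_record(line):
    """Split one raw record into a dict; None for blank or unrecognised lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": m.group("ts"), "serial": int(m.group("serial")), **fields}

def group_events(lines):
    """Yield lists of records that share one serial number, i.e. one audit event."""
    current, serial = [], None
    for rec in filter(None, map(parse_record, lines)):
        if serial is not None and rec["serial"] != serial:
            yield current
            current = []
        serial = rec["serial"]
        current.append(rec)
    if current:
        yield current

def passwd_accesses(lines):
    """One summary dict per event whose PATH record names WATCHED."""
    hits = []
    for event in group_events(lines):
        if not any(r["type"] == "PATH" and r.get("name") == WATCHED for r in event):
            continue
        sc = next((r for r in event if r["type"] == "SYSCALL"), {})  # who did it
        hits.append({"serial": event[0]["serial"], "ts": event[0]["ts"], "auid": sc.get("auid"),
                     "exe": sc.get("exe"), "success": sc.get("success")})
    return hits

# Constructed sample log: cat opens /etc/passwd (event 4567), vim opens /etc/hosts (4568).
SAMPLE = """type=SYSCALL msg=audit(1260974707.123:4567): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1234 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="passwd-watch"
type=PATH msg=audit(1260974707.123:4567): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0

type=SYSCALL msg=audit(1260974709.456:4568): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1240 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="passwd-watch"
type=PATH msg=audit(1260974709.456:4568): item=0 name="/etc/hosts" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0
"""
if __name__ == "__main__":  # run by audispd, or by hand: cat test.log | ./passwd_plugin.py
    with open("/var/log/passwd-access.log", "a") as out:  # assumed output path
        for h in passwd_accesses(sys.stdin):
            out.write("%(ts)s serial=%(serial)s auid=%(auid)s exe=%(exe)s success=%(success)s\n" % h)
```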
