From: Steve Grubb
Subject: Re: Interface between the plugin and audit dispatcher
Date: Wed, 16 Dec 2009 11:31:08 -0500
Message-ID: <200912161131.09121.sgrubb@redhat.com>
References: <246d04460912160645y3ce3e814k94fa692d9c11295a@mail.gmail.com>
In-Reply-To: <246d04460912160645y3ce3e814k94fa692d9c11295a@mail.gmail.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 16 December 2009 09:45:07 am 陈洁丹 wrote:
> I want to write some plugin to do something, but I still do not have a
> clear view of the interface between the plugin and dispatcher.

The source code tarball ships with a sample plugin and you can also read it
online: https://fedorahosted.org/audit/browser/trunk/contrib/plugin

The events are written to stdin of the plugin by the dispatcher. Each plugin
has a configuration file that should be installed to /etc/audisp/plugins.d/ with
a defined format.

One of the items tells audispd whether to send the event in binary format as
the dispatcher itself received it or if it should be changed to string format.
If you choose binary, then you are responsible for checking the version number of
the event to make sure that you handle future versions of the event format.
So, I would recommend that people write plugins that expect string format
since that is most portable.

If you choose string format, then you get the benefit of being able to use the
audit parsing library. And you can debug your plugin by creating a raw audit
event log and cat'ing it to the plugin's stdin.

For example, if your plugin does something when someone accesses passwd, you
can make a raw log like this:

    ausearch --start today -f passwd --raw > test.log

then debug like:

    cat test.log | ./my-app

Hope this helps...

-Steve
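The following is an added example, not Steve's code and not the sample plugin shipped in the audit tarball. It is a minimal string-format plugin written in Python: it reads raw audit records from stdin exactly as audispd delivers them (or as `ausearch --raw` prints them), groups the records of one event by serial number, and reports which process touched a watched file such as /etc/passwd. The sample records embedded at the top are constructed for the test and are not real log data; the plugin assumes its plugins.d entry is configured for string format, as the reply recommends. It also handles two edge cases a hand-rolled parser usually trips on: events that arrive without a closing EOE record, and file names that the kernel hex-encodes instead of quoting when they contain spaces or unusual bytes.

```python
#!/usr/bin/env python3
"""Minimal audispd plugin skeleton: parse string-format audit events from stdin."""
import re
import sys
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample input (not real audit data): three events, the third with a
# hex-encoded PATH name, in the string format audispd writes to a plugin's stdin.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1260976268.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1200 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2345 auid=500 uid=500 gid=500 euid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="passwd-watch"
type=CWD msg=audit(1260976268.123:4567):  cwd="/home/alice"
type=PATH msg=audit(1260976268.123:4567): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=EOE msg=audit(1260976268.123:4567):
type=SYSCALL msg=audit(1260976270.555:4568): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1280 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2346 auid=501 uid=501 gid=501 comm="vim" exe="/usr/bin/vim" key="passwd-watch"
type=PATH msg=audit(1260976270.555:4568): item=0 name="/etc/shadow" inode=1235 dev=fd:00 mode=0100400 ouid=0 ogid=0
type=SYSCALL msg=audit(1260976275.001:4569): arch=c000003e syscall=2 success=yes exit=4 a0=7fff1300 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2347 auid=500 uid=500 gid=500 comm="less" exe="/usr/bin/less" key="passwd-watch"
type=PATH msg=audit(1260976275.001:4569): item=0 name=2F746D702F6D7920706173737764 inode=1236 dev=fd:00 mode=0100644 ouid=500 ogid=500
type=EOE msg=audit(1260976275.001:4569):
"""

# Every record starts with its type, the event timestamp and the event serial.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# Fields are key=value; a value is either double-quoted (may hold spaces) or bare.
FIELD_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S*)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
# String fields the kernel emits as bare hex when they contain spaces or odd bytes.
HEX_ENCODED_FIELDS = {"name", "comm", "exe", "cwd", "key", "proctitle"}


def decode_value(key: str, raw: str) -> str:
    """Strip surrounding quotes, or hex-decode the untrusted string fields."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line: str) -> Optional[Dict]:
    """Parse one raw record; returns None for blank lines or ausearch '----' separators."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {f.group("key"): decode_value(f.group("key"), f.group("val"))
              for f in FIELD_RE.finditer(m.group("rest"))}
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}


def iter_events(lines: Iterable[str]) -> Iterator[List[Dict]]:
    """Group consecutive records by serial; EOE closes an event but is not required."""
    current: List[Dict] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current and rec["serial"] != current[0]["serial"]:
            yield current          # serial changed without an EOE: flush anyway
            current = []
        current.append(rec)
        if rec["type"] == "EOE":
            yield current
            current = []
    if current:
        yield current              # input ended mid-event


def find_accesses(lines: Iterable[str], watched: str) -> List[Dict]:
    """Report every event whose PATH record names the watched file, with who did it."""
    hits = []
    for event in iter_events(lines):
        syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
        if syscall is None:
            continue
        for rec in event:
            if rec["type"] == "PATH" and rec["fields"].get("name") == watched:
                f = syscall["fields"]
                hits.append({"serial": rec["serial"], "ts": rec["ts"], "name": watched,
                             "success": f.get("success"), "pid": f.get("pid"),
                             "auid": f.get("auid"), "comm": f.get("comm"),
                             "exe": f.get("exe")})
                break
    return hits


def main() -> None:
    # When run as a plugin, audispd connects the event stream to our stdin.
    watched = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    for hit in find_accesses(sys.stdin, watched):
        print(f"{hit['ts']} serial={hit['serial']} auid={hit['auid']} pid={hit['pid']} "
              f"comm={hit['comm']} exe={hit['exe']} success={hit['success']} -> {hit['name']}")


if __name__ == "__main__":
    main()
```

Debugging it works exactly as the reply describes: `ausearch --start today -f passwd --raw > test.log` and then `cat test.log | ./my-app`, where `my-app` is this script. Grouping by serial rather than waiting for EOE matters because the records of one event are what tie the SYSCALL (who, and whether it succeeded) to the PATH (which file); a plugin that only looks at single lines cannot make that connection.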