From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Linux-audit@redhat.com
Subject: Re: Query regarding to audit netlink call
Date: Mon, 26 Nov 2018 11:16:05 -0500
Message-ID: <3771511.m91g0iRPmf@x2>
In-Reply-To: <CAOBms4LZz+FoE_Hw0q10nOfgsJN24nb7a61f2Ly=nsijPUwhhw@mail.gmail.com>

On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> Hi,
> 
> I wrote a program to listen for iptables modifications through netlink
> sockets; for this I used the NETLINK_AUDIT family. When I execute the program
> and modify an iptables rule, the program doesn't receive any message from the
> kernel and just stays blocked. Could you help me find what is wrong in this
> program, or what else I need to do to receive iptables notifications?

To receive audit events, you have to register your program as the audit 
daemon by setting the audit pid via audit_set_pid(). Then you will get 
events. All of them. That might be disruptive if you needed auditing. In that 
case, you have 2 options. Write your program as a plugin to the audit daemon. 
There is example code here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

The other option is to open a connection to the audit multicast socket as 
systemd's journal does. You might look at it for example code.

-Steve

> I ran this program as a root user & the audit daemon is also running.
> 
> ps -eaf | grep -i auditd
> 
> root 499 2 0 Nov16 ? 00:00:00 [kauditd]
> 
>  root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
> 
> 
> I tried configuring the auditctl setting as well, directly using the auditctl
> command, & can see the modification in the "ausearch -k iptablesChange" command
> output, but the notification is not received in the application.
> 
> Here is the program:
> 
> #include "libaudit.h"
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/socket.h>
> #include <linux/netlink.h>
> 
> int main(void)
> {
>         int rc;
>         struct audit_reply rep;   /* audit_get_reply() fills an audit_reply, not an audit_message */
>         int fd;
>         struct sockaddr_nl sa;
> 
>         memset(&sa, 0, sizeof(sa));
>         sa.nl_family = AF_NETLINK;
>         sa.nl_groups = 0;         /* no multicast group joined: only unicast replies can arrive */
> 
>         fd = audit_open();
>         if (fd < 0) {
>                 perror("audit_open");
>                 return 1;
>         }
> 
>         if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
>                 perror("bind");
>                 audit_close(fd);
>                 return 1;
>         }
> 
>         /* Nothing registers this socket as the audit daemon (audit_set_pid),
>          * so the kernel never sends it events and this call blocks. */
>         rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
>         if (rc < 0)
>                 printf("Error\n");
>         else
>                 printf("msg received %d\n", rep.type);
> 
>         audit_close(fd);
>         return 0;
> }
> 
> Thanks,
> Avinash
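A minimal reader for the multicast route Steve points at, written for this thread rather than taken from auditd, journald or Avinash's program: it joins AUDIT_NLGRP_READLOG on a NETLINK_AUDIT socket instead of claiming the audit daemon's pid, so the running auditd is left alone and the program still sees every record (netfilter chain changes arrive with type AUDIT_NETFILTER_CFG from linux/audit.h). Assumes Linux 3.16 or later and CAP_AUDIT_READ; libaudit is not needed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Bind address for the read-only audit multicast group; nl_groups is a bit mask, not an index. */
void audit_mcast_addr(struct sockaddr_nl *sa)
{
    memset(sa, 0, sizeof(*sa));           /* nl_pid 0: the kernel assigns a port id */
    sa->nl_family = AF_NETLINK;
    sa->nl_groups = 1U << (AUDIT_NLGRP_READLOG - 1);
}

/* Open NETLINK_AUDIT and join the group. Returns the fd, or -errno (EPERM without CAP_AUDIT_READ). */
int audit_mcast_open(void)
{
    struct sockaddr_nl sa;
    int fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0) return -errno;
    audit_mcast_addr(&sa);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { int err = errno; close(fd); return -err; }
    return fd;
}

/* Audit record type of one received datagram (e.g. AUDIT_NETFILTER_CFG), or -1 if the header is malformed. */
int audit_msg_type(const struct nlmsghdr *nlh, size_t len)
{
    if (len < sizeof(*nlh) || !NLMSG_OK(nlh, (int)len))
        return -1;
    return nlh->nlmsg_type;
}

int main(void)
{
    union { struct nlmsghdr nlh; char raw[8192]; } buf;   /* keeps the header aligned */
    int fd = audit_mcast_open();
    if (fd < 0) { errno = -fd; perror("join AUDIT_NLGRP_READLOG"); return 1; }
    for (;;) {                                            /* print every record the kernel emits */
        ssize_t n = recv(fd, &buf, sizeof(buf), 0);
        if (n < 0 && errno != EINTR)
            break;
        int type = n < 0 ? -1 : audit_msg_type(&buf.nlh, (size_t)n);
        if (type >= 0)
            printf("type=%d %.*s\n", type, (int)NLMSG_PAYLOAD(&buf.nlh, 0), (char *)NLMSG_DATA(&buf.nlh));
    }
    close(fd);
    return 0;
}
```

Records are the same text auditd writes to its log, so filtering on the type (AUDIT_NETFILTER_CFG for the iptables case) or on the key in the payload is enough to pick out rule changes.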
