* Query regarding to audit netlink call
@ 2018-11-26  7:09 Avinash Patwari
  2018-11-26 16:16 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Avinash Patwari @ 2018-11-26  7:09 UTC (permalink / raw)
  To: Linux-audit


Hi,

I wrote a program to listen for iptables modifications through netlink
sockets; for this I used the NETLINK_AUDIT family. When I execute the program
and modify an iptables rule, the program doesn't receive any message from the
kernel and just stays in blocking mode. Could you help me find what
is wrong in this program, or what else I need to do to receive iptables
notifications?

I ran this program as the root user, and the audit daemon is also running.

ps -eaf | grep -i auditd

root 499 2 0 Nov16 ? 00:00:00 [kauditd]
root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n


I tried configuring the auditctl settings directly using the auditctl
command as well, and I can see the modification in the "ausearch -k iptablesChange"
command output, but the notification is not received in the application.

Here is the program:

#include "libaudit.h"

#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main(){
        int rc;
        struct audit_message rep;
        int fd;
        struct sockaddr_nl sa;

        memset(&sa, 0, sizeof(sa));
        sa.nl_family = AF_NETLINK;
        sa.nl_groups = 0;       /* no multicast groups, unicast only */

        fd = audit_open();
        if(fd < 0)
        {
                perror("audit_open");
                return 1;
        }

        bind(fd, (struct sockaddr *) &sa, sizeof(sa));

        /* blocks until a message arrives on the audit socket */
        rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
        if(rc < 0)
        {
                printf("Error\n");
        }
        else
        {
                printf("msg received %d \n", rep.nlh.nlmsg_type);
        }

        audit_close(fd);

        return 0;
}

Thanks,
Avinash


* Re: Query regarding to audit netlink call
  2018-11-26  7:09 Query regarding to audit netlink call Avinash Patwari
@ 2018-11-26 16:16 ` Steve Grubb
  2018-11-28  8:30   ` Avinash Patwari
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2018-11-26 16:16 UTC (permalink / raw)
  To: linux-audit; +Cc: Linux-audit

On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> Hi,
> 
> I wrote a program to listen for iptables modifications through netlink
> sockets; for this I used the NETLINK_AUDIT family. When I execute the program
> and modify an iptables rule, the program doesn't receive any message from the
> kernel and just stays in blocking mode. Could you help me find what
> is wrong in this program, or what else I need to do to receive iptables
> notifications?

To receive audit events, you have to register your program as the audit
daemon by setting the audit pid via audit_set_pid(). Then you will get
events. All of them. That might be disruptive if you needed auditing. In that
case, you have 2 options. Write your program as a plugin to the audit daemon.
There is example code here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

The other option is to open a connection to the audit multicast socket as 
systemd's journal does. You might look at it for example code.

-Steve
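The multicast option Steve mentions, as an added example that is not code from the thread or from the audit-userspace project: it joins NETLINK_AUDIT group AUDIT_NLGRP_READLOG (the interface journald reads), so auditd keeps the audit pid and this process only observes. The function names (audit_mcast_open, audit_count_type, put_record, sample_netfilter_count) and the two sample records are mine and constructed; live reception needs CAP_AUDIT_READ, so the record walker is exercised on the constructed buffer.

```c
/* Added example, not code from the thread: a read-only listener on the NETLINK_AUDIT
 * multicast group AUDIT_NLGRP_READLOG, the journald route Steve mentions. It observes
 * events without taking the audit pid from auditd; bind() needs CAP_AUDIT_READ. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
/* Join the read-only group; nl_groups is a bitmask, group N is bit N-1. */
static int audit_mcast_open(void) {
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = 1U << (AUDIT_NLGRP_READLOG - 1) };
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;                         /* -1 with errno set; EPERM when unprivileged */
}
/* Walk one recv() buffer: print records of `type` and return how many matched. */
static int audit_count_type(char *buf, int len, int type) {
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    int hits = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type != type) continue;
        hits++;
        printf("type %u: %.*s\n", (unsigned)nlh->nlmsg_type, (int)(nlh->nlmsg_len - NLMSG_HDRLEN), (char *)NLMSG_DATA(nlh));
    }
    return hits;
}
/* Frame `text` as one netlink record at buf+off, the way the kernel does. */
static int put_record(char *buf, int off, int type, const char *text) {
    struct nlmsghdr *nlh = (struct nlmsghdr *)(buf + off);
    *nlh = (struct nlmsghdr){ .nlmsg_len = NLMSG_LENGTH(strlen(text)), .nlmsg_type = type };
    memcpy(NLMSG_DATA(nlh), text, strlen(text));
    return off + (int)NLMSG_SPACE(strlen(text));
}
/* Constructed sample (not captured output): one syscall record, one netfilter change. */
static int sample_netfilter_count(void) {
    static struct nlmsghdr storage[64];    /* keeps nlmsghdr alignment */
    int len = put_record((char *)storage, 0, AUDIT_SYSCALL, "audit(1543219200.001:41): syscall=54 success=yes");
    len = put_record((char *)storage, len, AUDIT_NETFILTER_CFG, "audit(1543219200.002:41): table=filter family=2 entries=6");
    return audit_count_type((char *)storage, len, AUDIT_NETFILTER_CFG);
}
int main(void) {                           /* live use; fails at bind() in a sandbox */
    static struct nlmsghdr rx[512];        /* 8 KiB aligned receive buffer */
    int fd = audit_mcast_open();
    if (fd < 0) { perror("audit multicast bind"); return 1; }
    for (ssize_t n; (n = recv(fd, rx, sizeof rx, 0)) > 0; )
        audit_count_type((char *)rx, (int)n, AUDIT_NETFILTER_CFG);
    return close(fd);
}
```

Without CAP_AUDIT_READ the bind() fails with EPERM; netfilter table changes arrive as AUDIT_NETFILTER_CFG records, while every other record type is passed over by the filter.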



* Re: Query regarding to audit netlink call
  2018-11-26 16:16 ` Steve Grubb
@ 2018-11-28  8:30   ` Avinash Patwari
  0 siblings, 0 replies; 3+ messages in thread
From: Avinash Patwari @ 2018-11-28  8:30 UTC (permalink / raw)
  To: sgrubb; +Cc: linux-audit


Hi Steve,

Thanks for your suggestion.

I tried passing the audit daemon's process id in the audit_set_pid call, but I still
didn't receive any iptables modification notification. What else do we need to
do to receive the notification?

Could you please also share the right configuration for iptables notifications?

I didn't understand your suggestion about the 2 options; could you please elaborate
more?

Br,
Avinash


