From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Abhishek Gupta" Subject: difficulty with TYPE Date: Tue, 15 Jan 2008 12:44:02 +0530 Message-ID: <18436f8f0801142314g46f77485x311cfb2826f2dff4@mail.gmail.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2113021748==" Return-path: Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id m0F7EOQw015027 for ; Tue, 15 Jan 2008 02:14:24 -0500 Received: from nz-out-0506.google.com (nz-out-0506.google.com [64.233.162.236]) by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id m0F7E3dq013564 for ; Tue, 15 Jan 2008 02:14:03 -0500 Received: by nz-out-0506.google.com with SMTP id r28so1322542nza.36 for ; Mon, 14 Jan 2008 23:14:03 -0800 (PST) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============2113021748== Content-Type: multipart/alternative; boundary="----=_Part_12619_9472146.1200381242657" ------=_Part_12619_9472146.1200381242657 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline i tried to run auditdispatcher from http://people.redhat.com/sgrubb/audit/audit-rt-events.txt with little modification. i converted TYPE numeric value to name using audit library function "audit_msg_type_to_name". Then i printed audit TYPE number with corresponding name using above function. The program is running fine but i have little doubt. i restarted audit daemon i changed login to some other user and back to root. to generate records as USER_LOGIN,USER_AUTH,etc and looked to syslog where i have printed messages from program. I got this output : type=1305 typename=CONFIG_CHANGE, payload size=110 type=539770685 typename=(null), payload size=1836213620 type=1836213620 typename=(null), payload size=1818324585 type=1702109228 typename=(null), payload size=1852403058 first one is ok but look at the rest lines. so what does type=539770685means? how does this numeric values maps to USER_AUTH,USER_ACCT,etc why typename coming out to be null? Please help. here is the code: ---------------------------------------------------------------------------------------------------------------------------------------- //change mode of binary version of this file as "chmod 0750 skeleton" very very important //switch off selinux by command "setenforce 0" or use GUI application //data from audit daemon is "header+msg" //header has field like type,etc which is an integer,map that type number with macros defined in linuxaudit.h //msg contains various fields specific to the type number //note down important security specific type number and create table for each type with fields that type contains #include #include #include #include #include #include #include #include #include #include #include "libaudit.h" // Local data static volatile int signaled = 0; static int pipe_fd; static const char *pgm = "skeleton"; // Local functions static int event_loop(void); // SIGTERM handler static void term_handler( int sig ) { signaled = 1; } /* * main is started by auditd. See dispatcher in auditd.conf */ int main(int argc, char *argv[]) { struct sigaction sa; setlocale (LC_ALL, ""); openlog(pgm, LOG_PID, LOG_DAEMON); syslog(LOG_NOTICE, "starting ABHISHEK..."); #ifndef DEBUG // Make sure we are root if (getuid() != 0) { syslog(LOG_ERR, "You must be root to run this program."); return 4; } #endif // register sighandlers sa.sa_flags = 0 ; sa.sa_handler = term_handler; sigemptyset( &sa.sa_mask ) ; sigaction( SIGTERM, &sa, NULL ); sa.sa_handler = term_handler; sigemptyset( &sa.sa_mask ) ; sigaction( SIGCHLD, &sa, NULL ); sa.sa_handler = SIG_IGN; sigaction( SIGHUP, &sa, NULL ); (void)chdir("/"); // change over to pipe_fd pipe_fd = dup(0); close(0); open("/dev/null", O_RDONLY); fcntl(pipe_fd, F_SETFD, FD_CLOEXEC); // Start the program return event_loop(); } static int event_loop(void) { void* data; int i=0; struct iovec vec[2]; struct audit_dispatcher_header hdr; + const char *typename; int res; // allocate data structures data = malloc(MAX_AUDIT_MESSAGE_LENGTH); if (data == NULL) { syslog(LOG_ERR, "Cannot allocate buffer"); return 1; } memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH); memset(&hdr, 0, sizeof(hdr)); do { int rc; struct timeval tv; fd_set fd; tv.tv_sec = 1; tv.tv_usec = 0; FD_ZERO(&fd); FD_SET(pipe_fd, &fd); rc = select(pipe_fd+1, &fd, NULL, NULL, &tv); if (rc == 0) continue; else if (rc == -1) break; /* Get header first. it is fixed size */ vec[0].iov_base = (void*)&hdr; vec[0].iov_len = sizeof(hdr); // Next payload vec[1].iov_base = data; vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH; rc = readv(pipe_fd, vec, 2); if (rc == 0 || rc == -1) { syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno)); break; } // handle events here. Just for illustration, we print // to syslog, but you will want to do something else. + typename=audit_msg_type_to_name(hdr.type); + syslog(LOG_NOTICE,"type=%d typename=%s, payload size=%d",hdr.type ,typename,hdr.size); //syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,(char *)data); } while(!signaled); return 0; } ------------------------------------------------------------------------------------------------------------------------------------------ ------=_Part_12619_9472146.1200381242657 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline i tried to run auditdispatcher from http://people.redhat.com/sgrubb/audit/audit-rt-events.txt with little modification.
i converted TYPE numeric value to name using audit library function "audit_msg_type_to_name".
Then i printed audit TYPE number with corresponding name using above function.
The program is running fine but i have little doubt.

i restarted audit daemon
i changed login to some other user and back to root. to generate records as USER_LOGIN,USER_AUTH,etc
and looked to syslog where i have printed messages from program.


I got this output :
type=1305 typename=CONFIG_CHANGE, payload size=110
type=539770685 typename=(null), payload size=1836213620
type=1836213620 typename=(null), payload size=1818324585
type=1702109228 typename=(null), payload size=1852403058

first one is ok but look  at the rest lines.
so what does type=539770685means? how does this numeric values maps to USER_AUTH,USER_ACCT,etc
why typename coming out to be null?
Please help.
here is the code:
----------------------------------------------------------------------------------------------------------------------------------------
//change mode of binary version of this file as "chmod 0750 skeleton" very very important
//switch off selinux by command "setenforce 0" or use GUI application
//data from audit daemon is "header+msg"
//header has field like type,etc which is an integer,map that type number with macros defined in linuxaudit.h
//msg contains various fields specific to the type number
//note down important security specific type number and create table for each type with fields that type contains
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h >
#include <locale.h>
#include "libaudit.h"


// Local data
static volatile int signaled = 0;
static int pipe_fd;
static const char *pgm = "skeleton";

// Local functions
static int event_loop(void);

// SIGTERM handler
static void term_handler( int sig )
{
    signaled = 1;
}


/*
 * main is started by auditd. See dispatcher in auditd.conf
 */
int main(int argc, char *argv[])
{
    struct sigaction sa;

    setlocale (LC_ALL, "");
    openlog(pgm, LOG_PID, LOG_DAEMON);
    syslog(LOG_NOTICE, "starting ABHISHEK...");

#ifndef DEBUG
    // Make sure we are root
    if (getuid() != 0) {
        syslog(LOG_ERR, "You must be root to run this program.");
        return 4;
    }
#endif

    // register sighandlers
    sa.sa_flags = 0 ;
    sa.sa_handler = term_handler;
    sigemptyset( &sa.sa_mask ) ;
    sigaction( SIGTERM, &sa, NULL );
    sa.sa_handler = term_handler;
    sigemptyset( &sa.sa_mask ) ;
    sigaction( SIGCHLD, &sa, NULL );
    sa.sa_handler = SIG_IGN;
    sigaction( SIGHUP, &sa, NULL );
    (void)chdir("/");

    // change over to pipe_fd
    pipe_fd = dup(0);
    close(0);
    open("/dev/null", O_RDONLY);
    fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);

    // Start the program
    return event_loop();
}

static int event_loop(void)
{
    void* data;
    int i=0;
    struct iovec vec[2];
    struct audit_dispatcher_header hdr;
   + const char *typename;
    int res;   
           
    // allocate data structures
    data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
    if (data == NULL) {
        syslog(LOG_ERR, "Cannot allocate buffer");
        return 1;
    }
    memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
    memset(&hdr, 0, sizeof(hdr));

 
    do {
        int rc;
        struct timeval tv;
        fd_set fd;

        tv.tv_sec = 1;
        tv.tv_usec = 0;
        FD_ZERO(&fd);
        FD_SET(pipe_fd, &fd);
        rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
        if (rc == 0)
            continue;
         else if (rc == -1)
            break;

        /* Get header first. it is fixed size */
        vec[0].iov_base = (void*)&hdr;
        vec[0].iov_len = sizeof(hdr);

            // Next payload
        vec[1].iov_base = data;
        vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;

        rc = readv(pipe_fd, vec, 2);
        if (rc == 0 || rc == -1) {
            syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
            break;
        }

        // handle events here. Just for illustration, we print
        // to syslog, but you will want to do something else.


   +     typename=audit_msg_type_to_name( hdr.type);   
   +  syslog(LOG_NOTICE,"type=%d typename=%s, payload size=%d",hdr.type,typename,hdr.size);
        //syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,(char *)data);

    } while(!signaled);

    return 0;
}
------------------------------------------------------------------------------------------------------------------------------------------
------=_Part_12619_9472146.1200381242657-- --===============2113021748== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============2113021748==--