public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: ABI guarantee for auditd
Date: Fri, 16 Jan 2015 08:48:03 -0500
Message-ID: <1952249.ljydSPkMKP@x2>
In-Reply-To: <67f972dd606a13a87560d389463a5390@thefroid.net>

On Thursday, January 15, 2015 06:20:41 PM hsultan@thefroid.net wrote:
> Thanks for the info, so I tried using libauparse (again, Ubuntu 14.04
> LTS), however I'm hitting something truly weird: once I've added the
> event parsing code (taken from
> https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c)
> and added -lauparse, what I get out of audit_get_reply now is
> mangled.

Why are you using that in an analytical program? That is a very low level 
function for getting events out of the kernel. You might want to have a look 
at this presentation to understand the audit architecture:

http://people.redhat.com/sgrubb/audit/audit_ids_2011.pdf

Auditd handles getting events from the kernel, passes them to audispd, you 
have a plugin to audispd and get the event in realtime. If you want events on 
disk, you just tell auparse_init that you want to use the logs as your source.

Libauparse handles events after they have been processed by auditd.


> That clearly can't be a code mistake because I didn't touch the event 
> retrieval code, 

It is a mistake. The example code works and demonstrates how to get events and 
iterate over the records and fields of the record. The presentation mentioned 
above also shows how to iterate over events, records, and fields. It also has a 
UML diagram to orient a developer to the data abstractions.


> Is there a conflict or some specific setup between the 2 libraries I
> should know about?

No. Auparse needs to be linked against libaudit for syscall lookup functions 
and a couple other items.

> Does libauparse configure the audit infrastructure
> in the kernel somehow?

No. It's used for post-processing audit events. It's not meant for grabbing 
events out of the audit netlink socket. It expects events that are properly 
formatted.

-Steve
