Re: Writtign to audit with an application

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Writtign to audit with an application
Date: Sat, 17 Mar 2007 16:59:20 -0400	[thread overview]
Message-ID: <200703171659.20981.sgrubb@redhat.com> (raw)
In-Reply-To: <45FC397E.3050307@optonline.net>

On Saturday 17 March 2007 14:54:54 geckiv wrote:
> I was wondering if anyone had a good example of how to write to the
> audit log on linux for a custom application wanting to log events.

There's several examples in trusted apps. But its really simple to do. This is 
from aide:

#ifdef WITH_AUDIT
  if(nadd!=0||nrem!=0||nchg!=0){
    int fd=audit_open();
    if (fd>=0){
       char msg[64];

       snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", 
                nadd, nrem, nchg);

       if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
                                  msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
          syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
          ;
#endif
       close(fd);
    }

Being that I don't know what your app is doing, I'd say that you should use 
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it 
can be parsed correctly by tools:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

> Does it write to the demon then write to the /var/log/auit/audit.log?

No, it sends it to the kernel which decides what to do with it.

> Also how do yo set this up so not just any one or any process write to that
> log? 

The audit system is intended to be high integrity, meaning that its not able 
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order 
to write to the audit system.

-Steve

next prev parent reply	other threads:[~2007-03-17 20:59 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-03-17 18:54 Writtign to audit with an application geckiv
2007-03-17 20:59 ` Steve Grubb [this message]
2007-03-17 21:34   ` Writting " geckiv
2007-03-17 22:24     ` Steve Grubb
2007-03-19 19:58       ` geckiv
2007-03-19 21:38         ` Steve Grubb
2007-03-17 22:50     ` Steve Grubb
2007-03-18 21:15       ` geckiv

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200703171659.20981.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox