From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Writtign to audit with an application Date: Sat, 17 Mar 2007 16:59:20 -0400 Message-ID: <200703171659.20981.sgrubb@redhat.com> References: <45FC397E.3050307@optonline.net> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <45FC397E.3050307@optonline.net> Content-Disposition: inline List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Saturday 17 March 2007 14:54:54 geckiv wrote: > I was wondering if anyone had a good example of how to write to the > audit log on linux for a custom application wanting to log events. There's several examples in trusted apps. But its really simple to do. This is from aide: #ifdef WITH_AUDIT if(nadd!=0||nrem!=0||nchg!=0){ int fd=audit_open(); if (fd>=0){ char msg[64]; snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", nadd, nrem, nchg); if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL, msg, NULL, NULL, NULL, 0)<=0) #ifdef HAVE_SYSLOG syslog(LOG_ERR, "Failed sending audit message:%s", msg); #else ; #endif close(fd); } Being that I don't know what your app is doing, I'd say that you should use the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it can be parsed correctly by tools: http://people.redhat.com/sgrubb/audit/audit-parse.txt > Does it write to the demon then write to the /var/log/auit/audit.log? No, it sends it to the kernel which decides what to do with it. > Also how do yo set this up so not just any one or any process write to that > log? The audit system is intended to be high integrity, meaning that its not able to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order to write to the audit system. -Steve