From: Steve Grubb
Subject: Re: Writting to audit with an application
Date: Sat, 17 Mar 2007 18:24:36 -0400
Message-ID: <200703171824.37027.sgrubb@redhat.com>
In-Reply-To: <45FC5F01.4070504@optonline.net>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Saturday 17 March 2007 17:34:57 geckiv wrote:
> Thanks for the reply. I must have something wrong with my system as I
> can't get it to work even running it as root. I get an error of:
>
> FAILURE: errno = 22
> Error writing audit file: Invalid argument
> Error writing audit: Illegal seek

This does sound wrong. Maybe strace would shed some light on how it's going
wrong? What kernel are you using?

> Also how do I set auditd to allow other process(s) running not as root
> to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)?

You can't. The audit system is designed to be high integrity, meaning only
trusted apps, or processes that run as root or started as root but dropped
privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel,
not auditd (meaning the kernel must be compiled with syscall audit support at
a minimum). The kernel may decide to give the event to auditd.

> I could not find any info on this. Also where do I find these trusted app
> examples?

dbus, nscd, passwd, shadow-utils, pam, ...

> Is this something I download the src of Linux and look for?

No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting
as root but changes uids. passwd is setuid root. pam runs as part of
applications that stay root.

-Steve
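As an added example (not from this thread, nor from any of the programs Steve names), the C code below puts the two points of the reply into practice: the caller must hold CAP_AUDIT_WRITE (capability number 29), and a user-space record goes straight to the kernel over a NETLINK_AUDIT socket, with the kernel's NLMSG_ERROR ack carrying -EPERM when the capability is missing. It uses raw netlink with the kernel's own headers rather than libaudit (whose audit_open()/audit_log_user_message() do the same job); the function names are mine, and cap_in_hexmask() is meant to be fed the CapEff value from /proc/self/status.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Test bit `cap` of a hex capability mask as /proc/self/status prints it,
 * e.g. cap_in_hexmask(<CapEff value>, 29) for CAP_AUDIT_WRITE. 1/0, -1 if malformed. */
int cap_in_hexmask(const char *hexmask, int cap)
{
    char *end; unsigned long long mask = strtoull(hexmask, &end, 16);
    if (end == hexmask || *end != '\0' || cap < 0 || cap > 63) return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Build one AUDIT_USER (type 1005) netlink request in buf; returns its length or -1. */
int build_audit_user_msg(char *buf, size_t bufsz, const char *text)
{
    size_t len = strlen(text) + 1;                /* payload keeps the NUL */
    if (NLMSG_SPACE(len) > bufsz) return -1;
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    memset(buf, 0, NLMSG_SPACE(len));
    nlh->nlmsg_len = NLMSG_LENGTH(len);
    nlh->nlmsg_type = AUDIT_USER;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* ask the kernel for an ack */
    memcpy(NLMSG_DATA(nlh), text, len);
    return (int)nlh->nlmsg_len;
}

/* Send the record to the kernel (nl_pid 0, not auditd) and read the ack:
 * 0 on success, -EPERM when the sender does not hold CAP_AUDIT_WRITE. */
int send_audit_user_msg(const char *text)
{
    char buf[1024]; int rc = -EIO;
    int len = build_audit_user_msg(buf, sizeof buf, text);
    if (len < 0) return -EINVAL;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) return -errno;                    /* e.g. no audit support in kernel */
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK }; /* nl_pid 0 = kernel */
    if (sendto(fd, buf, len, 0, (struct sockaddr *)&kern, sizeof kern) != len)
        rc = -errno;
    else if (recv(fd, buf, sizeof buf, 0) >= (ssize_t)NLMSG_LENGTH(sizeof(struct nlmsgerr))
             && ((struct nlmsghdr *)buf)->nlmsg_type == NLMSG_ERROR)
        rc = ((struct nlmsgerr *)NLMSG_DATA((struct nlmsghdr *)buf))->error;
    close(fd); return rc;
}
```

Run it as root, or from a root-started process that kept CAP_AUDIT_WRITE across its uid change, to get a 0 ack; an unprivileged caller gets the socket but the kernel answers -EPERM.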