* Writing to audit with an application
From: geckiv @ 2007-03-17 18:54 UTC
To: linux-audit@redhat.com
I was wondering if anyone had a good example of how to write to the
audit log on Linux for a custom application wanting to log events. Also
how that would work. I found a little information but I have been unable
to get anything to work properly. Does it write to the daemon, which then writes
to /var/log/audit/audit.log? Also, how do you set this up so that not just
anyone or any process can write to that log?
Thanks,
Frank
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-17 20:59 UTC
To: linux-audit
On Saturday 17 March 2007 14:54:54 geckiv wrote:
> I was wondering if anyone had a good example of how to write to the
> audit log on linux for a custom application wanting to log events.
There are several examples in trusted apps. But it's really simple to do. This is
from aide:
#include <stdio.h>
#include <unistd.h>
#include <syslog.h>
#include <libaudit.h>

/* Fragment from aide's reporting code: nadd, nrem and nchg are aide's own
 * counters of added, removed and changed files. One audit event is sent
 * if anything changed. */
#ifdef WITH_AUDIT
	if(nadd!=0||nrem!=0||nchg!=0){
		int fd=audit_open();	/* netlink socket to the kernel audit subsystem */
		if (fd>=0){
			char msg[64];

			snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld",
				 nadd, nrem, nchg);

			/* returns the netlink sequence number (>0) on success, <=0 on failure */
			if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
					msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
				syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
				;
#endif
			close(fd);	/* audit_close(fd) is the matching libaudit call */
		}
	}
#endif
Being that I don't know what your app is doing, I'd say that you should use
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it
can be parsed correctly by tools:
http://people.redhat.com/sgrubb/audit/audit-parse.txt
> Does it write to the daemon, which then writes to /var/log/audit/audit.log?
No, it sends it to the kernel which decides what to do with it.
> Also, how do you set this up so that not just anyone or any process can write to
> that log?
The audit system is intended to be high integrity, meaning that it's not able
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order
to write to the audit system.
-Steve
* Re: Writing to audit with an application
From: geckiv @ 2007-03-17 21:34 UTC
To: linux-audit
Steve,
Thanks for the reply. I must have something wrong with my system as I
can't get it to work even running it as root. I get an error of:
FAILURE: errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek
Also how do I set auditd to allow other processes not running as root
to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)? I could not
find any info on this. Also where do I find these trusted app examples?
Is this something I download the src of Linux and look for?
snip
-----
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <libaudit.h>

int main(void)
{
	int fd, rc;
	char msg[64];

	fd = audit_open();
	if (fd < 0)
	{
		printf("audit open failure, errno = %d\n", errno);
	}
	else
	{
		printf("audit file opened, fd = %d\n", fd);
		printf("attempting to write to audit log.\n");
		snprintf(msg, sizeof(msg), "My mesg to audit");
		/* 1101 is AUDIT_USER_ACCT in linux/audit.h; AUDIT_TRUSTED_APP is the
		 * type meant for custom applications */
		if ((rc = audit_log_user_message(fd, 1101,
						 msg, NULL, NULL, NULL, 0)) > 0)
			printf("SUCCESS: rc = %d\n", rc);
		else
		{
			int saved = errno;	/* stdio calls may change errno, so report a saved copy */
			printf("FAILURE: errno = %d\n", saved);
			fprintf(stderr, "Error writing audit file: %s\n", strerror(saved));
			printf("Error writing audit: %s\n", strerror(saved));
		}
		close(fd);
	}
	return 0;
}
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-17 22:24 UTC
To: linux-audit
On Saturday 17 March 2007 17:34:57 geckiv wrote:
> Thanks for the reply. I must have something wrong with my system as I
> can't get it to work even running it as root. I get an error of:
>
> FAILURE: errno = 22
> Error writing audit file: Invalid argument
> Error writing audit: Illegal seek
This does sound wrong. Maybe strace would shed some light on how it's going
wrong? What kernel are you using?
> Also how do I set auditd to allow other processes not running as root
> to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)?
You can't. The audit system is designed to be high integrity, meaning only
trusted apps, or processes that run as root or started as root but dropped
privileges while keeping CAP_AUDIT_WRITE, can write to it. The audit event is
written to the kernel, not auditd (meaning the kernel must be compiled with
syscall audit support at a minimum). The kernel may decide to give the event to
auditd.
> I could not find any info on this. Also where do I find these trusted app
> examples?
dbus, nscd, passwd, shadow-utils, pam, ...
> Is this something I download the src of Linux and look for?
No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting
as root but changes uids. passwd is setuid root. pam runs as part of
applications that stay root.
-Steve
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-17 22:50 UTC
To: linux-audit
On Saturday 17 March 2007 17:34:57 geckiv wrote:
> FAILURE: errno = 22
> Error writing audit file: Invalid argument
I bet this is the problem. ^^^^ EINVAL. That can be bad arguments or
sometimes a permission problem from SELinux.
> Error writing audit: Illegal seek
This was probably a changed errno from perror.
-Steve
* Re: Writing to audit with an application
From: geckiv @ 2007-03-18 21:15 UTC
To: linux-audit
Steve,
I updated my kernel and that seemed to fix the problem.
Thanks,
Frank
* Re: Writing to audit with an application
From: geckiv @ 2007-03-19 19:58 UTC
To: linux-audit
Steve,
I never heard of dbus before. Is there an example of how it keeps its
CAP_AUDIT_WRITE and changes uids? Is this just using setuid() somehow?
Thanks,
Frank
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-19 21:38 UTC
To: linux-audit
On Monday 19 March 2007 15:58, geckiv wrote:
> I never heard of dbus before. Is there an example of how it keeps its
> CAP_AUDIT_WRITE and changes uids?
Not without looking at its source code. Here's its patch:
http://developer.momonga-linux.org/viewvc/trunk/pkgs/dbus/dbus-0.61-selinux-avc-audit.patch?r1=13947&r2=13946&pathrev=13947&view=patch
nscd also does the same trick, but it's coded in glibc style.
> Is this just using setuid() some how?
No, there's an intricate dance regarding setuid, prctl, & capabilities
that must be followed exactly or bad things can happen.
-Steve