public inbox for linux-audit@redhat.com
* Architecture of auditd
@ 2013-12-25 10:48 Aaron Lewis
From: Aaron Lewis @ 2013-12-25 10:48 UTC (permalink / raw)
  To: linux-audit@redhat.com

Hi, I wrote a very simple program to retrieve audit messages from a netlink socket,
but it gets stuck in recvfrom. Am I missing something?

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#define ERR_QUIT(a) do { perror(a); exit(1); } while (0)

#ifndef PF_NETLINK
# define PF_NETLINK 16
#endif

char message[10000];

int main(void)
{
    int fd;
    ssize_t len;
    struct sockaddr_nl nladdr;
    socklen_t nladdrlen = sizeof(nladdr);

    /* Open a raw netlink socket on the audit protocol family. */
    fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0)
        ERR_QUIT("socket");

    /* Blocks until the kernel delivers a message to this socket. */
    len = recvfrom(fd, message, sizeof(message), 0,
                   (struct sockaddr *)&nladdr, &nladdrlen);
    if (len < 0)
        ERR_QUIT("recvfrom");

    printf("Received %zd bytes\n", len);

    return 0;
}


-- 
Best Regards,
Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E


* Re: Architecture of auditd
@ 2013-12-26 17:14 ` William Roberts
From: William Roberts @ 2013-12-26 17:14 UTC (permalink / raw)
  To: Aaron Lewis; +Cc: linux-audit@redhat.com

Yes, you're missing setting the audit pid so the kernel knows whom to
send messages to.

I wrote an auditd from scratch for Android, feel free to look at the
code. It's very simple, and includes the libaudit pieces I needed to
re-implement to get a version that was NOT GPL'd.

Recently it got a bit more complex when watch rules were added. It's
used by the SE for Android projects found here:

https://bitbucket.org/seandroid/system-core/src/7c66471348a59107cb4a1f68835eb1937b2137ce/auditd/?at=seandroid

Look for function:
int audit_set_pid (int fd, uint32_t pid, rep_wait_t wmode)
in libaudit.c

Good luck,

Bill

On Wed, Dec 25, 2013 at 2:48 AM, Aaron Lewis <the.warl0ck.1989@gmail.com> wrote:
> Hi, I wrote a very simple program to retrieve audit messages from a netlink socket,
> but it gets stuck in recvfrom. Am I missing something?
>
> #include <stdio.h>
> #include <unistd.h>
> #include <assert.h>
> #include <string.h>
> #include <stdlib.h>
> #include <math.h>
> #include <sys/socket.h>
> #include <linux/netlink.h>
>
> #define ERR_QUIT(a) do { perror(a); exit (1); } while (0);
>
> #ifndef PF_NETLINK
> # define PF_NETLINK 16
> #endif
>
> char message [10000];
>
> int main (int argc , char **argv)
> {
>     int fd, len;
>     struct sockaddr_nl nladdr;
>     socklen_t nladdrlen = sizeof(nladdr);
>
>     fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
>     if (fd < 0)
>         ERR_QUIT("socket");
>
>     len = recvfrom(fd, &message, sizeof(message), 0, (struct
> sockaddr*)&nladdr, &nladdrlen);
>     if (len < 0)
>         ERR_QUIT("recvfrom");
>
>     printf ("Received %d bytes\n", len);
>
>     return 0;
> }
>
>
> --
> Best Regards,
> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
> Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Respectfully,

William C Roberts


* Re: Architecture of auditd
@ 2014-01-02 14:40   ` Steve Grubb
From: Steve Grubb @ 2014-01-02 14:40 UTC (permalink / raw)
  To: William Roberts; +Cc: linux-audit@redhat.com

On Thu, 26 Dec 2013 09:14:19 -0800
William Roberts <bill.c.roberts@gmail.com> wrote:

> Yes, you're missing setting the audit pid so the kernel knows whom to
> send messages to.
> 
> I wrote an auditd from scratch for Android, feel free to look at the
> code. It's very simple, and includes the libaudit pieces I needed to
> re-implement to get a version that was NOT GPL'd.

libaudit is LGPL and not GPL. It's legal to link against for any
software with no undue burden, the same as glibc is.

-Steve
