From mboxrd@z Thu Jan 1 00:00:00 1970
From: Lisa Smith
Subject: Using the Audit Failure Action Query functionality
Date: Mon, 17 Jul 2006 14:03:52 -0400
Message-ID: <44BBD108.4060506@hp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: LSPP, Audit Mailing List
List-Id: linux-audit@redhat.com

Starting with audit 1.2.4, the new audit failure action functionality
is available for applications and services. The 1.2.5 audit package
contains a man page for the new API, get_auditfail_action(), which
includes the following example that can be used as a starting point for
application developers:

    /* Sample code (needs <stdio.h>, <stdlib.h> and <libaudit.h>) */
    int fd, rc;
    auditfail_t failmode;

    if ((fd = audit_open()) < 0) {
        fprintf(stderr, "Cannot open netlink audit socket\n");

        /* Get the failure_action */
        if ((rc = get_auditfail_action(&failmode)) == 0) {
            if (failmode == FAIL_LOG)
                fprintf(stderr, "Audit subsystem unavailable\n");
            else if (failmode == FAIL_TERMINATE)
                exit(1);
            /* If failmode == FAIL_IGNORE, do nothing */
        }
    }

I'm happy to provide help to anyone who would like to incorporate the
new functionality into an application they are maintaining. If there
are any applications people would like me to go ahead and modify,
please let me know.

Lisa
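Added example, not part of the original message or of the audit package: the man page sample wrapped into a reusable helper that also handles the case where get_auditfail_action() itself returns non-zero, which the sample leaves unhandled. The enum audit_decision, both helper names, the HAVE_LIBAUDIT macro and the stub_* stand-ins are hypothetical, and treating an unreadable or unknown failure action as FAIL_TERMINATE is an assumption of this example.

```c
#include <stdio.h>

#ifdef HAVE_LIBAUDIT
#include <libaudit.h>                    /* real API; link with -laudit */
#else
/* Constructed stand-ins so the example builds without libaudit installed. */
typedef enum { FAIL_IGNORE = 0, FAIL_LOG, FAIL_TERMINATE } auditfail_t;
static int stub_open_rc = -1;            /* simulate: audit socket unavailable */
static int stub_query_rc = 0;            /* simulate: failure action was read */
static auditfail_t stub_mode = FAIL_LOG; /* simulate: configured action */
static int audit_open(void) { return stub_open_rc; }
static int get_auditfail_action(auditfail_t *m) { *m = stub_mode; return stub_query_rc; }
#endif

/* Hypothetical result codes for the caller (not part of libaudit). */
enum audit_decision { AUDIT_OK, AUDIT_CONTINUE, AUDIT_CONTINUE_LOGGED, AUDIT_STOP };

/* Decide what to do after audit_open() has failed.
 * Assumption: an unreadable or unknown failure action is treated as
 * FAIL_TERMINATE, so a broken configuration cannot silently disable auditing. */
static enum audit_decision decide_on_audit_failure(void)
{
    auditfail_t failmode;

    if (get_auditfail_action(&failmode) != 0)
        return AUDIT_STOP;
    switch (failmode) {
    case FAIL_IGNORE:
        return AUDIT_CONTINUE;
    case FAIL_LOG:
        fprintf(stderr, "Audit subsystem unavailable\n");
        return AUDIT_CONTINUE_LOGGED;
    case FAIL_TERMINATE:
    default:
        return AUDIT_STOP;
    }
}

/* Open the audit socket; on success *fd holds the netlink descriptor. */
static enum audit_decision open_audit_or_decide(int *fd)
{
    *fd = audit_open();
    if (*fd >= 0)
        return AUDIT_OK;
    fprintf(stderr, "Cannot open netlink audit socket\n");
    return decide_on_audit_failure();
}

int main(void) { int fd; return open_audit_or_decide(&fd) == AUDIT_STOP ? 1 : 0; }
```

Build with -DHAVE_LIBAUDIT -laudit to run against the real library; without it the stand-ins simulate an unavailable audit socket with the action set to FAIL_LOG.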