Re: Writting to audit with an application

[geckiv <geckiv@optonline.net>]

[-- Attachment #1.1: Type: text/plain, Size: 2735 bytes --]

Steve,  
 Thanks for the reply.  I must have something wrong  with my system as I 
can't get it to work even running it as root. I get an error of:

FAILURE:  errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek

Also how do I set auditd to allow other process(s) running not as root 
to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)? I could not 
find any info on this.  Also where do I find these trusted app examples? 
Is this something I down loa the src of Linux and look for?



snip
-----
    fd = audit_open();
    if (fd < 0)
    {
        printf("audit open failure, errno = %d\n", errno);
    }
    else
    {
        printf("audit file opened, fd = %d\n", fd);
        printf("attempting to write to audit log.\n");

       snprintf(msg, sizeof(msg), "My mesg to audit");

        if ((rc = audit_log_user_message(fd, 1101,
            msg, NULL, NULL, NULL, 0)) > 0)
            printf("SUCCESS:  rc = %d\n", rc);
        else
        {
            printf("FAILURE:  errno = %d\n", errno);
            perror( "Error writing audit file" );
            printf( "Error writing audit: %s\n", strerror( errno ) );
        }




Steve Grubb wrote:

>On Saturday 17 March 2007 14:54:54 geckiv wrote:
>  
>
>>I was wondering if anyone had a good example of how to write to the
>>audit log on linux for a custom application wanting to log events.
>>    
>>
>
>There's several examples in trusted apps. But its really simple to do. This is 
>from aide:
>
>#ifdef WITH_AUDIT
>  if(nadd!=0||nrem!=0||nchg!=0){
>    int fd=audit_open();
>    if (fd>=0){
>       char msg[64];
>
>       snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", 
>                nadd, nrem, nchg);
>
>       if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
>                                  msg, NULL, NULL, NULL, 0)<=0)
>#ifdef HAVE_SYSLOG
>          syslog(LOG_ERR, "Failed sending audit message:%s", msg);
>#else
>          ;
>#endif
>       close(fd);
>    }
>
>Being that I don't know what your app is doing, I'd say that you should use 
>the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it 
>can be parsed correctly by tools:
>
>http://people.redhat.com/sgrubb/audit/audit-parse.txt
>
>  
>
>>Does it write to the demon then write to the /var/log/auit/audit.log?
>>    
>>
>
>No, it sends it to the kernel which decides what to do with it.
>
>  
>
>>Also how do yo set this up so not just any one or any process write to that
>>log? 
>>    
>>
>
>The audit system is intended to be high integrity, meaning that its not able 
>to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order 
>to write to the audit system.
>
>-Steve
>
>
>  
>

[-- Attachment #1.2: Type: text/html, Size: 4227 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]