From mboxrd@z Thu Jan 1 00:00:00 1970 From: geckiv Subject: Re: Writting to audit with an application Date: Sat, 17 Mar 2007 17:34:57 -0400 Message-ID: <45FC5F01.4070504@optonline.net> References: <45FC397E.3050307@optonline.net> <200703171659.20981.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1834292650==" Return-path: Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l2HLZ8wE014058 for ; Sat, 17 Mar 2007 17:35:08 -0400 Received: from mta5.srv.hcvlny.cv.net (mta5.srv.hcvlny.cv.net [167.206.4.200]) by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l2HLZ2Oi002590 for ; Sat, 17 Mar 2007 17:35:02 -0400 Received: from optonline.net (ool-4352b24e.dyn.optonline.net [67.82.178.78]) by mta5.srv.hcvlny.cv.net (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTP id <0JF2007IJHA5A7E0@mta5.srv.hcvlny.cv.net> for linux-audit@redhat.com; Sat, 17 Mar 2007 17:34:57 -0400 (EDT) In-reply-to: <200703171659.20981.sgrubb@redhat.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com This is a multi-part message in MIME format. --===============1834292650== Content-type: multipart/alternative; boundary="Boundary_(ID_q37t+PrDDNIyLGP2Ov+++w)" This is a multi-part message in MIME format. --Boundary_(ID_q37t+PrDDNIyLGP2Ov+++w) Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT Steve, Thanks for the reply. I must have something wrong with my system as I can't get it to work even running it as root. I get an error of: FAILURE: errno = 22 Error writing audit file: Invalid argument Error writing audit: Illegal seek Also how do I set auditd to allow other process(s) running not as root to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)? I could not find any info on this. Also where do I find these trusted app examples? Is this something I down loa the src of Linux and look for? snip ----- fd = audit_open(); if (fd < 0) { printf("audit open failure, errno = %d\n", errno); } else { printf("audit file opened, fd = %d\n", fd); printf("attempting to write to audit log.\n"); snprintf(msg, sizeof(msg), "My mesg to audit"); if ((rc = audit_log_user_message(fd, 1101, msg, NULL, NULL, NULL, 0)) > 0) printf("SUCCESS: rc = %d\n", rc); else { printf("FAILURE: errno = %d\n", errno); perror( "Error writing audit file" ); printf( "Error writing audit: %s\n", strerror( errno ) ); } Steve Grubb wrote: >On Saturday 17 March 2007 14:54:54 geckiv wrote: > > >>I was wondering if anyone had a good example of how to write to the >>audit log on linux for a custom application wanting to log events. >> >> > >There's several examples in trusted apps. But its really simple to do. This is >from aide: > >#ifdef WITH_AUDIT > if(nadd!=0||nrem!=0||nchg!=0){ > int fd=audit_open(); > if (fd>=0){ > char msg[64]; > > snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", > nadd, nrem, nchg); > > if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL, > msg, NULL, NULL, NULL, 0)<=0) >#ifdef HAVE_SYSLOG > syslog(LOG_ERR, "Failed sending audit message:%s", msg); >#else > ; >#endif > close(fd); > } > >Being that I don't know what your app is doing, I'd say that you should use >the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it >can be parsed correctly by tools: > >http://people.redhat.com/sgrubb/audit/audit-parse.txt > > > >>Does it write to the demon then write to the /var/log/auit/audit.log? >> >> > >No, it sends it to the kernel which decides what to do with it. > > > >>Also how do yo set this up so not just any one or any process write to that >>log? >> >> > >The audit system is intended to be high integrity, meaning that its not able >to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order >to write to the audit system. > >-Steve > > > > --Boundary_(ID_q37t+PrDDNIyLGP2Ov+++w) Content-type: text/html; charset=us-ascii Content-transfer-encoding: 7BIT Steve,  
 Thanks for the reply.  I must have something wrong  with my system as I can't get it to work even running it as root. I get an error of:

FAILURE:  errno = 22
Error writing audit file: Invalid argument
Error writing audit: Illegal seek

Also how do I set auditd to allow other process(s) running not as root to write to the netlink/kernel ( i.e. set CAP_AUDIT_WRITE)? I could not find any info on this.  Also where do I find these trusted app examples? Is this something I down loa the src of Linux and look for?



snip
-----
    fd = audit_open();
    if (fd < 0)
    {
        printf("audit open failure, errno = %d\n", errno);
    }
    else
    {
        printf("audit file opened, fd = %d\n", fd);
        printf("attempting to write to audit log.\n");

       snprintf(msg, sizeof(msg), "My mesg to audit");

        if ((rc = audit_log_user_message(fd, 1101,
            msg, NULL, NULL, NULL, 0)) > 0)
            printf("SUCCESS:  rc = %d\n", rc);
        else
        {
            printf("FAILURE:  errno = %d\n", errno);
            perror( "Error writing audit file" );
            printf( "Error writing audit: %s\n", strerror( errno ) );
        }




Steve Grubb wrote:
On Saturday 17 March 2007 14:54:54 geckiv wrote:
  
I was wondering if anyone had a good example of how to write to the
audit log on linux for a custom application wanting to log events.
    

There's several examples in trusted apps. But its really simple to do. This is 
from aide:

#ifdef WITH_AUDIT
  if(nadd!=0||nrem!=0||nchg!=0){
    int fd=audit_open();
    if (fd>=0){
       char msg[64];

       snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", 
                nadd, nrem, nchg);

       if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
                                  msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
          syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
          ;
#endif
       close(fd);
    }

Being that I don't know what your app is doing, I'd say that you should use 
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it 
can be parsed correctly by tools:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

  
Does it write to the demon then write to the /var/log/auit/audit.log?
    

No, it sends it to the kernel which decides what to do with it.

  
Also how do yo set this up so not just any one or any process write to that
log? 
    

The audit system is intended to be high integrity, meaning that its not able 
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order 
to write to the audit system.

-Steve
--Boundary_(ID_q37t+PrDDNIyLGP2Ov+++w)-- --===============1834292650== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============1834292650==--