* Writing to audit with an application
From: geckiv @ 2007-03-17 18:54 UTC
To: linux-audit@redhat.com

I was wondering if anyone had a good example of how to write to the audit log on Linux for a custom application wanting to log events, and also how that would work. I found a little information but I have been unable to get anything to work properly. Does it write to the daemon, which then writes to /var/log/audit/audit.log? Also, how do you set this up so that not just anyone or any process can write to that log?

Thanks,
Frank
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-17 20:59 UTC
To: linux-audit

On Saturday 17 March 2007 14:54:54 geckiv wrote:
> I was wondering if anyone had a good example of how to write to the
> audit log on linux for a custom application wanting to log events.

There are several examples in trusted apps. But it's really simple to do. This is from aide:

    #ifdef WITH_AUDIT
        if (nadd != 0 || nrem != 0 || nchg != 0) {
            int fd = audit_open();
            if (fd >= 0) {
                char msg[64];

                snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld",
                         nadd, nrem, nchg);

                if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
                                           msg, NULL, NULL, NULL, 0) <= 0)
    #ifdef HAVE_SYSLOG
                    syslog(LOG_ERR, "Failed sending audit message:%s", msg);
    #else
                    ;
    #endif
                close(fd);
            }
        }
    #endif

Being that I don't know what your app is doing, I'd say that you should use the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it can be parsed correctly by tools:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

> Does it write to the daemon, which then writes to /var/log/audit/audit.log?

No, it sends it to the kernel which decides what to do with it.

> Also how do you set this up so not just anyone or any process can write to that
> log?

The audit system is intended to be high integrity, meaning that it's not able to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order to write to the audit system.

-Steve
* Re: Writing to audit with an application
From: geckiv @ 2007-03-17 21:34 UTC
To: linux-audit

Steve,

Thanks for the reply. I must have something wrong with my system as I can't get it to work even running it as root. I get an error of:

    FAILURE: errno = 22
    Error writing audit file: Invalid argument
    Error writing audit: Illegal seek

Also, how do I set auditd to allow other process(es) not running as root to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)? I could not find any info on this. Also, where do I find these trusted app examples? Is this something I download the Linux src and look for?

snip -----

    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <libaudit.h>

    int main(void)
    {
        int fd, rc;
        char msg[64];

        fd = audit_open();
        if (fd < 0) {
            printf("audit open failure, errno = %d\n", errno);
        } else {
            printf("audit file opened, fd = %d\n", fd);
            printf("attempting to write to audit log.\n");
            snprintf(msg, sizeof(msg), "My mesg to audit");
            /* 1101 is AUDIT_USER_ACCT */
            if ((rc = audit_log_user_message(fd, 1101, msg, NULL, NULL, NULL, 0)) > 0)
                printf("SUCCESS: rc = %d\n", rc);
            else {
                printf("FAILURE: errno = %d\n", errno);
                perror("Error writing audit file");
                printf("Error writing audit: %s\n", strerror(errno));
            }
            close(fd);
        }
        return 0;
    }
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-17 22:24 UTC
To: linux-audit

On Saturday 17 March 2007 17:34:57 geckiv wrote:
> Thanks for the reply. I must have something wrong with my system as I
> can't get it to work even running it as root. I get an error of:
>
> FAILURE: errno = 22
> Error writing audit file: Invalid argument
> Error writing audit: Illegal seek

This does sound wrong. Maybe strace would shed some light on how it's going wrong? What kernel are you using?

> Also how do I set auditd to allow other process(es) not running as root
> to write to the netlink/kernel (i.e. set CAP_AUDIT_WRITE)?

You can't. The audit system is designed to be high integrity, meaning only trusted apps or processes that run as root, or that started as root but dropped privileges keeping CAP_AUDIT_WRITE. The audit event is written to the kernel, not auditd (meaning the kernel must be compiled with syscall audit support at a minimum). The kernel may decide to give the event to auditd.

> I could not find any info on this. Also where do I find these trusted app
> examples?

dbus, nscd, passwd, shadow-utils, pam, ...

> Is this something I download the Linux src and look for?

No, dbus is an example of a program that keeps CAP_AUDIT_WRITE after starting as root but changes uids. passwd is setuid root. pam runs as part of applications that stay root.

-Steve
* Re: Writing to audit with an application
From: geckiv @ 2007-03-19 19:58 UTC
To: linux-audit

Steve,

I never heard of dbus before. Is there an example of how it keeps its CAP_AUDIT_WRITE and changes uids? Is this just using setuid() somehow?

Thanks,
Frank
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-19 21:38 UTC
To: linux-audit

On Monday 19 March 2007 15:58, geckiv wrote:
> I never heard of dbus before. Is there an example of how it keeps its
> CAP_AUDIT_WRITE and changes uids?

Not without looking at its source code. Here's its patch:

http://developer.momonga-linux.org/viewvc/trunk/pkgs/dbus/dbus-0.61-selinux-avc-audit.patch?r1=13947&r2=13946&pathrev=13947&view=patch

nscd also does the same trick, but it's coded in glibc style.

> Is this just using setuid() somehow?

No, there's an intricate dance regarding setuid, prctl, & capabilities that must be followed exactly or bad things can happen.

-Steve
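An added example, not the dbus or nscd code and not from this thread, of the setuid/prctl/capabilities dance Steve refers to here and in his earlier description of a process that "started as root but dropped privileges keeping CAP_AUDIT_WRITE". It uses the raw capset syscall and the kernel's v3 capability structures so it needs no libcap; the names cap_set_only and drop_root_keeping_cap and the nobody uid/gid in main() are my choices, not anything from dbus.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Build a v3 capability set holding exactly one capability in permitted and
 * effective (inheritable stays empty, so nothing is handed across an exec).
 * Returns 0, or -1/EINVAL for a capability number outside the two 32-bit words. */
int cap_set_only(int cap, struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3])
{
    if (cap < 0 || cap >= 32 * _LINUX_CAPABILITY_U32S_3) {
        errno = EINVAL;
        return -1;
    }
    memset(data, 0, sizeof(*data) * _LINUX_CAPABILITY_U32S_3);
    data[cap / 32].permitted = 1u << (cap % 32);
    data[cap / 32].effective = 1u << (cap % 32);
    return 0;
}

/* The dbus/nscd pattern: start as root, change to an unprivileged uid/gid and
 * come out the other side holding only 'cap'. The order is the whole point:
 *  1. PR_SET_KEEPCAPS, so the kernel does not empty the permitted set when
 *     every uid leaves 0;
 *  2. setgroups/setgid/setuid (the effective set is cleared here regardless);
 *  3. capset, to raise 'cap' back into effective and drop everything else;
 *  4. KEEPCAPS off again, plus a check that root cannot be regained.
 * Returns 0 on success, -1 with errno set otherwise. */
int drop_root_keeping_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (cap_set_only(cap, data) < 0)
        return -1;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    if (setuid(0) == 0) {           /* CAP_SETUID is gone, so this must fail */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (geteuid() != 0) {
        puts("run as root to exercise the privilege drop");
        return 0;
    }
    /* 65534 is the conventional nobody uid/gid; chosen for this example only. */
    if (drop_root_keeping_cap(65534, 65534, CAP_AUDIT_WRITE) < 0) {
        perror("drop_root_keeping_cap");
        return 1;
    }
    printf("now uid %u, retaining only CAP_AUDIT_WRITE\n", (unsigned)getuid());
    return 0;
}
```

After this returns, audit_open()/audit_log_user_message() still succeed because CAP_AUDIT_WRITE is in the effective set, while the process can no longer regain uid 0 or use any other capability; skipping step 1 or doing the capset before the setuid leaves the process either with no audit access or still fully privileged, which is the "bad things can happen" Steve warns about.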
* Re: Writing to audit with an application
From: Steve Grubb @ 2007-03-17 22:50 UTC
To: linux-audit

On Saturday 17 March 2007 17:34:57 geckiv wrote:
> FAILURE: errno = 22
> Error writing audit file: Invalid argument
                            ^^^^ EINVAL. I bet this is the problem. That can be bad arguments or sometimes a permission problem from selinux.

> Error writing audit: Illegal seek

This was probably a changed errno from perror.

-Steve
* Re: Writing to audit with an application
From: geckiv @ 2007-03-18 21:15 UTC
To: linux-audit

Steve,

I updated my kernel and that seemed to fix the problem.

Thanks,
Frank