[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Writtign to audit with an application



On Saturday 17 March 2007 14:54:54 geckiv wrote:
> I was wondering if anyone had a good example of how to write to the
> audit log on linux for a custom application wanting to log events.

There's several examples in trusted apps. But its really simple to do. This is 
from aide:

#ifdef WITH_AUDIT
  if(nadd!=0||nrem!=0||nchg!=0){
    int fd=audit_open();
    if (fd>=0){
       char msg[64];

       snprintf(msg, sizeof(msg), "added=%ld removed=%ld changed=%ld", 
                nadd, nrem, nchg);

       if (audit_log_user_message(fd, AUDIT_ANOM_RBAC_INTEGRITY_FAIL,
                                  msg, NULL, NULL, NULL, 0)<=0)
#ifdef HAVE_SYSLOG
          syslog(LOG_ERR, "Failed sending audit message:%s", msg);
#else
          ;
#endif
       close(fd);
    }

Being that I don't know what your app is doing, I'd say that you should use 
the AUDIT_TRUSTED_APP event type. Also try to follow guidelines so that it 
can be parsed correctly by tools:

http://people.redhat.com/sgrubb/audit/audit-parse.txt

> Does it write to the demon then write to the /var/log/auit/audit.log?

No, it sends it to the kernel which decides what to do with it.

> Also how do yo set this up so not just any one or any process write to that
> log? 

The audit system is intended to be high integrity, meaning that its not able 
to be written to by ordinary users. You have to have CAP_AUDIT_WRITE in order 
to write to the audit system.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]