Audit for live supervision
Steve Grubb
sgrubb at redhat.com
Tue Aug 19 18:39:50 UTC 2008
On Tuesday 19 August 2008 14:23:21 Kay Hayen wrote:
> > > > libaudit should pull complete events from the kernel unless an execve
> > > > has an excessive number of arguments or large sized arguments.
> > >
> > > I read that as that we can use the netlink socket with the libaudit
> > > directly, which sort of could be exactly what we want. That would mean
> > > we wouldn't use audit user space (processes) at all, right?
> >
> > True. You would have to load your own rules since that is done by the
> > audit user space.
>
> Can you confirm that two processes opening netlink sockets for audit
> information get the same messages?
Only one audit pid is allowed for security purposes.
> I am under the impression that the kernel doesn't maintain per socket
> configuration, does it?
Nope, it only allows one.
> If that were the case, we would simply co-exist with auditd and let it do
> its logging, etc. and benefit from it, and its ability to load the rules
If you want to co-exist with auditd, then you want to write your own audispd.
I pointed you to the skeleton.c code in the other email.
> > events. wrt auparse (if that's what you meant) you just run the data
> > through:
> >
> > asprintf(&v, "type=%s msg=%.*s\n", type, e->hdr.size, e->data);
> >
> > and "v" has the string ready for auparse use. asprinf() allocates memory,
> > so watch that it doesn't create a memory leak.
>
> That's very sweet. Where would you expect the pitfalls? I mean, it can't be
> so easy. :-)
No pitfalls except watching for memory leaks. Audispd used the same code.
-Steve
More information about the Linux-audit
mailing list