[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: creating and inserting audits

On Tuesday, September 07, 2010 04:38:29 pm Nestler, Roger - IS wrote:
> Using syslog it seems straight forward to insert a new message ,  'syslog
> (LOG_NOTICE, "Hello This is just a notice")' for instance.
> Does this capability exist already in linux audit and I'm just not seeing
> it???

The Linux audit system is protected by virtue of apps needing CAP_AUDIT_WRITE 
in order to send an event. Assuming that your app has this, you will want to 
use one of the functions here:


> Is it a bad idea to build and then to insert a custom audit/message, or any
> standard audit, into the audit.log file?

Yes. Do not do it. It has to be sent to the kernel for timestamping and 
correlation. Not to mention the kernel will collect a few things about the 
sender to be put in the audit trail.

> If so are there any problems to look out for , e.g event id/sequence number
> collisions, auparse or ausearch problems, formatting issues to adhere
> to???

You must send to the kernel. Aside from that, events must have a type. If you 
do not see a type that matches what you are doing, then use the 
AUDIT_TRUSTED_APP type which you may do (nearly) anything to. The audit system 
wants name=value fields. You should use the same field name as an existing one 
any time you find one. If you are not using AUDIT_TRUSTED_APP, then you must 
fill in the same fields in the same order as the original source does. The value 
part may not have a space or certain control characters in it. If it does you 
must encode the contents of the value with the audit_encode_value() function.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]