creating and inserting audits

Nestler, Roger - IS Roger.Nestler at itt.com
Wed Sep 8 13:48:44 UTC 2010 

Thanks,

The below sequence of functions seems to do the trick...

int audit_fd = audit_open();
audit_log_user_message(audit_fd, AUDIT_USER, "MY Message" NULL, NULL, NULL, 1);
audit_close(audit_fd);


Also the executable that I created, then copied to a root area and then ran as root, seemed to have the CAP_AUDIT_WRITE permission by default... how did my app get that permission, is it just because it’s a root app... I didnt explicitly assign it to the app, did I?

Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT' that would appear as say 'type=HELLOWORLD' in the audit file. Is that possible with a config file or function call?... It looks as if I'd have to modify stuff in maybe libaudit.h and msg_typetab.h, recompile.. etc... in order to add a custom type?

Thanks
Roger


-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Tuesday, September 07, 2010 5:17 PM
To: linux-audit at redhat.com
Cc: LC Bruzenak; Nestler, Roger - IS
Subject: Re: creating and inserting audits

On Tuesday, September 07, 2010 05:02:21 pm LC Bruzenak wrote:
> > Is it a bad idea to build and then to insert a custom audit/message,
> > or any standard audit, into the audit.log file?
>
> Nope.

To make sure we don't give conflicting advice, I was thinking he meant writing
directly to the file (which you should not do). Events must be sent to the
kernel. But you are free to make your own audit events as long as you mimic
the existing events.

-Steve

This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.

More information about the Linux-audit mailing list