Architecture of auditd
William Roberts
bill.c.roberts at gmail.com
Thu Dec 26 17:14:19 UTC 2013
Yes youre missing setting the audit pid so the kernel knows who to
send messages too.
I wrote an auditd from scratch for android, feel free to look at the
code. Its very simple, and
includes the libaudit pieces I needed to re-implement to get a version
that was NOT
GPL'd.
Recently it got a bit more complex when watch rules were added. Its
used by the SE for Android
projects found here:
https://bitbucket.org/seandroid/system-core/src/7c66471348a59107cb4a1f68835eb1937b2137ce/auditd/?at=seandroid
Look for function:
int audit_set_pid (int fd, uint32_t pid, rep_wait_t wmode)
in libaudit.c
Good luck,
Bill
On Wed, Dec 25, 2013 at 2:48 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> Hi I wrote a very simple program to retrieve netlink sockets (audit messages),
>
> But it stuck at recvfrom, am I missing something?
>
> #include <stdio.h>
> #include <unistd.h>
> #include <assert.h>
> #include <string.h>
> #include <stdlib.h>
> #include <math.h>
> #include <sys/socket.h>
> #include <linux/netlink.h>
>
> #define ERR_QUIT(a) do { perror(a); exit (1); } while (0);
>
> #ifndef PF_NETLINK
> # define PF_NETLINK 16
> #endif
>
> char message [10000];
>
> int main (int argc , char **argv)
> {
> int fd, len;
> struct sockaddr_nl nladdr;
> socklen_t nladdrlen = sizeof(nladdr);
>
> fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
> if (fd < 0)
> ERR_QUIT("socket");
>
> len = recvfrom(fd, &message, sizeof(message), 0, (struct
> sockaddr*)&nladdr, &nladdrlen);
> if (len < 0)
> ERR_QUIT("recvfrom");
>
> printf ("Received %d bytes\n", len);
>
> return 0;
> }
>
>
> --
> Best Regards,
> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
> Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
--
Respectfully,
William C Roberts
More information about the Linux-audit
mailing list