Query regarding to audit netlink call

Steve Grubb sgrubb at redhat.com
Mon Nov 26 16:16:05 UTC 2018


On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> Hi,
> 
> I wrote a program to listen for iptables modifications through netlink
> sockets; for this I used the NETLINK_AUDIT family. When I execute the program
> and modify an iptables rule, the program doesn't receive any message from the
> kernel and just stays in blocking mode. Could you help me find what
> is wrong in this program, or what else I need to do to receive iptables
> notifications?

To receive audit events, you have to register your program as the audit 
daemon by setting the audit pid via audit_set_pid(). Then you will get 
events. All of them. That might be disruptive if you needed auditing. In that 
case, you have 2 options. Write your program as a plugin to the audit daemon. 
There is example code here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

The other option is to open a connection to the audit multicast socket as 
systemd's journal does. You might look at it for example code.

-Steve

> I ran this program as the root user & the audit daemon is also running.
> 
> ps -eaf | grep -i auditd
> 
> root 499 2 0 Nov16 ? 00:00:00 [kauditd]
> 
>  root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
> 
> 
> I tried configuring the auditctl setting as well, directly using the auditctl
> command, & can see the modification in the "ausearch -k iptablesChange" command
> output, but the notification is not received in the application.
> 
> Here is the program :-
> 
> #include "libaudit.h"
> 
> #include <stdio.h>
> #include <string.h>
> #include <unistd.h>
> #include <sys/socket.h>
> #include <linux/netlink.h>
> 
> int main(void)
> {
>         int rc;
>         struct audit_message rep;
>         int fd;
>         struct sockaddr_nl sa;
> 
>         /* bind with nl_pid = 0 so the kernel assigns a port id; no multicast groups */
>         memset(&sa, 0, sizeof(sa));
>         sa.nl_family = AF_NETLINK;
>         sa.nl_groups = 0;
> 
>         fd = audit_open();
>         if (fd < 0) {
>                 perror("audit_open");
>                 return 1;
>         }
> 
>         if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
>                 perror("bind");
>                 audit_close(fd);
>                 return 1;
>         }
> 
>         /* block until one message arrives on the audit socket */
>         rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
>         if (rc < 0) {
>                 printf("Error\n");
>         } else {
>                 printf("msg received %d \n", rep.nlh.nlmsg_type);
>         }
> 
>         audit_close(fd);
> 
>         return 0;
> }
> 
> Thanks,Avinash
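The second option Steve describes, joining the audit multicast group read-only the way systemd-journald does, as an added example that is not part of the original thread and not code from the audit-userspace project. It talks raw netlink (no libaudit), subscribes to AUDIT_NLGRP_READLOG, and walks each datagram with the NLMSG_* macros so a malformed or truncated frame is dropped rather than read past. The record type AUDIT_NETFILTER_CFG is the one the kernel emits for netfilter table changes; the fallback #define values are assumed to match the kernel's uapi headers, and the log text in the comments is constructed, not captured. Reading the multicast group needs CAP_AUDIT_READ (root is enough), and it does not steal events from a running auditd.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Fallbacks for older headers; values assumed to match the kernel uapi. */
#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1
#endif
#ifndef AUDIT_NETFILTER_CFG
#define AUDIT_NETFILTER_CFG 1325   /* netfilter chain/table modifications */
#endif

#define AUDIT_TEXT_MAX 8970        /* same record size limit libaudit uses */

struct audit_event {
    unsigned type;                 /* audit record type, e.g. AUDIT_SYSCALL */
    size_t payload_len;
    char payload[AUDIT_TEXT_MAX];  /* NUL-terminated copy of the record text */
};

/* Open NETLINK_AUDIT and join the read-only log multicast group.
 * Unlike audit_set_pid(), this does not make us the audit daemon. */
int open_audit_multicast(void)
{
    int fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return -1;
    int group = AUDIT_NLGRP_READLOG;
    if (setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &group, sizeof(group)) < 0) {
        int saved = errno;        /* needs CAP_AUDIT_READ; EPERM otherwise */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Build one netlink-framed audit record into buf (used for offline testing).
 * Returns the aligned number of bytes written, or 0 if buf is too small. */
size_t build_audit_frame(unsigned char *buf, size_t cap, unsigned type, const char *text)
{
    size_t text_len = strlen(text);
    size_t total = NLMSG_SPACE(text_len);
    if (total > cap)
        return 0;
    memset(buf, 0, total);
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = NLMSG_LENGTH(text_len);
    nlh->nlmsg_type = type;
    memcpy(NLMSG_DATA(nlh), text, text_len);
    return total;
}

/* Walk every record in one received datagram. NLMSG_OK rejects a header that
 * claims more bytes than we actually received, so a truncated or hostile frame
 * yields no record instead of an over-read. Netlink control messages
 * (NOOP/ERROR/DONE, type < NLMSG_MIN_TYPE) are not audit records and are skipped. */
size_t parse_audit_datagram(unsigned char *buf, size_t len, struct audit_event *out, size_t max_out)
{
    size_t n = 0;
    int remaining = (int)len;      /* the NLMSG_* macros are written for int */
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    while (n < max_out && NLMSG_OK(nlh, remaining)) {
        if (nlh->nlmsg_type >= NLMSG_MIN_TYPE) {
            size_t plen = NLMSG_PAYLOAD(nlh, 0);
            if (plen >= sizeof(out[n].payload))
                plen = sizeof(out[n].payload) - 1;
            out[n].type = nlh->nlmsg_type;
            out[n].payload_len = plen;
            memcpy(out[n].payload, NLMSG_DATA(nlh), plen);
            out[n].payload[plen] = '\0';
            n++;
        }
        nlh = NLMSG_NEXT(nlh, remaining);
    }
    return n;
}

/* The record the original poster was waiting for: a netfilter table change. */
int is_netfilter_change(const struct audit_event *ev)
{
    return ev->type == AUDIT_NETFILTER_CFG;
}

int main(void)
{
    int fd = open_audit_multicast();
    if (fd < 0) {
        perror("open_audit_multicast (need CAP_AUDIT_READ)");
        return 1;
    }
    unsigned char buf[AUDIT_TEXT_MAX + NLMSG_HDRLEN];
    struct audit_event ev[16];
    for (;;) {
        ssize_t got = recv(fd, buf, sizeof(buf), 0);
        if (got < 0) {
            if (errno == EINTR) continue;
            perror("recv");
            break;
        }
        size_t cnt = parse_audit_datagram(buf, (size_t)got, ev, 16);
        for (size_t i = 0; i < cnt; i++)
            printf("%s type=%u %s\n", is_netfilter_change(&ev[i]) ? "[NETFILTER]" : "          ",
                   ev[i].type, ev[i].payload);
    }
    close(fd);
    return 0;
}
```

Because the parser is separated from the socket, it can be exercised with frames built by build_audit_frame without any privilege, which is also how you would fuzz it before pointing it at a live audit stream.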