I'm looking for a pointer on the programming model
Steve Grubb
sgrubb at redhat.com
Thu Mar 23 19:15:42 UTC 2006
On Thursday 23 March 2006 09:48, Taylor_Tad at emc.com wrote:
> I've gone over all the audit-related man pages that I could find on a RHEL 4
> system and searched/googled for a while but I can't find a clear description
> of the programming model/paradigm that trusted processes would follow to
> generate audit records.
They would simply use one of these functions:
/* The following are for standard formatting of messages */
extern int audit_log_user_message(int audit_fd, int type, const char *message,
        const char *hostname, const char *addr, const char *tty, int result);
extern int audit_log_user_comm_message(int audit_fd, int type,
        const char *message, const char *comm, const char *hostname,
        const char *addr, const char *tty, int result);
extern int audit_log_acct_message(int audit_fd, int type, const char *pgname,
        const char *op, const char *name, unsigned int id,
        const char *host, const char *addr, const char *tty, int result);
extern int audit_log_user_avc_message(int audit_fd, int type,
        const char *message, const char *hostname, const char *addr,
        const char *tty, uid_t uid);
The top one would be the most likely choice.
> I could go through something like the login code to see what it does, but
> then I'd be making an assumption that it does it correctly :-).
It does. :)
A good, simple example is util-linux login & hwclock programs or passwd. The
one thing to note is that you need to have CAP_AUDIT_WRITE in order to be
successful.
-Steve
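
The call sequence from the reply above, as an added example that is not part of the original message or of the audit package: it checks the CapEff line of /proc/self/status for CAP_AUDIT_WRITE before calling audit_log_user_message. The HAVE_LIBAUDIT build macro, the AUDIT_TRUSTED_APP record type and the "op=demo-start" message text are choices made for this example.

```c
/* Added example. Build: cc demo.c   (capability check only)
 *            or: cc -DHAVE_LIBAUDIT demo.c -laudit   (also sends a record) */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_LIBAUDIT   /* macro name is an assumption of this example */
#include <libaudit.h>
#endif

#define CAP_AUDIT_WRITE_BIT 29  /* value of CAP_AUDIT_WRITE in <linux/capability.h> */

/* Given the text of /proc/<pid>/status, return 1 if CAP_AUDIT_WRITE is in the
 * effective set, 0 if it is not, -1 if no well-formed CapEff line is found. */
int has_audit_write(const char *status)
{
    const char *p = status;
    while (p && strncmp(p, "CapEff:", 7) != 0) {   /* match at line start only */
        p = strchr(p, '\n');
        if (p) p++;
    }
    if (!p) return -1;
    for (p += 7; *p == ' ' || *p == '\t'; p++) ;
    if (!isxdigit((unsigned char)*p)) return -1;
    return (int)((strtoull(p, NULL, 16) >> CAP_AUDIT_WRITE_BIT) & 1ULL);
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    if (has_audit_write(buf) != 1) {
        fprintf(stderr, "CAP_AUDIT_WRITE not effective; the kernel would refuse the record\n");
        return 1;
    }
#ifdef HAVE_LIBAUDIT
    int fd = audit_open();               /* netlink socket to the kernel audit subsystem */
    if (fd < 0) return 1;
    /* NULL hostname/addr = unknown, NULL tty = libaudit looks it up, result 1 = success */
    int rc = audit_log_user_message(fd, AUDIT_TRUSTED_APP, "op=demo-start",
                                    NULL, NULL, NULL, 1);
    audit_close(fd);
    return rc > 0 ? 0 : 1;               /* > 0 is the record's sequence number */
#else
    return 0;
#endif
}
```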