Interface between the plugin and audit dispatcher

Steve Grubb sgrubb at redhat.com
Wed Dec 16 16:31:08 UTC 2009


On Wednesday 16 December 2009 09:45:07 am 陈洁丹 wrote:
> I want to write some plugin to do something, but I still do not have a
> clear view of the interface between the plugin and dispatcher.

The source code tarball ships with a sample plugin and you can also read it 
online:

https://fedorahosted.org/audit/browser/trunk/contrib/plugin

The events are written to stdin of the plugin by the dispatcher. Each plugin 
has a configuration file that should be installed to /etc/audisp/plugins.d/ with 
a defined format. 

One of the items tells audispd whether to send the event in binary format as 
the dispatcher itself received it or if it should be changed to string format. 
If you choose binary, then you are responsible for checking the version number of 
the event to make sure that you handle future versions of the event format. 
So, I would recommend that people write plugins that expect string format, 
since that is most portable.

If you choose string format, then you get the benefit of being able to use the 
audit parsing library. And you can debug your plugin by creating a raw audit 
event log and cat'ing it to the plugin's stdin. For example, if your plugin 
does something when someone accesses passwd, you can make a raw log like this:

ausearch --start today -f passwd --raw > test.log

then debug like:

cat test.log | ./my-app

Hope this helps...

-Steve
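The following is an added example, not the sample plugin from the audit tarball and not Steve's code: a small string-format plugin in Python that shows both halves of the interface described above, the plugin side (one raw record per line arrives on stdin, exactly what `ausearch --raw` prints) and the debugging side (`cat test.log | ./passwd-watch.py`). It groups records into events by the serial number inside `msg=audit(TIME:SERIAL)` and reports events whose PATH record names passwd. The plugin name, the `/etc/audisp/plugins.d/passwd-watch.conf` path, the `passwd-watch` audit key and the sample log lines are all constructed for the example; the config keys shown in the docstring are the ones audispd plugin config files use, with `format = string` selecting string format as recommended.

```python
#!/usr/bin/env python3
"""Minimal audispd plugin in string format (example code, not the project's).

audispd starts the plugin and writes one raw audit record per line to its
stdin, the same text that `ausearch --raw` prints. Config this example
assumes, installed as /etc/audisp/plugins.d/passwd-watch.conf:

    active = yes
    direction = out
    path = /usr/local/bin/passwd-watch.py
    type = always
    args =
    format = string
"""
import re
import sys

# type=SYSCALL msg=audit(1260977107.123:456): <key=value fields...>
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$')
# key=value, where value is either "quoted" or a bare token such as (null)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one raw record line into a dict, or None if it is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, rest = m.groups()
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return {'type': rtype, 'time': f'{secs}.{millis}',
            'serial': int(serial), 'fields': fields}


def group_events(lines):
    """Yield lists of records that share one serial, i.e. one kernel event.

    Records of an event arrive together; a change of serial or an EOE record
    closes the current event. Non-record lines (ausearch's '----') are skipped.
    """
    current, current_serial = [], None
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if current and rec['serial'] != current_serial:
            yield current
            current = []
        current_serial = rec['serial']
        if rec['type'] == 'EOE':
            if current:
                yield current
            current, current_serial = [], None
            continue
        current.append(rec)
    if current:
        yield current


def check_passwd_access(event):
    """Return an alert string if a PATH record in the event names passwd."""
    syscall = next((r for r in event if r['type'] == 'SYSCALL'), None)
    who = syscall['fields'] if syscall else {}
    for rec in event:
        name = rec['fields'].get('name', '') if rec['type'] == 'PATH' else ''
        if name.rsplit('/', 1)[-1] == 'passwd':
            return 'serial=%d auid=%s uid=%s exe=%s accessed %s' % (
                event[0]['serial'], who.get('auid', '?'),
                who.get('uid', '?'), who.get('exe', '?'), name)
    return None


def scan(lines):
    """Run the check over an iterable of raw lines and return all alerts."""
    return [a for a in map(check_passwd_access, group_events(lines)) if a]


# Constructed sample of ausearch --raw output: event 456 reads an unrelated
# file, event 457 (run as root from an auid=500 login) reads /etc/passwd.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1260977107.123:456): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=2 auid=500 uid=500 gid=500 euid=500 ses=1 comm="cat" exe="/bin/cat" key=(null)
type=CWD msg=audit(1260977107.123:456):  cwd="/home/user"
type=PATH msg=audit(1260977107.123:456): item=0 name="/home/user/notes.txt" inode=1234 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
type=EOE msg=audit(1260977107.123:456):
----
type=SYSCALL msg=audit(1260977110.456:457): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=3 auid=500 uid=0 gid=0 euid=0 ses=1 comm="cat" exe="/bin/cat" key="passwd-watch"
type=CWD msg=audit(1260977110.456:457):  cwd="/root"
type=PATH msg=audit(1260977110.456:457): item=0 name="/etc/passwd" inode=5678 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""


def main():
    # Same loop whether audispd feeds stdin or you run: cat test.log | ./passwd-watch.py
    for event in group_events(sys.stdin):
        alert = check_passwd_access(event)
        if alert:
            print(alert, file=sys.stderr, flush=True)


if __name__ == '__main__':
    main()
```

The event grouping is the part worth getting right: a single open() produces several records (SYSCALL, CWD, PATH) that share a serial, so a plugin that judges records one at a time cannot tie the file name in PATH back to the uid and exe in SYSCALL. The stream is consumed as it arrives, so a real deployment behaves the same as the debugging run; the plugin should just not block for long in the handler, since audispd is feeding it continuously.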



