creating and inserting audits
Steve Grubb
sgrubb at redhat.com
Tue Sep 7 21:00:27 UTC 2010
On Tuesday, September 07, 2010 04:38:29 pm Nestler, Roger - IS wrote:
> Using syslog it seems straightforward to insert a new message, 'syslog
> (LOG_NOTICE, "Hello This is just a notice")' for instance.
>
> Does this capability exist already in linux audit and I'm just not seeing
> it???
The Linux audit system is protected by virtue of apps needing CAP_AUDIT_WRITE
in order to send an event. Assuming that your app has this, you will want to
use one of the functions here:
https://fedorahosted.org/audit/browser/trunk/lib/libaudit.h#L375
> Is it a bad idea to build and then to insert a custom audit/message, or any
> standard audit, into the audit.log file?
Yes. Do not do it. It has to be sent to the kernel for timestamping and
correlation. Not to mention the kernel will collect a few things about the
sender to be put in the audit trail.
> If so are there any problems to look out for, e.g. event id/sequence number
> collisions, auparse or ausearch problems, formatting issues to adhere
> to???
You must send to the kernel. Aside from that, events must have a type. If you
do not see a type that matches what you are doing, then use the
AUDIT_TRUSTED_APP type which you may do (nearly) anything to. The audit system
wants name=value fields. You should use the same field name as an existing one
any time you find one. If you are not using AUDIT_TRUSTED_APP, then you must
fill in the same fields in the same order as the original source does. The value
part may not have a space or certain control characters in it. If it does you
must encode the contents of the value with the audit_encode_value() function.
-Steve
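The procedure Steve describes, as an added example in C (not code from the post or from the audit project): the event is assembled as name=value fields, values that contain a space, a double quote or a control byte are hex-encoded, and the finished text is handed to the kernel through libaudit rather than written into audit.log. The hex rule reimplemented here is my reading of libaudit's audit_value_needs_encoding()/audit_encode_value() (uppercase hex of each byte) and is an assumption about their exact behaviour; the field names op=, acct= and cmd= are borrowed from existing user-space records, and the helper names are mine. Build with -DHAVE_LIBAUDIT and -laudit and run with CAP_AUDIT_WRITE to actually send; without the define the send step only prints the record so the formatting can be checked anywhere.

```c
/* Added example, not from the mailing-list post or the audit project.
 * gcc -DHAVE_LIBAUDIT -o trusted_app trusted_app.c -laudit   (needs CAP_AUDIT_WRITE)
 * gcc -o trusted_app trusted_app.c                             (prints instead of sending) */
#include <stdio.h>
#include <string.h>

#ifdef HAVE_LIBAUDIT
#include <libaudit.h>            /* audit_open, audit_log_user_message, AUDIT_TRUSTED_APP */
#else
#define AUDIT_TRUSTED_APP 1121   /* numeric value from <linux/audit.h> */
#endif

/* Assumed mirror of libaudit's audit_value_needs_encoding(): a value must be
 * hex-encoded if it holds a space, a double quote, or a control/non-ASCII byte. */
static int value_needs_encoding(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c >= 0x7f)
            return 1;
    }
    return 0;
}

/* Format one name=value field.  Clean values are double-quoted; anything else is
 * emitted as uppercase hex, the encoding that ausearch -i decodes back to text.
 * Returns the length written or -1 if the output buffer is too small. */
static int format_field(char *out, size_t outsz, const char *name, const char *value)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = strlen(value);

    if (!value_needs_encoding(value, n)) {
        int len = snprintf(out, outsz, "%s=\"%s\"", name, value);
        return (len < 0 || (size_t)len >= outsz) ? -1 : len;
    }
    if (strlen(name) + 1 + 2 * n + 1 > outsz)
        return -1;
    int len = snprintf(out, outsz, "%s=", name);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        out[len++] = hex[c >> 4];
        out[len++] = hex[c & 0x0f];
    }
    out[len] = '\0';
    return len;
}

/* Assemble the free-form part of a TRUSTED_APP record.  exe=, hostname=, addr=,
 * terminal= and res= are appended by libaudit itself, so they are not built here. */
static int build_message(char *out, size_t outsz, const char *op,
                         const char *acct, const char *cmd)
{
    char f_acct[256], f_cmd[2048];
    if (format_field(f_acct, sizeof f_acct, "acct", acct) < 0) return -1;
    if (format_field(f_cmd, sizeof f_cmd, "cmd", cmd) < 0) return -1;
    int len = snprintf(out, outsz, "op=%s %s %s", op, f_acct, f_cmd);
    return (len < 0 || (size_t)len >= outsz) ? -1 : len;
}

/* Hand the record to the kernel, which adds the timestamp, serial number and the
 * pid/uid/auid/ses of the sender.  success: 1 = res=success, 0 = res=failed. */
static int send_trusted_app_event(const char *message, int success)
{
#ifdef HAVE_LIBAUDIT
    int fd = audit_open();
    if (fd < 0)
        return -1;
    /* NULL hostname/addr/tty lets libaudit fill in what it can discover. */
    int rc = audit_log_user_message(fd, AUDIT_TRUSTED_APP, message,
                                    NULL, NULL, NULL, success);
    audit_close(fd);
    return rc < 0 ? -1 : 0;      /* 0 = audit disabled, >0 = serial number */
#else
    printf("type=%d %s res=%s\n", AUDIT_TRUSTED_APP, message,
           success ? "success" : "failed");
    return 0;
#endif
}

/* Self-check helpers: format and compare against the expected text. */
static int field_is(const char *name, const char *value, const char *expected)
{
    char buf[4096];
    return format_field(buf, sizeof buf, name, value) >= 0 && strcmp(buf, expected) == 0;
}

static int message_is(const char *op, const char *acct, const char *cmd, const char *expected)
{
    char buf[4096];
    return build_message(buf, sizeof buf, op, acct, cmd) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char msg[4096];
    /* Constructed sample: a privileged helper ran a command containing spaces
     * on behalf of a user, so cmd= must be hex-encoded. */
    if (build_message(msg, sizeof msg, "run-helper", "alice", "rm -rf /tmp/work dir") < 0)
        return 1;
    return send_trusted_app_event(msg, 1) == 0 ? 0 : 1;
}
```

Nothing here touches audit.log: the only write path is audit_log_user_message(), so the kernel still owns the serial numbers and the sender attribution, and ausearch -i will render the hex cmd= field as the original string.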