creating and inserting audits

Steve Grubb sgrubb at redhat.com
Wed Sep 8 14:25:16 UTC 2010


On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
> The below sequence of functions seems to do the trick...
> 
> int audit_fd = audit_open();
> audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL, 1);
> audit_close(audit_fd);

Yes. There are a couple other log functions that may be better suited 
depending on your needs. If you want the program name to show up, use 
audit_log_user_comm_message(). Also, please note this:

#define AUDIT_USER        1005    /* Message from userspace -- deprecated */
 
That type is deprecated, please do not use it.

 
> Also the executable that I created, then copied to a root area and then ran
> as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
> did my app get that permission, is it just because it’s a root app... I
> didn't explicitly assign it to the app, did I?

If your app runs as root, it inherits that capability by virtue of being under 
the root account. If your app ran as a normal user, then you would have a 
problem because normal users do not have CAP_AUDIT_WRITE. You would either 
have to make your app setuid or have a helper do the logging. If you 
have a helper, then you have to worry if it can be abused to flood the log. If 
you don't go this route, you have to ask if a normal user can do anything that is 
security critical in the first place.

 
> Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT'
> that would appear as say 'type=HELLOWORLD' in the audit file. Is that
> possible with a config file or function call?...

No. We create types as they are needed for other projects. We have patched 
everything that needs auditing to create audit events. We also created the 
generic AUDIT_TRUSTED_APP type for private use. You can do anything with that 
type you want. If you have types that you think other projects might need, let 
me know and I'll see how we can fit them in.


> It looks as if I'd have to modify stuff in maybe libaudit.h and
> msg_typetab.h, recompile.. etc...in order to add a custom type?

And update aureport/ausearch and libauparse perhaps.

-Steve
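The reply above recommends audit_log_user_comm_message() with the generic AUDIT_TRUSTED_APP type and notes that only a process holding CAP_AUDIT_WRITE can write to the audit log. The program below is an added example written for this page; it is not code from the thread or from the audit project. It checks the effective capability set in /proc/self/status before calling libaudit, then emits one TRUSTED_APP record with the program name in comm=. The numeric values 1121 (AUDIT_TRUSTED_APP) and 29 (CAP_AUDIT_WRITE) are the kernel's; the weak-symbol declarations and the status codes are this example's own device so it links and runs even on a machine without libaudit, and the message text and comm name are constructed.

```c
/* Added example (not from the thread). Link with -laudit where libaudit is
 * installed; without it the weak symbols are NULL and the program reports
 * that the library is unavailable instead of failing to link. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Numeric values from <linux/audit.h> and <linux/capability.h>. */
#define AUDIT_TRUSTED_APP 1121      /* generic type reserved for private use */
#define CAP_AUDIT_WRITE   29        /* bit position in the capability mask */

/* libaudit entry points, declared weak (example's own trick) so the program
 * links and runs even when libaudit is absent; the symbols are NULL then. */
extern int  audit_open(void) __attribute__((weak));
extern void audit_close(int fd) __attribute__((weak));
extern int  audit_log_user_comm_message(int audit_fd, int type,
        const char *message, const char *comm, const char *hostname,
        const char *addr, const char *tty, int result) __attribute__((weak));

enum audit_example_status {
    AUDIT_EXAMPLE_OK = 0,
    AUDIT_EXAMPLE_NO_CAP,       /* caller lacks CAP_AUDIT_WRITE */
    AUDIT_EXAMPLE_NO_LIB,       /* libaudit not linked/installed */
    AUDIT_EXAMPLE_SEND_FAILED   /* kernel or auditd rejected the record */
};

/* Test bit CAP_AUDIT_WRITE in a hex capability mask as printed in the
 * CapEff: line of /proc/<pid>/status. Returns 1 if set, 0 otherwise. */
int mask_has_cap_audit_write(const char *hex_mask)
{
    char *end;
    unsigned long long mask = strtoull(hex_mask, &end, 16);
    if (end == hex_mask)
        return 0;                   /* not a hex number at all */
    return (int)((mask >> CAP_AUDIT_WRITE) & 1ULL);
}

/* Read CapEff of the running process; 0 if it cannot be read (e.g. no /proc). */
int current_process_has_cap_audit_write(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            found = mask_has_cap_audit_write(line + 7); /* strtoull skips the tab */
            break;
        }
    }
    fclose(f);
    return found;
}

/* Emit one AUDIT_TRUSTED_APP record carrying the program name in comm=. */
enum audit_example_status log_trusted_app_event(const char *message,
                                                const char *comm, int success)
{
    int fd, rc;
    if (!current_process_has_cap_audit_write())
        return AUDIT_EXAMPLE_NO_CAP;    /* normal user: don't even try */
    if (!audit_open || !audit_close || !audit_log_user_comm_message)
        return AUDIT_EXAMPLE_NO_LIB;
    fd = audit_open();
    if (fd < 0)
        return AUDIT_EXAMPLE_SEND_FAILED;
    /* hostname, addr and tty left NULL: libaudit fills in what it can */
    rc = audit_log_user_comm_message(fd, AUDIT_TRUSTED_APP, message, comm,
                                     NULL, NULL, NULL, success);
    audit_close(fd);
    /* libaudit returns the record's sequence number (> 0) on success */
    return rc > 0 ? AUDIT_EXAMPLE_OK : AUDIT_EXAMPLE_SEND_FAILED;
}

int main(void)
{
    static const char *names[] = { "ok", "no CAP_AUDIT_WRITE",
                                   "libaudit not available", "send failed" };
    /* constructed message and comm name */
    enum audit_example_status s =
        log_trusted_app_event("op=example-startup", "audit-example", 1);
    printf("audit status: %s\n", names[s]);
    return s == AUDIT_EXAMPLE_OK ? 0 : 1;
}
```

Build with `gcc example.c -o example -laudit` on a host with libaudit installed and run it as root (or with CAP_AUDIT_WRITE granted); the record then appears in the audit log as type=TRUSTED_APP with the comm= field set. Run as an ordinary user it stops at the capability check, which is the same point the reply makes: without CAP_AUDIT_WRITE the send would be refused anyway, and a setuid helper that does it on the user's behalf has to be designed so it cannot be used to flood the log.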
