creating and inserting audits

Nestler, Roger - IS Roger.Nestler at itt.com
Wed Sep 8 14:56:50 UTC 2010


OK, sounds good... thanks for pointing out the deprecated type... I think I grabbed that from auditctrl.c (v1.7.17...).

OK, so if we ever wanted to add some new types that would be unique/specific to our app, we would submit a request to you/redhat... and then in a future version of audit we'd possibly see our new types?

Thanks for all the help,

Roger


--

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Wednesday, September 08, 2010 10:25 AM
To: Nestler, Roger - IS
Cc: linux-audit at redhat.com; LC Bruzenak
Subject: Re: creating and inserting audits

On Wednesday, September 08, 2010 09:48:44 am Nestler, Roger - IS wrote:
> The below sequence of functions seems to do the trick...
>
> int audit_fd = audit_open();
> audit_log_user_message(audit_fd, AUDIT_USER, "MY Message", NULL, NULL, NULL, 1);
> audit_close(audit_fd);

Yes. There are a couple other log functions that may be better suited
depending on your needs. If you want the program name to show up, use
audit_log_user_comm_message(). Also, please note this:

#define AUDIT_USER        1005    /* Message from userspace -- deprecated */

That type is deprecated, please do not use it.


> Also the executable that I created, then copied to a root area and then ran
> as root, seemed to have the CAP_AUDIT_WRITE permission by default... how
> did my app get that permission, is it just because it's a root app... I
> didn't explicitly assign it to the app, did I?

If your app runs as root, it inherits that capability by virtue of being under
the root account. If your app ran as a normal user, then you would have a
problem because normal users do not have CAP_AUDIT_WRITE. You would either
have to make your app setuid or have a helper do the logging. If you
have a helper, then you have to worry if it can be abused to flood the log. If
you don't go this route, you have to ask if a normal user can do anything that is
security critical in the first place.


> Just out of curiosity if I wanted to add a new type, say 'MY_CUSTOM_AUDIT'
> that would appear as say 'type=HELLOWORLD' in the audit file. Is that
> possible with a config file or function call?...

No. We create types as they are needed for other projects. We have patched
everything that needs auditing to create audit events. We also created the
generic AUDIT_TRUSTED_APP type for private use. You can do anything with that
type you want. If you have types that you think other projects might need, let
me know and I'll see how we can fit them in.


> It looks as if I'd have to modify stuff in maybe libaudit.h and
> msg_typetab.h, recompile.. etc...in order to add a custom type?

And update aureport/ausearch and libauparse perhaps.

-Steve

This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.