Query regarding to audit netlink call

Avinash Patwari patwariavinash04 at gmail.com
Wed Nov 28 08:30:51 UTC 2018


Hi Steve,

Thanks for your suggestion.

I tried passing the audit daemon process id in the audit_set_pid call, but still
I didn't receive any iptables modification notification. What else do we need to
do to receive notifications?

Could you please also share the right configuration for iptables notifications?

I didn't get your suggestion with 2 options, could you please elaborate more?

Br,
avinash

On Mon, Nov 26, 2018 at 9:46 PM Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> > Hi,
> >
> > I wrote a program to listen to iptables modification through netlink
> > sockets, for this I used NETLINK_AUDIT family, when I execute the program
> > and modify the iptables rule, program doesn't receive any message from
> > kernel and it will be in blocking mode only. Could you help me to find
> > what is wrong in this program or what else I need to do to receive
> > iptables notification?
>
> To receive audit events, you have to register your program as the audit
> daemon by setting the audit pid via audit_set_pid(). Then you will get
> events. All of them. That might be disruptive if you needed auditing. In
> that case, you have 2 options. Write your program as a plugin to the audit
> daemon.
> There is example code here:
>
> https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
>
> The other option is to open a connection to the audit multicast socket as
> systemd's journal does. You might look at it for example code.
>
> -Steve
>
> > I ran this program as a root user & audit daemon is also running.
> >
> > ps -eaf | grep -i auditd
> >
> > root 499 2 0 Nov16 ? 00:00:00 [kauditd]
> >
> > root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
> >
> >
> > I tried configuring auditctl setting as well directly using auditctl
> > command & can see the modification with "ausearch -k iptablesChange"
> > command output but notification is not received in application.
> >
> > Here is the program :-
> >
> > #include "libaudit.h"
> > #include <stdio.h>
> > #include <string.h>
> > #include <unistd.h>
> > #include <sys/socket.h>
> > #include <linux/netlink.h>
> >
> > int main(void)
> > {
> >         int rc;
> >         struct audit_reply rep;     /* audit_get_reply() fills a struct audit_reply */
> >         int fd;
> >         struct sockaddr_nl sa;
> >
> >         memset(&sa, 0, sizeof(sa));
> >         sa.nl_family = AF_NETLINK;
> >         sa.nl_groups = 0;           /* no multicast group: unicast replies only */
> >
> >         fd = audit_open();          /* NETLINK_AUDIT socket; nothing registers it as audit daemon */
> >         if (fd < 0) {
> >                 perror("audit_open");
> >                 return 1;
> >         }
> >
> >         bind(fd, (struct sockaddr *) &sa, sizeof(sa));
> >
> >         /* Blocks until the kernel sends this socket a message; without
> >          * audit_set_pid() the kernel keeps delivering events to auditd. */
> >         rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
> >         if (rc < 0)
> >                 printf("Error\n");
> >         else
> >                 printf("msg received %d \n", rep.type);  /* rep.type == rep.nlh->nlmsg_type */
> >
> >         audit_close(fd);
> >         return 0;
> > }
> >
> > Thanks,
> > Avinash
>
>
>
>
>
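Steve's second option, as an added example that is not part of this thread and not libaudit's or systemd's code: a raw-netlink, read-only subscription to the audit multicast group, the way systemd-journald consumes events, plus a small filter for the SYSCALL records carrying the `key="iptablesChange"` from the thread. It assumes Linux 3.16 or newer and CAP_AUDIT_READ; the function names are mine, and the buffer built in `sample_hits()` is constructed, not a real capture.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#define WANT_KEY "key=\"iptablesChange\""   /* the -k key used in the thread */

/* Read-only subscription to the audit multicast group (Linux >= 3.16, needs CAP_AUDIT_READ).
 * Unlike audit_set_pid(), this leaves auditd as the registered consumer of events. */
int open_audit_readlog(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK, .nl_groups = 1U << (AUDIT_NLGRP_READLOG - 1) };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);     /* group N is bit N-1 of nl_groups */
    if (fd >= 0 && bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;   /* recv() on fd now yields the same records auditd writes to audit.log */
}

/* Count the AUDIT_SYSCALL records in one recv() buffer whose text carries WANT_KEY. */
int count_iptables_records(const char *buf, int len)
{
    int hits = 0;
    for (const struct nlmsghdr *nlh = (const void *)buf; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        char text[8192];                               /* wire text is not NUL-terminated */
        int n = nlh->nlmsg_len - NLMSG_HDRLEN;
        if (nlh->nlmsg_type != AUDIT_SYSCALL) continue;  /* the key lives in the SYSCALL record */
        if (n >= (int)sizeof text) n = sizeof text - 1;
        memcpy(text, NLMSG_DATA(nlh), n); text[n] = '\0';
        if (strstr(text, WANT_KEY)) hits++;
    }
    return hits;
}

/* Constructed sample of one recv(): a keyed SYSCALL record, its PATH record, an unrelated SYSCALL. */
int sample_hits(void)
{
    static const struct { int type; const char *text; } recs[] = {
        { AUDIT_SYSCALL, "audit(1543393851.123:42): syscall=59 success=yes key=\"iptablesChange\"" },
        { AUDIT_PATH,    "audit(1543393851.123:42): item=0 name=\"/sbin/iptables\"" },
        { AUDIT_SYSCALL, "audit(1543393851.123:43): syscall=1 success=yes key=\"other\"" },
    };
    char buf[512] __attribute__((aligned(4))); int len = 0;
    for (unsigned i = 0; i < sizeof recs / sizeof recs[0]; i++) {   /* frame as the kernel would */
        struct nlmsghdr *nlh = (struct nlmsghdr *)(buf + len);
        int n = strlen(recs[i].text);
        *nlh = (struct nlmsghdr){ .nlmsg_len = NLMSG_LENGTH(n), .nlmsg_type = recs[i].type };
        memcpy(NLMSG_DATA(nlh), recs[i].text, n);
        len += NLMSG_ALIGN(nlh->nlmsg_len);
    }
    return count_iptables_records(buf, len);   /* 1: only the first record matches */
}
```

A live loop is `recv()` on `open_audit_readlog()` into a 4-byte-aligned buffer, followed by `count_iptables_records()` on each chunk; unlike the blocking `audit_get_reply()` program above, auditd keeps running and keeps its log.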

