Query regarding audit netlink call
Avinash Patwari
patwariavinash04 at gmail.com
Wed Nov 28 08:30:51 UTC 2018
Hi Steve,
Thanks for your suggestion.
I tried passing the audit daemon process id in the audit_set_pid call, but I
still didn't receive any iptables modification notification. What else do we
need to do to receive notifications?
Could you please also share the right configuration for iptables notifications?
I didn't get your suggestion with the 2 options, could you please elaborate
more?
Br,
avinash
On Mon, Nov 26, 2018 at 9:46 PM Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, November 26, 2018 2:09:57 AM EST Avinash Patwari wrote:
> > Hi,
> >
> > I wrote a program to listen for iptables modifications through netlink
> > sockets; for this I used the NETLINK_AUDIT family. When I execute the
> > program and modify an iptables rule, the program doesn't receive any
> > message from the kernel and just stays blocked. Could you help me find
> > what is wrong in this program, or what else I need to do to receive
> > iptables notifications?
>
> To receive audit events, you have to register your program as the audit
> daemon by setting the audit pid via audit_set_pid(). Then you will get
> events. All of them. That might be disruptive if you needed auditing. In
> that case, you have 2 options. Write your program as a plugin to the audit
> daemon. There is example code here:
>
> https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
>
> The other option is to open a connection to the audit multicast socket as
> systemd's journal does. You might look at it for example code.
>
> -Steve
>
> > I ran this program as the root user, and the audit daemon is also running.
> >
> > ps -eaf | grep -i auditd
> >
> > root 499 2 0 Nov16 ? 00:00:00 [kauditd]
> >
> > root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
> >
> >
> > I tried configuring the auditctl settings directly with the auditctl
> > command as well, and I can see the modification in the
> > "ausearch -k iptablesChange" command output, but the notification is not
> > received in the application.
> >
> > Here is the program :-
> >
> > #include "libaudit.h"
> > #include <stdio.h>
> > #include <string.h>
> > #include <unistd.h>
> > #include <linux/netlink.h>   /* struct sockaddr_nl */
> >
> > int main(void)
> > {
> >     int rc;
> >     struct audit_reply rep;   /* audit_get_reply() fills a struct audit_reply, not a struct audit_message */
> >     int fd;
> >     struct sockaddr_nl sa;
> >
> >     memset(&sa, 0, sizeof(sa));
> >     sa.nl_family = AF_NETLINK;
> >     sa.nl_groups = 0;         /* no multicast group: unicast messages only */
> >
> >     fd = audit_open();
> >     if (fd < 0) {
> >         perror("audit_open");
> >         return 1;
> >     }
> >     bind(fd, (struct sockaddr *) &sa, sizeof(sa));
> >
> >     /* blocks until the kernel sends this socket a message */
> >     rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
> >     if (rc < 0) {
> >         printf("Error\n");
> >     } else {
> >         printf("msg received %d\n", rep.type);
> >     }
> >
> >     audit_close(fd);
> >     return 0;
> > }
> >
> > Thanks,
> > Avinash
>
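The multicast route Steve describes, written out as an added example for this thread (it is not code from the thread, from systemd, or from the audit-userspace project): join the AUDIT_NLGRP_READLOG group on a NETLINK_AUDIT socket instead of calling audit_set_pid(), so auditd keeps running and the listener still sees every record. The filter uses the "iptablesChange" key from the question and the NETFILTER_CFG record type the kernel emits when a table is replaced; the record text format assumed in the field parser ("name=value" pairs, values optionally quoted) is the standard audit record layout. It needs CAP_AUDIT_READ and a 3.16 or newer kernel, and records only flow while auditing is enabled and rules are loaded.

```c
/* Added example (not from the thread or audit-userspace): read audit records
 * from the AUDIT_NLGRP_READLOG multicast group, the way systemd-journald
 * does, without displacing auditd. Needs CAP_AUDIT_READ, kernel 3.16+. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef SOL_NETLINK
#define SOL_NETLINK 270
#endif
#ifndef AUDIT_NLGRP_READLOG
#define AUDIT_NLGRP_READLOG 1      /* enum audit_nlgrps: "best effort" read-only group */
#endif
#ifndef AUDIT_NETFILTER_CFG
#define AUDIT_NETFILTER_CFG 1325   /* emitted on netfilter table replace */
#endif

/* Copy NAME's value out of an audit record ("a=1 b="two" ...") into OUT with
 * quotes stripped. Matches only at a field boundary, so "key" does not hit
 * "subj_key". Returns 1 when found, 0 otherwise. */
int audit_get_field(const char *rec, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = rec;

    while ((p = strstr(p, name)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[nlen] == '=') {
            const char *v = p + nlen + 1, *end;
            if (*v == '"') {
                v++;
                end = strchr(v, '"');
                if (end == NULL)
                    return 0;                 /* unterminated quote: reject */
            } else {
                end = v + strcspn(v, " \n");
            }
            size_t vlen = (size_t)(end - v);
            if (vlen >= outsz)
                vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* An iptables change is either the kernel's own NETFILTER_CFG record or a
 * record produced by an auditctl rule tagged -k KEY (it carries key="KEY"). */
int is_iptables_change(unsigned type, const char *rec, const char *key)
{
    char val[256];

    if (type == AUDIT_NETFILTER_CFG)
        return 1;
    return audit_get_field(rec, "key", val, sizeof val) && strcmp(val, key) == 0;
}

/* Open NETLINK_AUDIT with an auto-assigned port id (nl_pid 0) and join the
 * read-only multicast group. auditd's registration is left alone. */
int open_audit_multicast(void)
{
    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
    int grp = AUDIT_NLGRP_READLOG;
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);

    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp, sizeof grp) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *key = "iptablesChange";          /* the -k used in the question */
    union { struct nlmsghdr hdr; char raw[16384]; } buf;   /* keeps nlmsghdr aligned */
    char rec[8192];
    int fd = open_audit_multicast();

    if (fd < 0) {
        perror("open_audit_multicast (needs CAP_AUDIT_READ, kernel >= 3.16)");
        return 1;
    }
    for (;;) {
        ssize_t n = recv(fd, buf.raw, sizeof buf.raw, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            perror("recv");
            break;
        }
        int len = (int)n;
        /* a datagram may hold several records; walk them and NUL-terminate each payload */
        for (struct nlmsghdr *nlh = &buf.hdr; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
            size_t plen = nlh->nlmsg_len - NLMSG_HDRLEN;
            if (plen >= sizeof rec)
                plen = sizeof rec - 1;
            memcpy(rec, NLMSG_DATA(nlh), plen);
            rec[plen] = '\0';
            if (is_iptables_change(nlh->nlmsg_type, rec, key))
                printf("type=%u %s\n", (unsigned)nlh->nlmsg_type, rec);
        }
    }
    close(fd);
    return 1;
}
```

Build with cc, run it as root (or with CAP_AUDIT_READ) next to the running auditd, and change a rule with iptables from another shell; the matching SYSCALL and NETFILTER_CFG records print as they arrive. The kernel header describes this group as "best effort", so records can be lost under load; where loss is unacceptable, the auditd plugin route Steve links is the better fit.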