
auditd real-time events processing C/C++

I'm trying to write a process in C/C++ that will analyze auditd events in real time.

Currently, I'm using the af_unix plugin to read the audit events from a Unix socket (/var/run/audisp_events by default).

I tried using select() and recv() to consume the events from the socket like this:

select(FD_SETSIZE, &set, NULL, NULL, NULL);   /* block until the socket is readable */
recv(sockfd, message, size, MSG_DONTWAIT);    /* read whatever is there, possibly part of an event */

And then feeding it to the auparse callback to parse the buffer, similar to this example:

auparse_feed(au, buf, (size_t)len);   /* hand the received bytes to the parser */
auparse_flush_feed(au);               /* force out whatever the parser has buffered */

The issue here is that auditd events can be multi-record events (like SYSCALL), and recv() only consumes some of the records, not all of them, so in the parsing callback I don't have all the information.

Then I tried using getline() to consume one record at a time, but I still cannot tell whether the record is a single-record event or part of a multi-record event.

After reading the auditd documentation here, I found this: "EOE Triggered to record the end of a multi-record event." I can use this to know when to stop consuming (because getline() is a blocking operation), but the EOE record only exists in multi-record events.

My questions are:

  • Is using the af_unix plugin the best way to consume auditd events in real time?
  • Is there any way to know from the record information whether this is a multi-record event? If not, is there any documentation on which events are multi-record events?

You should use an Audit Dispatcher (audisp) plugin for this.

Here are some resources:

For the number of records in an event, call auparse_get_num_records.
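The question's actual problem is framing: recv() returns bytes, not events, so the bytes have to be split into newline-terminated records and the records grouped into events before anything is parsed. Every record of one event carries the same "msg=audit(TIME:SERIAL)" stamp; a multi-record event is closed by its EOE record, and a single-record event (which has no EOE) is known to be complete once a record with a different serial shows up, or after an idle timeout. libauparse does exactly this grouping when you use auparse_feed() together with auparse_add_callback() and call auparse_flush_feed() only at end of input; calling it after every recv(), as in the question, forces whatever is buffered out to the callback as an incomplete event. The following C program is an added example, not code from the question, the answer, or the audit project: it implements that framing without any libauparse dependency so the boundary logic is visible, and feeds it a constructed sample stream in deliberately awkward chunk sizes to mimic recv() boundaries.

```c
/* Added example, not code from the question or the answer: a stream framer that
 * turns the arbitrary chunks recv() returns into whole audit events. Records of one
 * event share the serial in "msg=audit(TIME:SERIAL)"; an event ends at an EOE record
 * (multi-record events) or at the next record's different serial. SAMPLE is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_RECORDS 32
#define MAX_LINE    512
#define MAX_EVENTS  8

struct audit_event { unsigned long serial; int nrecords; char records[MAX_RECORDS][MAX_LINE]; };

struct framer {
    char buf[MAX_LINE]; size_t len;        /* partial record, not yet newline-terminated */
    struct audit_event cur; int have_cur;  /* event currently being assembled */
    void (*cb)(const struct audit_event *ev, void *user); void *user;
};

/* SERIAL from "msg=audit(1618217560.123:4567)", or 0 if the field is absent. */
unsigned long record_serial(const char *rec)
{
    const char *p = strstr(rec, "msg=audit(");
    return (p && (p = strchr(p, ':'))) ? strtoul(p + 1, NULL, 10) : 0;
}

/* Deliver the event; also call from the select() timeout branch so a trailing single-record event is not held back. */
void framer_flush(struct framer *f)
{
    if (f->have_cur)
        f->cb(&f->cur, f->user);
    f->have_cur = f->cur.nrecords = 0;
}

static void framer_record(struct framer *f, const char *rec)
{
    unsigned long serial = record_serial(rec);
    if (f->have_cur && serial != f->cur.serial)  /* new serial: previous event is done */
        framer_flush(f);
    if (strncmp(rec, "type=EOE", 8) == 0) {      /* EOE carries no data; it only closes */
        framer_flush(f);
        return;
    }
    if (!f->have_cur) { f->have_cur = 1; f->cur.serial = serial; }
    if (f->cur.nrecords < MAX_RECORDS)
        snprintf(f->cur.records[f->cur.nrecords++], MAX_LINE, "%s", rec);
}

/* Feed a chunk exactly as recv() returned it; it may end in the middle of a record. */
void framer_feed(struct framer *f, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] != '\n') {                   /* over-long records are truncated */
            if (f->len < sizeof f->buf - 1) f->buf[f->len++] = data[i];
            continue;
        }
        f->buf[f->len] = '\0';
        if (f->len > 0) framer_record(f, f->buf);
        f->len = 0;
    }
}

/* Constructed sample: a 3-record execve event, a 1-record login (no EOE), a 2-record openat. */
static const char SAMPLE[] =
    "type=SYSCALL msg=audit(1618217560.123:4567): arch=c000003e syscall=59 success=yes exit=0 comm=\"ls\"\n"
    "type=EXECVE msg=audit(1618217560.123:4567): argc=2 a0=\"ls\" a1=\"-l\"\n"
    "type=PATH msg=audit(1618217560.123:4567): item=0 name=\"/usr/bin/ls\"\n"
    "type=EOE msg=audit(1618217560.123:4567): \n"
    "type=USER_LOGIN msg=audit(1618217561.001:4568): pid=1200 uid=0 auid=1000 ses=3 res=success\n"
    "type=SYSCALL msg=audit(1618217562.500:4569): arch=c000003e syscall=257 success=no exit=-13 comm=\"cat\"\n"
    "type=PATH msg=audit(1618217562.500:4569): item=0 name=\"/etc/shadow\"\n"
    "type=EOE msg=audit(1618217562.500:4569): \n";

struct tally { int nevents; int nrecords[MAX_EVENTS]; };
static void count_records(const struct audit_event *ev, void *user)
{
    struct tally *t = user;
    if (t->nevents < MAX_EVENTS) t->nrecords[t->nevents] = ev->nrecords;
    t->nevents++;
}

/* Push SAMPLE through the framer in chunk-byte pieces to mimic recv() boundaries;
 * returns the number of events and fills in each event's record count. */
int demo_event_count(size_t chunk, int nrecords_out[MAX_EVENTS])
{
    struct tally t = {0};
    struct framer f = { .cb = count_records, .user = &t };
    size_t total = strlen(SAMPLE);
    for (size_t off = 0; off < total; off += chunk) {
        size_t n = total - off < chunk ? total - off : chunk;
        framer_feed(&f, SAMPLE + off, n);
    }
    framer_flush(&f);                            /* the idle-timeout case */
    memcpy(nrecords_out, t.nrecords, sizeof t.nrecords);
    return t.nevents;
}

int main(void)
{
    int nrec[MAX_EVENTS], n = demo_event_count(37, nrec);  /* 37-byte chunks cut mid-record */
    for (int i = 0; i < n; i++) printf("event %d: %d record(s)\n", i + 1, nrec[i]);
    return 0;
}
```

Build with `cc -std=c99` and run it; the same three events come out whatever chunk size is used, because the framer never assumes a recv() ends on a record boundary. In a real reader, framer_feed() goes where the question's recv() result is handled and framer_flush() goes in the select() timeout branch, since a single-record event that is the last thing on the wire is otherwise only delivered when the next record arrives. Once an event is assembled, the per-record parsing is still best left to libauparse (auparse_feed() plus the AUPARSE_CB_EVENT_READY callback, and auparse_get_num_records() as the answer says); the point of the example is only the boundary logic that the question was missing.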
