#include <sys/param.h>
#include <sys/ioctl.h>

#include <bsm/audit.h>
#include <bsm/libbsm.h>
#include <security/audit/audit_ioctl.h>

#include <err.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <sysexits.h>
#include <unistd.h>
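#define AUDITPIPE_PATH "/dev/auditpipe"

/*
 * Audit class bit selected below: from audit_class(5), 0x00000002 is
 * "fw: file write".  Preselection masks are class bitmaps, so this picks
 * only file-write events.
 */
#define FW_CLASS_MASK 0x00000002

/*
 * Issue an auditpipe(4) ioctl that fills in a single int and return it.
 *
 * fd:   open descriptor on AUDITPIPE_PATH
 * req:  one of the AUDITPIPE_GET_* requests that take an int *
 * what: human-readable description used in the error message
 *
 * Exits with EX_OSERR via err(3) if the ioctl fails.
 */
static int
auditpipe_get_int(int fd, unsigned long req, const char *what)
{
	int val;

	if (ioctl(fd, req, &val) == -1) {
		close(fd);
		err(EX_OSERR, "Can't get %s", what);
	}
	return val;
}

/*
 * Read live audit records from the auditpipe(4) device and print, for
 * each record, the header timestamp, any path tokens and the subject PID.
 *
 * The pipe is switched to local preselection mode so this process' own
 * flags (successful file-write events only) decide which records the
 * kernel delivers, independent of the global audit_control(5) policy.
 * Note that auditd must be running (or have been run) to populate the
 * kernel mask table, otherwise preselection has nothing to match:
 * http://markmail.org/message/2smblfimnixlrgsh#query:+page:1+mid:wjqw7bioezs74ugd+state:results
 *
 * Returns 0 when au_read_rec(3) reports EOF/error on the pipe; any setup
 * failure exits with EX_OSERR via err(3).
 */
int
main(int argc, char **argv)
{
	int auditfd, i, reclen;
	au_mask_t mask;
	FILE *f;
	u_char *buf;
	char tmppath[MAXPATHLEN];
	tokenstr_t tok;

	(void)argc;
	(void)argv;

	/* open(2) takes O_* flags, not a stdio mode character. */
	if ((auditfd = open(AUDITPIPE_PATH, O_RDONLY)) == -1)
		err(EX_OSERR, "Unable to open " AUDITPIPE_PATH);

	/* err(3) already appends ": <strerror>", so no trailing colon. */
	i = auditpipe_get_int(auditfd, AUDITPIPE_GET_QLEN, "queue length");
	printf("Queue length %d\n", i);
	i = auditpipe_get_int(auditfd, AUDITPIPE_GET_QLIMIT_MAX,
	    "maximum queue length");
	printf("Queue length maximum %d\n", i);
	i = auditpipe_get_int(auditfd, AUDITPIPE_GET_MAXAUDITDATA,
	    "max record size");
	printf("Maximum record size %d\n", i);

	/* Use this pipe's own preselection instead of the global policy. */
	i = AUDITPIPE_PRESELECT_MODE_LOCAL;
	if (ioctl(auditfd, AUDITPIPE_SET_PRESELECT_MODE, &i) == -1) {
		close(auditfd);
		err(EX_OSERR, "Can't set local preselection");
	}
	/* Drop anything queued under the previous preselection settings. */
	if (ioctl(auditfd, AUDITPIPE_FLUSH) == -1) {
		close(auditfd);
		err(EX_OSERR, "Can't flush queue");
	}

	/* Attributable events: successful file writes only. */
	mask.am_success = FW_CLASS_MASK;
	mask.am_failure = 0x00000000;
	if (ioctl(auditfd, AUDITPIPE_SET_PRESELECT_FLAGS, &mask) == -1) {
		close(auditfd);
		err(EX_OSERR, "Can't set preselect flags");
	}
	printf("success: 0x%08x failure: 0x%08x\n", mask.am_success,
	    mask.am_failure);

	/* Non-attributable events: same selection. */
	mask.am_success = FW_CLASS_MASK;
	mask.am_failure = 0x00000000;
	if (ioctl(auditfd, AUDITPIPE_SET_PRESELECT_NAFLAGS, &mask) == -1) {
		close(auditfd);
		err(EX_OSERR, "Can't set preselect NA flags");
	}
	printf("NA: success: 0x%08x failure: 0x%08x\n", mask.am_success,
	    mask.am_failure);

	/* au_read_rec(3) wants a stdio stream; f now owns auditfd. */
	if ((f = fdopen(auditfd, "r")) == NULL) {
		close(auditfd);
		err(EX_OSERR, "fdopen failed");
	}

	while ((reclen = au_read_rec(f, &buf)) != -1) {
		/*
		 * au_read_rec allocates buf; keep the original pointer so
		 * it can be freed after the cursor has walked the record.
		 */
		u_char *rec = buf;
		int left = reclen;

		while (left > 0) {
			/* Truncated or malformed token: stop parsing this record. */
			if (au_fetch_tok(&tok, buf, left) == -1)
				break;
			/*
			 * Defensive: a zero-length token would spin forever
			 * and an oversized one would read past the record.
			 */
			if (tok.len == 0 || tok.len > (size_t)left)
				break;

			switch (tok.id) {
			case AUT_HEADER32:
				printf("Time: %" PRIu32 ".%03" PRIu32 " ",
				    tok.tt.hdr32.s, tok.tt.hdr32.ms);
				break;
			case AUT_PATH:
				/*
				 * realpath(3) consults the live filesystem, so
				 * the canonical name can differ from what the
				 * kernel recorded if the path was renamed or
				 * is a symlink.  On failure, print the path
				 * token itself rather than an uninitialized
				 * tmppath.
				 */
				if (realpath(tok.tt.path.path, tmppath) == NULL)
					printf("Path: %s ", tok.tt.path.path);
				else
					printf("Path: %s ", tmppath);
				break;
			case AUT_SUBJECT32:
				printf("PID: %d ", tok.tt.subj32.pid);
				break;
			default:
				/* Other token types are not of interest here. */
				break;
			}
			buf += tok.len;
			left -= tok.len;
		}
		free(rec);
		printf("\n");
	}

	/* fclose(3) also closes the underlying auditfd. */
	fclose(f);
	return 0;
}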