#include <sys/param.h>
#include <sys/ioctl.h>

#include <bsm/audit.h>
#include <bsm/libbsm.h>
#include <security/audit/audit_ioctl.h>

#include <err.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <sysexits.h>
#include <unistd.h>
#define AUDITPIPE_PATH "/dev/auditpipe"
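/*
 * Read records from the FreeBSD audit pipe and print, for each record,
 * the header timestamp, any path token (resolved with realpath(3)) and
 * the subject PID.  The pipe is switched to local preselection so that
 * only events in the "file write" class (fw, 0x00000002) are delivered.
 *
 * Runs until au_read_rec(3) returns -1 (EOF or read error).  Any setup
 * failure exits through err(3) with EX_OSERR; otherwise returns EX_OK.
 */

/*
 * Close the pipe and exit with EX_OSERR.  err(3) appends ": <strerror>"
 * itself, so messages are passed without a trailing colon.
 */
static void
fatal(int fd, const char *msg)
{
	close(fd);
	err(EX_OSERR, "%s", msg);
}

/* Fetch one integer-valued pipe parameter via ioctl(2) and print it under label. */
static void
show_param(int fd, unsigned long req, const char *label, const char *errmsg)
{
	int value = 0;

	if (ioctl(fd, req, &value) == -1)
		fatal(fd, errmsg);
	printf("%s %d\n", label, value);
}

/*
 * Walk the tokens of one audit record and print the fields of interest.
 * rec is the buffer handed back by au_read_rec(3); a separate cursor is
 * advanced over it so the caller can still free(rec) afterwards (the
 * original advanced buf itself and then freed the moved pointer).
 */
static void
print_record(u_char *rec, int reclen)
{
	u_char *cur = rec;
	int left = reclen;
	tokenstr_t tok;
	char resolved[MAXPATHLEN];

	while (left > 0) {
		/* -1 here means the remaining bytes don't form a whole token. */
		if (au_fetch_tok(&tok, cur, left) == -1)
			break;
		switch (tok.id) {
		case AUT_HEADER32:
			printf("Time: %" PRIu32 ".%03" PRIu32 " ",
			    tok.tt.hdr32.s, tok.tt.hdr32.ms);
			break;
		case AUT_PATH:
			/*
			 * realpath(3) consults the filesystem *now*, not at the
			 * time of the audited event, and fails for paths that no
			 * longer exist.  On failure print the raw token instead
			 * of an uninitialised buffer.  Either way the path text
			 * originates from the audited process and is printed
			 * unescaped.
			 */
			if (realpath(tok.tt.path.path, resolved) != NULL)
				printf("Path: %s ", resolved);
			else
				printf("Path: %s ", tok.tt.path.path);
			break;
		case AUT_SUBJECT32:
			printf("PID: %" PRIu32 " ", tok.tt.subj32.pid);
			break;
		default:
			break;
		}
		/* A zero-length token would never advance; stop rather than spin. */
		if (tok.len == 0)
			break;
		cur += tok.len;
		left -= (int)tok.len;
	}
	printf("\n");
}

int
main(int argc, char **argv)
{
	int auditfd, mode, reclen;
	au_mask_t mask;
	FILE *f;
	u_char *buf;

	(void)argc;
	(void)argv;

	/* 'r' is a character, not an open(2) flag; the pipe is read-only. */
	if ((auditfd = open(AUDITPIPE_PATH, O_RDONLY)) == -1)
		err(EX_OSERR, "Unable to open " AUDITPIPE_PATH);

	show_param(auditfd, AUDITPIPE_GET_QLEN,
	    "Queue length", "Can't get queue length");
	show_param(auditfd, AUDITPIPE_GET_QLIMIT_MAX,
	    "Queue length maximum", "Can't get maximum queue length");
	show_param(auditfd, AUDITPIPE_GET_MAXAUDITDATA,
	    "Maximum record size", "Can't get max record size");

	/* Local preselection: this pipe's own masks decide what it receives. */
	mode = AUDITPIPE_PRESELECT_MODE_LOCAL;
	if (ioctl(auditfd, AUDITPIPE_SET_PRESELECT_MODE, &mode) == -1)
		fatal(auditfd, "Can't set local preselection");

	/* Discard anything queued under the previous selection. */
	if (ioctl(auditfd, AUDITPIPE_FLUSH) == -1)
		fatal(auditfd, "Can't flush queue");

	/* From audit_class -> 0x00000002:fw:file write */
	/* Note that auditd must be running (or have been run) to populate the kernel mask table
	 * http://markmail.org/message/2smblfimnixlrgsh#query:+page:1+mid:wjqw7bioezs74ugd+state:results
	 */
	mask.am_success = 0x00000002;
	mask.am_failure = 0x00000000;
	if (ioctl(auditfd, AUDITPIPE_SET_PRESELECT_FLAGS, &mask) == -1)
		fatal(auditfd, "Can't set preselect flags");
	printf("success: 0x%08x failure: 0x%08x\n", mask.am_success, mask.am_failure);

	/* Same class for the non-attributable (NA) mask. */
	mask.am_success = 0x00000002;
	mask.am_failure = 0x00000000;
	if (ioctl(auditfd, AUDITPIPE_SET_PRESELECT_NAFLAGS, &mask) == -1)
		fatal(auditfd, "Can't set preselect NA flags");
	printf("NA: success: 0x%08x failure: 0x%08x\n", mask.am_success, mask.am_failure);

	/* fdopen(3) takes ownership of auditfd; fclose(3) below releases it. */
	if ((f = fdopen(auditfd, "r")) == NULL)
		fatal(auditfd, "fdopen failed");

	/* au_read_rec(3) allocates buf for each record; -1 means EOF or error. */
	while ((reclen = au_read_rec(f, &buf)) != -1) {
		print_record(buf, reclen);
		free(buf);
	}

	fclose(f);
	return (EX_OK);
}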