3 * This is a sample program that you can customize to create your own audit
4 * event handler. It will be started by auditd via the dispatcher option in
5 * /etc/audit/auditd.conf. This program can be built as follows:
7 * gcc skeleton.c -o skeleton -laudit
11 #include <sys/types.h>
/* Shutdown flag for the event loop. Presumably raised from term_handler()
 * (its body is not in this excerpt) -- confirm. Note that volatile
 * sig_atomic_t is the portable type for a flag written from a signal
 * handler; plain volatile int is what this sample uses. */
24 static volatile int signaled = 0;
/* Ident string passed to openlog(), so every syslog line is tagged with it. */
26 static const char *pgm = "skeleton";
/* Consumes audit records from pipe_fd; defined further down in this file. */
29 static int event_loop(void);
32 static void term_handler( int sig )
39 * main is started by auditd. See dispatcher in auditd.conf
/*
 * Entry point. auditd starts this program as its dispatcher (see the
 * dispatcher option in auditd.conf) and feeds it audit records; those are
 * consumed by event_loop() reading from pipe_fd.
 *
 * NOTE(review): only the lines visible in this excerpt are documented below.
 * The condition of the root check, the statements that move the inherited
 * descriptor into pipe_fd, and the final call into event_loop() are not in
 * view -- confirm them against the full file.
 */
41 int main(int argc, char *argv[])
/* Take the locale from the environment before any message is formatted. */
45 setlocale (LC_ALL, "");
/* All diagnostics go to syslog as a daemon, each line tagged with the pid. */
46 openlog(pgm, LOG_PID, LOG_DAEMON);
47 syslog(LOG_NOTICE, "starting...");
50 // Make sure we are root
/* NOTE(review): the condition guarding this error (line 51) is outside the
 * excerpt. Audit records are sensitive; keep the refusal to run unprivileged
 * rather than relaxing it when customizing this skeleton. */
52 syslog(LOG_ERR, "You must be root to run this program.");
57 // register sighandlers
/* SIGTERM and SIGCHLD both go to term_handler(); SIGHUP is ignored so a
 * reload of auditd does not kill the dispatcher.
 * NOTE(review): sa.sa_flags is never assigned in view. If line 58 does not
 * zero the struct, sigaction() reads an indeterminate flags value -- confirm.
 * The sigaction() return values are not checked here. */
59 sa.sa_handler = term_handler;
60 sigemptyset( &sa.sa_mask ) ;
61 sigaction( SIGTERM, &sa, NULL );
62 sa.sa_handler = term_handler;
63 sigemptyset( &sa.sa_mask ) ;
64 sigaction( SIGCHLD, &sa, NULL );
65 sa.sa_handler = SIG_IGN;
66 sigaction( SIGHUP, &sa, NULL );
69 // change over to pipe_fd
/* The descriptor returned by open() is deliberately discarded: presumably
 * the lines just above (70-71) moved the inherited fd 0 to pipe_fd and
 * closed it, so /dev/null lands on fd 0 and a stray read of stdin gets EOF
 * instead of audit data -- confirm against the full file. */
72 open("/dev/null", O_RDONLY);
/* Close-on-exec keeps the audit record stream from leaking into any child
 * process this handler may exec(); the fcntl() result is not checked. */
73 fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);
79 static int event_loop(void)
83 struct audit_dispatcher_header hdr;
85 // allocate data structures
86 data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
88 syslog(LOG_ERR, "Cannot allocate buffer");
91 memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
92 memset(&hdr, 0, sizeof(hdr));
102 FD_SET(pipe_fd, &fd);
103 rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
109 /* Get header first. it is fixed size */
110 vec[0].iov_base = (void*)&hdr;
111 vec[0].iov_len = sizeof(hdr);
113 rc = readv(fd, &vec[0], 1);
114 } while (rc < 0 && errno == EINTR);
118 vec[1].iov_base = data;
119 vec[1].iov_len = hdr.size;
121 rc = readv(fd, &vec[1], 1);
122 } while (rc < 0 && errno == EINTR);
125 syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
129 // Handle events here. Just for illustration, we print
130 // to syslog, but you will want to do something else.
131 syslog(LOG_NOTICE,"type=%d, payload size=%d",
133 syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,