I have been a bit talkative over the last few days, but I still haven't given my “two” readers anything practical.
So here we go:
I decided to have auditpipe trace a small program:
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
int main(void) {
	gid_t *gid;
	gid = malloc(15 * sizeof(gid_t));   /* room for the 15 group ids passed below */
	memset(gid, 0x41, 15 * sizeof(gid_t)); /* every gid becomes 0x41414141 */
	setgroups(15, gid);                 /* the call we want to see in the audit trail */
	printf("%s\n", strerror(errno));
	free(gid);
	return 0;
}
The code needed was just:
int value = 4; /* preselection mode understood by this auditpipe build */
if (ioctl(fd, AUDITPIPE_SET_PRESELECT_MODE, &value) < 0)
	err(-1, "AUDITPIPE_SET_PRESELECT_MODE");
/* restrict the pipe to a single pid; AUDITPIPE_SET_PRESELECT_EVENTS and the
 * app_* fields are not part of stock OpenBSM auditpipe(4) */
entry->app_pid = pid;
entry->app_event_len = 0;
if (ioctl(fd, AUDITPIPE_SET_PRESELECT_EVENTS, entry) < 0) /* hands over the entry filled in above */
	err(-1, "AUDITPIPE_SET_PRESELECT_EVENTS");
After that I just needed to read from /dev/auditpipe.
The results (in an XML-readable form).
As you can see, the whole execution flow for a given pid (823) was traced.
So you don't have to use a complex regex to pull the records you're interested in out of a huge auditd log file.
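Stock auditpipe(4) preselects by class mask and audit user id, not by pid, so without a patched kernel the per-pid filtering has to happen in user space on the raw BSM stream. The example below is mine, added here and not Snagg's code: it splits a buffer read from /dev/auditpipe into records using the header32 byte count, walks the tokens of each record, and pulls the pid out of the subject32 token; make_record builds constructed test records (a setgroups-style header/subject/return/trailer sequence), not a real capture.

```c
#include <stdint.h>
#include <string.h>
/* BSM tokens are big-endian on the wire; token_len knows only the kinds seen in a plain syscall record */
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static size_t token_len(const uint8_t *p, size_t avail) {
    size_t n = 0;
    switch (p[0]) {
    case 0x14: n = 18; break;                                         /* AUT_HEADER32 */
    case 0x13: n = 7; break;                                          /* AUT_TRAILER */
    case 0x24: n = 37; break;                                         /* AUT_SUBJECT32 */
    case 0x27: n = 6; break;                                          /* AUT_RETURN32 */
    case 0x2d: if (avail >= 8) n = 8 + be16(p + 6); break;            /* AUT_ARG32: text length at +6 */
    case 0x34: if (avail >= 3) n = 3 + 4 * be16(p + 1); break;        /* AUT_NEWGROUPS: count + gids */
    case 0x23: case 0x28: if (avail >= 3) n = 3 + be16(p + 1); break; /* AUT_PATH, AUT_TEXT */
    }
    return (n != 0 && n <= avail) ? n : 0;  /* 0 = unknown token or truncated record */
}
/* pid from the record's subject32 token; -1 if the record is malformed or has no subject */
int record_pid(const uint8_t *rec, size_t len) {
    size_t off = 0, n;
    if (len < 18 || rec[0] != 0x14 || be32(rec + 1) != len) return -1;
    while (off < len && (n = token_len(rec + off, len - off)) != 0) {
        if (rec[off] == 0x24) return (int)be32(rec + off + 21); /* pid sits after auid,euid,egid,ruid,rgid */
        off += n;
    }
    return -1;
}
/* count records in one auditpipe read whose subject pid matches; stops at a partial record */
size_t count_pid_records(const uint8_t *buf, size_t len, int pid) {
    size_t off = 0, hits = 0;
    while (len - off >= 18 && buf[off] == 0x14) {
        uint32_t rlen = be32(buf + off + 1);
        if (rlen < 18 || rlen > len - off) break;
        if (record_pid(buf + off, rlen) == pid) hits++;
        off += rlen;
    }
    return hits;
}
/* constructed 68-byte test record: header32, subject32 with `pid`, return32 with errno `err`, trailer */
size_t make_record(uint8_t *out, uint32_t pid, uint8_t err) {
    memset(out, 0, 68);
    out[0] = 0x14; put32(out + 1, 68); out[5] = 11;                      /* header: length, version */
    out[18] = 0x24; put32(out + 39, pid);                                /* subject: pid field */
    out[55] = 0x27; out[56] = err;                                       /* return: errno, retval 0 */
    out[61] = 0x13; out[62] = 0xB1; out[63] = 0x05; put32(out + 64, 68); /* trailer: magic, length */
    return 68;
}
```

A reader loop over /dev/auditpipe would append each read() to a buffer, call count_pid_records (or a variant that prints matches), and carry any trailing partial record over to the next read.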
Hope it will help you.
Snagg