
List:       linux-audit
Subject:    Using the Audit Failure Action Query functionality
From:       Lisa Smith <lisa.m.smith () hp ! com>
Date:       2006-07-17 18:03:52
Message-ID: 44BBD108.4060506 () hp ! com

Starting with audit 1.2.4, the new audit failure action functionality is
available for applications and services. 

The 1.2.5 audit package contains a man page for the new API,
get_auditfail_action(), which includes the following example that can be
used as a starting point for application developers:

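              /* Sample code */
              #include <stdio.h>
              #include <stdlib.h>
              #include <libaudit.h>

              int main(void)
              {
                   int fd, rc;
                   auditfail_t failmode;

                   if ((fd = audit_open()) < 0) {
                        fprintf(stderr, "Cannot open netlink audit socket\n");

                        /* Get the failure_action */
                        if ((rc = get_auditfail_action(&failmode)) == 0) {
                             if (failmode == FAIL_LOG)
                                  fprintf(stderr, "Audit subsystem unavailable\n");
                             else if (failmode == FAIL_TERMINATE)
                                  exit(1);
                             /* If failmode == FAIL_IGNORE, do nothing */
                        }
                   }

                   /* The application continues here; release the socket if it was opened */
                   if (fd >= 0)
                        audit_close(fd);
                   return 0;
              }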

I'm happy to provide help to anyone who would like to incorporate the
new functionality into an application they are maintaining.  If there
are any applications people would like me to go ahead and modify, please
let me know.

Lisa
