Sending auditd records to my audispd plugin

linux audit auditd

Solution 1:

It seems that audispd is writing audit events into its plugins stdin.

(Links to the source below are relative from https://github.com/packetstash/auditd/tree/ba912fa614a7e73160a4eba338e55890d6e8f62f. That's my first post on Server Fault, and I can't include more than two links).

In particular:

  • it creates a pair of sockets at audisp/audispd.c#L484;
  • then forks, sets child's stdin to one end of socket pair: audisp/audispd.c#L500;
  • and the writes events into another end: audisp/audispd.c#L533.

Your script will inherit open file descriptors from audispd, including stdout (fd #1), which would be reopened to /dev/null. So print in the script would likely have no effect, you'll have to write to some file.

Try something like:

import sys

with open('/tmp/my_audit.log', 'w') as log_file:
  for event_message in sys.stdin:
    log_file.write('%s\n' % event_message)

You may also want to use bindings/python/auparse_python.c module to parse the event messages.

Related

Why does `ps -x | grep foo` include the grep command?
How to get a local mysql dump of a specific AWS RDS Snapshot
8 Directional Pathfinding (A*) - Inconsistently Finding Path
How to peek at messages in the queue
Generate a Unique String in Python/Django
object to struct with as operator
Data rerenders only once onClick using function with filter() in reactjs?
Laravel model can't be named 'Match' [duplicate]
Parameter self unfilled, but when I fill it it gives expected type ' ' but got 'Type[]' warning
Select element in drag event using arrow functions in v6
MongoDB can't find data directory after upgrading to Mac OS 10.15 (Catalina)
Android - R cannot be resolved to a variable [duplicate]