Open pwrdwnsys opened 7 years ago
I don't know much about Audit subprotocol, but from quick googling it seems like you have to send a request to enable message delivery:
- https://github.com/slackhq/go-audit/blob/4cdef3e05a30f719d14508ed1e2dd3b95d7b5c21/client.go#L137
- https://github.com/mozilla/libaudit-go/blob/20ea27794d60a92871ca6979cc644409d80b06a4/libaudit.go#L209
- http://elixir.free-electrons.com/linux/latest/source/include/uapi/linux/audit.h#L425
Bonus stupid question: are you root?
Yes, I'm running the debug target binary in a separate terminal as root.
I have now created a struct of u32's for the Audit payload, then used bincode to encode it and added this as a payload after `let mut req = NetlinkRequestBuilder::new(1001 as u16, NLM_F_ACK);`, but `nlsock.send()` is expecting `&[u8]`, so I tried to send the payload with `as_slice` but it is private in the struct.
The impl for NetlinkConnection::new() assumes NetlinkProtocol::Route, so I'm guessing that I need to fork the code and change new() to accept any NetlinkProtocol enum so I can build the new connection and get the send that comes with it.
Thank you.
I added initial support for Audit in this PR: https://github.com/polachok/pnetlink/pull/22
It can be used like this:
```rust
extern crate pnetlink;
use pnetlink::socket::{NetlinkSocket, NetlinkProtocol};
use pnetlink::packet::audit::Audit;
use pnetlink::packet::netlink::NetlinkConnection;

fn main() {
    // Bind a raw netlink socket on the NETLINK_AUDIT protocol (needs root / CAP_AUDIT_CONTROL).
    let mut nlsock = NetlinkSocket::bind(NetlinkProtocol::Audit, 0 as u32).unwrap();
    // Kernel receive-buffer size; not used yet, but handy for sizing the read buffer later.
    let bufsz = nlsock.getrcvbuf().expect("Couldn't getrcvbuf!");
    // Wrap the socket in a connection so the Audit helper methods become available.
    let mut conn = NetlinkConnection::from(nlsock);
    // Placeholder read buffer for the event loop that is not implemented yet.
    let mut buf = vec![0; 512];
    // Send AUDIT_SET with the 'enabled' status so the kernel starts emitting events.
    conn.audit_enable().unwrap();
}
```
It doesn't yet receive any events, but this is a start.
Thank you for that. I will change my Cargo.toml to point directly to the repo and try it out.
Hello. I've finally managed to do that in my own netlink crate (see this example). I think the problem here is that the socket needs to be part of the `AUDIT_NLGRP_READLOG` multicast group, which you can do with `setsockopt` (according to this SO answer, just setting that in the socket address does not work).
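As an added example (not pnetlink code and not from either commenter), here are the two steps this thread converges on, written in C against the raw netlink API: building the AUDIT_SET request that the go-audit and libaudit-go links above send to enable delivery, and joining AUDIT_NLGRP_READLOG with setsockopt as described in the comment above. Constant values are those from uapi/linux/audit.h and linux/netlink.h; the socket part is Linux-only and assumes root.

```c
/* Added example, not pnetlink code: the two steps the thread identifies.
 * 1) send AUDIT_SET with AUDIT_STATUS_ENABLED so the kernel emits events;
 * 2) join AUDIT_NLGRP_READLOG via setsockopt so this socket receives them. */
#include <stdint.h>
#include <string.h>
#define NLMSG_HDRLEN_        16      /* sizeof(struct nlmsghdr) */
#define NLM_F_REQUEST_       0x01
#define NLM_F_ACK_           0x04    /* ask for an NLMSG_ERROR reply (error 0 = ok) */
#define AUDIT_SET            1001    /* "set status" control message type */
#define AUDIT_STATUS_ENABLED 0x0001  /* mask bit: the 'enabled' field is valid */
/* Leading fields of struct audit_status; the kernel copies min(its size, payload length). */
struct audit_status_msg {
    uint32_t mask, enabled, failure, pid, rate_limit, backlog_limit, lost, backlog;
};
/* Serialise nlmsghdr + audit_status into buf. Returns bytes written, 0 if
 * buf is too small. seq is echoed back in the kernel's ACK. */
size_t build_audit_enable(uint8_t *buf, size_t cap, uint32_t seq)
{
    struct audit_status_msg st;
    uint32_t len = NLMSG_HDRLEN_ + sizeof st, portid = 0; /* 0: kernel fills in */
    uint16_t type = AUDIT_SET, flags = NLM_F_REQUEST_ | NLM_F_ACK_;
    if (cap < len) return 0;
    memset(&st, 0, sizeof st);
    st.mask = AUDIT_STATUS_ENABLED;   /* only 'enabled' is being set */
    st.enabled = 1;
    memcpy(buf, &len, 4); memcpy(buf + 4, &type, 2); memcpy(buf + 6, &flags, 2);
    memcpy(buf + 8, &seq, 4); memcpy(buf + 12, &portid, 4);
    memcpy(buf + NLMSG_HDRLEN_, &st, sizeof st);
    return len;
}
#ifdef __linux__   /* socket part: needs root (CAP_AUDIT_CONTROL + CAP_AUDIT_READ) */
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>
#define AUDIT_NLGRP_READLOG 1   /* enum audit_nlgrps, uapi/linux/audit.h */
/* Open NETLINK_AUDIT, join the readlog group, enable auditing; returns the fd. */
int open_audit_reader(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    unsigned int grp = AUDIT_NLGRP_READLOG;
    uint8_t msg[64];
    size_t n = build_audit_enable(msg, sizeof msg, 1);
    if (fd < 0) return -1;
    /* Per the thread, nl_groups in bind() was not enough; add the membership explicitly. */
    if (setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, &grp, sizeof grp) < 0
        || send(fd, msg, n, 0) < 0) { close(fd); return -1; }
    return fd;  /* recv() now yields nlmsghdr + audit record text */
}
#endif
```

Each received datagram starts with an nlmsghdr whose nlmsg_type is the audit record type (e.g. AUDIT_SYSCALL), followed by the key=value text, so a reader loop parses the header first and then the text after NLMSG_HDRLEN.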
I'm looking to use Netlink to read audit events. To start with, I created a loop to read packets being sent over the bound Audit socket, but nothing seems to happen after creating the NetlinkReader (I'm running a nightly debug build as root, there are audits being generated by the system). Should I be expecting to see anything coming over Netlink? Have I misunderstood the binding? Thanks.