Hello,

On Tuesday, October 7, 2025 8:21:56 AM Eastern Daylight Time Jean-Jacques Pitrolle wrote:
> This is my first message and I hope I will provide the expected
> information to get help (:

Welcome. I think so.

> I'm looking in libaudit if there is a function to transform a line in
> audit.rules's format to a *struct audit_rule_data* to feed
> *audit_add_rule_data* to insert a new rule.

No. At times I think it was a mistake to put any rule processing code in libaudit because that is very specific to auditctl and not something that you would normally do.

> From tag *v3.0.9* (I need to stick to this version for the moment), I
> see occurrences of *audit_add_rule_data* in *autrace.c* and *auditctl.c*
> but it seems that adding a rule is specific to those binaries.

Yes. It is easier to see the pattern in autrace. You have to call:

audit_rule_create_data
audit_rule_syscallbyname_data <- for each syscall
audit_rule_fieldpair_data     <- for each field
audit_add_rule_data           <- sends the rule into the kernel
audit_get_reply               <- check to see how sending went

> Do I understand it correctly?
> Do I need to specifically write a basic rule parser to call
> *audit_add_rule_data* with a new rule when I use libaudit?

auditctl *is* the rule parser. It has not been broken out into a library call. If it were, it would basically be the setopt function in auditctl. And there are a *lot* of helper functions it calls. Pretty much 80% of auditctl is involved in rule parsing.

> Or does libaudit provide a general way to transform an auditd rule (i.e.
> in format of audit.rules file) to a struct audit_rule_data?

Nope. I think this is the first request to parse rules since the list was active. It may not sound appealing, but the quick thing is using execve to run auditctl. This way you avoid shell command injection issues.

The only documentation for how to add rules into the kernel is auditctl's code. You would have to do a careful read of the code and mimic all the idiosyncrasies it has.

-Steve
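The execve approach suggested in the reply above, sketched as an added example (not code from the audit project or from either poster): a rule line is split into an argument vector and handed to auditctl with no shell in between, so shell metacharacters in the rule text are never interpreted. The names `split_rule` and `run_auditctl`, the `/sbin/auditctl` path, and the restriction to whitespace-separated tokens without quoting are assumptions of this sketch.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define AUDITCTL "/sbin/auditctl" /* assumption: path differs per distro */
#define MAX_ARGS 64
/* Split a rule line on whitespace, in place. No shell sees the text, so
 * ; | $ ` stay plain bytes. Returns argc, 0 for blank or comment lines,
 * -1 if there are too many tokens. Assumption: no quoted tokens. */
int split_rule(char *line, char *argv[], int max)
{
    static const char ws[] = " \t\r\n";
    int argc = 0;
    char *p = line + strspn(line, ws);
    if (*p == '\0' || *p == '#')
        return 0;
    argv[argc++] = "auditctl";          /* argv[0]: program name */
    while (*p) {
        if (argc >= max - 1)            /* keep room for the NULL */
            return -1;
        argv[argc++] = p;
        p += strcspn(p, ws);            /* end of this token */
        if (*p)
            *p++ = '\0';
        p += strspn(p, ws);             /* skip to the next token */
    }
    argv[argc] = NULL;
    return argc;
}

/* fork + execve auditctl; returns its exit status, or -1 on failure. */
int run_auditctl(char *argv[])
{
    char *envp[] = { NULL };            /* empty environment for the child */
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        execve(AUDITCTL, argv, envp);
        _exit(127);                     /* reached only if execve failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char rule[] = "-w /etc/passwd -p wa -k passwd_watch"; /* constructed */
    char *argv[MAX_ARGS];
    return split_rule(rule, argv, MAX_ARGS) > 0 ? run_auditctl(argv) : 2;
}
```

Loading rules needs root (CAP_AUDIT_CONTROL); a nonzero return from `run_auditctl` means auditctl rejected the rule or could not be executed.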
