
I wrote a program to listen for iptables modifications through netlink sockets; for this I used the NETLINK_AUDIT family. When I execute the program and modify an iptables rule, the program doesn't receive any message from the kernel and it just stays in blocking mode. Could you help me find what is wrong in this program, or what else I need to do to receive iptables notifications?

#include "libaudit.h"
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

int main(void)
{
        int rc;
        struct audit_reply rep;   /* audit_get_reply() fills a struct audit_reply, not a struct audit_message */
        int fd;
        struct sockaddr_nl sa;

        memset(&sa, 0, sizeof(sa));
        sa.nl_family = AF_NETLINK;
        sa.nl_groups = 0;         /* no netlink multicast groups joined */

        fd = audit_open();
        if (fd < 0)
        {
                perror("audit_open");
                return 1;
        }

        if (bind(fd, (struct sockaddr *) &sa, sizeof(sa)) < 0)
        {
                perror("bind");
                audit_close(fd);
                return 1;
        }

        rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
        if (rc < 0)
        {
                printf("Error: %s\n", strerror(-rc));   /* libaudit returns -errno on failure */
        }
        else
        {
                printf("msg received %d \n", rep.type);  /* rep.type is the netlink message type of the reply */
        }

        audit_close(fd);

        return 0;
}
red0ct

1 Answer


Try this flag:

https://github.com/linux-audit/audit-userspace/blob/master/lib/libaudit.c#L383

From the libaudit source code:

rc = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING,0);
Devidas
  • I have tried this as well before; since it's a non-blocking call, it will come out without waiting there (I used polling as well before this call), but no data was received – avinash Nov 22 '18 at 01:23
  • Is there any other way to receive the iptables change notification? – avinash Nov 22 '18 at 01:25
  • Maybe you have to configure audit with `auditctl`? Can you consult the man page and try configuring it? – Devidas Nov 22 '18 at 08:12
  • From your observation it is clear that there is little probability of this code having a problem, as it would have given some error. So I feel audit is not configured to listen to netlink-related calls, or for that matter any call, by default. I suggest you go through this https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-defining_audit_rules_and_controls, specifically example 7.2, and try a similar thing with the given example; check that it works and then do the same/related thing for netlink – Devidas Nov 22 '18 at 08:17
  • I tried configuring those settings earlier directly using the auditctl command and can see the modification in the "ausearch -k iptablesChange" command output. This time I configured more rules in the /etc/audit/audit.rules file, but the issue still persists. – avinash Nov 23 '18 at 08:43
  • Have you tried system calls and checked with your program? Just to be sure there is no problem in the program and the audit system. Let me know if you see anything in your program when you try a system call. – Devidas Nov 23 '18 at 09:14
  • I tried with a system call in that program; it worked. char command[50]; strcpy( command, "ls -l" ); system(command); – avinash Nov 26 '18 at 06:35
  • This means your program and libaudit are working, so now we just need to figure out the right configuration for iptables notifications. Let me check if I find any. – Devidas Nov 27 '18 at 07:20
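As an added example (not the asker's code and not libaudit's), the program below receives the kernel's audit records without registering as auditd: it joins the AUDIT_NLGRP_READLOG netlink multicast group (present since Linux 3.16, requires CAP_AUDIT_READ), validates each message's netlink header before parsing it, and reports only records tagged with the audit rule key used in this thread, `key="iptablesChange"`. It assumes such a rule has been loaded with auditctl, as described in the comments above.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#define AUDIT_TEXT_MAX 8192                    /* bound on one record's text */

/* Returns the nlmsg_type of a complete audit record whose text carries
 * key="<key>", 0 if the key is absent, -1 if the message is malformed. */
int match_audit_record(const void *msg, size_t len, const char *key)
{
        const struct nlmsghdr *nlh = msg;
        char text[AUDIT_TEXT_MAX], pattern[128];
        size_t plen;
        /* Never trust nlmsg_len blindly: it must fit inside what we received. */
        if (len < sizeof(*nlh) || nlh->nlmsg_len < sizeof(*nlh) || nlh->nlmsg_len > len)
                return -1;
        plen = nlh->nlmsg_len - NLMSG_HDRLEN;
        if (plen >= sizeof(text))
                return -1;
        memcpy(text, NLMSG_DATA(nlh), plen);   /* payload is not NUL-terminated */
        text[plen] = '\0';
        snprintf(pattern, sizeof(pattern), "key=\"%s\"", key);
        return strstr(text, pattern) ? (int)nlh->nlmsg_type : 0;
}

int main(void)
{
        char buf[NLMSG_HDRLEN + AUDIT_TEXT_MAX];
        int grp = AUDIT_NLGRP_READLOG;
        int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
        /* Join the kernel's read-only audit log multicast group instead of
         * registering as auditd (Linux >= 3.16, needs CAP_AUDIT_READ). */
        if (fd < 0 || setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP,
                                 &grp, sizeof(grp)) < 0) {
                perror("audit multicast socket");
                return 1;
        }
        for (;;) {                             /* one netlink message per recv() */
                ssize_t n = recv(fd, buf, sizeof(buf), 0);
                if (n <= 0)
                        break;
                if (match_audit_record(buf, (size_t)n, "iptablesChange") > 0)
                        printf("%.*s\n", (int)(n - NLMSG_HDRLEN), buf + NLMSG_HDRLEN);
        }
        close(fd);
        return 0;
}
```

Run it as root (or with CAP_AUDIT_READ) while auditd is stopped or running; the multicast group delivers a copy of every record regardless of which daemon, if any, is registered.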