From: Matthew Booth <mbooth@redhat.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: Near Term Audit Road Map
Date: Fri, 27 Feb 2009 20:59:44 +0000 [thread overview]
Message-ID: <49A85440.9080104@redhat.com> (raw)
In-Reply-To: <200902271033.21486.sgrubb@redhat.com>
Steve Grubb wrote:
> Hi,
>
> With the proposals sent to the list, I wanted to talk about how this might
> play out code-wise. With regard to the current code base, I am working on a
> 1.8 release. This would represent finishing the remote logging app and
> nothing more. The 1.8 series would become just an update series just like the
> 1.0.x series did.
>
> In parallel with finishing remote logging, I would release a 2.0 version.
> Patches applied to 1.8 would also be applied to 2.0. A 2.1 release would
> signify the completion of remote logging that branch. I would recommend this
> branch for all distributions pulling new code in.
>
> The 2.0 branch will also have a couple more changes. I want to split up the
> audit source code a little bit. I want to drop the system-config-audit code
> and let it become standalone package updated and distributed separately.
>
> I also want to drop all audispd-plugins in the 2.0 branch and have them
> released separately. They cause unnecessary build dependencies for the audit
> package.
>
> During the work for a 2.2 release, I would also like to pull the audispd
> program inside auditd. In the past, I tried to keep auditd lean and single
> purpose, but with adding remote logging and kerberos support, we already have
> something that is hard to analyze. So, to improve performance and decrease
> system load, the audit daemon will also do event dispatching.
>
> Would this proposal impact anyone in a Bad Way?
On the contrary. My austream tool was born because:
* Ensuring a dispatcher doesn't generate audit events is fragile
* The additional task switching and memory copying becomes onerous under
load
Additionally, auditd is clearly geared up for writing to disk: certainly
in RHEL 4, switching off all disk related activity is a whole lot of
typing to tell it not to do anything :)
Solaris's BSM implements custom behaviour with loadable modules. If our
auditd did that, hopefully I could deprecate austream. The dispatcher
architecture doesn't lend itself to sustained high volume.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
prev parent reply other threads:[~2009-02-27 20:59 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-27 15:33 Near Term Audit Road Map Steve Grubb
2009-02-27 16:13 ` LC Bruzenak
2009-02-27 16:23 ` LC Bruzenak
2009-02-27 16:56 ` Steve Grubb
2009-03-24 16:29 ` audisp-remote and audisp-prelude question LC Bruzenak
2009-03-24 16:41 ` Steve Grubb
2009-03-24 16:55 ` Sebastien Tricaud
2009-03-24 17:30 ` LC Bruzenak
2009-03-24 17:06 ` Steve Grubb
2009-03-24 18:01 ` LC Bruzenak
2009-03-24 18:13 ` Steve Grubb
2009-02-27 20:59 ` Matthew Booth [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49A85440.9080104@redhat.com \
--to=mbooth@redhat.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.