From: James Antill <jantill@redhat.com>
To: linux-audit@redhat.com
Subject: Audit dispatcher process
Date: Thu, 11 Jan 2007 00:58:51 -0500
Message-ID: <1168495131.13080.92.camel@code.and.org>
Steve has asked me to write the audit dispatcher, and after talking
about it we already have some plans (as you'll see below :) but we would
welcome input from people on this list.
First to bring you all up to speed with what we know:
. Development should be starting soon.
. It will, at least initially, be distributed as part of the audit
package.
. We are planning to have a usable version for Fedora 7.
. That initial version will be able to act as the dispatcher for auditd
and (re-)send those messages to multiple plugins.
. Those plugins can be shipped separately.
...and what seems very likely:
. The plugins will be external applications.
. The dispatcher itself will not be parsing audit messages and will be
designed as a kind of Publish/Subscribe daemon.
. In that vein, reuse of code from And-httpd/Vstr/etc.[1] is more than
very likely.
. The dispatcher will only be doing minimal content filtering for the
plugins (this kind of falls out from the minimal parsing).
. That message input will come from plugins, as well as the output.
. There'll be a mode for the plugin to run in where it speaks a
mini-protocol with the dispatcher, instead of just getting raw messages
from auditd.
. That the mini-protocol will allow "commands" to go back to the
dispatcher (think remote server says "out of disk space, do X" or IDS
says "attack happening from IP block X/y, do Z").
. The initial set of plugins will contain at least something to connect
the dispatcher to setroubleshootd and something for (secure) remote
logging.
I've probably missed something already, so if there's anything you want
that isn't on the above list or anything that isn't clear and you want
to clarify ... just hit reply :).
[1] http://www.and.org/and-httpd/ and http://www.and.org/vstr/
--
James Antill - <james.antill@redhat.com>
setsockopt(fd, IPPROTO_TCP, TCP_CONGESTION, ...);
setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, ...);
setsockopt(fd, SOL_SOCKET, SO_ATTACH_FILTER, ...);
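The design sketched above (fan-out of unparsed auditd records to several plugins, minimal content filtering, and a mini-protocol that lets a plugin send commands back) can be modelled in a few dozen lines. The following is an added example, not code from this thread or from the audit package; the command verbs (PAUSE, RESUME, SUBSCRIBE), the per-plugin bounded queue, and the sample records are assumptions made for illustration.

```python
"""Toy publish/subscribe audit dispatcher (added example, not audit project code).

Models the plan in the mail: raw auditd records are fanned out, unparsed, to
several plugins; a plugin may ask for minimal content filtering (a match on the
leading ``type=`` token only, no full parse); and a plugin can send a command
back to the dispatcher.  Command names and filter syntax are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set

# Constructed sample records in auditd's raw line format (values invented).
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(1168495131.130:92): arch=c000003e syscall=2 success=yes exit=3",
    'type=AVC msg=audit(1168495131.131:93): avc:  denied  { read } for  pid=1234 comm="httpd"',
    "type=USER_LOGIN msg=audit(1168495131.132:94): pid=1235 uid=0 msg='op=login acct=\"root\"'",
    'type=AVC msg=audit(1168495131.133:95): avc:  denied  { write } for  pid=1236 comm="httpd"',
]


def record_type(raw: str) -> Optional[str]:
    """Minimal content filtering: extract only the leading ``type=`` token.
    Deliberately no full parse, so the dispatcher stays format-agnostic."""
    if not raw.startswith("type="):
        return None
    end = raw.find(" ")
    return raw[5:] if end < 0 else raw[5:end]


@dataclass
class Plugin:
    name: str
    types: Optional[Set[str]]          # None means "subscribe to everything"
    max_backlog: int = 100             # bounded queue: one slow plugin must not stall the rest
    queue: Deque[str] = field(default_factory=deque)
    dropped: int = 0
    paused: bool = False


class Dispatcher:
    def __init__(self) -> None:
        self.plugins: Dict[str, Plugin] = {}
        self.log: List[str] = []

    def subscribe(self, name: str, types=None, max_backlog: int = 100) -> Plugin:
        p = Plugin(name, set(types) if types else None, max_backlog)
        self.plugins[name] = p
        return p

    def publish(self, raw: str) -> int:
        """Fan one raw record out to every interested plugin; return delivery count."""
        t = record_type(raw)
        delivered = 0
        for p in self.plugins.values():
            if p.types is not None and t not in p.types:
                continue                      # plugin did not ask for this record type
            if p.paused or len(p.queue) >= p.max_backlog:
                p.dropped += 1                # plugin asked us to stop, or it is too far behind
                continue
            p.queue.append(raw)
            delivered += 1
        return delivered

    def command(self, sender: str, line: str) -> bool:
        """Mini-protocol back-channel, plugin -> dispatcher.
        Assumed wire format: 'PAUSE' | 'RESUME' | 'SUBSCRIBE t1,t2' (illustrative only)."""
        p = self.plugins[sender]
        verb, _, arg = line.partition(" ")
        if verb == "PAUSE":
            p.paused = True
        elif verb == "RESUME":
            p.paused = False
        elif verb == "SUBSCRIBE":
            p.types = set(arg.split(",")) if arg else None
        else:
            self.log.append(f"{sender}: unknown command {verb!r}")
            return False
        self.log.append(f"{sender}: {line}")
        return True


def demo() -> dict:
    """Two plugins: one wants only AVC records, the other wants everything but
    later reports it is out of disk space (the scenario from the mail)."""
    d = Dispatcher()
    d.subscribe("setroubleshootd", types=["AVC"])
    remote = d.subscribe("remote-log")
    counts = [d.publish(raw) for raw in SAMPLE_RECORDS[:2]]
    d.command("remote-log", "PAUSE")           # remote logger: "out of disk space, stop sending"
    counts += [d.publish(raw) for raw in SAMPLE_RECORDS[2:]]
    return {
        "delivered": counts,
        "setroubleshootd": len(d.plugins["setroubleshootd"].queue),
        "remote_queued": len(remote.queue),
        "remote_dropped": remote.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the bounded per-plugin queue and the PAUSE command is the one the mail hints at: because the dispatcher does not parse records, the only decisions it makes per record are "who asked for this type" and "can that plugin take it right now", which keeps a misbehaving plugin from back-pressuring auditd itself.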