From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: plugin auditing approach question
Date: Mon, 23 Jun 2008 12:27:25 -0500
Message-ID: <1214242045.6564.25.camel@homeserver>
To: Linux Audit
List-Id: linux-audit@redhat.com

In our system we need to supply some specialized plugins to, for example, evolution, which will be doing things that we desire to audit. However, we don't want to assign CAP_AUDIT_WRITE to evolution.

I have an approach on which I wanted to get some feedback.

I would create a library call and a matching executable audit proxy. I'd give CAP_AUDIT_WRITE to the proxy. Then the library call would fork/exec the audit proxy child, create a socket pair, and give each side its half of the pair. The sockets would persist until an explicit close (another library call, so that it told the proxy client to shut down through the socket interface) happened, so subsequent audits could use the interface. Also, the child proxy would exit on socket close, etc. I can include the parent PID in the audit info.

So if anyone has already done this or there is some reason for not choosing this path, I'd appreciate comments.

Thx,
Lenny Bruzenak

--
LC (Lenny) Bruzenak lenny@magitekltd.com
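The design sketched above (unprivileged library side, privileged proxy child, socket pair carrying the records, explicit close plus exit-on-EOF) as an added, self-contained C example. This is not code from the original post or from the audit project; the framing protocol (32-bit length prefix, one-byte ack, zero-length message meaning "shut down"), the `PROXY_MAX_MSG` cap, the `client_pid=... msg="..."` record layout and the quote/control-character sanitising are all my own choices. One simplification is labelled in the code: the child runs the proxy loop in-process rather than `execve()`-ing a separate file-capability binary, because a second binary cannot ship in one example. When built with `-DHAVE_LIBAUDIT -laudit` the proxy writes through `audit_log_user_message()`; otherwise it prints the record to stderr so the plumbing can be exercised without CAP_AUDIT_WRITE.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif

#define PROXY_MAX_MSG 4096   /* my own cap, well under libaudit's MAX_AUDIT_MESSAGE_LENGTH */

struct audit_proxy { int fd; pid_t pid; };

/* send() with MSG_NOSIGNAL so a dead proxy yields EPIPE, not SIGPIPE. */
static int write_all(int fd, const void *buf, size_t len) {
    const char *p = buf;
    while (len > 0) {
        ssize_t n = send(fd, p, len, MSG_NOSIGNAL);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* 1 = got len bytes, 0 = clean EOF before any byte, -1 = error or short read. */
static int read_all(int fd, void *buf, size_t len) {
    char *p = buf; size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, p + got, len - got);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) return got == 0 ? 0 : -1;
        got += (size_t)n;
    }
    return 1;
}

/* Record the proxy emits: the client's pid plus the text, with quotes and
 * control characters neutralised so an untrusted plugin cannot splice extra
 * fields or a fake second record into what the proxy writes. Returns length. */
size_t format_record(char *out, size_t cap, pid_t client, const char *msg, size_t len) {
    size_t n = (size_t)snprintf(out, cap, "client_pid=%d msg=\"", (int)client);
    for (size_t i = 0; i < len && n + 2 < cap; i++) {
        unsigned char c = (unsigned char)msg[i];
        out[n++] = (c < 0x20 || c == 0x7f || c == '"') ? '?' : (char)c;
    }
    if (n + 1 < cap) out[n++] = '"';
    out[n] = '\0';
    return n;
}

/* Privileged side: serve length-prefixed messages until an explicit
 * zero-length "close" or EOF (client died), acking each with one status byte. */
static int serve(int fd, pid_t client) {
    char payload[PROXY_MAX_MSG], record[PROXY_MAX_MSG + 64], ack;
#ifdef HAVE_LIBAUDIT
    int afd = audit_open();
#endif
    for (;;) {
        uint32_t len;
        if (read_all(fd, &len, sizeof len) <= 0) break;      /* EOF: client is gone */
        if (len == 0) { ack = 0; write_all(fd, &ack, 1); break; }   /* explicit close */
        if (len > PROXY_MAX_MSG || read_all(fd, payload, len) != 1) break;
        format_record(record, sizeof record, client, payload, len);
        ack = 0;
#ifdef HAVE_LIBAUDIT
        if (afd < 0 || audit_log_user_message(afd, AUDIT_USER, record, NULL, NULL, NULL, 1) <= 0) ack = 1;
#else
        fprintf(stderr, "audit-proxy: %s\n", record);        /* stand-in for the audit write */
#endif
        if (write_all(fd, &ack, 1) < 0) break;
    }
#ifdef HAVE_LIBAUDIT
    if (afd >= 0) audit_close(afd);
#endif
    return 0;
}

/* Library side: socketpair + fork, hand the child its half of the pair. */
int audit_proxy_open(struct audit_proxy *p) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {
        close(sv[0]);
        /* Real design: execve() the setcap'd proxy binary here, passing sv[1]
         * in argv, so only the child holds CAP_AUDIT_WRITE. Simplification for
         * this single-file example: run the loop in-process. */
        _exit(serve(sv[1], getppid()));
    }
    close(sv[1]);
    p->fd = sv[0]; p->pid = pid;
    return 0;
}

/* Send one message; 0 when the proxy acknowledged it, -1 otherwise. */
int audit_proxy_log(struct audit_proxy *p, const char *msg) {
    size_t len = strlen(msg); uint32_t hdr = (uint32_t)len; char ack;
    if (p->fd < 0 || len == 0 || len > PROXY_MAX_MSG) return -1;
    if (write_all(p->fd, &hdr, sizeof hdr) < 0 || write_all(p->fd, msg, len) < 0) return -1;
    if (read_all(p->fd, &ack, 1) != 1) return -1;
    return ack == 0 ? 0 : -1;
}

/* Explicit shutdown: zero-length message, wait for the ack, reap the child. */
int audit_proxy_close(struct audit_proxy *p) {
    uint32_t zero = 0; char ack; int status = 0;
    if (p->fd < 0) return -1;
    write_all(p->fd, &zero, sizeof zero);
    read_all(p->fd, &ack, 1);
    close(p->fd); p->fd = -1;
    if (waitpid(p->pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    struct audit_proxy p;
    if (audit_proxy_open(&p) < 0) return 1;
    int rc = audit_proxy_log(&p, "plugin=example action=send-mail result=ok");
    return (audit_proxy_close(&p) != 0 || rc != 0) ? 1 : 0;
}
```

Two points worth checking before adopting this shape: the client pid is taken from `getppid()` in the child, not from anything the plugin sends, so it cannot be spoofed by the unprivileged side; and a plugin that stops reading the ack byte simply blocks itself, while a plugin that exits without the explicit close still gets the proxy to exit via EOF on the socket.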