From: Steve Grubb
Subject: Re: Audit for live supervision
Date: Tue, 19 Aug 2008 14:18:46 -0400
Message-ID: <200808191418.46608.sgrubb@redhat.com>
In-Reply-To: <200808191946.14420.kayhayen@gmx.de>
References: <200808140914.07779.kayhayen@gmx.de> <48AAD55E.5070408@redhat.com> <200808191946.14420.kayhayen@gmx.de>
To: Kay Hayen
Cc: linux-audit@redhat.com, alex@segv.de
List-Id: linux-audit@redhat.com

On Tuesday 19 August 2008 13:46:14 Kay Hayen wrote:
> > No, you really want to use the user space interface (see above).
>
> Well, for lowest latency possible (note the "live" in subject), it would be
> ideal to avoid context switches auditd -> audisp -> our supervisor and
> instead simply run an additional netlink socket in addition to auditd (if
> that is allowed). That way we would have a lot less latency, at least in
> theory.

Only 1 netlink socket connection is allowed. The code you want to write for
low latency would either need to take the place of the audit daemon, meaning
you need to make your own trail if you need it. Or, write an audispd that is
run from auditd. There is some sample code here contrib/skeleton.c for
starting your own audispd.

-Steve
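The second option Steve describes, a supervisor run as an audispd plugin rather than as a second netlink consumer, is sketched below as an added example. It is not code from this thread and not the audit project's contrib/skeleton.c; it assumes only what audispd plugins are documented to receive, namely one audit record per line on stdin in the same text format as audit.log. The record layout, the field names `type`, `msg=audit(...)` and `key`, and the sample line are the standard format; the watch key "supervise" and the function names are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal summary of one audit record line, as an audispd plugin would
 * see it on stdin. Field sizes are this example's own choice. */
struct audit_rec {
    char type[32];          /* e.g. SYSCALL, EXECVE, USER_LOGIN */
    unsigned long serial;   /* the N in msg=audit(secs.ms:N) */
    char key[64];           /* rule key, empty if the record has none */
};

/* Constructed sample record (not a real capture); the key "supervise"
 * stands for whatever key the supervisor's audit rules would carry. */
static const char SAMPLE_LINE[] =
    "type=SYSCALL msg=audit(1219167526.123:456): arch=c000003e syscall=59 "
    "success=yes exit=0 ppid=1 pid=4242 auid=500 uid=0 comm=\"sh\" "
    "exe=\"/bin/sh\" key=\"supervise\"";

/* Copy the value of the whole-word field "name=" into out. Values may be
 * bare (stop at space) or double-quoted (stop at the closing quote).
 * Returns 1 if the field was found, 0 otherwise. */
static int get_field(const char *line, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = line;

    while ((p = strstr(p, name)) != NULL) {
        /* require a whole field name: start of line or a space before,
         * '=' directly after, so "type" does not match "subtype" */
        if ((p == line || p[-1] == ' ') && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            int quoted = (*v == '"');
            size_t i = 0;
            if (quoted)
                v++;
            while (*v && *v != (quoted ? '"' : ' ') && i + 1 < outsz)
                out[i++] = *v++;
            out[i] = '\0';
            return 1;
        }
        p += nlen;
    }
    return 0;
}

/* Parse one record line into r. Returns 1 on success, 0 if the line
 * lacks the mandatory type or msg=audit(...) parts. */
int parse_audit_record(const char *line, struct audit_rec *r)
{
    const char *m, *colon;

    memset(r, 0, sizeof *r);
    if (!get_field(line, "type", r->type, sizeof r->type))
        return 0;
    m = strstr(line, "msg=audit(");
    if (m == NULL)
        return 0;
    colon = strchr(m, ':');
    if (colon == NULL)
        return 0;
    r->serial = strtoul(colon + 1, NULL, 10);
    get_field(line, "key", r->key, sizeof r->key); /* optional field */
    return 1;
}

/* 1 if the record parses and carries the given key, else 0. */
int record_matches(const char *line, const char *want_key)
{
    struct audit_rec r;
    return parse_audit_record(line, &r) && strcmp(r.key, want_key) == 0;
}

/* Serial number of the record, or 0 if it does not parse. */
unsigned long record_serial(const char *line)
{
    struct audit_rec r;
    return parse_audit_record(line, &r) ? r.serial : 0;
}

/* Plugin entry point: audispd writes records to our stdin and we react
 * inline, so no extra netlink socket is needed. */
int main(void)
{
    char line[8192];
    struct audit_rec r;

    while (fgets(line, sizeof line, stdin) != NULL) {
        if (!parse_audit_record(line, &r))
            continue;
        if (strcmp(r.key, "supervise") == 0)
            printf("supervised event %lu (%s)\n", r.serial, r.type);
    }
    return 0;
}
```

Run with a record on stdin, e.g. `printf '%s\n' "$SAMPLE" | ./supervisor`; the latency cost is one pipe hop from audispd, which is what the reply recommends over a second netlink consumer. The parser deliberately treats `key` as optional, because records without a matching rule key (or with `key=(null)`) are the common case in a live stream.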