[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Proposal: New Auditd Design



Hi,

I'm planning big change in auditd now. But I'd like to hear comments
from people on this list before getting on it.
It is long and my English is bad but I try.

I have own project which is very similar to auditd and after talking with
Steve Grubb I have started porting some part of my stuff into auditd.
First goal was plugin support and it's pretty much done.
I needed it because I wanted to attach plugins for particular use
such as writing audit messages to network(D-BUS or XMLRPC) without
changing auditd itself. With plugin, changing output can be done just
specifying output plugin in config file. This is pretty much done now.
The auditd has interface to register separate methods for auditing.
For example if I want to use current auditd format but want to send
out messages to network, not log out to file for purpose, what I
need to do is just specify plugin for each API's(receiver, interpreter
and consumer) . I'm working on D-BUS plugin now.

Please check it out at:
http://download.linuon.com/audit/

Now I'm planning to port my other stuff(mostly networking stuff) as
plugin of auditd. It is a complement to syslog and does more stuff.
What I really want to do with it is to capture all kernel events and
filter them with plugins and send some critical event messages to
remote server to ask what action needs to be done for the event.
It can be done either server just sends back command number
of the action or connects back to the host with D-BUS or XMLRPC
to call the action.
With this idea, host management will be completely automatic.
It is good for handling network attacks though I have to tweak
kernel netfilter a bit, the host can block itself without operator,
without lag. (BTW, let me know if any problems with this idea)

Now I wonder if I should go with auditd or start new branch for
yet another auditd because people would not want it in main tree.
I think putting above things into auditd makes sense. It won't hurt
current design since all current code had been moved into plugin,
it is matter of which plugins user wants to enable/disable but
not sure if people want this in main tree so.

Please email me if any comments, suggestions and problems.

Thank you,

-- Junji Kanemaru
Linuon Inc.
Tokyo Japan


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]