[PATCH] Add auditd listener and remote audit protocol
LC Bruzenak
lenny at magitekltd.com
Thu Aug 14 21:58:56 UTC 2008
On Thu, 2008-08-14 at 17:43 -0400, DJ Delorie wrote:
> Second in a series, a bit bigger than the first one.
> (http://www.redhat.com/archives/linux-audit/2008-August/msg00070.html)
>
> The goal of this patch is to add the server side of the remote logging
> feature. To this end, a new auditd-listener.c is added which listens
> on a TCP port for connections from other systems' audisp-remote
> plugins. A new (private) protocol is added which prepends each
> message with a header, giving length, status, version, and sequence
> information. Each message begets a reply from the server, so we can
> pass along status like "disk full" or "ok". Currently, these call a
> set of stub functions, as the details of performing appropriate
> actions from the plugin are yet to be decided.
>
> The remote plugin has a new option "format" for "ascii" or "managed"
> to choose between the old protocol (ascii strings) and the new one
> (the header with ACK, default).
>
> The listener will accept either format. It has new options for the
> listen port, accept queue size, and acceptable client-side ports.
>
> Comments?
>
> DJ
Sorry to be dense, but if it isn't too much trouble would you mind
supplying an example use-case for this new capability? I went back and
read the supplied link but it isn't clear to me how to take advantage of
this, and I suspect it is important.
What I'm getting is that in addition to kernel-generated local events
the auditd would also receive signals as well as tcp-based events from
other sources. Would this be the way of implementing multi-source audit
aggregation or is it something different?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list