Audit for live supervision
Steve Grubb
sgrubb at redhat.com
Tue Aug 19 18:18:46 UTC 2008
On Tuesday 19 August 2008 13:46:14 Kay Hayen wrote:
> > No, you really want to use the user space interface (see above).
>
> Well, for lowest latency possible (note the "live" in subject), it would be
> ideal to avoid context switches auditd -> audisp -> our supervisor and
> instead simply run an additional netlink socket in addition to auditd (if
> that is allowed). That way we would have a lot less latency, at least in
> theory.
Only 1 netlink socket connection is allowed. The code you want to write for
low latency would either need to take the place of the audit daemon, meaning
you need to make your own trail if you need it. Or, write an audispd that is
run from auditd. There is some sample code here, contrib/skeleton.c, for
starting your own audispd.
-Steve
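As an added illustration of the second option Steve describes (not code from the original thread and not the project's contrib/skeleton.c), below is a minimal audispd-style plugin in C. audispd starts its plugins and writes one audit record per line to their stdin, so a low-latency supervisor only needs to read stdin and react; it sends SIGHUP on reload and SIGTERM on shutdown. The field extraction is a hand-rolled approximation of the key=value record format rather than libaudit/auparse, and the "alert on USER_LOGIN with res=failed" policy is an assumption chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical audisp-style plugin (added example, not contrib/skeleton.c).
 * audispd launches plugins and writes one audit record per line to their
 * stdin, so a low-latency supervisor only has to read stdin and react. */

#define MAX_LINE 8192

static volatile sig_atomic_t stop_requested = 0;
static volatile sig_atomic_t reload_requested = 0;

static void on_term(int sig) { (void)sig; stop_requested = 1; }
static void on_hup(int sig)  { (void)sig; reload_requested = 1; }

/* Copy the value of key=... into out. A key matches only at a field boundary
 * (start of record or after a space) so "type" does not match "subtype".
 * Values end at a space, newline or the quote that closes an audit msg='...'
 * block; "quoted" values are returned without the quotes.
 * Returns 1 if the key was found, 0 otherwise. */
int audit_field(const char *rec, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = rec;

    if (outlen == 0)
        return 0;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e;
            if (*v == '"') {
                v++;
                e = strchr(v, '"');
                if (e == NULL)
                    e = v + strlen(v);
            } else {
                e = v;
                while (*e && *e != ' ' && *e != '\'' && *e != '\n')
                    e++;
            }
            size_t n = (size_t)(e - v);
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Convenience check: key is present and its value equals expect. */
int audit_field_is(const char *rec, const char *key, const char *expect)
{
    char buf[256];
    return audit_field(rec, key, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* Example policy (an assumption for this example): alert on failed logins. */
int is_alert(const char *rec)
{
    return audit_field_is(rec, "type", "USER_LOGIN")
        && audit_field_is(rec, "res", "failed");
}

int main(void)
{
    char line[MAX_LINE];
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_term;
    sigaction(SIGTERM, &sa, NULL);
    sa.sa_handler = on_hup;
    sigaction(SIGHUP, &sa, NULL);

    /* audispd sends SIGHUP to plugins on reload and SIGTERM on shutdown. */
    while (!stop_requested && fgets(line, sizeof line, stdin) != NULL) {
        if (reload_requested) {
            reload_requested = 0;
            /* re-read plugin configuration here */
        }
        if (is_alert(line)) {
            char acct[256], addr[64];
            if (!audit_field(line, "acct", acct, sizeof acct))
                strcpy(acct, "?");
            if (!audit_field(line, "addr", addr, sizeof addr))
                strcpy(addr, "?");
            /* react immediately; no auditd -> disk -> reader round trip */
            fprintf(stderr, "failed login for %s from %s\n", acct, addr);
        }
    }
    return 0;
}
```

To try it by hand, pipe a few records into the binary (`ausearch --raw | ./plugin` gives realistic input). Running it under audispd still requires the usual plugins.d configuration; the point here is only that the plugin's data path is stdin, which is what keeps the latency low without needing a second netlink connection.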