Audit Dispatcher Design

Steve Grubb sgrubb at redhat.com
Fri Sep 2 19:48:08 UTC 2005


Hello,

I am attaching an Open Office presentation that contains the slides for the 
audit dispatcher preliminary design review. The audit dispatcher will be 
implemented using C++ to provide some organization and abstraction for some 
of the design elements.

The audit dispatcher will be configured by a file /etc/audisp.conf that will 
instruct it on how to configure the input plugins and the output filter 
plugin. Some plugins will be active - meaning that they have their own thread 
of execution. Others will be passive and use the caller's thread.

The Filter plugin is a Composite of two classes - the filter and an output. 
The filter part does the data transformation or filtering. The output plugin 
takes the data passed to it and outputs it. The plugin class is a wrapper for 
a shared object file that gets loaded and unloaded.

Events will be gathered by input plugins and placed into the application's 
event queue. Filter plugins will have previously registered for callbacks for 
new events. They will all receive the event and begin processing it. When and 
if the event needs to be output, the filter will call its output plugin.

The audisp daemon will receive a reconfigure event whenever SIGHUP is sent to 
the audit daemon. It will re-read its config and remove, add, or modify 
plugins on the fly.

There are some rules regarding the implementation in C++. The ground rules 
are: No dynamic class creation or deletion except at startup/shutdown; No 
exceptions; and No templates.

This is a preliminary design. If there are any concerns, comments, 
suggestions, please follow up on this. This was modeled with Umbrello - which 
is part of Kdesdk. The PDR model will be placed on 
people.redhat.com/~sgrubb/audit.

Thanks,
-Steve Grubb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audisp-pdr.odp
Type: application/vnd.oasis.opendocument.presentation
Size: 255521 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050902/e0e75235/attachment.odp>
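
The event flow described in the message above (input plugins enqueue, every registered filter plugin receives each event and calls its output when the filter passes it), as an added C++ sketch that is not part of the original post or of the audisp code. All class and method names, sizes and event types are hypothetical; it assumes the stated ground rules mean fixed-size storage, return codes instead of exceptions, and no templates.

```cpp
#include <cstring>

// Hypothetical names throughout; the post specifies no class or method names.
struct Event { int type; char text[64]; };
struct Output { virtual void write(const Event &e) = 0; virtual ~Output() {} };
struct Filter { virtual bool accept(const Event &e) = 0; virtual ~Filter() {} };

struct CountingOutput : Output {      // passive output: runs on the caller's thread
    int written;
    CountingOutput() : written(0) {}
    void write(const Event &) { ++written; }
};
struct TypeFilter : Filter {          // passes a single (constructed) event type
    int wanted;
    explicit TypeFilter(int t) : wanted(t) {}
    bool accept(const Event &e) { return e.type == wanted; }
};
struct FilterPlugin {                 // composite: a filter plus its output
    Filter *filter; Output *output;
    void on_event(const Event &e) { if (filter->accept(e)) output->write(e); }
};

class Dispatcher {
    enum { MAX_PLUGINS = 8, QUEUE_LEN = 16 };     // fixed storage, no allocation
    FilterPlugin *plugins[MAX_PLUGINS]; int nplugins;
    Event queue[QUEUE_LEN]; unsigned head, tail;
public:
    Dispatcher() : nplugins(0), head(0), tail(0) {}
    bool register_plugin(FilterPlugin *p) {       // return codes, no exceptions
        if (nplugins == MAX_PLUGINS) return false;
        plugins[nplugins++] = p;
        return true;
    }
    bool enqueue(int type, const char *text) {    // called by input plugins
        if (tail - head == QUEUE_LEN) return false;   // full: report the drop
        Event &e = queue[tail++ % QUEUE_LEN];
        e.type = type;
        std::strncpy(e.text, text, sizeof e.text - 1);
        e.text[sizeof e.text - 1] = '\0';         // always NUL-terminated
        return true;
    }
    int dispatch() {                  // every registered plugin sees every event
        int n = 0;
        for (; head != tail; ++head, ++n)
            for (int i = 0; i < nplugins; ++i)
                plugins[i]->on_event(queue[head % QUEUE_LEN]);
        return n;                     // number of events drained from the queue
    }
};
```

A full queue is reported to the caller rather than overwritten, so a lost audit event is an explicit condition the input plugin can count or log.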

