Audit Dispatcher Design

Timothy R. Chavez tinytim at us.ibm.com
Tue Sep 6 18:45:44 UTC 2005 

On Friday 02 September 2005 14:48, Steve Grubb wrote:
> Hello,
> 
> I am attaching an Open Office presentation that contains the slides for the 
> audit dispatcher preliminary design review. The audit dispatcher will be 
> implemented using C++ to provide some organization and abstraction for some 
> of the design elements.

Just a note:

AFAIK the OpenDocument Presentation (ODP) file format is not supported in 
OpenOffice 1.0/1.  For a list of applications that do support this file format
(including OpenOffice 2) check here,

http://en.wikipedia.org/wiki/OpenDocument#Applications_supporting_OpenDocument

> 
> The audit dispatcher will be configured by a file /etc/audisp.conf that will 
> instruct it on how to configure the input plugins and the output filter 
> plugin. Some plugins will be active - meaning that they have their own thread 
> of execution. Others will be passive and use the caller's thread.

Will auditd require audisp be running or will the absence of audisp produce a
default behavior in auditd?

> 
> The Filter plugin is a Composite of two classes - The filter and an output. 
> The filter part does the data transformation or filtering. The output plugin 
> takes the data passed to it and outputs it. The plugin class is a wrapper for 
> a shared object file that gets loaded and unloaded.
> 
> Events will be gathered by input plugins and placed into the applications 
> event queue. Filter plugins will have previously registered for callbacks for 
> new events. They will all receive the event and begin processing it. When and 
> if the event needs to be output, the filter will call its output plugin.
> 
> The audisp daemon will receive a reconfigure event whenever SIGHUP is sent to 
> the audit daemon. It will re-read its config and remove, add, or modify 
> plugins on the fly.
> 
> There are some rules regarding the implementation in C++. The ground rules 
> are: No dynamic class creation or deletion except at startup/shutdown; No 
> exceptions; and No templates.
> 
> This is a preliminary design. If there are any concerns, comments, 
> suggestions, please follow up on this. This was modeled with Umbrello - which 
> is part of Kdesdk. The PDR model will be placed on 
> people.redhat.com/~sgrubb/audit.
> 
> Thanks,
> -Steve Grubb
> 

I think it might be useful to spend 30m/1hr on the phone / IRC going over
these diagrams for all parties interested (*raises hand*).  This would be
more helpful for me, at least.

-tim

More information about the Linux-audit mailing list