plugin auditing approach question
LC Bruzenak
lenny at magitekltd.com
Mon Jun 23 17:27:25 UTC 2008
In our system we need to supply some specialized plugins to, for example
evolution, which will be doing things that we desire to audit. However,
we don't want to assign CAP_AUDIT_WRITE to evolution.
I have an approach on which I wanted to get some feedback.
I would create a library call and matching executable audit proxy. I'd
give CAP_AUDIT_WRITE to the proxy. Then, the library call would
fork/exec the audit proxy child, create a socket pair, and give each
side their half of the pair.
The sockets would persist until an explicit close (another library call,
so that it told the proxy client to shut down through the socket
interface) happened, so subsequent audits could use the interface.
Also the child proxy would exit on socket close, etc. I can include the
parent PID in the audit info.
So if anyone has already done this or there is some reason for not
choosing this path I'd appreciate comments.
Thx,
Lenny Bruzenak.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list