Re: [PATCH] Add auditd listener and remote audit protocol

Right, I was just trying to get the basic idea across ;-) My machine is doing about 5M/day. Most of it is cron. Understood. Let's hope so :-) Note that it injects it *after* the plugins are called; the aggregator will not pass along remote messages to its own plugins. The basis for passing failure modes from the plugins back up to auditd is still up for discussion; in the patch those functions are empty. In general, though, if the network hangs, eventually the queues fill up and the usual queue-filled rules apply. There are three likely failure modes: * network timeout. Eventually, the queues (and pipes) fill up and local panic sets in. * network failure (aggregator reboots or restarts, usually) - connection is closed or sync is lost, we know about it immediately. Currently audispd-remote just exits when that happens. * remote error - the aggregator has an error (disk full, etc) and passes it back to the clients. The clients act on it, but currently those functions are empty. Of course, a full review of the failure modes and actions will be needed at some point. Plus we have to decide if we want to feed the status back to auditd and use its configuration, or have a separate configuration in audisp-remote, for what to do about each error case. The event that gets the network error gets lost at the moment (and every event after it), and the code currently doesn't have a "try again" mechanism if it loses connectivity. Again, the whole "what do we do when a problem happens" is still somewhat TBD. Note that you can still log to the local disk *as well as* to the remote aggregator. :-) Well, you *could* based on the node= field, if you wanted to code it that way. At least they're no longer on the machine being attacked/saturated/whatever, if/when that happens.